Merge branch 'main' into DMVP-3881-mongo-atlas-version-upgrade

dasmeta · Apr 8, 2024 · 61876f3 · 61876f3
2 parents 8796021 + 4dfd60e
commit 61876f3
Showing 5 changed files with 103 additions and 4 deletions.
diff --git a/modules/efs/README.md b/modules/efs/README.md
@@ -21,6 +21,17 @@ module "efs" {
 }
 ```
 
+#### Integrated with a VPC
+This example enables EFS access to a VPC. For example, it can be the VPC of EKS cluster.
+```
+module "efs" {
+  source = "dasmeta/modules/aws//modules/efs"
+  creation_token = "EFS"
+  mount_target_subnets = ["sub-xxx", "sub-yyy", "sub-zzz"]
+  eks_vpc_id = "vpc-1212121212121"
+}
+```
+
 #### Regular usage
 ```
 module "efs" {
@@ -78,22 +89,26 @@ No modules.
 |------|------|
 | [aws_efs_file_system.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource |
 | [aws_efs_mount_target.mount_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource |
+| [aws_security_group.efs_kube_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_availability_zone_prefix"></a> [availability\_zone\_prefix](#input\_availability\_zone\_prefix) | Availability zone prefix, concat later to region code | `string` | `""` | no |
-| <a name="input_creation_token"></a> [creation\_token](#input\_creation\_token) | Creation token, same as unique name | `string` | n/a | yes |
+| <a name="input_creation_token"></a> [creation\_token](#input\_creation\_token) | Creation token, same as unique name | `string` | `"EFS-creation-token"` | no |
 | <a name="input_encrypted"></a> [encrypted](#input\_encrypted) | Weather make encrypted or not | `bool` | `false` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS kms key arn | `string` | `null` | no |
 | <a name="input_lifecycle_policy"></a> [lifecycle\_policy](#input\_lifecycle\_policy) | A block representing the lifecycle policy for the file system. | `any` | <pre>{<br>  "transition_to_archive": "AFTER_60_DAYS",<br>  "transition_to_ia": "AFTER_30_DAYS",<br>  "transition_to_primary_storage_class": null<br>}</pre> | no |
 | <a name="input_mount_target_subnets"></a> [mount\_target\_subnets](#input\_mount\_target\_subnets) | Subnet in which to create mount target | `list(string)` | `[]` | no |
+| <a name="input_name"></a> [name](#input\_name) | EFS name | `string` | `"EFS"` | no |
 | <a name="input_performance_mode"></a> [performance\_mode](#input\_performance\_mode) | Performance mode for EFS | `string` | `null` | no |
 | <a name="input_provisioned_throughput_in_mibps"></a> [provisioned\_throughput\_in\_mibps](#input\_provisioned\_throughput\_in\_mibps) | Throughput mibps for EFS, Only compliant when throughput mode is set to provisioned | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(any)` | <pre>{<br>  "Provisioner": "DasMeta"<br>}</pre> | no |
 | <a name="input_throughput_mode"></a> [throughput\_mode](#input\_throughput\_mode) | Throughput mode for the file system. Valid values: bursting, provisioned, or elastic. When using 'provisioned', also set 'provisioned\_throughput\_in\_mibps'. | `string` | `"elastic"` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID to which EFS will have access | `string` | `""` | no |
 
 ## Outputs
 

diff --git a/modules/efs/main.tf b/modules/efs/main.tf
@@ -1,4 +1,9 @@
 data "aws_region" "current" {}
+data "aws_vpc" "selected" {
+  count = var.vpc_id != "" ? 1 : 0
+
+  id = var.vpc_id
+}
 
 locals {
   az_name = var.availability_zone_prefix != "" ? format("%s%s", data.aws_region.current.name, var.availability_zone_prefix) : null
@@ -23,12 +28,43 @@ resource "aws_efs_file_system" "efs" {
     }
   }
 
-  tags = var.tags
+  tags = merge({
+    Name = var.name
+  }, var.tags)
 }
 
 resource "aws_efs_mount_target" "mount_target" {
   for_each = toset(var.mount_target_subnets)
 
-  file_system_id = aws_efs_file_system.efs.id
-  subnet_id      = each.value
+  file_system_id  = aws_efs_file_system.efs.id
+  subnet_id       = each.value
+  security_groups = [aws_security_group.efs_kube_sg[0].id]
+}
+
+resource "aws_security_group" "efs_kube_sg" {
+  count = var.vpc_id != "" ? 1 : 0
+
+  name        = "EFS to ${var.vpc_id} VPC"
+  description = "Allow EFS traffic to VPC"
+  vpc_id      = data.aws_vpc.selected[0].id
+
+  ingress {
+    description = "EFS to VPC"
+    from_port   = 2049
+    to_port     = 2049
+    protocol    = "tcp"
+    cidr_blocks = [data.aws_vpc.selected[0].cidr_block]
+  }
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  tags = {
+    Name = "efs-to-vpc"
+  }
 }
diff --git a/modules/efs/tests/mount-with-eks/README.md b/modules/efs/tests/mount-with-eks/README.md
@@ -0,0 +1,29 @@
+# mount-with-eks
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_efs"></a> [efs](#module\_efs) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/efs/tests/mount-with-eks/efs.tf b/modules/efs/tests/mount-with-eks/efs.tf
@@ -0,0 +1,6 @@
+module "efs" {
+  source               = "../../"
+  creation_token       = "EFS-test"
+  mount_target_subnets = ["sub-xxx", "sub-yyy", "sub-zzz"]
+  eks_vpc_id           = "vpc-1213131313131"
+}
diff --git a/modules/efs/variables.tf b/modules/efs/variables.tf
@@ -1,6 +1,13 @@
+variable "name" {
+  type        = string
+  description = "EFS name"
+  default     = "EFS"
+}
+
 variable "creation_token" {
   description = "Creation token, same as unique name"
   type        = string
+  default     = "EFS-creation-token"
 }
 
 variable "availability_zone_prefix" {
@@ -75,3 +82,9 @@ variable "lifecycle_policy" {
     transition_to_primary_storage_class = null // Can be set to AFTER_1_ACCESS
   }
 }
+
+variable "vpc_id" {
+  description = "VPC ID to which EFS will have access"
+  type        = string
+  default     = ""
+}