feat: Add support for Mountpoint S3 CSI driver to EKS IRSA #459

Merged
merged 12 commits into from
Mar 3, 2024
1 change: 1 addition & 0 deletions examples/iam-role-for-service-accounts-eks/README.md
Expand Up @@ -53,6 +53,7 @@ Run `terraform destroy` when you don't need these resources.
| <a name="module_load_balancer_controller_irsa_role"></a> [load\_balancer\_controller\_irsa\_role](#module\_load\_balancer\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_load_balancer_controller_targetgroup_binding_only_irsa_role"></a> [load\_balancer\_controller\_targetgroup\_binding\_only\_irsa\_role](#module\_load\_balancer\_controller\_targetgroup\_binding\_only\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_node_termination_handler_irsa_role"></a> [node\_termination\_handler\_irsa\_role](#module\_node\_termination\_handler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_s3_csi_irsa_role"></a> [s3\_csi\_irsa\_role](#module\_s3\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_velero_irsa_role"></a> [velero\_irsa\_role](#module\_velero\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
| <a name="module_vpc_cni_ipv4_irsa_role"></a> [vpc\_cni\_ipv4\_irsa\_role](#module\_vpc\_cni\_ipv4\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
16 changes: 16 additions & 0 deletions examples/iam-role-for-service-accounts-eks/main.tf
Expand Up @@ -136,6 +136,22 @@ module "efs_csi_irsa_role" {
tags = local.tags
}

module "s3_csi_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "s3-csi"
attach_s3_csi_policy = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:s3-csi-controller-sa"]
}
}

tags = local.tags
}

module "external_dns_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

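Review bot: this example leans on the module's default `s3_csi_bucket_arns` (`["arn:aws:s3:::*"]` in the variables.tf hunk of this PR), so the `s3-csi` role it produces can list, read, write and delete objects in every bucket of the account. Since this is the file people copy from, it should show the scoped form, e.g. `s3_csi_bucket_arns = ["arn:aws:s3:::my-mountpoint-bucket"]` (a placeholder name, or a reference to a bucket the example already creates). Separately, `kube-system:s3-csi-controller-sa` is worth checking against the service account the driver's pods actually run under: the OIDC trust condition is pinned to exactly this namespace:name pair, so a mismatch gives a role nothing can assume, which fails closed but without any error at apply time.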
5 changes: 5 additions & 0 deletions modules/iam-role-for-service-accounts-eks/README.md
Expand Up @@ -136,6 +136,7 @@ No modules.
| [aws_iam_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
Expand All @@ -155,6 +156,7 @@ No modules.
| [aws_iam_role_policy_attachment.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
Expand All @@ -174,6 +176,7 @@ No modules.
| [aws_iam_policy_document.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
Expand Down Expand Up @@ -203,6 +206,7 @@ No modules.
| <a name="input_attach_load_balancer_controller_policy"></a> [attach\_load\_balancer\_controller\_policy](#input\_attach\_load\_balancer\_controller\_policy) | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no |
| <a name="input_attach_load_balancer_controller_targetgroup_binding_only_policy"></a> [attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy](#input\_attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy) | Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only | `bool` | `false` | no |
| <a name="input_attach_node_termination_handler_policy"></a> [attach\_node\_termination\_handler\_policy](#input\_attach\_node\_termination\_handler\_policy) | Determines whether to attach the Node Termination Handler policy to the role | `bool` | `false` | no |
| <a name="input_attach_s3_csi_policy"></a> [attach\_s3\_csi\_policy](#input\_attach\_s3\_csi\_policy) | Determines whether to attach the EFS CSI IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_velero_policy"></a> [attach\_velero\_policy](#input\_attach\_velero\_policy) | Determines whether to attach the Velero IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_vpc_cni_policy"></a> [attach\_vpc\_cni\_policy](#input\_attach\_vpc\_cni\_policy) | Determines whether to attach the VPC CNI IAM policy to the role | `bool` | `false` | no |
| <a name="input_cert_manager_hosted_zone_arns"></a> [cert\_manager\_hosted\_zone\_arns](#input\_cert\_manager\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow Cert manager to manage records | `list(string)` | <pre>[<br> "arn:aws:route53:::hostedzone/*"<br>]</pre> | no |
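Review bot: the description of `attach_s3_csi_policy` reads "Determines whether to attach the EFS CSI IAM policy to the role", copied from the EFS entry; it should say "the S3 CSI IAM policy". This table appears to be generated from variables.tf (same string there), so fix the source and regenerate rather than editing the README by hand.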
Expand Down Expand Up @@ -236,6 +240,7 @@ No modules.
| <a name="input_role_path"></a> [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
| <a name="input_role_permissions_boundary_arn"></a> [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no |
| <a name="input_role_policy_arns"></a> [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
| <a name="input_s3_csi_bucket_arns"></a> [s3\_csi\_bucket\_arns](#input\_s3\_csi\_bucket\_arns) | S3 bucket ARNs to allow S3 CSI to manage buckets | `list(string)` | <pre>[<br> "arn:aws:s3:::*"<br>]</pre> | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |
| <a name="input_velero_s3_bucket_arns"></a> [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` | <pre>[<br> "*"<br>]</pre> | no |
| <a name="input_vpc_cni_enable_ipv4"></a> [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no |
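Review bot: `s3_csi_bucket_arns` defaults to `arn:aws:s3:::*`, which the policy in this PR expands into `s3:ListBucket` on every bucket plus Get/Put/Delete/AbortMultipartUpload on `arn:aws:s3:::*/*`, i.e. account-wide object access for anyone who flips the flag without reading the inputs table. `velero_s3_bucket_arns` above has the same wildcard default, so this is consistent with the module, but the description should say "read and write objects in the listed buckets (defaults to all buckets)" rather than "manage buckets", since the policy grants no bucket-management actions at all.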
44 changes: 44 additions & 0 deletions modules/iam-role-for-service-accounts-eks/policies.tf
Expand Up @@ -422,6 +422,50 @@ resource "aws_iam_role_policy_attachment" "efs_csi" {
policy_arn = aws_iam_policy.efs_csi[0].arn
}

################################################################################
# S3 CSI Driver Policy
################################################################################

#https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions
data "aws_iam_policy_document" "s3_csi" {
count = var.create_role && var.attach_s3_csi_policy ? 1 : 0

statement {
sid = "MountpointFullBucketAccess"
actions = ["s3:ListBucket"]
resources = var.s3_csi_bucket_arns
}

statement {
sid = "MountpointFullObjectAccess"
actions = [
"s3:GetObject",
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:DeleteObject"
]
resources = formatlist("%s/*", var.s3_csi_bucket_arns)
}
}

resource "aws_iam_policy" "s3_csi" {
count = var.create_role && var.attach_s3_csi_policy ? 1 : 0

name_prefix = "${var.policy_name_prefix}S3_CSI_Policy-"
path = var.role_path
description = "S3 CSI policy to allow management of S3"
policy = data.aws_iam_policy_document.s3_csi[0].json

tags = var.tags
}

resource "aws_iam_role_policy_attachment" "s3_csi" {
count = var.create_role && var.attach_s3_csi_policy ? 1 : 0

role = aws_iam_role.this[0].name
policy_arn = aws_iam_policy.s3_csi[0].arn
}

################################################################################
# External DNS Policy
################################################################################
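Review bot: `formatlist("%s/*", var.s3_csi_bucket_arns)` in the `MountpointFullObjectAccess` statement assumes every entry is a bare bucket ARN. A caller who passes `arn:aws:s3:::my-bucket/*` (the natural thing to write when copying from an existing object-level policy) ends up with `arn:aws:s3:::my-bucket/*/*`, which only matches keys containing a `/`, so root-level objects silently fail to mount. Either normalise the input, e.g. `formatlist("%s/*", [for a in var.s3_csi_bucket_arns : trimsuffix(a, "/*")])`, or add a `validation` block on the variable rejecting ARNs that end in `/*`. Also, `description = "S3 CSI policy to allow management of S3"` overstates and misdescribes what is granted: the two statements are `s3:ListBucket` on the buckets and object read/write/delete on their contents, nothing that manages buckets; "Mountpoint S3 CSI driver policy: list buckets and read/write objects in the configured buckets" would be accurate.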
13 changes: 13 additions & 0 deletions modules/iam-role-for-service-accounts-eks/variables.tf
Expand Up @@ -145,6 +145,19 @@ variable "attach_efs_csi_policy" {
default = false
}

# S3 CSI
variable "attach_s3_csi_policy" {
description = "Determines whether to attach the EFS CSI IAM policy to the role"
type = bool
default = false
}

variable "s3_csi_bucket_arns" {
description = "S3 bucket ARNs to allow S3 CSI to manage buckets"
type = list(string)
default = ["arn:aws:s3:::*"]
}

# External DNS
variable "attach_external_dns_policy" {
description = "Determines whether to attach the External DNS IAM policy to the role"
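Review bot: `attach_s3_csi_policy` still carries the EFS description ("Determines whether to attach the EFS CSI IAM policy to the role"); this is the source string for the generated README, so correct it here to "S3 CSI". The bigger point is `default = ["arn:aws:s3:::*"]` on `s3_csi_bucket_arns`: combined with the policy in this PR it means the opt-in boolean alone grants object read/write/delete across every bucket in the account. For a storage driver that mounts buckets into pods, the least-privilege shape is to have no default and require callers to list their buckets; if a default is kept for parity with `velero_s3_bucket_arns`, the description should state plainly that it covers all buckets.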
2 changes: 2 additions & 0 deletions wrappers/iam-role-for-service-accounts-eks/main.tf
Expand Up @@ -22,6 +22,7 @@ module "wrapper" {
attach_load_balancer_controller_policy = try(each.value.attach_load_balancer_controller_policy, var.defaults.attach_load_balancer_controller_policy, false)
attach_load_balancer_controller_targetgroup_binding_only_policy = try(each.value.attach_load_balancer_controller_targetgroup_binding_only_policy, var.defaults.attach_load_balancer_controller_targetgroup_binding_only_policy, false)
attach_node_termination_handler_policy = try(each.value.attach_node_termination_handler_policy, var.defaults.attach_node_termination_handler_policy, false)
attach_s3_csi_policy = try(each.value.attach_s3_csi_policy, var.defaults.attach_s3_csi_policy, false)
attach_velero_policy = try(each.value.attach_velero_policy, var.defaults.attach_velero_policy, false)
attach_vpc_cni_policy = try(each.value.attach_vpc_cni_policy, var.defaults.attach_vpc_cni_policy, false)
cert_manager_hosted_zone_arns = try(each.value.cert_manager_hosted_zone_arns, var.defaults.cert_manager_hosted_zone_arns, ["arn:aws:route53:::hostedzone/*"])
Expand Down Expand Up @@ -55,6 +56,7 @@ module "wrapper" {
role_path = try(each.value.role_path, var.defaults.role_path, "/")
role_permissions_boundary_arn = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, null)
role_policy_arns = try(each.value.role_policy_arns, var.defaults.role_policy_arns, {})
s3_csi_bucket_arns = try(each.value.s3_csi_bucket_arns, var.defaults.s3_csi_bucket_arns, ["arn:aws:s3:::*"])
tags = try(each.value.tags, var.defaults.tags, {})
velero_s3_bucket_arns = try(each.value.velero_s3_bucket_arns, var.defaults.velero_s3_bucket_arns, ["*"])
vpc_cni_enable_ipv4 = try(each.value.vpc_cni_enable_ipv4, var.defaults.vpc_cni_enable_ipv4, false)
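Review bot: the wrapper hard-codes the `["arn:aws:s3:::*"]` fallback a second time in `s3_csi_bucket_arns = try(each.value.s3_csi_bucket_arns, var.defaults.s3_csi_bucket_arns, ["arn:aws:s3:::*"])`. That follows the pattern of the surrounding lines, but it means any later tightening of the module default (or removal of the default altogether) has to be mirrored here, or wrapper users keep the all-buckets fallback unnoticed; worth a comment or a test that the two stay in sync.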