devops-stack-module-efs-csi-driver
A DevOps Stack module to deploy an Amazon EFS Container Storage Interface (CSI) driver.
The EFS CSI Driver chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions.
| Current Chart Version | Original Repository | Default Values |
|---|---|---|
2.5.5 |
Usage
This module can be declared by adding the following block on your Terraform configuration:
module "efs" {
source = "git::https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git?ref=<RELEASE>"
cluster_name = local.cluster_name
argocd_namespace = local.argocd_namespace
efs_file_system_id = resource.aws_efs_file_system.eks.id
create_role = true
cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
depends_on = [
module.argocd_bootstrap,
]
}In case you want to create an OIDC assumable IAM role on your own, you’ll need to provide the ARN for that role and disable the creation of the role inside of the module as follows:
module "efs" {
source = "git::https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git?ref=<RELEASE>"
cluster_name = local.cluster_name
argocd_namespace = local.argocd_namespace
efs_file_system_id = resource.aws_efs_file_system.eks.id
create_role = false
iam_role_arn = module.iam_assumable_role_efs.iam_role_arn
depends_on = [
module.argocd_bootstrap,
]
}
The create_role variable is required. If passing iam_role_arn it should be set as false, otherwise you will need to specify the variable cluster_oidc_issuer_url and set it as true.
|
This module needs to have other resources created externally. You can follow the example bellow:
resource "aws_efs_file_system" "eks" {
creation_token = module.eks.cluster_name
tags = {
Name = module.eks.cluster_name
}
}
resource "aws_security_group" "efs_eks" {
name = "efs-devops-stack"
description = "Security group for EFS."
vpc_id = module.vpc.vpc_id
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 2049
to_port = 2049
protocol = "tcp"
security_groups = [module.eks.node_security_group_id]
}
}
resource "aws_efs_mount_target" "eks" {
count = length(local.private_subnets)
file_system_id = resource.aws_efs_file_system.eks.id
subnet_id = element(module.vpc.private_subnets, count.index)
security_groups = [resource.aws_security_group.efs_eks.id]
}Technical Reference
Modules
The following Modules are called:
iam_assumable_role_efs
Source: terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc
Version: ~> 5.0
Resources
The following resources are used by this module:
-
argocd_application.this (resource)
-
argocd_project.this (resource)
-
aws_iam_policy.efs (resource)
-
null_resource.dependencies (resource)
-
null_resource.this (resource)
-
utils_deep_merge_yaml.values (data source)
Required Inputs
The following input variables are required:
efs_file_system_id
Description: EFS Filesystem ID to use by the CSI driver to create volumes.
Type: string
create_role
Description: Boolean to indicate that the OIDC assumable IAM role should be created. If passing iam_role_arn this should be false, otherwise if you want to create the OIDC assumable IAM role provided by this module, you will need to specify the variable cluster_oidc_issuer_url.
Type: bool
Optional Inputs
The following input variables are optional (have default values):
cluster_name
Description: Name given to the cluster. Value used for naming some the resources created by the module.
Type: string
Default: "cluster"
argocd_project
Description: Name of the Argo CD AppProject where the Application should be created. If not set, the Application will be created in a new AppProject only for this Application.
Type: string
Default: null
argocd_labels
Description: Labels to attach to the Argo CD Application resource.
Type: map(string)
Default: {}
destination_cluster
Description: Destination cluster where the application should be deployed.
Type: string
Default: "in-cluster"
target_revision
Description: Override of target revision of the application chart.
Type: string
Default: "v3.1.0"
helm_values
Description: Helm chart value overrides. They should be passed as a list of HCL structures.
Type: any
Default: []
app_autosync
Description: Automated sync options for the Argo CD Application resource.
Type:
object({
allow_empty = optional(bool)
prune = optional(bool)
self_heal = optional(bool)
})Default:
{
"allow_empty": false,
"prune": true,
"self_heal": true
}dependency_ids
Description: IDs of the other modules on which this module depends on.
Type: map(string)
Default: {}
resources
Description: Resource limits and requests for aws-efs-csi-driver’s components. Follow the style on official documentation to understand the format of the values."
| These are the same values as the defaults on the Helm chart aws-efs-csi-driver. |
Type:
object({
controller = optional(object({
requests = optional(object({
cpu = optional(string, "10m")
memory = optional(string, "40Mi")
}), {})
limits = optional(object({
cpu = optional(string)
memory = optional(string, "256Mi")
}), {})
}), {})
node = optional(object({
requests = optional(object({
cpu = optional(string, "10m")
memory = optional(string, "40Mi")
}), {})
limits = optional(object({
cpu = optional(string)
memory = optional(string, "256Mi")
}), {})
}), {})
})Default: {}
iam_role_arn
Description: ARN of an OIDC assumable IAM role that has access to the EFS filesystem. When specified, this is added as an annotation to the EFS CSI driver controller ServiceAccount, to allow the driver to manage EFS access points for dynamic volumes provisioning.
Type: string
Default: null
cluster_oidc_issuer_url
Description: Cluster OIDC issuer URL used to create the OIDC assumable IAM role. This variable is required to create a IAM role if you set create_role as true.
Type: string
Default: ""
Outputs
The following outputs are exported:
id
Description: ID to pass other modules in order to refer to this module as a dependency.
Reference in table format
Show tables
= Requirements
| Name | Version |
|---|---|
>= 5 |
|
>= 3 |
|
>= 1 |
= Providers
| Name | Version |
|---|---|
>= 1 |
|
n/a |
|
>= 5 |
|
>= 3 |
= Modules
| Name | Source | Version |
|---|---|---|
terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc |
~> 5.0 |
= Resources
| Name | Type |
|---|---|
resource |
|
resource |
|
resource |
|
resource |
|
resource |
|
data source |
= Inputs
| Name | Description | Type | Default | Required | ||
|---|---|---|---|---|---|---|
Name given to the cluster. Value used for naming some the resources created by the module. |
|
|
no |
|||
Name of the Argo CD AppProject where the Application should be created. If not set, the Application will be created in a new AppProject only for this Application. |
|
|
no |
|||
Labels to attach to the Argo CD Application resource. |
|
|
no |
|||
Destination cluster where the application should be deployed. |
|
|
no |
|||
Override of target revision of the application chart. |
|
|
no |
|||
Helm chart value overrides. They should be passed as a list of HCL structures. |
|
|
no |
|||
Automated sync options for the Argo CD Application resource. |
|
|
no |
|||
IDs of the other modules on which this module depends on. |
|
|
no |
|||
Resource limits and requests for aws-efs-csi-driver’s components. Follow the style on official documentation to understand the format of the values."
|
|
|
no |
|||
EFS Filesystem ID to use by the CSI driver to create volumes. |
|
n/a |
yes |
|||
Boolean to indicate that the OIDC assumable IAM role should be created. If passing |
|
n/a |
yes |
|||
ARN of an OIDC assumable IAM role that has access to the EFS filesystem. When specified, this is added as an annotation to the EFS CSI driver controller ServiceAccount, to allow the driver to manage EFS access points for dynamic volumes provisioning. |
|
|
no |
|||
Cluster OIDC issuer URL used to create the OIDC assumable IAM role. This variable is required to create a IAM role if you set |
|
|
no |
= Outputs
| Name | Description |
|---|---|
ID to pass other modules in order to refer to this module as a dependency. |