diff --git a/examples/iam-role-for-service-accounts-eks/README.md b/examples/iam-role-for-service-accounts-eks/README.md
index 224389f0..55317796 100644
--- a/examples/iam-role-for-service-accounts-eks/README.md
+++ b/examples/iam-role-for-service-accounts-eks/README.md
@@ -46,6 +46,7 @@ Run `terraform destroy` when you don't need these resources.
| [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| [fsx\_openzfs\_csi\_irsa\_role](#module\_fsx\_openzfs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| [iam\_eks\_role](#module\_iam\_eks\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
| [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | n/a |
| [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
index a38319a7..17562e82 100644
--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -205,6 +205,20 @@ module "fsx_lustre_csi_irsa_role" {
}
}
+module "fsx_openzfs_csi_irsa_role" {
+ source = "../../modules/iam-role-for-service-accounts-eks"
+
+ role_name = "fsx-openzfs-csi"
+ attach_fsx_openzfs_csi_policy = true
+
+ oidc_providers = {
+ ex = {
+ provider_arn = module.eks.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:fsx-openzfs-csi-controller-sa"]
+ }
+ }
+}
+
module "karpenter_controller_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index 09acc8dc..30f04340 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -9,6 +9,7 @@ Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optio
- [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy)
- [External Secrets](https://github.com/external-secrets/external-secrets#add-a-secret)
- [FSx for Lustre CSI Driver](https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/docs/README.md)
+- [FSx for OpenZFS CSI Driver](https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver/blob/main/README.md)
- [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml)
- [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json)
- [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules)
@@ -134,6 +135,7 @@ No modules.
| [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.fsx_openzfs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -154,6 +156,7 @@ No modules.
| [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.fsx_openzfs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -174,6 +177,7 @@ No modules.
| [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.fsx_openzfs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -204,6 +208,7 @@ No modules.
| [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
| [attach\_external\_secrets\_policy](#input\_attach\_external\_secrets\_policy) | Determines whether to attach the External Secrets policy to the role | `bool` | `false` | no |
| [attach\_fsx\_lustre\_csi\_policy](#input\_attach\_fsx\_lustre\_csi\_policy) | Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role | `bool` | `false` | no |
+| [attach\_fsx\_openzfs\_csi\_policy](#input\_attach\_fsx\_openzfs\_csi\_policy) | Determines whether to attach the FSx for OpenZFS CSI Driver IAM policy to the role | `bool` | `false` | no |
| [attach\_karpenter\_controller\_policy](#input\_attach\_karpenter\_controller\_policy) | Determines whether to attach the Karpenter Controller policy to the role | `bool` | `false` | no |
| [attach\_load\_balancer\_controller\_policy](#input\_attach\_load\_balancer\_controller\_policy) | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no |
| [attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy](#input\_attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy) | Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only | `bool` | `false` | no |
@@ -224,6 +229,7 @@ No modules.
| [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | [
"arn:aws:ssm:*:*:parameter/*"
]
| no |
| [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no |
| [fsx\_lustre\_csi\_service\_role\_arns](#input\_fsx\_lustre\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles | `list(string)` | [
"arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"
]
| no |
+| [fsx\_openzfs\_csi\_service\_role\_arns](#input\_fsx\_openzfs\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for OpenZFS CSI create and manage FSX for openzfs service linked roles | `list(string)` | [
"arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/*"
]
| no |
| [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | [Deprecated - use `karpenter_controller_cluster_name`] The name of the cluster where the Karpenter controller is provisioned/managing | `string` | `"*"` | no |
| [karpenter\_controller\_cluster\_name](#input\_karpenter\_controller\_cluster\_name) | The name of the cluster where the Karpenter controller is provisioned/managing | `string` | `"*"` | no |
| [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` | [
"*"
]
| no |
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index bbcfd588..7508a34e 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -671,7 +671,7 @@ data "aws_iam_policy_document" "fsx_lustre_csi" {
actions = [
"iam:CreateServiceLinkedRole",
"iam:AttachRolePolicy",
- "iam:PutRolePolicy"
+ "iam:PutRolePolicy",
]
resources = var.fsx_lustre_csi_service_role_arns
}
@@ -718,6 +718,71 @@ resource "aws_iam_role_policy_attachment" "fsx_lustre_csi" {
policy_arn = aws_iam_policy.fsx_lustre_csi[0].arn
}
+################################################################################
+# FSx for OpenZFS CSI Driver Policy
+################################################################################
+
+# https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver/blob/main/docs/install.md
+data "aws_iam_policy_document" "fsx_openzfs_csi" {
+ count = var.create_role && var.attach_fsx_openzfs_csi_policy ? 1 : 0
+
+ statement {
+ actions = [
+ "iam:CreateServiceLinkedRole",
+ "iam:AttachRolePolicy",
+ "iam:PutRolePolicy",
+ ]
+ resources = var.fsx_openzfs_csi_service_role_arns
+ }
+
+ statement {
+ actions = ["iam:CreateServiceLinkedRole"]
+ resources = ["*"]
+
+ condition {
+ test = "StringLike"
+ variable = "iam:AWSServiceName"
+ values = ["fsx.${local.dns_suffix}"]
+ }
+ }
+
+ statement {
+ actions = [
+ "fsx:CreateFileSystem",
+ "fsx:UpdateFileSystem",
+ "fsx:DeleteFileSystem",
+ "fsx:DescribeFileSystems",
+ "fsx:CreateVolume",
+ "fsx:DeleteVolume",
+ "fsx:DescribeVolumes",
+ "fsx:CreateSnapshot",
+ "fsx:DeleteSnapshot",
+ "fsx:DescribeSnapshots",
+ "fsx:TagResource",
+ "fsx:ListTagsForResource",
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "fsx_openzfs_csi" {
+ count = var.create_role && var.attach_fsx_openzfs_csi_policy ? 1 : 0
+
+ name_prefix = "${var.policy_name_prefix}FSx_OpenZFS_CSI_Policy-"
+ path = var.role_path
+ description = "Provides permissions to manage FSx OpenZFS volumes via the container storage interface driver"
+ policy = data.aws_iam_policy_document.fsx_openzfs_csi[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "fsx_openzfs_csi" {
+ count = var.create_role && var.attach_fsx_openzfs_csi_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.fsx_openzfs_csi[0].arn
+}
+
################################################################################
# Karpenter Controller Policy
################################################################################
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index 91e7d811..148ce89c 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -227,6 +227,19 @@ variable "fsx_lustre_csi_service_role_arns" {
default = ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"]
}
+# FSx OpenZFS CSI
+variable "attach_fsx_openzfs_csi_policy" {
+ description = "Determines whether to attach the FSx for OpenZFS CSI Driver IAM policy to the role"
+ type = bool
+ default = false
+}
+
+variable "fsx_openzfs_csi_service_role_arns" {
+ description = "Service role ARNs to allow FSx for OpenZFS CSI create and manage FSX for openzfs service linked roles"
+ type = list(string)
+ default = ["arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/*"]
+}
+
# Karpenter controller
variable "attach_karpenter_controller_policy" {
description = "Determines whether to attach the Karpenter Controller policy to the role"
diff --git a/wrappers/iam-role-for-service-accounts-eks/main.tf b/wrappers/iam-role-for-service-accounts-eks/main.tf
index 11e4a2ae..0ca1f8c9 100644
--- a/wrappers/iam-role-for-service-accounts-eks/main.tf
+++ b/wrappers/iam-role-for-service-accounts-eks/main.tf
@@ -18,6 +18,7 @@ module "wrapper" {
attach_external_dns_policy = try(each.value.attach_external_dns_policy, var.defaults.attach_external_dns_policy, false)
attach_external_secrets_policy = try(each.value.attach_external_secrets_policy, var.defaults.attach_external_secrets_policy, false)
attach_fsx_lustre_csi_policy = try(each.value.attach_fsx_lustre_csi_policy, var.defaults.attach_fsx_lustre_csi_policy, false)
+ attach_fsx_openzfs_csi_policy = try(each.value.attach_fsx_openzfs_csi_policy, var.defaults.attach_fsx_openzfs_csi_policy, false)
attach_karpenter_controller_policy = try(each.value.attach_karpenter_controller_policy, var.defaults.attach_karpenter_controller_policy, false)
attach_load_balancer_controller_policy = try(each.value.attach_load_balancer_controller_policy, var.defaults.attach_load_balancer_controller_policy, false)
attach_load_balancer_controller_targetgroup_binding_only_policy = try(each.value.attach_load_balancer_controller_targetgroup_binding_only_policy, var.defaults.attach_load_balancer_controller_targetgroup_binding_only_policy, false)
@@ -38,6 +39,7 @@ module "wrapper" {
external_secrets_ssm_parameter_arns = try(each.value.external_secrets_ssm_parameter_arns, var.defaults.external_secrets_ssm_parameter_arns, ["arn:aws:ssm:*:*:parameter/*"])
force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, true)
fsx_lustre_csi_service_role_arns = try(each.value.fsx_lustre_csi_service_role_arns, var.defaults.fsx_lustre_csi_service_role_arns, ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"])
+ fsx_openzfs_csi_service_role_arns = try(each.value.fsx_openzfs_csi_service_role_arns, var.defaults.fsx_openzfs_csi_service_role_arns, ["arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/*"])
karpenter_controller_cluster_id = try(each.value.karpenter_controller_cluster_id, var.defaults.karpenter_controller_cluster_id, "*")
karpenter_controller_cluster_name = try(each.value.karpenter_controller_cluster_name, var.defaults.karpenter_controller_cluster_name, "*")
karpenter_controller_node_iam_role_arns = try(each.value.karpenter_controller_node_iam_role_arns, var.defaults.karpenter_controller_node_iam_role_arns, ["*"])