feat: Add FSx OpenZFS IRSA #565
Merged
1 change: 1 addition & 0 deletions examples/iam-role-for-service-accounts-eks/README.md
Expand Up @@ -46,6 +46,7 @@ Run `terraform destroy` when you don't need these resources.
| <a name="module_external_dns_irsa_role"></a> [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_external_secrets_irsa_role"></a> [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_fsx_lustre_csi_irsa_role"></a> [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_fsx_openzfs_csi_irsa_role"></a> [fsx\_openzfs\_csi\_irsa\_role](#module\_fsx\_openzfs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_iam_eks_role"></a> [iam\_eks\_role](#module\_iam\_eks\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_iam_policy"></a> [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | n/a |
| <a name="module_irsa_role"></a> [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
14 changes: 14 additions & 0 deletions examples/iam-role-for-service-accounts-eks/main.tf
Expand Up @@ -205,6 +205,20 @@ module "fsx_lustre_csi_irsa_role" {
}
}

module "fsx_openzfs_csi_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "fsx-openzfs-csi"
attach_fsx_openzfs_csi_policy = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:fsx-openzfs-csi-controller-sa"]
}
}
}

module "karpenter_controller_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

6 changes: 6 additions & 0 deletions modules/iam-role-for-service-accounts-eks/README.md
Expand Up @@ -9,6 +9,7 @@ Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optio
- [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy)
- [External Secrets](https://github.com/external-secrets/external-secrets#add-a-secret)
- [FSx for Lustre CSI Driver](https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/docs/README.md)
- [FSx for OpenZFS CSI Driver](https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver/blob/main/README.md)
- [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml)
- [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json)
- [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules)
Expand Down Expand Up @@ -134,6 +135,7 @@ No modules.
| [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.fsx_openzfs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
Expand All @@ -154,6 +156,7 @@ No modules.
| [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.fsx_openzfs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
Expand All @@ -174,6 +177,7 @@ No modules.
| [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.fsx_openzfs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.load_balancer_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
Expand Down Expand Up @@ -204,6 +208,7 @@ No modules.
| <a name="input_attach_external_dns_policy"></a> [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_external_secrets_policy"></a> [attach\_external\_secrets\_policy](#input\_attach\_external\_secrets\_policy) | Determines whether to attach the External Secrets policy to the role | `bool` | `false` | no |
| <a name="input_attach_fsx_lustre_csi_policy"></a> [attach\_fsx\_lustre\_csi\_policy](#input\_attach\_fsx\_lustre\_csi\_policy) | Determines whether to attach the FSx for Lustre CSI Driver IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_fsx_openzfs_csi_policy"></a> [attach\_fsx\_openzfs\_csi\_policy](#input\_attach\_fsx\_openzfs\_csi\_policy) | Determines whether to attach the FSx for OpenZFS CSI Driver IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_karpenter_controller_policy"></a> [attach\_karpenter\_controller\_policy](#input\_attach\_karpenter\_controller\_policy) | Determines whether to attach the Karpenter Controller policy to the role | `bool` | `false` | no |
| <a name="input_attach_load_balancer_controller_policy"></a> [attach\_load\_balancer\_controller\_policy](#input\_attach\_load\_balancer\_controller\_policy) | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no |
| <a name="input_attach_load_balancer_controller_targetgroup_binding_only_policy"></a> [attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy](#input\_attach\_load\_balancer\_controller\_targetgroup\_binding\_only\_policy) | Determines whether to attach the Load Balancer Controller policy for the TargetGroupBinding only | `bool` | `false` | no |
Expand All @@ -224,6 +229,7 @@ No modules.
| <a name="input_external_secrets_ssm_parameter_arns"></a> [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br/> "arn:aws:ssm:*:*:parameter/*"<br/>]</pre> | no |
| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no |
| <a name="input_fsx_lustre_csi_service_role_arns"></a> [fsx\_lustre\_csi\_service\_role\_arns](#input\_fsx\_lustre\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for Lustre CSI create and manage FSX for Lustre service linked roles | `list(string)` | <pre>[<br/> "arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"<br/>]</pre> | no |
| <a name="input_fsx_openzfs_csi_service_role_arns"></a> [fsx\_openzfs\_csi\_service\_role\_arns](#input\_fsx\_openzfs\_csi\_service\_role\_arns) | Service role ARNs to allow FSx for OpenZFS CSI create and manage FSX for openzfs service linked roles | `list(string)` | <pre>[<br/> "arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/*"<br/>]</pre> | no |
| <a name="input_karpenter_controller_cluster_id"></a> [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | [Deprecated - use `karpenter_controller_cluster_name`] The name of the cluster where the Karpenter controller is provisioned/managing | `string` | `"*"` | no |
| <a name="input_karpenter_controller_cluster_name"></a> [karpenter\_controller\_cluster\_name](#input\_karpenter\_controller\_cluster\_name) | The name of the cluster where the Karpenter controller is provisioned/managing | `string` | `"*"` | no |
| <a name="input_karpenter_controller_node_iam_role_arns"></a> [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` | <pre>[<br/> "*"<br/>]</pre> | no |
67 changes: 66 additions & 1 deletion modules/iam-role-for-service-accounts-eks/policies.tf
Expand Up @@ -671,7 +671,7 @@ data "aws_iam_policy_document" "fsx_lustre_csi" {
actions = [
"iam:CreateServiceLinkedRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy"
"iam:PutRolePolicy",
]
resources = var.fsx_lustre_csi_service_role_arns
}
Expand Down Expand Up @@ -718,6 +718,71 @@ resource "aws_iam_role_policy_attachment" "fsx_lustre_csi" {
policy_arn = aws_iam_policy.fsx_lustre_csi[0].arn
}

################################################################################
# FSx for OpenZFS CSI Driver Policy
################################################################################

# https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver/blob/main/docs/install.md
data "aws_iam_policy_document" "fsx_openzfs_csi" {
count = var.create_role && var.attach_fsx_openzfs_csi_policy ? 1 : 0

statement {
actions = [
"iam:CreateServiceLinkedRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
]
resources = var.fsx_openzfs_csi_service_role_arns
}

statement {
actions = ["iam:CreateServiceLinkedRole"]
resources = ["*"]

condition {
test = "StringLike"
variable = "iam:AWSServiceName"
values = ["fsx.${local.dns_suffix}"]
}
}

statement {
actions = [
"fsx:CreateFileSystem",
"fsx:UpdateFileSystem",
"fsx:DeleteFileSystem",
"fsx:DescribeFileSystems",
"fsx:CreateVolume",
"fsx:DeleteVolume",
"fsx:DescribeVolumes",
"fsx:CreateSnapshot",
"fsx:DeleteSnapshot",
"fsx:DescribeSnapshots",
"fsx:TagResource",
"fsx:ListTagsForResource",
]
resources = ["*"]
}
}

resource "aws_iam_policy" "fsx_openzfs_csi" {
count = var.create_role && var.attach_fsx_openzfs_csi_policy ? 1 : 0

name_prefix = "${var.policy_name_prefix}FSx_OpenZFS_CSI_Policy-"
path = var.role_path
description = "Provides permissions to manage FSx OpenZFS volumes via the container storage interface driver"
policy = data.aws_iam_policy_document.fsx_openzfs_csi[0].json

tags = var.tags
}

resource "aws_iam_role_policy_attachment" "fsx_openzfs_csi" {
count = var.create_role && var.attach_fsx_openzfs_csi_policy ? 1 : 0

role = aws_iam_role.this[0].name
policy_arn = aws_iam_policy.fsx_openzfs_csi[0].arn
}

################################################################################
# Karpenter Controller Policy
################################################################################
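Review bot: the third statement of `data "aws_iam_policy_document" "fsx_openzfs_csi"` grants `fsx:DeleteFileSystem`, `fsx:DeleteVolume` and `fsx:DeleteSnapshot` on `resources = ["*"]`, so a compromised CSI controller pod can delete every FSx file system, volume and snapshot in the account, not only the ones the driver provisioned. If the upstream driver genuinely needs the wildcard, say so in a comment beside the upstream link and in the `aws_iam_policy` description so operators understand the blast radius; otherwise consider an `aws:ResourceTag` condition on the mutating actions, since the driver is also granted `fsx:TagResource` and can tag what it creates. Minor: the `iam:CreateServiceLinkedRole` condition uses `StringLike` on `iam:AWSServiceName` with a value containing no wildcard; `StringEquals` states the intent more precisely.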
13 changes: 13 additions & 0 deletions modules/iam-role-for-service-accounts-eks/variables.tf
Expand Up @@ -227,6 +227,19 @@ variable "fsx_lustre_csi_service_role_arns" {
default = ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"]
}

# FSx OpenZFS CSI
variable "attach_fsx_openzfs_csi_policy" {
description = "Determines whether to attach the FSx for OpenZFS CSI Driver IAM policy to the role"
type = bool
default = false
}

variable "fsx_openzfs_csi_service_role_arns" {
description = "Service role ARNs to allow FSx for OpenZFS CSI create and manage FSX for openzfs service linked roles"
type = list(string)
default = ["arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/*"]
}

# Karpenter controller
variable "attach_karpenter_controller_policy" {
description = "Determines whether to attach the Karpenter Controller policy to the role"
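Review bot: the default for `fsx_openzfs_csi_service_role_arns` hardcodes both the `aws` partition and the `amazonaws.com` DNS suffix (`arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/*`), whereas the matching statement in policies.tf builds the service name from `local.dns_suffix`; in partitions where either differs (for example `aws-cn` with `amazonaws.com.cn`) the two statements disagree and the first one will never match a real service-linked role ARN. Consider deriving the default from the same locals, or documenting the limitation in the description. The description also needs a wording fix: "to allow FSx for OpenZFS CSI create and manage FSX for openzfs service linked roles" should read "to allow the FSx for OpenZFS CSI driver to create and manage FSx for OpenZFS service-linked roles" (the Lustre variable's description has the same problem, so fix both together since terraform-docs copies them into the README).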
2 changes: 2 additions & 0 deletions wrappers/iam-role-for-service-accounts-eks/main.tf
Expand Up @@ -18,6 +18,7 @@ module "wrapper" {
attach_external_dns_policy = try(each.value.attach_external_dns_policy, var.defaults.attach_external_dns_policy, false)
attach_external_secrets_policy = try(each.value.attach_external_secrets_policy, var.defaults.attach_external_secrets_policy, false)
attach_fsx_lustre_csi_policy = try(each.value.attach_fsx_lustre_csi_policy, var.defaults.attach_fsx_lustre_csi_policy, false)
attach_fsx_openzfs_csi_policy = try(each.value.attach_fsx_openzfs_csi_policy, var.defaults.attach_fsx_openzfs_csi_policy, false)
attach_karpenter_controller_policy = try(each.value.attach_karpenter_controller_policy, var.defaults.attach_karpenter_controller_policy, false)
attach_load_balancer_controller_policy = try(each.value.attach_load_balancer_controller_policy, var.defaults.attach_load_balancer_controller_policy, false)
attach_load_balancer_controller_targetgroup_binding_only_policy = try(each.value.attach_load_balancer_controller_targetgroup_binding_only_policy, var.defaults.attach_load_balancer_controller_targetgroup_binding_only_policy, false)
Expand All @@ -38,6 +39,7 @@ module "wrapper" {
external_secrets_ssm_parameter_arns = try(each.value.external_secrets_ssm_parameter_arns, var.defaults.external_secrets_ssm_parameter_arns, ["arn:aws:ssm:*:*:parameter/*"])
force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, true)
fsx_lustre_csi_service_role_arns = try(each.value.fsx_lustre_csi_service_role_arns, var.defaults.fsx_lustre_csi_service_role_arns, ["arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*"])
fsx_openzfs_csi_service_role_arns = try(each.value.fsx_openzfs_csi_service_role_arns, var.defaults.fsx_openzfs_csi_service_role_arns, ["arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/*"])
karpenter_controller_cluster_id = try(each.value.karpenter_controller_cluster_id, var.defaults.karpenter_controller_cluster_id, "*")
karpenter_controller_cluster_name = try(each.value.karpenter_controller_cluster_name, var.defaults.karpenter_controller_cluster_name, "*")
karpenter_controller_node_iam_role_arns = try(each.value.karpenter_controller_node_iam_role_arns, var.defaults.karpenter_controller_node_iam_role_arns, ["*"])