From 8e0619a970ee0f1b4ed2d94b8cdc6a38be85c8f4 Mon Sep 17 00:00:00 2001 From: Joao C Costa Date: Wed, 8 May 2024 01:02:52 +0100 Subject: [PATCH] initial attempt (not yet tested) --- main.tf | 174 +++++++++++++++++++++++++++++++++++++++++++++++++++ outputs.tf | 12 ++++ variables.tf | 16 +++++ 3 files changed, 202 insertions(+) diff --git a/main.tf b/main.tf index 6b77554f..a12eadb3 100644 --- a/main.tf +++ b/main.tf @@ -1132,6 +1132,180 @@ module "aws_fsx_csi_driver" { } } +################################################################################ +# AWS FSx for OpenZFS CSI DRIVER +############################## +locals { + aws_fsx_zfs_csi_driver_controller_service_account = try(var.aws_fsx_zfs_csi_driver.controller_service_account_name, "fsx-openzfs-csi-controller-sa") + aws_fsx_zfs_csi_driver_node_service_account = try(var.aws_fsx_zfs_csi_driver.node_service_account_name, "fsx-openzfs-csi-node-sa") + aws_fsx_zfs_csi_driver_namespace = try(var.aws_fsx_zfs_csi_driver.namespace, "kube-system") + + # this defines which of the recommended install methods to use from https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver/blob/main/docs/install.md#set-up-driver-permissions + aws_fsx_zfs_csi_driver_full_perms = try(var.aws_fsx_zfs_csi_driver.full_perms, true) + + + # https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfsx.html#amazonfsx-resources-for-iam-policies + fsx_zfs_arns = local.aws_fsx_zfs_csi_driver_full_perms ? null : lookup(var.aws_fsx_zfs_csi_driver, "fsx_zfs_arns", + ["arn:${local.partition}:fsx:${local.region}:${local.account_id}:file-system/*"], + ) + fsx_zfs_volume_arns = local.aws_fsx_zfs_csi_driver_full_perms ? null : lookup(var.aws_fsx_zfs_csi_driver, "fsx_zfs_volume_arns", + ["arn:${local.partition}:fsx:${local.region}:${local.account_id}:volume/*"] + ) +} + +data "aws_iam_policy_document" "aws_fsx_zfs_csi_driver" { + # we only need this if local.aws_fsx_zfs_csi_driver_full_perms==false + count = var.enable_aws_fsx_zfs_csi_driver ? (local.aws_fsx_zfs_csi_driver_full_perms ? 0 : 1) : 0 + + source_policy_documents = lookup(var.aws_fsx_zfs_csi_driver, "source_policy_documents", []) + override_policy_documents = lookup(var.aws_fsx_zfs_csi_driver, "override_policy_documents", []) + + # https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver/blob/main/docs/example-iam-policy.json + statement { + sid = "New0" + effect = "Allow" + actions = [ + "iam:CreateServiceLinkedRole", + "iam:AttachRolePolicy", + "iam:PutRolePolicy", + ] + resources = ["arn:aws:iam::*:role/aws-service-role/fsx.amazonaws.com/*"] + } + statement { + sid = "New1" + effect = "Allow" + actions = [ + "iam:CreateServiceLinkedRole", + ] + resources = ["*"] + condition { + test = "StringLike" + variable = "iam:AWSServiceName" + values = ["fsx.amazonaws.com"] + } + } + + statement { + sid = "Create" + effect = "Allow" + actions = [ + "fsx:CreateFileSystem", + "fsx:UpdateFileSystem", + "fsx:DeleteFileSystem", + "fsx:DescribeFileSystems", + "fsx:CreateVolume", + "fsx:DeleteVolume", + "fsx:DescribeVolumes", + "fsx:CreateSnapshot", + "fsx:DeleteSnapshot", + "fsx:DescribeSnapshots", + "fsx:TagResource", + "fsx:ListTagsForResource", + ] + resources = flatten([ + local.fsx_zfs_arns, + local.fsx_zfs_volume_arns, + ]) + } +} + +module "aws_fsx_zfs_csi_driver" { + source = "aws-ia/eks-blueprints-addon/aws" + version = "1.1.1" + + create = var.enable_aws_fsx_zfs_csi_driver + + # Disable helm release + create_release = var.create_kubernetes_resources + + # https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver/tree/main/charts/aws-fsx-openzfs-csi-driver + name = try(var.aws_fsx_zfs_csi_driver.name, "aws-fsx-openzfs-csi-driver") + description = try(var.aws_fsx_zfs_csi_driver.description, "A Helm chart to deploy aws-fsx-openzfs-csi-driver") + namespace = local.aws_fsx_zfs_csi_driver_namespace + create_namespace = try(var.aws_fsx_zfs_csi_driver.create_namespace, false) + chart = try(var.aws_fsx_zfs_csi_driver.chart, "aws-fsx-openzfs-csi-driver") + chart_version = try(var.aws_fsx_zfs_csi_driver.chart_version, "1.1.0") + repository = try(var.aws_fsx_zfs_csi_driver.repository, "https://kubernetes-sigs.github.io/aws-fsx-openzfs-csi-driver/") + values = try(var.aws_fsx_zfs_csi_driver.values, []) + + timeout = try(var.aws_fsx_zfs_csi_driver.timeout, null) + repository_key_file = try(var.aws_fsx_zfs_csi_driver.repository_key_file, null) + repository_cert_file = try(var.aws_fsx_zfs_csi_driver.repository_cert_file, null) + repository_ca_file = try(var.aws_fsx_zfs_csi_driver.repository_ca_file, null) + repository_username = try(var.aws_fsx_zfs_csi_driver.repository_username, null) + repository_password = try(var.aws_fsx_zfs_csi_driver.repository_password, null) + devel = try(var.aws_fsx_zfs_csi_driver.devel, null) + verify = try(var.aws_fsx_zfs_csi_driver.verify, null) + keyring = try(var.aws_fsx_zfs_csi_driver.keyring, null) + disable_webhooks = try(var.aws_fsx_zfs_csi_driver.disable_webhooks, null) + reuse_values = try(var.aws_fsx_zfs_csi_driver.reuse_values, null) + reset_values = try(var.aws_fsx_zfs_csi_driver.reset_values, null) + force_update = try(var.aws_fsx_zfs_csi_driver.force_update, null) + recreate_pods = try(var.aws_fsx_zfs_csi_driver.recreate_pods, null) + cleanup_on_fail = try(var.aws_fsx_zfs_csi_driver.cleanup_on_fail, null) + max_history = try(var.aws_fsx_zfs_csi_driver.max_history, null) + atomic = try(var.aws_fsx_zfs_csi_driver.atomic, null) + skip_crds = try(var.aws_fsx_zfs_csi_driver.skip_crds, null) + render_subchart_notes = try(var.aws_fsx_zfs_csi_driver.render_subchart_notes, null) + disable_openapi_validation = try(var.aws_fsx_zfs_csi_driver.disable_openapi_validation, null) + wait = try(var.aws_fsx_zfs_csi_driver.wait, false) + wait_for_jobs = try(var.aws_fsx_zfs_csi_driver.wait_for_jobs, null) + dependency_update = try(var.aws_fsx_zfs_csi_driver.dependency_update, null) + replace = try(var.aws_fsx_zfs_csi_driver.replace, null) + lint = try(var.aws_fsx_zfs_csi_driver.lint, null) + + postrender = try(var.aws_fsx_zfs_csi_driver.postrender, []) + set = concat([ + { + name = "controller.serviceAccount.name" + value = local.aws_fsx_zfs_csi_driver_controller_service_account + }, + { + name = "node.serviceAccount.name" + value = local.aws_fsx_zfs_csi_driver_node_service_account + }], + try(var.aws_fsx_zfs_csi_driver.set, []) + ) + set_sensitive = try(var.aws_fsx_zfs_csi_driver.set_sensitive, []) + + # IAM role for service account (IRSA) + set_irsa_names = [ + "controller.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn", + "node.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" + ] + create_role = try(var.aws_fsx_zfs_csi_driver.create_role, true) + role_name = try(var.aws_fsx_zfs_csi_driver.role_name, "aws-fsx-openzfs-csi-driver") + role_name_use_prefix = try(var.aws_fsx_zfs_csi_driver.role_name_use_prefix, true) + role_path = try(var.aws_fsx_zfs_csi_driver.role_path, "/") + role_permissions_boundary_arn = lookup(var.aws_fsx_zfs_csi_driver, "role_permissions_boundary_arn", null) + role_description = try(var.aws_fsx_zfs_csi_driver.role_description, "IRSA for aws-fsx-openzfs-csi-driver project") + role_policies = lookup(var.aws_fsx_zfs_csi_driver, "role_policies", + local.aws_fsx_zfs_csi_driver_full_perms ? { AmazonFSxFullAccess = "arn:${local.partition}:iam::aws:policy/AmazonFSxFullAccess" } : {} + ) + + source_policy_documents = local.aws_fsx_zfs_csi_driver_full_perms ? lookup(var.aws_fsx_zfs_csi_driver, "source_policy_documents", []) : data.aws_iam_policy_document.aws_fsx_zfs_csi_driver[*].json + policy_statements = lookup(var.aws_fsx_zfs_csi_driver, "policy_statements", []) + policy_name = try(var.aws_fsx_zfs_csi_driver.policy_name, null) + policy_name_use_prefix = try(var.aws_fsx_zfs_csi_driver.policy_name_use_prefix, true) + policy_path = try(var.aws_fsx_zfs_csi_driver.policy_path, null) + policy_description = try(var.aws_fsx_zfs_csi_driver.policy_description, "IAM Policy for AWS FSx for OpenZFS CSI Driver") + + oidc_providers = { + controller = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = local.aws_fsx_zfs_csi_driver_controller_service_account + } + node = { + provider_arn = local.oidc_provider_arn + # namespace is inherited from chart + service_account = local.aws_fsx_zfs_csi_driver_node_service_account + } + } + + tags = var.tags +} + ################################################################################ # AWS Load Balancer Controller ################################################################################ diff --git a/outputs.tf b/outputs.tf index 4aed531b..1379180d 100644 --- a/outputs.tf +++ b/outputs.tf @@ -38,6 +38,11 @@ output "aws_fsx_csi_driver" { value = module.aws_fsx_csi_driver } +output "aws_fsx_zfs_csi_driver" { + description = "Map of attributes of the Helm release and IRSA created" + value = module.aws_fsx_zfs_csi_driver +} + output "aws_load_balancer_controller" { description = "Map of attributes of the Helm release and IRSA created" value = module.aws_load_balancer_controller @@ -216,6 +221,13 @@ output "gitops_metadata" { node_service_account = local.aws_fsx_csi_driver_node_service_account } : "aws_fsx_csi_driver_${k}" => v if var.enable_aws_fsx_csi_driver }, + { for k, v in { + iam_role_arn = module.aws_fsx_zfs_csi_driver.iam_role_arn + namespace = local.aws_fsx_zfs_csi_driver_namespace + controller_service_account = local.aws_fsx_zfs_csi_driver_controller_service_account + node_service_account = local.aws_fsx_zfs_csi_driver_node_service_account + } : "aws_fsx_zfs_csi_driver_${k}" => v if var.enable_aws_fsx_zfs_csi_driver + }, { for k, v in { iam_role_arn = module.aws_privateca_issuer.iam_role_arn namespace = local.aws_privateca_issuer_namespace diff --git a/variables.tf b/variables.tf index 928c8cff..200fd88e 100644 --- a/variables.tf +++ b/variables.tf @@ -148,6 +148,22 @@ variable "aws_efs_csi_driver" { default = {} } +################################################################################ +# AWS FSx for OpenZFS +################################################################################ + +variable "enable_aws_fsx_zfs_csi_driver" { + description = "Enable AWS FSx for OpenZFS CSI Driver add-on" + type = bool + default = false +} + +variable "aws_fsx_zfs_csi_driver" { + description = "FSx for OpenZFS CSI Driver add-on configuration values" + type = any + default = {} +} + ################################################################################ # AWS for Fluentbit ################################################################################