Skip to content

Latest commit

 

History

History
508 lines (365 loc) · 14.8 KB

README.adoc

File metadata and controls

508 lines (365 loc) · 14.8 KB

devops-stack-module-efs-csi-driver

A DevOps Stack module to deploy an Amazon EFS Container Storage Interface (CSI) driver.

The EFS CSI Driver chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions.

Current Chart Version Original Repository Default Values

3.0.8

Chart

values.yaml

Usage

This module can be declared by adding the following block on your Terraform configuration:

module "efs" {
  source = "git::https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git?ref=<RELEASE>"

  cluster_name            = local.cluster_name
  argocd_namespace        = local.argocd_namespace
  efs_file_system_id      = resource.aws_efs_file_system.eks.id
  create_role             = true
  cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url

  depends_on = [
    module.argocd_bootstrap,
  ]
}

In case you want to create an OIDC assumable IAM role on your own, you’ll need to provide the ARN for that role and disable the creation of the role inside of the module as follows:

module "efs" {
  source = "git::https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git?ref=<RELEASE>"

  cluster_name       = local.cluster_name
  argocd_namespace   = local.argocd_namespace
  efs_file_system_id = resource.aws_efs_file_system.eks.id
  create_role        = false
  iam_role_arn       = module.iam_assumable_role_efs.iam_role_arn

  depends_on = [
    module.argocd_bootstrap,
  ]
}
Important
The create_role variable is required. If passing iam_role_arn it should be set as false, otherwise you will need to specify the variable cluster_oidc_issuer_url and set it as true.

This module needs to have other resources created externally. You can follow the example bellow:

resource "aws_efs_file_system" "eks" {
  creation_token = module.eks.cluster_name

  tags = {
    Name = module.eks.cluster_name
  }
}

resource "aws_security_group" "efs_eks" {
  name        = "efs-devops-stack"
  description = "Security group for EFS."
  vpc_id      = module.vpc.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port       = 2049
    to_port         = 2049
    protocol        = "tcp"
    security_groups = [module.eks.node_security_group_id]
  }
}

resource "aws_efs_mount_target" "eks" {
  count = length(local.private_subnets)

  file_system_id  = resource.aws_efs_file_system.eks.id
  subnet_id       = element(module.vpc.private_subnets, count.index)
  security_groups = [resource.aws_security_group.efs_eks.id]
}

Technical Reference

Dependencies

module.argocd_bootstrap

This module must be one of the first ones to be deployed and consequently it needs to be deployed after the module argocd_bootstrap.

Requirements

The following requirements are needed by this module:

Providers

The following providers are used by this module:

Modules

The following Modules are called:

Source: terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc

Version: ~> 5.0

Resources

The following resources are used by this module:

Required Inputs

The following input variables are required:

Description: EFS Filesystem ID to use by the CSI driver to create volumes.

Type: string

Description: Boolean to indicate that the OIDC assumable IAM role should be created. If passing iam_role_arn this should be false, otherwise if you want to create the OIDC assumable IAM role provided by this module, you will need to specify the variable cluster_oidc_issuer_url.

Type: bool

Optional Inputs

The following input variables are optional (have default values):

Description: Name given to the cluster. Value used for naming some the resources created by the module.

Type: string

Default: "cluster"

Description: Name of the Argo CD AppProject where the Application should be created. If not set, the Application will be created in a new AppProject only for this Application.

Type: string

Default: null

Description: Labels to attach to the Argo CD Application resource.

Type: map(string)

Default: {}

Description: Destination cluster where the application should be deployed.

Type: string

Default: "in-cluster"

Description: Override of target revision of the application chart.

Type: string

Default: "v5.0.0"

Description: Helm chart value overrides. They should be passed as a list of HCL structures.

Type: any

Default: []

Description: Automated sync options for the Argo CD Application resource.

Type:

object({
    allow_empty = optional(bool)
    prune       = optional(bool)
    self_heal   = optional(bool)
  })

Default:

{
  "allow_empty": false,
  "prune": true,
  "self_heal": true
}

Description: IDs of the other modules on which this module depends on.

Type: map(string)

Default: {}

Description: Resource limits and requests for aws-efs-csi-driver’s components. Follow the style on official documentation to understand the format of the values."

Note
These are the same values as the defaults on the Helm chart aws-efs-csi-driver.

Type:

object({

    controller = optional(object({
      requests = optional(object({
        cpu    = optional(string, "10m")
        memory = optional(string, "40Mi")
      }), {})
      limits = optional(object({
        cpu    = optional(string)
        memory = optional(string, "256Mi")
      }), {})
    }), {})

    node = optional(object({
      requests = optional(object({
        cpu    = optional(string, "10m")
        memory = optional(string, "40Mi")
      }), {})
      limits = optional(object({
        cpu    = optional(string)
        memory = optional(string, "256Mi")
      }), {})
    }), {})

  })

Default: {}

Description: ARN of an OIDC assumable IAM role that has access to the EFS filesystem. When specified, this is added as an annotation to the EFS CSI driver controller ServiceAccount, to allow the driver to manage EFS access points for dynamic volumes provisioning.

Type: string

Default: null

Description: Cluster OIDC issuer URL used to create the OIDC assumable IAM role. This variable is required to create a IAM role if you set create_role as true.

Type: string

Default: ""

Outputs

The following outputs are exported:

Description: ID to pass other modules in order to refer to this module as a dependency.

Reference in table format

Show tables

= Requirements

Name Version

>= 6

>= 3

>= 1

= Providers

Name Version

>= 6

>= 1

aws

n/a

>= 3

= Modules

Name Source Version

terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc

~> 5.0

= Resources

Name Type

resource

resource

resource

resource

data source

data source

= Inputs

Name Description Type Default Required

Name given to the cluster. Value used for naming some the resources created by the module.

string

"cluster"

no

Name of the Argo CD AppProject where the Application should be created. If not set, the Application will be created in a new AppProject only for this Application.

string

null

no

Labels to attach to the Argo CD Application resource.

map(string)

{}

no

Destination cluster where the application should be deployed.

string

"in-cluster"

no

Override of target revision of the application chart.

string

"v5.0.0"

no

Helm chart value overrides. They should be passed as a list of HCL structures.

any

[]

no

Automated sync options for the Argo CD Application resource.

object({
    allow_empty = optional(bool)
    prune       = optional(bool)
    self_heal   = optional(bool)
  })
{
  "allow_empty": false,
  "prune": true,
  "self_heal": true
}

no

IDs of the other modules on which this module depends on.

map(string)

{}

no

Resource limits and requests for aws-efs-csi-driver’s components. Follow the style on official documentation to understand the format of the values."

Note
These are the same values as the defaults on the Helm chart aws-efs-csi-driver.
object({

    controller = optional(object({
      requests = optional(object({
        cpu    = optional(string, "10m")
        memory = optional(string, "40Mi")
      }), {})
      limits = optional(object({
        cpu    = optional(string)
        memory = optional(string, "256Mi")
      }), {})
    }), {})

    node = optional(object({
      requests = optional(object({
        cpu    = optional(string, "10m")
        memory = optional(string, "40Mi")
      }), {})
      limits = optional(object({
        cpu    = optional(string)
        memory = optional(string, "256Mi")
      }), {})
    }), {})

  })

{}

no

EFS Filesystem ID to use by the CSI driver to create volumes.

string

n/a

yes

Boolean to indicate that the OIDC assumable IAM role should be created. If passing iam_role_arn this should be false, otherwise if you want to create the OIDC assumable IAM role provided by this module, you will need to specify the variable cluster_oidc_issuer_url.

bool

n/a

yes

ARN of an OIDC assumable IAM role that has access to the EFS filesystem. When specified, this is added as an annotation to the EFS CSI driver controller ServiceAccount, to allow the driver to manage EFS access points for dynamic volumes provisioning.

string

null

no

Cluster OIDC issuer URL used to create the OIDC assumable IAM role. This variable is required to create a IAM role if you set create_role as true.

string

""

no

= Outputs

Name Description

id

ID to pass other modules in order to refer to this module as a dependency.