Merge pull request #3 from truefoundry/added_file_policy

Added file policy to efs
truefoundry · Mar 12, 2024 · 71a3be2 · 71a3be2
2 parents 6433502 + 8c8e431
commit 71a3be2
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -36,6 +36,7 @@ Truefoundry AWS EFS Module
 | <a name="input_azs"></a> [azs](#input\_azs) | Availability Zones | `list(string)` | n/a | yes |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS Cluster Name | `string` | n/a | yes |
 | <a name="input_cluster_oidc_issuer_url"></a> [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | The oidc url of the eks cluster | `string` | n/a | yes |
+| <a name="input_efs_node_iam_role_arn"></a> [efs\_node\_iam\_role\_arn](#input\_efs\_node\_iam\_role\_arn) | The node IAM role ARN being used by the EFS daemonset | `string` | n/a | yes |
 | <a name="input_k8s_service_account_name"></a> [k8s\_service\_account\_name](#input\_k8s\_service\_account\_name) | The k8s efs service account name | `string` | n/a | yes |
 | <a name="input_k8s_service_account_namespace"></a> [k8s\_service\_account\_namespace](#input\_k8s\_service\_account\_namespace) | The k8s efs namespace | `string` | n/a | yes |
 | <a name="input_performance_mode"></a> [performance\_mode](#input\_performance\_mode) | the performance mode for EFS | `string` | n/a | yes |

diff --git a/efs.tf b/efs.tf
@@ -68,12 +68,30 @@ module "efs" {
 
   name = "${var.cluster_name}-efs"
 
-  mount_targets              = { for k, v in zipmap(var.azs, var.private_subnets_id) : k => { subnet_id = v } }
-  security_group_description = "${var.cluster_name} EFS"
-  security_group_vpc_id      = var.vpc_id
-  attach_policy              = false
-  throughput_mode            = var.throughput_mode
-  performance_mode           = var.performance_mode
+  mount_targets                      = { for k, v in zipmap(var.azs, var.private_subnets_id) : k => { subnet_id = v } }
+  security_group_description         = "${var.cluster_name} EFS"
+  security_group_vpc_id              = var.vpc_id
+  attach_policy                      = true
+  bypass_policy_lockout_safety_check = false
+  policy_statements = [
+    {
+      sid     = "EFS-CSI-Driver-Access"
+      actions = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite", "elasticfilesystem:ClientRootAccess"]
+      principals = [
+        {
+          type        = "AWS"
+          identifiers = [var.efs_node_iam_role_arn]
+        }
+      ]
+      conditions = [{
+        test     = "Bool"
+        values   = ["true"]
+        variable = "elasticfilesystem:AccessedViaMountTarget"
+      }]
+    }
+  ]
+  throughput_mode  = var.throughput_mode
+  performance_mode = var.performance_mode
   security_group_rules = {
     vpc = {
       # relying on the defaults provdied for EFS/NFS (2049/TCP + ingress)

diff --git a/variables.tf b/variables.tf
@@ -59,6 +59,11 @@ variable "cluster_oidc_issuer_url" {
   type        = string
 }
 
+variable "efs_node_iam_role_arn" {
+  description = "The node IAM role ARN being used by the EFS daemonset"
+  type        = string
+}
+
 variable "tags" {
   type        = map(string)
   default     = {}