From b1b71bae4437da81c53a60810a33c106589ad6b1 Mon Sep 17 00:00:00 2001
From: Shubham Rai
Date: Tue, 12 Mar 2024 13:54:08 +0530
Subject: [PATCH 1/3] Added file policy to efs

---
 efs.tf | 20 +++++++++++++++++++-
 variables.tf | 5 +++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/efs.tf b/efs.tf
index 32460b6..14cf5de 100644
--- a/efs.tf
+++ b/efs.tf
@@ -71,7 +71,25 @@ module "efs" {
  mount_targets = { for k, v in zipmap(var.azs, var.private_subnets_id) : k => { subnet_id = v } }
  security_group_description = "${var.cluster_name} EFS"
  security_group_vpc_id = var.vpc_id
- attach_policy = false
+ attach_policy = true
+ bypass_policy_lockout_safety_check = false
+ policy_statements = [
+ {
+ sid = "EFS-CSI-Driver-Access"
+ actions = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite", "elasticfilesystem:ClientRootAccess"]
+ principals = [
+ {
+ type = "AWS"
+ identifiers = [var.efs_node_iam_role_arn]
+ }
+ ]
+ conditions = [{
+ test = "Bool"
+ values = ["true"]
+ variable = "elasticfilesystem:AccessedViaMountTarget"
+ }]
+ }
+ ]
  throughput_mode = var.throughput_mode
  performance_mode = var.performance_mode
  security_group_rules = {
diff --git a/variables.tf b/variables.tf
index 8e0153d..6271559 100644
--- a/variables.tf
+++ b/variables.tf
@@ -59,6 +59,11 @@ variable "cluster_oidc_issuer_url" {
  type = string
 }
 
+variable "efs_node_iam_role_arn" {
+ description = "The node IAM role ARN being used by the EFS daemonset"
+ type = string
+}
+
 variable "tags" {
  type = map(string)
  default = {}

From 5ea6642554615ac243a5dc4f505713d83a17b1b7 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 12 Mar 2024 08:24:34 +0000
Subject: [PATCH 2/3] terraform-docs: automated action

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 97daef0..d6a2bb2 100644
--- a/README.md
+++ b/README.md
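Review bot: The new `policy_statements` entry grants `elasticfilesystem:ClientRootAccess` to the node IAM role, and since node instance-role credentials are shared by every pod scheduled on that node, this in effect lets any workload that can obtain the node's credentials mount the file system as root. The module already takes `k8s_service_account_name`, `k8s_service_account_namespace` and `cluster_oidc_issuer_url` (visible in the README table), so if the EFS CSI driver runs with IRSA the principal should be that service-account role rather than the node role, and `ClientRootAccess` should be dropped unless a specific need is documented (access points with a fixed POSIX user normally make it unnecessary). The statement also carries no `aws:SecureTransport` condition; assuming this is the terraform-aws-modules/efs module (the attribute names match), the deny for non-TLS clients comes only from its `deny_nonsecure_transport` input, so confirm that is not disabled elsewhere in the `module "efs"` block, which starts and ends outside this hunk. At minimum, record the intent above `sid`: `# Node role gets mount/write/root on the file system; scope to the CSI driver's IRSA role and drop ClientRootAccess if access points are used.`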
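Review bot: `efs_node_iam_role_arn` is interpolated straight into the file-system policy's `principals` with no validation, so a mistyped or non-role ARN is only caught at apply time, and a valid but wrong role ARN would silently grant mount and root access to the wrong principal. Add a `validation` block to the variable with `condition = can(regex("^arn:aws[a-zA-Z-]*:iam::[0-9]{12}:role/", var.efs_node_iam_role_arn))` and an `error_message` stating that an IAM role ARN is required, and consider `nullable = false`. The description should also say what the role is granted, e.g. `"IAM role ARN of the EKS nodes running the EFS CSI driver; it is granted ClientMount/ClientWrite/ClientRootAccess in the EFS file-system policy"`.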
@@ -36,6 +36,7 @@ Truefoundry AWS EFS Module | [azs](#input\_azs) | Availability Zones | `list(string)` | n/a | yes | | [cluster\_name](#input\_cluster\_name) | EKS Cluster Name | `string` | n/a | yes | | [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | The oidc url of the eks cluster | `string` | n/a | yes | +| [efs\_node\_iam\_role\_arn](#input\_efs\_node\_iam\_role\_arn) | The node IAM role ARN being used by the EFS daemonset | `string` | n/a | yes | | [k8s\_service\_account\_name](#input\_k8s\_service\_account\_name) | The k8s efs service account name | `string` | n/a | yes | | [k8s\_service\_account\_namespace](#input\_k8s\_service\_account\_namespace) | The k8s efs namespace | `string` | n/a | yes | | [performance\_mode](#input\_performance\_mode) | the performance mode for EFS | `string` | n/a | yes | From 8c8e4318d818034926e38a2a94363c865af52945 Mon Sep 17 00:00:00 2001 From: Shubham Rai Date: Tue, 12 Mar 2024 13:57:23 +0530 Subject: [PATCH 3/3] Ran terraform fmt --- efs.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/efs.tf b/efs.tf index 14cf5de..2934057 100644 --- a/efs.tf +++ b/efs.tf @@ -68,10 +68,10 @@ module "efs" { name = "${var.cluster_name}-efs" - mount_targets = { for k, v in zipmap(var.azs, var.private_subnets_id) : k => { subnet_id = v } } - security_group_description = "${var.cluster_name} EFS" - security_group_vpc_id = var.vpc_id - attach_policy = true + mount_targets = { for k, v in zipmap(var.azs, var.private_subnets_id) : k => { subnet_id = v } } + security_group_description = "${var.cluster_name} EFS" + security_group_vpc_id = var.vpc_id + attach_policy = true bypass_policy_lockout_safety_check = false policy_statements = [ { 
@@ -90,8 +90,8 @@ module "efs" {
  }]
  }
  ]
- throughput_mode = var.throughput_mode
- performance_mode = var.performance_mode
+ throughput_mode = var.throughput_mode
+ performance_mode = var.performance_mode
  security_group_rules = {
  vpc = {
  # relying on the defaults provdied for EFS/NFS (2049/TCP + ingress)