From 9fafd29b7bff82255f839902fd53967bdbb8e216 Mon Sep 17 00:00:00 2001
From: nimalank7
Date: Thu, 5 Dec 2024 16:02:43 +0000
Subject: [PATCH] Add AWS EFS CSI Driver

Description:
- Currently assets are stored in `assets_efs` EFS after scanning by ClamAV prior to upload to S3. These are transferred via an NFS mount in each of their pods. We want to move away from this as `nfs` volume type isn't compatible with PSS restricted
- Install the EFS CSI Driver as a first step to migrate from NFS to PersistentVolumes
- As part of https://github.com/alphagov/govuk-helm-charts/issues/1883
---
 .../aws_efs_csi_driver.tf | 29 +++++++++++++++++++
 .../cluster-infrastructure/outputs.tf | 15 ++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 terraform/deployments/cluster-infrastructure/aws_efs_csi_driver.tf

diff --git a/terraform/deployments/cluster-infrastructure/aws_efs_csi_driver.tf b/terraform/deployments/cluster-infrastructure/aws_efs_csi_driver.tf
new file mode 100644
index 000000000..ba3b37d89
--- /dev/null
+++ b/terraform/deployments/cluster-infrastructure/aws_efs_csi_driver.tf
@@ -0,0 +1,29 @@
+resource "helm_release" "efs_csi_driver" {
+ chart = "aws-efs-csi-driver"
+ name = "aws-efs-csi-driver"
+ namespace = "kube-system"
+ repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver"
+ version = "3.1.1" # TODO: Dependabot or equivalent so this doesn't get neglected.
+
+ values = [yamlencode({
+ controller = {
+ serviceAccount = {
+ create = true
+ name = data.terraform_remote_state.cluster_infrastructure.outputs.aws_efs_csi_driver_controller_service_account_name
+ annotations = {
+ "eks.amazonaws.com/role-arn" = data.terraform_remote_state.cluster_infrastructure.outputs.aws_efs_csi_driver_iam_role_arn
+ }
+ }
+ }
+ storageClasses = [{
+ name = "assets_efs-efs-sc"
+ apiVersion = "storage.k8s.io/v1"
+ mountOptions = ["tls"]
+ parameters = {
+ fileSystemId = data.terraform_remote_state.cluster_infrastructure.outputs.assets_efs_id
+ }
+ reclaimPolicy = "Retain"
+ volumeBindingMode = "WaitForFirstConsumer"
+ }]
+ })]
+}
diff --git a/terraform/deployments/cluster-infrastructure/outputs.tf b/terraform/deployments/cluster-infrastructure/outputs.tf
index bfcf50747..810064098 100644
--- a/terraform/deployments/cluster-infrastructure/outputs.tf
+++ b/terraform/deployments/cluster-infrastructure/outputs.tf
@@ -18,6 +18,11 @@ output "aws_ebs_csi_driver_iam_role_arn" {
 value = module.aws_ebs_csi_driver_iam_role.iam_role_arn
 }
 
+output "aws_efs_csi_driver_iam_role_arn" {
+ description = "IAM role ARN for AWS EFS CSI controller role"
+ value = module.aws_efs_csi_driver_iam_role.iam_role_arn
+}
+
 output "control_plane_security_group_id" {
 description = "ID of the security group which contains the (AWS-owned) control plane nodes."
 value = module.eks.cluster_primary_security_group_id
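Review bot: `name = "assets_efs-efs-sc"` in the storageClasses block is not a valid Kubernetes object name — StorageClass names are validated as RFC 1123 DNS subdomains (lowercase alphanumerics, `-` and `.` only), so the underscore will make the chart's StorageClass fail admission and the release fail; use `name = "assets-efs-sc"`. The `parameters` block sets only `fileSystemId`; if the intent (suggested by `WaitForFirstConsumer` and the commit message) is dynamic provisioning of PersistentVolumes, the driver also needs `provisioningMode = "efs-ap"` and `directoryPerms = "700"` so each PVC is backed by its own access point with a restricted root directory instead of pods sharing the filesystem root. The values also read `data.terraform_remote_state.cluster_infrastructure.outputs.*` from inside what the file path suggests is the cluster-infrastructure root module itself; if so, the release can only resolve those after an earlier apply has written the outputs, and referencing `module.aws_efs_csi_driver_iam_role.iam_role_arn`, `local.efs_csi_driver_controller_service_account_name` and `aws_efs_file_system.assets_efs.id` directly (the same values the outputs.tf hunks expose) removes that ordering dependency — or the helm_release belongs in the module that consumes this remote state.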
@@ -93,6 +98,11 @@ output "external_secrets_role_arn" {
 value = module.external_secrets_iam_role.iam_role_arn
 }
 
+output "assets_efs_id" {
+ description = "EFS Filesystem ID for assets"
+ value = aws_efs_file_system.assets_efs.id
+}
+
 output "aws_lb_controller_role_arn" {
 description = "IAM role ARN corresponding to the k8s service account for the AWS Load Balancer Controller."
 value = module.aws_lb_controller_iam_role.iam_role_arn
@@ -108,6 +118,11 @@ output "aws_ebs_csi_driver_controller_service_account_name" {
 value = local.ebs_csi_driver_controller_service_account_name
 }
 
+output "aws_efs_csi_driver_controller_service_account_name" {
+ description = "Name of the k8s service account for the AWS EFS CSI Controller"
+ value = local.efs_csi_driver_controller_service_account_name
+}
+
 output "grafana_iam_role_arn" {
 description = "IAM role ARN corresponding to the k8s service account for Grafana."
 value = module.grafana_iam_role.iam_role_arn