From 240b52ed3690a6150e50690ccc959addfe4d826f Mon Sep 17 00:00:00 2001
From: Venkata Mutyala
Date: Fri, 17 Feb 2023 21:07:51 -0800
Subject: [PATCH] Feature/upgrade eks (#7)
* chore: update aws provider
* feat: adding eks addon for ebs csi driver
* terraform-docs: automated action
---------
Co-authored-by: fernandoataoldotcom
Co-authored-by: github-actions[bot]
---
 README.md | 20 +++++++++++++++-----
 main.tf | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++---
 versions.tf | 2 +-
 3 files changed, 66 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 0327e9e..3a293bc 100644
--- a/README.md
+++ b/README.md
@@ -25,11 +25,14 @@ export AWS_DEFAULT_REGION=us-west-2
 | Name | Version |
 |------|---------|
-| [aws](#requirement\_aws) | 4.48.0 |
+| [aws](#requirement\_aws) | 4.55.0 |
 ## Providers
-No providers.
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 4.55.0 |
+| [tls](#provider\_tls) | n/a |
 ## Modules
@@ -42,15 +45,22 @@ No providers.
 ## Resources
-No resources.
+| Name | Type |
+|------|------|
+| [aws_eks_addon.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/4.55.0/docs/resources/eks_addon) | resource |
+| [aws_iam_role.eks_addon_ebs_csi_role](https://registry.terraform.io/providers/hashicorp/aws/4.55.0/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/4.55.0/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_openid_connect_provider.provider](https://registry.terraform.io/providers/hashicorp/aws/4.55.0/docs/data-sources/iam_openid_connect_provider) | data source |
+| [aws_iam_policy_document.eks_assume_addon_role](https://registry.terraform.io/providers/hashicorp/aws/4.55.0/docs/data-sources/iam_policy_document) | data source |
+| [tls_certificate.cluster_addons](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [eks\_node\_group](#input\_eks\_node\_group) | n/a |
object({
instance_types = list(string)
desired_size = number
min_size = number
max_size = number
})
|
{
"desired_size": 3,
"instance_types": [
"t3a.large"
],
"max_size": 4,
"min_size": 3
}
| no |
+| [eks\_node\_group](#input\_eks\_node\_group) | n/a |
object({
instance_types = list(string)
desired_size = number
min_size = number
max_size = number
})
|
{
"desired_size": 3,
"instance_types": [
"t3a.medium"
],
"max_size": 4,
"min_size": 3
}
| no |
 | [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes |
-| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | The CIDR block for the VPC | `string` | `"10.65.0.0./16"` | no |
+| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | The CIDR block for the VPC | `string` | `"10.65.0.0/16"` | no |
 ## Outputs
diff --git a/main.tf b/main.tf
index 3d8a90d..1731698 100644
--- a/main.tf
+++ b/main.tf
@@ -6,7 +6,7 @@ variable "region" {
 variable "vpc_cidr_block" {
 type = string
 description = "The CIDR block for the VPC"
- default = "10.65.0.0./16"
+ default = "10.65.0.0/16"
 }
 variable "eks_node_group" {
@@ -17,7 +17,7 @@ variable "eks_node_group" {
 max_size = number
 })
 default = {
- instance_types = ["t3a.large"]
+ instance_types = ["t3a.medium"]
 desired_size = 3
 min_size = 3
 max_size = 4
@@ -30,7 +30,7 @@ provider "aws" {
 locals {
 eks_cluster = {
- cluster_version = "1.22"
+ cluster_version = "1.24"
 region = var.region
 }
 vpc = {
@@ -101,6 +101,53 @@ module "kubernetes" {
 kubernetes_version = local.eks_cluster.cluster_version
 }
+data "tls_certificate" "cluster_addons" {
+ url = module.kubernetes.eks_cluster_identity_oidc_issuer
+}
+
+data "aws_iam_openid_connect_provider" "provider" {
+ arn = module.kubernetes.eks_cluster_identity_oidc_issuer_arn
+}
+
+data "aws_iam_policy_document" "eks_assume_addon_role" {
+ statement {
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+ effect = "Allow"
+ principals {
+ identifiers = [data.aws_iam_openid_connect_provider.provider.arn]
+ type = "Federated"
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "${replace(data.aws_iam_openid_connect_provider.provider.url, "https://", "")}:sub"
+ values = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "${replace(data.aws_iam_openid_connect_provider.provider.url, "https://", "")}:aud"
+ values = ["sts.amazonaws.com"]
+ }
+ }
+}
+resource "aws_iam_role" "eks_addon_ebs_csi_role" {
+ assume_role_policy = data.aws_iam_policy_document.eks_assume_addon_role.json
+ name = "AmazonEKS_EBS_CSI_DriverRole"
+}
+
+resource "aws_iam_role_policy_attachment" "ebs_csi" {
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+ role = aws_iam_role.eks_addon_ebs_csi_role.name
+}
+
+resource "aws_eks_addon" "ebs_csi" {
+ cluster_name = module.kubernetes.eks_cluster_id
+ addon_name = "aws-ebs-csi-driver"
+ addon_version = "v1.15.0-eksbuild.1"
+ resolve_conflicts = "OVERWRITE"
+ service_account_role_arn = aws_iam_role.eks_addon_ebs_csi_role.arn
+ depends_on = [aws_iam_role_policy_attachment.ebs_csi, module.node_pool]
+}
diff --git a/versions.tf b/versions.tf
index 98cfaa6..b3525f7 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "4.48.0"
+ version = "4.55.0"
 }
 }
 }
\ No newline at end of file
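Review bot: `data "tls_certificate" "cluster_addons"` at the top of the hunk is never referenced — the trust policy below reads the existing OIDC provider by ARN through `data.aws_iam_openid_connect_provider.provider` — yet it pulls in the `tls` provider, which the versions.tf hunk leaves unpinned (the README now lists it as `n/a`). Either drop that block, or if it is intended for creating the OIDC provider with an `aws_iam_openid_connect_provider` resource, add `tls = { source = "hashicorp/tls", version = "..." }` to `required_providers` so it is pinned like `aws`. The fixed `name = "AmazonEKS_EBS_CSI_DriverRole"` will also collide when a second cluster is deployed into the same account; `name_prefix = "eks-ebs-csi-"` or a name derived from `module.kubernetes.eks_cluster_id` avoids that, while the IRSA trust policy's `:sub`/`:aud` conditions are correctly scoped so the role stays limited to the `ebs-csi-controller-sa` service account. `resolve_conflicts = "OVERWRITE"` silently discards any out-of-band edits to the add-on's configuration, so a one-line comment such as `# OVERWRITE: Terraform is the source of truth for this add-on's config` would tell the next reader it is deliberate. `module "kubernetes"` starts outside the hunk.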