From f28647f752a48148b94a869faa25f1e3dcc2dfaf Mon Sep 17 00:00:00 2001
From: "David.Houck"
Date: Fri, 8 Sep 2023 12:36:05 +0000
Subject: [PATCH 1/4] fix: (IAC-1165) Error: attaching policy msg occurs with a previously working tfvars file - tflint fix: Remove unused variable
---
 docs/CONFIG-VARS.md | 2 +-
 main.tf | 2 +-
 modules/aws_fsx_ontap/main.tf | 10 +++++-----
 modules/aws_fsx_ontap/variables.tf | 6 ------
 4 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 2391d9a5..9e0dacc1 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -291,7 +291,7 @@ When `storage_type=ha` and `storage_type_backend=ontap`, an [AWS FSx for NetApp
 | :--- | :--- | :--- | :--- | :--- |
 | aws_fsx_ontap_deployment_type | The FSx file system availability zone deployment type. | string | SINGLE_AZ_1 | Supported values are `MULTI_AZ_1` and `SINGLE_AZ_1`. |
 | aws_fsx_ontap_file_system_storage_capacity | The storage capacity of the ONTAP file system in GiB. | number | 1024 | Valid values range from 1024 to 196608. |
-| aws_fsx_ontap_file_system_throughput_capacity | The throughput capacity of the ONTAP file system in MBps. | number | 512 | Valid values are 128, 256, 512, 1024, 2048 and 4096. |
+| aws_fsx_ontap_file_system_throughput_capacity | The throughput capacity of the ONTAP file system in MBps. | number | 256 | Valid values are 128, 256, 512, 1024, 2048 and 4096. |
 | aws_fsx_ontap_fsxadmin_password | The ONTAP administrative password for the fsxadmin user. | string | "v3RyS3cretPa$sw0rd" | |
 
 ### AWS Elastic Block Store (EBS)
diff --git a/main.tf b/main.tf
index fde253aa..7b9d7ca3 100755
--- a/main.tf
+++ b/main.tf
@@ -190,9 +190,9 @@ module "ebs" {
 
 module "ontap" {
 source = "./modules/aws_fsx_ontap"
+ count = var.storage_type_backend == "ontap" ? 1 : 0
 prefix = var.prefix
- cluster_name = local.cluster_name
 tags = local.tags
 iam_user_name = local.aws_caller_identity_user_name
 }
 
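Review bot: Adding `count` to `module "ontap"` moves its state address from `module.ontap` to `module.ontap[0]`, so an existing deployment will plan to destroy and recreate the module's IAM policy and user-policy attachment unless a `moved { from = module.ontap  to = module.ontap[0] }` block is added alongside; any `module.ontap.<output>` references elsewhere in the root module would also need `module.ontap[0].<output>` or `one(module.ontap)`, which cannot be checked from this hunk. The docs hunk above states that FSx ONTAP applies when `storage_type=ha` and `storage_type_backend=ontap`, while the new condition checks only the backend; if the root module does not validate that combination elsewhere, `count = var.storage_type == "ha" && var.storage_type_backend == "ontap" ? 1 : 0` would match the documented contract. A short comment on the `count` line, such as `# Module attaches an FSx IAM policy to the Terraform IAM user; only instantiate when ONTAP is selected`, would record why the module is conditional.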
diff --git a/modules/aws_fsx_ontap/main.tf b/modules/aws_fsx_ontap/main.tf
index 1bb19b7e..899040c1 100644
--- a/modules/aws_fsx_ontap/main.tf
+++ b/modules/aws_fsx_ontap/main.tf
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # Permissions based off the IAM Policies required to manage fsx_ontap resources in this project
-data "aws_iam_policy_document" "worker_fsx_ontap" {
+data "aws_iam_policy_document" "fsx_ontap" {
 statement {
 sid = "fsxFileSystemOwn"
 effect = "Allow"
@@ -66,10 +66,10 @@ data "aws_iam_policy_document" "fsx_ontap" {
 }
 }
 
-resource "aws_iam_policy" "worker_fsx_ontap" {
+resource "aws_iam_policy" "fsx_ontap" {
 name_prefix = "${var.prefix}-fsx-ontap"
- description = "EKS worker node fsx_ontap policy for cluster ${var.cluster_name}"
- policy = data.aws_iam_policy_document.worker_fsx_ontap.json
+ description = "FSx policy document for user ${data.aws_iam_user.terraform.user_name}"
+ policy = data.aws_iam_policy_document.fsx_ontap.json
 tags = var.tags
 }
 
@@ -79,5 +79,5 @@ data "aws_iam_user" "terraform" {
 
 resource "aws_iam_user_policy_attachment" "attachment" {
 user = data.aws_iam_user.terraform.user_name
- policy_arn = aws_iam_policy.worker_fsx_ontap.arn
+ policy_arn = aws_iam_policy.fsx_ontap.arn
 }
diff --git a/modules/aws_fsx_ontap/variables.tf b/modules/aws_fsx_ontap/variables.tf
index b1fe73ae..3eaed5ca 100644
--- a/modules/aws_fsx_ontap/variables.tf
+++ b/modules/aws_fsx_ontap/variables.tf
@@ -7,12 +7,6 @@ variable "prefix" {
 default = ""
 }
 
-variable "cluster_name" {
- description = "Name of EKS cluster"
- type = string
- default = ""
-}
-
 variable "tags" {
 description = "Tags used for fsx_ontap"
 type = map(any)
From c693d3a6ed12812627a0b3f941a2440663ad4ea4 Mon Sep 17 00:00:00 2001
From: "David.Houck"
Date: Fri, 8 Sep 2023 14:43:34 +0000
Subject: [PATCH 2/4] Update description per review comment
---
 modules/aws_fsx_ontap/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
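Review bot: Renaming `aws_iam_policy.worker_fsx_ontap` to `aws_iam_policy.fsx_ontap` in the second hunk (and the matching `policy_arn` reference in the third) is a state-address change, so without a `moved { from = aws_iam_policy.worker_fsx_ontap  to = aws_iam_policy.fsx_ontap }` block in the module Terraform will destroy and recreate the policy and its `aws_iam_user_policy_attachment` on existing deployments; because that policy is attached to the IAM user running Terraform, the recreate could briefly strip that user's FSx permissions mid-apply. The new description makes explicit that the policy is granted to the caller rather than to EKS worker nodes, which is the security-relevant fact here: the Terraform user is extending its own permissions, so the `iam:AttachUserPolicy`/`iam:DetachUserPolicy` grants the docs now require should be restricted to that user's ARN and to this policy (for example via the `iam:PolicyARN` condition key) rather than allowed unconditionally. A comment above the resource, e.g. `# Attached to the IAM user executing Terraform (see data "aws_iam_user" "terraform"), not to EKS nodes`, would keep that intent visible to the next maintainer.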
diff --git a/modules/aws_fsx_ontap/main.tf b/modules/aws_fsx_ontap/main.tf
index 899040c1..468e1bf4 100644
--- a/modules/aws_fsx_ontap/main.tf
+++ b/modules/aws_fsx_ontap/main.tf
@@ -68,7 +68,7 @@ data "aws_iam_policy_document" "fsx_ontap" {
 
 resource "aws_iam_policy" "fsx_ontap" {
 name_prefix = "${var.prefix}-fsx-ontap"
- description = "FSx policy document for user ${data.aws_iam_user.terraform.user_name}"
+ description = "FSx policy for user ${data.aws_iam_user.terraform.user_name}"
 policy = data.aws_iam_policy_document.fsx_ontap.json
 tags = var.tags
 }
From c34b55b2c031a5c541591405ef1205568ec8fcb0 Mon Sep 17 00:00:00 2001
From: "David.Houck"
Date: Fri, 8 Sep 2023 15:19:58 +0000
Subject: [PATCH 3/4] Add new FSx IAM policy requirements to CONFIG-VARS.md FSx section
---
 docs/CONFIG-VARS.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index 9e0dacc1..ae99da8c 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -294,6 +294,8 @@ When `storage_type=ha` and `storage_type_backend=ontap`, an [AWS FSx for NetApp
 | aws_fsx_ontap_file_system_throughput_capacity | The throughput capacity of the ONTAP file system in MBps. | number | 256 | Valid values are 128, 256, 512, 1024, 2048 and 4096. |
 | aws_fsx_ontap_fsxadmin_password | The ONTAP administrative password for the fsxadmin user. | string | "v3RyS3cretPa$sw0rd" | |
 
+**Note:** The base [IAM Policy](../files/policies/devops-iac-eks-policy.json) document has been updated for the 7.2.0 release to suport FSx for NetApp ONTAP. You will need to add the iam:AttachUserPolicy and iam:DetachUserPolicy permissions to your user's existing base policy document to use FSx for NetApp ONTAP features added in the 7.2.0 release.
+
 ### AWS Elastic Block Store (EBS)
 
 [AWS Elastic Block Store](https://aws.amazon.com/ebs/) is a block-level storage service provided by AWS for use with EC2 instances. EBS provides persistent storage for EC2 instances, allowing data to persist even after an EC2 instance is stopped or terminated. EBS volumes can be used as the root device for an EC2 instance, or as additional storage volumes. They can be attached and detached from instances as needed and can also be encrypted for increased security.
From 016fa24efeda9a6f90b47079576db84ab39e834d Mon Sep 17 00:00:00 2001
From: "David.Houck"
Date: Fri, 8 Sep 2023 18:47:30 +0000
Subject: [PATCH 4/4] fix typo
---
 docs/CONFIG-VARS.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md
index ae99da8c..11482028 100644
--- a/docs/CONFIG-VARS.md
+++ b/docs/CONFIG-VARS.md
@@ -294,7 +294,7 @@ When `storage_type=ha` and `storage_type_backend=ontap`, an [AWS FSx for NetApp
 | aws_fsx_ontap_file_system_throughput_capacity | The throughput capacity of the ONTAP file system in MBps. | number | 256 | Valid values are 128, 256, 512, 1024, 2048 and 4096. |
 | aws_fsx_ontap_fsxadmin_password | The ONTAP administrative password for the fsxadmin user. | string | "v3RyS3cretPa$sw0rd" | |
 
-**Note:** The base [IAM Policy](../files/policies/devops-iac-eks-policy.json) document has been updated for the 7.2.0 release to suport FSx for NetApp ONTAP. You will need to add the iam:AttachUserPolicy and iam:DetachUserPolicy permissions to your user's existing base policy document to use FSx for NetApp ONTAP features added in the 7.2.0 release.
+**Note:** The base [IAM Policy](../files/policies/devops-iac-eks-policy.json) document has been updated for the 7.2.0 release to support FSx for NetApp ONTAP. You will need to add the iam:AttachUserPolicy and iam:DetachUserPolicy permissions to your user's existing base policy document to use FSx for NetApp ONTAP features added in the 7.2.0 release.
 
 ### AWS Elastic Block Store (EBS)