feat: Add support for Mountpoint S3 CSI driver

terraform-aws-modules · Mar 19, 2024 · 801ce9b · 801ce9b
1 parent b75e8de
commit 801ce9b
Show file tree

Hide file tree

Showing 6 changed files with 123 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -286,6 +286,22 @@ module "amazon_managed_service_prometheus_pod_identity" {
 }
 ```
 
+### [Mountpoint S3 CSI Driver](https://github.com/awslabs/mountpoint-s3)
+
+module "mountpoint_s3_csi_pod_identity" {
+  source = "terraform-aws-modules/eks-pod-identity/aws"
+
+  name = "mountpoint-s3-csi"
+
+  attach_mountpoint_s3_csi_policy    = true
+  mountpoint_s3_csi_bucket_arns      = ["arn:aws:s3:::mountpoint-s3"]
+  mountpoint_s3_csi_bucket_path_arns = ["arn:aws:s3:::mountpoint-s3/example/*"]
+
+  tags = {
+    Environment = "dev"
+  }
+}
+
 ### [AWS Node Termination Handler](https://github.com/aws/aws-node-termination-handler)
 
 ```hcl
@@ -327,9 +343,9 @@ module "velero_pod_identity" {
 
   name = "velero"
 
-  attach_velero_policy   = true
-  velero_s3_bucket_arns  = ["arn:aws:s3:::velero-backups"]
-  velero_s3_bucket_paths = ["arn:aws:s3:::velero-backups/example/*"]
+  attach_velero_policy       = true
+  velero_s3_bucket_arns      = ["arn:aws:s3:::velero-backups"]
+  velero_s3_bucket_path_arns = ["arn:aws:s3:::velero-backups/example/*"]
 
   tags = {
     Environment = "dev"
@@ -414,6 +430,7 @@ No modules.
 | [aws_iam_policy.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lb_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lb_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.mountpoint_s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -434,6 +451,7 @@ No modules.
 | [aws_iam_role_policy_attachment.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lb_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lb_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.mountpoint_s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -454,6 +472,7 @@ No modules.
 | [aws_iam_policy_document.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lb_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lb_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.mountpoint_s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -486,6 +505,7 @@ No modules.
 | <a name="input_attach_custom_policy"></a> [attach\_custom\_policy](#input\_attach\_custom\_policy) | Determines whether to attach the custom IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_external_dns_policy"></a> [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_external_secrets_policy"></a> [attach\_external\_secrets\_policy](#input\_attach\_external\_secrets\_policy) | Determines whether to attach the External Secrets policy to the role | `bool` | `false` | no |
+| <a name="input_attach_mountpoint_s3_csi_policy"></a> [attach\_mountpoint\_s3\_csi\_policy](#input\_attach\_mountpoint\_s3\_csi\_policy) | Determines whether to attach the Mountpoint S3 CSI IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_velero_policy"></a> [attach\_velero\_policy](#input\_attach\_velero\_policy) | Determines whether to attach the Velero IAM policy to the role | `bool` | `false` | no |
 | <a name="input_aws_ebs_csi_kms_arns"></a> [aws\_ebs\_csi\_kms\_arns](#input\_aws\_ebs\_csi\_kms\_arns) | KMS key ARNs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
 | <a name="input_aws_ebs_csi_policy_name"></a> [aws\_ebs\_csi\_policy\_name](#input\_aws\_ebs\_csi\_policy\_name) | Custom name of the EBS CSI IAM policy | `string` | `null` | no |
@@ -518,6 +538,9 @@ No modules.
 | <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
 | <a name="input_external_secrets_ssm_parameter_arns"></a> [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
+| <a name="input_mountpoint_s3_csi_bucket_arns"></a> [mountpoint\_s3\_csi\_bucket\_arns](#input\_mountpoint\_s3\_csi\_bucket\_arns) | List of S3 Bucket ARNs that Mountpoint S3 CSI needs access to list | `list(string)` | `[]` | no |
+| <a name="input_mountpoint_s3_csi_bucket_path_arns"></a> [mountpoint\_s3\_csi\_bucket\_path\_arns](#input\_mountpoint\_s3\_csi\_bucket\_path\_arns) | S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no |
+| <a name="input_mountpoint_s3_csi_policy_name"></a> [mountpoint\_s3\_csi\_policy\_name](#input\_mountpoint\_s3\_csi\_policy\_name) | Custom name of the Mountpoint S3 CSI IAM policy | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of IAM role | `string` | `""` | no |
 | <a name="input_override_policy_documents"></a> [override\_policy\_documents](#input\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document | `list(string)` | `[]` | no |
 | <a name="input_path"></a> [path](#input\_path) | Path of IAM role | `string` | `"/"` | no |
@@ -530,7 +553,7 @@ No modules.
 | <a name="input_use_name_prefix"></a> [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether the role name and policy name(s) are used as a prefix | `string` | `true` | no |
 | <a name="input_velero_policy_name"></a> [velero\_policy\_name](#input\_velero\_policy\_name) | Custom name of the Velero IAM policy | `string` | `null` | no |
 | <a name="input_velero_s3_bucket_arns"></a> [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to list | `list(string)` | `[]` | no |
-| <a name="input_velero_s3_bucket_paths"></a> [velero\_s3\_bucket\_paths](#input\_velero\_s3\_bucket\_paths) | List of S3 Bucket paths that Velero needs access to in order to backup and restore cluster resources | `list(string)` | `[]` | no |
+| <a name="input_velero_s3_bucket_path_arns"></a> [velero\_s3\_bucket\_path\_arns](#input\_velero\_s3\_bucket\_path\_arns) | S3 path ARNs to allow Velero to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no |
 
 ## Outputs
 

diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -52,6 +52,7 @@ Note that this example may create resources which will incur monetary charges on
 | <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../ | n/a |
 | <a name="module_external_dns_pod_identity"></a> [external\_dns\_pod\_identity](#module\_external\_dns\_pod\_identity) | ../../ | n/a |
 | <a name="module_external_secrets_pod_identity"></a> [external\_secrets\_pod\_identity](#module\_external\_secrets\_pod\_identity) | ../../ | n/a |
+| <a name="module_mountpoint_s3_csi_pod_identity"></a> [mountpoint\_s3\_csi\_pod\_identity](#module\_mountpoint\_s3\_csi\_pod\_identity) | ../../ | n/a |
 | <a name="module_velero_pod_identity"></a> [velero\_pod\_identity](#module\_velero\_pod\_identity) | ../../ | n/a |
 
 ## Resources

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -185,6 +185,18 @@ module "amazon_managed_service_prometheus_pod_identity" {
   tags = local.tags
 }
 
+module "mountpoint_s3_csi_pod_identity" {
+  source = "../../"
+
+  name = "mountpoint-s3-csi"
+
+  attach_mountpoint_s3_csi_policy    = true
+  mountpoint_s3_csi_bucket_arns      = ["arn:aws:s3:::mountpoint-s3"]
+  mountpoint_s3_csi_bucket_path_arns = ["arn:aws:s3:::mountpoint-s3/example/*"]
+
+  tags = local.tags
+}
+
 module "aws_node_termination_handler_pod_identity" {
   source = "../../"
 
@@ -212,9 +224,9 @@ module "velero_pod_identity" {
 
   name = "velero"
 
-  attach_velero_policy   = true
-  velero_s3_bucket_arns  = ["arn:aws:s3:::velero-backups"]
-  velero_s3_bucket_paths = ["arn:aws:s3:::velero-backups/example/*"]
+  attach_velero_policy       = true
+  velero_s3_bucket_arns      = ["arn:aws:s3:::velero-backups"]
+  velero_s3_bucket_path_arns = ["arn:aws:s3:::velero-backups/example/*"]
 
   tags = local.tags
 }

diff --git a/mountpoint_s3_csi.tf b/mountpoint_s3_csi.tf
@@ -0,0 +1,52 @@
+################################################################################
+# Mountpoint S3 CSI Driver Policy
+################################################################################
+
+#https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions
+
+data "aws_iam_policy_document" "mountpoint_s3_csi" {
+  count = var.create && var.attach_mountpoint_s3_csi_policy ? 1 : 0
+
+  source_policy_documents   = [data.aws_iam_policy_document.base[0].json]
+  override_policy_documents = var.override_policy_documents
+
+  statement {
+    sid       = "MountpointFullBucketAccess"
+    actions   = ["s3:ListBucket"]
+    resources = coalescelist(var.mountpoint_s3_csi_bucket_arns, ["arn:${local.partition}:s3:::*"])
+  }
+
+  statement {
+    sid = "MountpointFullObjectAccess"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:AbortMultipartUpload",
+      "s3:DeleteObject"
+    ]
+    resources = var.mountpoint_s3_csi_bucket_path_arns
+  }
+}
+
+locals {
+  mountpoint_s3_csi_policy_name = coalesce(var.mountpoint_s3_csi_policy_name, "${var.policy_name_prefix}MountpointS3CSI")
+}
+
+resource "aws_iam_policy" "mountpoint_s3_csi" {
+  count = var.create && var.attach_mountpoint_s3_csi_policy ? 1 : 0
+
+  name        = var.use_name_prefix ? null : local.mountpoint_s3_csi_policy_name
+  name_prefix = var.use_name_prefix ? "${local.mountpoint_s3_csi_policy_name}-" : null
+  path        = var.path
+  description = "Permissions for Mountpoint S3 CSI Driver"
+  policy      = data.aws_iam_policy_document.mountpoint_s3_csi[0].json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "mountpoint_s3_csi" {
+  count = var.create && var.attach_mountpoint_s3_csi_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].name
+  policy_arn = aws_iam_policy.mountpoint_s3_csi[0].arn
+}
diff --git a/variables.tf b/variables.tf
@@ -412,6 +412,31 @@ variable "external_secrets_create_permission" {
   default     = false
 }
 
+# Mountpoint S3 CSI
+variable "attach_mountpoint_s3_csi_policy" {
+  description = "Determines whether to attach the Mountpoint S3 CSI IAM policy to the role"
+  type        = bool
+  default     = false
+}
+
+variable "mountpoint_s3_csi_policy_name" {
+  description = "Custom name of the Mountpoint S3 CSI IAM policy"
+  type        = string
+  default     = null
+}
+
+variable "mountpoint_s3_csi_bucket_arns" {
+  description = "List of S3 Bucket ARNs that Mountpoint S3 CSI needs access to list"
+  type        = list(string)
+  default     = []
+}
+
+variable "mountpoint_s3_csi_bucket_path_arns" {
+  description = "S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true`"
+  type        = list(string)
+  default     = []
+}
+
 # Velero
 variable "attach_velero_policy" {
   description = "Determines whether to attach the Velero IAM policy to the role"
@@ -431,8 +456,8 @@ variable "velero_s3_bucket_arns" {
   default     = []
 }
 
-variable "velero_s3_bucket_paths" {
-  description = "List of S3 Bucket paths that Velero needs access to in order to backup and restore cluster resources"
+variable "velero_s3_bucket_path_arns" {
+  description = "S3 path ARNs to allow Velero to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true`"
   type        = list(string)
   default     = []
 }
diff --git a/velero.tf b/velero.tf
@@ -33,7 +33,7 @@ data "aws_iam_policy_document" "velero" {
       "s3:AbortMultipartUpload",
       "s3:ListMultipartUploadParts",
     ]
-    resources = var.velero_s3_bucket_paths
+    resources = var.velero_s3_bucket_path_arns
   }
 
   statement {