diff --git a/README.md b/README.md
index 89b1a95..219f3a1 100644
--- a/README.md
+++ b/README.md
@@ -286,6 +286,22 @@ module "amazon_managed_service_prometheus_pod_identity" {
}
```
+### [Mountpoint S3 CSI Driver](https://github.com/awslabs/mountpoint-s3)
+
+module "mountpoint_s3_csi_pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+
+ name = "mountpoint-s3-csi"
+
+ attach_mountpoint_s3_csi_policy = true
+ mountpoint_s3_csi_bucket_arns = ["arn:aws:s3:::mountpoint-s3"]
+ mountpoint_s3_csi_bucket_path_arns = ["arn:aws:s3:::mountpoint-s3/example/*"]
+
+ tags = {
+ Environment = "dev"
+ }
+}
+
### [AWS Node Termination Handler](https://github.com/aws/aws-node-termination-handler)
```hcl
@@ -327,9 +343,9 @@ module "velero_pod_identity" {
name = "velero"
- attach_velero_policy = true
- velero_s3_bucket_arns = ["arn:aws:s3:::velero-backups"]
- velero_s3_bucket_paths = ["arn:aws:s3:::velero-backups/example/*"]
+ attach_velero_policy = true
+ velero_s3_bucket_arns = ["arn:aws:s3:::velero-backups"]
+ velero_s3_bucket_path_arns = ["arn:aws:s3:::velero-backups/example/*"]
tags = {
Environment = "dev"
@@ -414,6 +430,7 @@ No modules.
| [aws_iam_policy.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.lb_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.lb_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.mountpoint_s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -434,6 +451,7 @@ No modules.
| [aws_iam_role_policy_attachment.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.lb_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.lb_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.mountpoint_s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -454,6 +472,7 @@ No modules.
| [aws_iam_policy_document.fsx_lustre_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.lb_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.lb_controller_targetgroup_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.mountpoint_s3_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -486,6 +505,7 @@ No modules.
| [attach\_custom\_policy](#input\_attach\_custom\_policy) | Determines whether to attach the custom IAM policy to the role | `bool` | `false` | no |
| [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
| [attach\_external\_secrets\_policy](#input\_attach\_external\_secrets\_policy) | Determines whether to attach the External Secrets policy to the role | `bool` | `false` | no |
+| [attach\_mountpoint\_s3\_csi\_policy](#input\_attach\_mountpoint\_s3\_csi\_policy) | Determines whether to attach the Mountpoint S3 CSI IAM policy to the role | `bool` | `false` | no |
| [attach\_velero\_policy](#input\_attach\_velero\_policy) | Determines whether to attach the Velero IAM policy to the role | `bool` | `false` | no |
| [aws\_ebs\_csi\_kms\_arns](#input\_aws\_ebs\_csi\_kms\_arns) | KMS key ARNs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
| [aws\_ebs\_csi\_policy\_name](#input\_aws\_ebs\_csi\_policy\_name) | Custom name of the EBS CSI IAM policy | `string` | `null` | no |
@@ -518,6 +538,9 @@ No modules.
| [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
| [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | `[]` | no |
| [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
+| [mountpoint\_s3\_csi\_bucket\_arns](#input\_mountpoint\_s3\_csi\_bucket\_arns) | List of S3 Bucket ARNs that Mountpoint S3 CSI needs access to list | `list(string)` | `[]` | no |
+| [mountpoint\_s3\_csi\_bucket\_path\_arns](#input\_mountpoint\_s3\_csi\_bucket\_path\_arns) | S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no |
+| [mountpoint\_s3\_csi\_policy\_name](#input\_mountpoint\_s3\_csi\_policy\_name) | Custom name of the Mountpoint S3 CSI IAM policy | `string` | `null` | no |
| [name](#input\_name) | Name of IAM role | `string` | `""` | no |
| [override\_policy\_documents](#input\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document | `list(string)` | `[]` | no |
| [path](#input\_path) | Path of IAM role | `string` | `"/"` | no |
@@ -530,7 +553,7 @@ No modules.
| [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether the role name and policy name(s) are used as a prefix | `string` | `true` | no |
| [velero\_policy\_name](#input\_velero\_policy\_name) | Custom name of the Velero IAM policy | `string` | `null` | no |
| [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to list | `list(string)` | `[]` | no |
-| [velero\_s3\_bucket\_paths](#input\_velero\_s3\_bucket\_paths) | List of S3 Bucket paths that Velero needs access to in order to backup and restore cluster resources | `list(string)` | `[]` | no |
+| [velero\_s3\_bucket\_path\_arns](#input\_velero\_s3\_bucket\_path\_arns) | S3 path ARNs to allow Velero to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no |
## Outputs
diff --git a/examples/complete/README.md b/examples/complete/README.md
index 211250a..8254dea 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -52,6 +52,7 @@ Note that this example may create resources which will incur monetary charges on
| [disabled](#module\_disabled) | ../../ | n/a |
| [external\_dns\_pod\_identity](#module\_external\_dns\_pod\_identity) | ../../ | n/a |
| [external\_secrets\_pod\_identity](#module\_external\_secrets\_pod\_identity) | ../../ | n/a |
+| [mountpoint\_s3\_csi\_pod\_identity](#module\_mountpoint\_s3\_csi\_pod\_identity) | ../../ | n/a |
| [velero\_pod\_identity](#module\_velero\_pod\_identity) | ../../ | n/a |
## Resources
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index dee7a4a..e1623c3 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -185,6 +185,18 @@ module "amazon_managed_service_prometheus_pod_identity" {
tags = local.tags
}
+module "mountpoint_s3_csi_pod_identity" {
+ source = "../../"
+
+ name = "mountpoint-s3-csi"
+
+ attach_mountpoint_s3_csi_policy = true
+ mountpoint_s3_csi_bucket_arns = ["arn:aws:s3:::mountpoint-s3"]
+ mountpoint_s3_csi_bucket_path_arns = ["arn:aws:s3:::mountpoint-s3/example/*"]
+
+ tags = local.tags
+}
+
module "aws_node_termination_handler_pod_identity" {
source = "../../"
@@ -212,9 +224,9 @@ module "velero_pod_identity" {
name = "velero"
- attach_velero_policy = true
- velero_s3_bucket_arns = ["arn:aws:s3:::velero-backups"]
- velero_s3_bucket_paths = ["arn:aws:s3:::velero-backups/example/*"]
+ attach_velero_policy = true
+ velero_s3_bucket_arns = ["arn:aws:s3:::velero-backups"]
+ velero_s3_bucket_path_arns = ["arn:aws:s3:::velero-backups/example/*"]
tags = local.tags
}
diff --git a/mountpoint_s3_csi.tf b/mountpoint_s3_csi.tf
new file mode 100644
index 0000000..fb7aad8
--- /dev/null
+++ b/mountpoint_s3_csi.tf
@@ -0,0 +1,52 @@
+################################################################################
+# Mountpoint S3 CSI Driver Policy
+################################################################################
+
+#https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions
+
+data "aws_iam_policy_document" "mountpoint_s3_csi" {
+ count = var.create && var.attach_mountpoint_s3_csi_policy ? 1 : 0
+
+ source_policy_documents = [data.aws_iam_policy_document.base[0].json]
+ override_policy_documents = var.override_policy_documents
+
+ statement {
+ sid = "MountpointFullBucketAccess"
+ actions = ["s3:ListBucket"]
+ resources = coalescelist(var.mountpoint_s3_csi_bucket_arns, ["arn:${local.partition}:s3:::*"])
+ }
+
+ statement {
+ sid = "MountpointFullObjectAccess"
+ actions = [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:AbortMultipartUpload",
+ "s3:DeleteObject"
+ ]
+ resources = var.mountpoint_s3_csi_bucket_path_arns
+ }
+}
+
+locals {
+ mountpoint_s3_csi_policy_name = coalesce(var.mountpoint_s3_csi_policy_name, "${var.policy_name_prefix}MountpointS3CSI")
+}
+
+resource "aws_iam_policy" "mountpoint_s3_csi" {
+ count = var.create && var.attach_mountpoint_s3_csi_policy ? 1 : 0
+
+ name = var.use_name_prefix ? null : local.mountpoint_s3_csi_policy_name
+ name_prefix = var.use_name_prefix ? "${local.mountpoint_s3_csi_policy_name}-" : null
+ path = var.path
+ description = "Permissions for Mountpoint S3 CSI Driver"
+ policy = data.aws_iam_policy_document.mountpoint_s3_csi[0].json
+
+ tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "mountpoint_s3_csi" {
+ count = var.create && var.attach_mountpoint_s3_csi_policy ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+ policy_arn = aws_iam_policy.mountpoint_s3_csi[0].arn
+}
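Review bot: The `MountpointFullBucketAccess` statement falls back to `arn:${local.partition}:s3:::*` when `mountpoint_s3_csi_bucket_arns` is left at its `[]` default, so a caller who sets only `attach_mountpoint_s3_csi_policy = true` ends up with `s3:ListBucket` over every bucket in the partition, and neither the variable description ("needs access to list") nor the README says so. Either drop the `coalescelist` fallback so an empty list grants nothing, or state it in the description, e.g. `description = "List of S3 Bucket ARNs that Mountpoint S3 CSI needs access to list. When empty, ListBucket is granted on all buckets in the partition"`. The `MountpointFullObjectAccess` statement passes `var.mountpoint_s3_csi_bucket_path_arns` through unguarded even though the variable is documented as required when the policy is attached; with the `[]` default the rendered statement would presumably have no `Resource` and fail at apply rather than plan. A resource precondition on `aws_iam_policy.mountpoint_s3_csi` (requires a Terraform version with `lifecycle.precondition`; the page does not show `required_version`) would surface the documented constraint at plan time.
```hcl
resource "aws_iam_policy" "mountpoint_s3_csi" {
  count = var.create && var.attach_mountpoint_s3_csi_policy ? 1 : 0

  # … unchanged: name, name_prefix, path, description, policy, tags …

  lifecycle {
    precondition {
      condition     = length(var.mountpoint_s3_csi_bucket_path_arns) > 0
      error_message = "mountpoint_s3_csi_bucket_path_arns must be set when attach_mountpoint_s3_csi_policy is true."
    }
  }
}
```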
diff --git a/variables.tf b/variables.tf
index ec3c044..29f0c98 100644
--- a/variables.tf
+++ b/variables.tf
@@ -412,6 +412,31 @@ variable "external_secrets_create_permission" {
default = false
}
+# Mountpoint S3 CSI
+variable "attach_mountpoint_s3_csi_policy" {
+ description = "Determines whether to attach the Mountpoint S3 CSI IAM policy to the role"
+ type = bool
+ default = false
+}
+
+variable "mountpoint_s3_csi_policy_name" {
+ description = "Custom name of the Mountpoint S3 CSI IAM policy"
+ type = string
+ default = null
+}
+
+variable "mountpoint_s3_csi_bucket_arns" {
+ description = "List of S3 Bucket ARNs that Mountpoint S3 CSI needs access to list"
+ type = list(string)
+ default = []
+}
+
+variable "mountpoint_s3_csi_bucket_path_arns" {
+ description = "S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true`"
+ type = list(string)
+ default = []
+}
+
# Velero
variable "attach_velero_policy" {
description = "Determines whether to attach the Velero IAM policy to the role"
@@ -431,8 +456,8 @@ variable "velero_s3_bucket_arns" {
default = []
}
-variable "velero_s3_bucket_paths" {
- description = "List of S3 Bucket paths that Velero needs access to in order to backup and restore cluster resources"
+variable "velero_s3_bucket_path_arns" {
+ description = "S3 path ARNs to allow Velero to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true`"
type = list(string)
default = []
}
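Review bot: The new description for `velero_s3_bucket_path_arns` says it is required if `attach_mountpoint_s3_csi_policy = true`, which looks like a copy-paste from the Mountpoint variable; the trailing sentence should reference `attach_velero_policy = true` instead, and the matching README table row in this commit carries the same wording (presumably regenerated by terraform-docs, so fixing it here is enough). Renaming `velero_s3_bucket_paths` to `velero_s3_bucket_path_arns` with no deprecated alias is a breaking change for existing callers, whose plans will now fail with an unsupported argument; it is worth calling out in the changelog or release notes so the rename is not mistaken for a silent behavior change.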
diff --git a/velero.tf b/velero.tf
index 9764106..4a07cd9 100644
--- a/velero.tf
+++ b/velero.tf
@@ -33,7 +33,7 @@ data "aws_iam_policy_document" "velero" {
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
]
- resources = var.velero_s3_bucket_paths
+ resources = var.velero_s3_bucket_path_arns
}
statement {