authorPaul Buetow <paul@buetow.org>2024-07-04 00:01:25 +0300
committerPaul Buetow <paul@buetow.org>2024-07-04 00:01:25 +0300
commitf8f73692c13928b1337bdf5f2081a52bc9f90d38 (patch)
tree24f8bf29b41c2ac780ea1842a540b04e71cb1d16 /org-buetow-eks
parent612667b7651d6060f063af38e387b337b6d7ba03 (diff)
initial EFS CSI driver for EKS
Diffstat (limited to 'org-buetow-eks')
-rw-r--r--org-buetow-eks/Makefile5
-rw-r--r--org-buetow-eks/efscsi.tf62
-rw-r--r--org-buetow-eks/main.tf1
3 files changed, 68 insertions, 0 deletions
diff --git a/org-buetow-eks/Makefile b/org-buetow-eks/Makefile
new file mode 100644
index 0000000..ac16539
--- /dev/null
+++ b/org-buetow-eks/Makefile
@@ -0,0 +1,5 @@
+apply:
+ terraform apply -auto-approve
+destroy:
+ terraform destroy -auto-approve
+recreate: destroy apply
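Review bot: Both recipes pass `-auto-approve`, so `make destroy` and `make recreate` tear down everything in this directory, including the IAM role and the EKS add-on from efscsi.tf, without showing a plan or asking for confirmation. I would keep the interactive prompt on the destructive target (`terraform destroy`) and apply from a reviewed plan file, `terraform plan -out=tfplan` followed by `terraform apply tfplan`. The targets are not files, so a `.PHONY: apply destroy recreate` line is also missing.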
diff --git a/org-buetow-eks/efscsi.tf b/org-buetow-eks/efscsi.tf
new file mode 100644
index 0000000..dcf96c5
--- /dev/null
+++ b/org-buetow-eks/efscsi.tf
@@ -0,0 +1,62 @@
+data "aws_iam_policy_document" "efs_csi_policy" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "elasticfilesystem:DescribeFileSystems"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ effect = "Allow"
+ actions = [
+ "elasticfilesystem:CreateAccessPoint",
+ "elasticfilesystem:DeleteAccessPoint",
+ "elasticfilesystem:DescribeAccessPoints",
+ "elasticfilesystem:DescribeMountTargets"
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "efs_csi_policy" {
+ name = "AmazonEKS_EFS_CSI_DriverPolicy"
+ description = "Policy for EFS CSI Driver"
+ policy = data.aws_iam_policy_document.efs_csi_policy.json
+}
+
+resource "aws_iam_role" "efs_csi_role" {
+ name = "AmazonEKS_EFS_CSI_DriverRole"
+
+ assume_role_policy = jsonencode({
+ Version : "2012-10-17"
+ Statement : [
+ {
+ Effect : "Allow"
+ Principal : {
+ Service : "eks.amazonaws.com"
+ }
+ Action : "sts:AssumeRole"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "efs_csi_role_policy_attachment" {
+ role = aws_iam_role.efs_csi_role.name
+ policy_arn = aws_iam_policy.efs_csi_policy.arn
+}
+
+resource "aws_eks_addon" "efs_csi_addon" {
+ cluster_name = var.cluster_name
+ addon_name = "aws-efs-csi-driver"
+ addon_version = "v2.0.4-eksbuild.1" # You can specify exact version if needed.
+ service_account_role_arn = aws_iam_role.efs_csi_role.arn
+
+ depends_on = [
+ # Ensure the add-on is installed after the role is c reated
+ aws_iam_role_policy_attachment.efs_csi_role_policy_attachment
+ ]
+}
+
+
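Review bot: The trust policy on `aws_iam_role.efs_csi_role` allows the service principal `eks.amazonaws.com` to call `sts:AssumeRole`, but the role is handed to the add-on as `service_account_role_arn`, which the driver's pods normally assume through the cluster's IAM OIDC provider with `sts:AssumeRoleWithWebIdentity`. As written the driver pods presumably cannot obtain these credentials, while the trust is broader than the one service account that needs it. The trust statement should name the OIDC provider as a federated principal and pin `aud` and `sub` to the controller service account (by default `efs-csi-controller-sa` in `kube-system`, worth confirming for this add-on version), as sketched below with placeholders for the provider values this commit does not define. Separately, `CreateAccessPoint` and `DeleteAccessPoint` are granted on `resources = ["*"]` with no condition, so the role could delete access points it did not create. Scoping them with tag conditions such as `aws:ResourceTag/efs.csi.aws.com/cluster`, as the AWS-managed driver policy does, would narrow that.

```hcl
resource "aws_iam_role" "efs_csi_role" {
  # … unchanged: name …

  assume_role_policy = jsonencode({
    Version : "2012-10-17"
    Statement : [
      {
        Effect : "Allow"
        Principal : {
          # placeholder: ARN of the cluster's IAM OIDC provider
          Federated : "<OIDC_PROVIDER_ARN>"
        }
        Action : "sts:AssumeRoleWithWebIdentity"
        Condition : {
          StringEquals : {
            # placeholder: OIDC issuer URL without the https:// prefix
            "<OIDC_ISSUER>:aud" : "sts.amazonaws.com"
            "<OIDC_ISSUER>:sub" : "system:serviceaccount:kube-system:efs-csi-controller-sa"
          }
        }
      }
    ]
  })
}
```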
diff --git a/org-buetow-eks/main.tf b/org-buetow-eks/main.tf
index b5de08e..c854b5c 100644
--- a/org-buetow-eks/main.tf
+++ b/org-buetow-eks/main.tf
@@ -16,3 +16,4 @@ provider "kubernetes" {
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
token = data.aws_eks_cluster_auth.cluster.token
}
+