-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathefs.tf
111 lines (102 loc) · 2.8 KB
/
efs.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
resource "aws_iam_policy" "efs" {
name_prefix = "${var.cluster_name}-access-to-efs"
description = "EFS Access policy for cluster"
policy = data.aws_iam_policy_document.efs.json
tags = local.tags
}
resource "aws_efs_file_system_policy" "this" {
file_system_id = module.efs.id
bypass_policy_lockout_safety_check = false
policy = data.aws_iam_policy_document.efs_file_system_policy.json
}
# https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
data "aws_iam_policy_document" "efs" {
statement {
effect = "Allow"
actions = [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeAvailabilityZones"
]
resources = ["*"]
}
statement {
effect = "Allow"
actions = [
"elasticfilesystem:DeleteAccessPoint"
]
resources = [
"*"
]
condition {
test = "StringEquals"
values = ["true"]
variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
}
}
statement {
effect = "Allow"
actions = [
"elasticfilesystem:TagResource"
]
resources = [
"*"
]
condition {
test = "StringLike"
values = ["true"]
variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
}
}
statement {
effect = "Allow"
actions = [
"elasticfilesystem:CreateAccessPoint",
]
resources = [
"*"
]
condition {
test = "StringLike"
values = ["true"]
variable = "aws:RequestTag/efs.csi.aws.com/cluster"
}
}
}
# EFS file system policy
data "aws_iam_policy_document" "efs_file_system_policy" {
statement {
effect = "Allow"
actions = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite", "elasticfilesystem:ClientRootAccess"]
principals {
type = "AWS"
identifiers = [var.efs_node_iam_role_arn]
}
condition {
test = "Bool"
values = ["true"]
variable = "elasticfilesystem:AccessedViaMountTarget"
}
resources = [module.efs.arn]
}
}
module "efs" {
source = "cloudposse/efs/aws"
version = "1.1.0"
region = var.region
vpc_id = var.vpc_id
subnets = var.private_subnets_id
allow_all_egress = false
allowed_cidr_blocks = var.private_subnets_cidrs
create_security_group = true
name = "${var.cluster_name}-efs"
security_group_description = "${var.cluster_name} EFS"
bypass_policy_lockout_safety_check = false
throughput_mode = var.throughput_mode
performance_mode = var.performance_mode
efs_backup_policy_enabled = var.enable_backup_policy
tags = merge(
local.tags
)
}