-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add new post aws-ebs-csi-driver-terraform
- Loading branch information
1 parent
f8d3133
commit c59415d
Showing
1 changed file
with
92 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
--- | ||
title: "Amazon EBS CSI driver with terraform" | ||
date: "2024-04-07T15:20:23-04:00" | ||
draft: false | ||
comments: true | ||
toc: false | ||
author: "Dave Gallant" | ||
tags: ['aws', 'eks', 'ebs', 'aws-ebs-csi-driver', 'oidc'] | ||
--- | ||
|
||
I recently configured the Amazon EBS CSI driver and found the setup with terraform to be more effort than expected. I wanted to avoid third-party modules and keep it as simple as possible, while remaining least privilege. | ||
|
||
<!--more--> | ||
|
||
The [Amazon EBS CSI driver docs](https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html) mention that the following are needed: | ||
- an existing EKS cluster | ||
- IAM role (that allows communication to the EC2 API) | ||
- EKS add-on (aws-ebs-csi-driver) | ||
- OIDC provider | ||
|
||
This sounded simple enough but I was unable to find a "grab-and-go" terraform example that followed the recommendations in the docs. I saw some suggestions about attaching an `AmazonEBSCSIDriverPolicy` policy to the node groups but did not think this was the best idea since this would allow many pods to potentially have access to the EC2 API. | ||
|
||
After a few minutes of prompting an LLM, I was unimpressed with the results. I began to piece together the config myself, and after some trial and error, this is the terraform that I came up with: | ||
|
||
```hcl | ||
# TLS needed for the thumbprint | ||
provider "tls" {} | ||
data "tls_certificate" "oidc" { | ||
url = aws_eks_cluster.main.identity[0].oidc[0].issuer | ||
} | ||
# EKS addon | ||
resource "aws_eks_addon" "ebs_csi_driver" { | ||
cluster_name = aws_eks_cluster.main.name | ||
addon_name = "aws-ebs-csi-driver" | ||
addon_version = "v1.29.1-eksbuild.1" | ||
service_account_role_arn = aws_iam_role.ebs_csi_driver.arn | ||
} | ||
# AWS Identity and Access Management (IAM) OpenID Connect (OIDC) provider | ||
resource "aws_iam_openid_connect_provider" "eks" { | ||
url = aws_eks_cluster.main.identity.0.oidc.0.issuer | ||
client_id_list = ["sts.amazonaws.com"] | ||
thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint] | ||
} | ||
# IAM | ||
resource "aws_iam_role" "ebs_csi_driver" { | ||
name = "${var.environment_name}-ebs-csi-driver" | ||
assume_role_policy = data.aws_iam_policy_document.ebs_csi_driver_assume_role.json | ||
} | ||
data "aws_iam_policy_document" "ebs_csi_driver_assume_role" { | ||
statement { | ||
effect = "Allow" | ||
principals { | ||
type = "Federated" | ||
identifiers = [aws_iam_openid_connect_provider.eks.arn] | ||
} | ||
actions = [ | ||
"sts:AssumeRoleWithWebIdentity", | ||
] | ||
condition { | ||
test = "StringEquals" | ||
variable = "${aws_iam_openid_connect_provider.eks.url}:aud" | ||
values = ["sts.amazonaws.com"] | ||
} | ||
condition { | ||
test = "StringEquals" | ||
variable = "${aws_iam_openid_connect_provider.eks.url}:sub" | ||
values = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"] | ||
} | ||
} | ||
} | ||
resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" { | ||
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" | ||
role = aws_iam_role.ebs_csi_driver.name | ||
} | ||
``` | ||
|
||
The above configuration follows the docs, binding an IAM role to the service account _kube-system/ebs-csi-controller-sa_ using an OpenID connect provider. | ||
|
||
After applying the changes above, I deployed [the sample application](https://docs.aws.amazon.com/eks/latest/userguide/ebs-sample-app.html) and noticed that the persistent volume claims were bound to EBS volumes. |