First release of the CSI (#1)

* cosmetic edits

* install chart

* terraform-docs: automated action

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

README.md

@@ -1,16 +1,9 @@
-# cloud-platform-terraform-_template_
+# cloud-platform-terraform-efs-csi
 
-_note: Please remove all comments in italics and fill where required>_
-
-_Please change the urls in the release badge below_
-[![Releases](https://img.shields.io/github/release/ministryofjustice/cloud-platform-terraform-template/all.svg?style=flat-square)](https://github.com/ministryofjustice/cloud-platform-terraform-template/releases)
-
-_Short describion of the module_
-_This Terraform module ......_
+EFS (NFS compatible) storage backend for Kubernetes
 
 ## Usage
 
-_Describe how to use the module_
 See the [examples/](examples/) folder.
 
 <!--- BEGIN_TF_DOCS --->
@@ -25,21 +18,27 @@ See the [examples/](examples/) folder.
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | n/a |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_efs_irsa"></a> [efs\_irsa](#module\_efs\_irsa) | github.com/ministryofjustice/cloud-platform-terraform-irsa | 1.0.3 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_iam_policy.efs_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [helm_release.aws_efs](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [aws_iam_policy_document.efs_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_eks_cluster"></a> [eks\_cluster](#input\_eks\_cluster) | cluster name | `string` | n/a | yes |
 
 ## Outputs
 
@@ -59,8 +58,9 @@ Some of the inputs are tags. All infrastructure resources need to be tagged acco
 | infrastructure-support | The team responsible for managing the infrastructure. Should be of the form team-email | string | - | yes |
 | is-production |  | string | `false` | yes |
 | team_name |  | string | - | yes |
-| sqs_name |  | string | - | yes |
 
 ## Reading Material
 
-_add link to external source_
+Chart: https://kubernetes-sigs.github.io/aws-efs-csi-driver/index.yaml
+
+Installation docs: https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/docs

examples/main.tf

@@ -5,5 +5,5 @@ provider "aws" {
 
 module "template" {
   source = "../"
-
+  eks_cluster = "test"
 }

main.tf

@@ -1,2 +1,73 @@
-data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
+data "aws_iam_policy_document" "efs_doc" {
+  statement {
+    actions = [
+      "elasticfilesystem:DescribeAccessPoints",
+      "elasticfilesystem:DescribeFileSystems",
+      "elasticfilesystem:DescribeMountTargets",
+      "ec2:DescribeAvailabilityZones",
+      "sts:AssumeRoleWithWebIdentity"
+    ]
+    resources = [
+      "*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "elasticfilesystem:CreateAccessPoint"
+    ]
+    resources = [
+      "*",
+    ]
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+      values = ["true"]
+    }
+  }
+
+  statement {
+    actions = [
+      "elasticfilesystem:DeleteAccessPoint"
+    ]
+    resources = [
+      "*",
+    ]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+      values = ["true"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "efs_policy" {
+  name        = "efs-csi-policy-${var.eks_cluster}"
+  path        = "/cloud-platform/"
+  policy      = data.aws_iam_policy_document.efs_doc.json
+  description = "Policy for EFS CSI driver"
+}
+
+module "efs_irsa" {
+  source = "github.com/ministryofjustice/cloud-platform-terraform-irsa?ref=1.0.3"
+
+  eks_cluster      = var.eks_cluster
+  namespace        = "kube-system"
+  service_account  = "efs-csi-controller-sa"
+  role_policy_arns = [aws_iam_policy.efs_policy.arn]
+}
+
+resource "helm_release" "aws_efs" {
+  name       = "aws-efs-csi-driver"
+  chart      = "aws-efs-csi-driver"
+  repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver"
+  namespace  = "kube-system"
+  version    = "2.2.7"
+
+  set {
+    name  = "controller.serviceAccount.create"
+    value = "false"
+  }
+
+  depends_on = [module.efs_irsa]
+}

variables.tf

@@ -0,0 +1,4 @@
+variable "eks_cluster" {
+  type        = string
+  description = "cluster name"
+}

versions.tf

@@ -6,6 +6,12 @@ terraform {
     kubernetes = {
       source = "hashicorp/kubernetes"
     }
+    helm = {
+      source = "hashicorp/helm"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+    }
   }
   required_version = ">= 0.14"
 }