Feature/upgrade eks (#7)

* chore: update aws provider * feat: adding eks addon for ebs csi driver * terraform-docs: automated action --------- Co-authored-by: fernandoataoldotcom <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
GlueOps · Feb 18, 2023 · 240b52e · 240b52e
1 parent bdb87e4
commit 240b52e
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -25,11 +25,14 @@ export AWS_DEFAULT_REGION=us-west-2
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 4.48.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 4.55.0 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.55.0 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | n/a |
 
 ## Modules
 
@@ -42,15 +45,22 @@ No providers.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_eks_addon.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/4.55.0/docs/resources/eks_addon) | resource |
+| [aws_iam_role.eks_addon_ebs_csi_role](https://registry.terraform.io/providers/hashicorp/aws/4.55.0/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/4.55.0/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_openid_connect_provider.provider](https://registry.terraform.io/providers/hashicorp/aws/4.55.0/docs/data-sources/iam_openid_connect_provider) | data source |
+| [aws_iam_policy_document.eks_assume_addon_role](https://registry.terraform.io/providers/hashicorp/aws/4.55.0/docs/data-sources/iam_policy_document) | data source |
+| [tls_certificate.cluster_addons](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_eks_node_group"></a> [eks\_node\_group](#input\_eks\_node\_group) | n/a | <pre>object({<br>    instance_types = list(string)<br>    desired_size   = number<br>    min_size       = number<br>    max_size       = number<br>  })</pre> | <pre>{<br>  "desired_size": 3,<br>  "instance_types": [<br>    "t3a.large"<br>  ],<br>  "max_size": 4,<br>  "min_size": 3<br>}</pre> | no |
+| <a name="input_eks_node_group"></a> [eks\_node\_group](#input\_eks\_node\_group) | n/a | <pre>object({<br>    instance_types = list(string)<br>    desired_size   = number<br>    min_size       = number<br>    max_size       = number<br>  })</pre> | <pre>{<br>  "desired_size": 3,<br>  "instance_types": [<br>    "t3a.medium"<br>  ],<br>  "max_size": 4,<br>  "min_size": 3<br>}</pre> | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes |
-| <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | The CIDR block for the VPC | `string` | `"10.65.0.0./16"` | no |
+| <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | The CIDR block for the VPC | `string` | `"10.65.0.0/16"` | no |
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -6,7 +6,7 @@ variable "region" {
 variable "vpc_cidr_block" {
   type        = string
   description = "The CIDR block for the VPC"
-  default     = "10.65.0.0./16"
+  default     = "10.65.0.0/16"
 }
 
 variable "eks_node_group" {
@@ -17,7 +17,7 @@ variable "eks_node_group" {
     max_size       = number
   })
   default = {
-    instance_types = ["t3a.large"]
+    instance_types = ["t3a.medium"]
     desired_size   = 3
     min_size       = 3
     max_size       = 4
@@ -30,7 +30,7 @@ provider "aws" {
 
 locals {
   eks_cluster = {
-    cluster_version = "1.22"
+    cluster_version = "1.24"
     region          = var.region
   }
   vpc = {
@@ -101,6 +101,53 @@ module "kubernetes" {
   kubernetes_version    = local.eks_cluster.cluster_version
 }
 
+data "tls_certificate" "cluster_addons" {
+  url = module.kubernetes.eks_cluster_identity_oidc_issuer
+}
+
+data "aws_iam_openid_connect_provider" "provider" {
+  arn = module.kubernetes.eks_cluster_identity_oidc_issuer_arn
+}
+
+data "aws_iam_policy_document" "eks_assume_addon_role" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+    principals {
+      identifiers = [data.aws_iam_openid_connect_provider.provider.arn]
+      type        = "Federated"
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(data.aws_iam_openid_connect_provider.provider.url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(data.aws_iam_openid_connect_provider.provider.url, "https://", "")}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
 
 
+  }
+}
 
+resource "aws_iam_role" "eks_addon_ebs_csi_role" {
+  assume_role_policy = data.aws_iam_policy_document.eks_assume_addon_role.json
+  name               = "AmazonEKS_EBS_CSI_DriverRole"
+}
+
+resource "aws_iam_role_policy_attachment" "ebs_csi" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+  role       = aws_iam_role.eks_addon_ebs_csi_role.name
+}
+
+resource "aws_eks_addon" "ebs_csi" {
+  cluster_name      = module.kubernetes.eks_cluster_id
+  addon_name        = "aws-ebs-csi-driver"
+  addon_version     = "v1.15.0-eksbuild.1"
+  resolve_conflicts = "OVERWRITE"
+  service_account_role_arn = aws_iam_role.eks_addon_ebs_csi_role.arn
+  depends_on = [aws_iam_role_policy_attachment.ebs_csi, module.node_pool]
+}
diff --git a/versions.tf b/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "4.48.0"
+      version = "4.55.0"
     }
   }
 }