Add AWS EFS CSI Driver
Description:
- Currently assets are stored in `assets_efs` EFS after scanning by ClamAV prior to upload to S3. These are transferred via an NFS mount in each of their pods. We want to move away from this as the `nfs` volume type isn't compatible with the PSS `restricted` profile
- Install the EFS CSI Driver as a first step to migrate from NFS to PersistentVolumes
- As part of alphagov/govuk-helm-charts#1883
nimalank7 committed Dec 5, 2024
1 parent a46ba9c commit 4a43d5f
Showing 2 changed files with 44 additions and 0 deletions.
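--- a/terraform/deployments/cluster-infrastructure/aws_efs_csi_driver.tf
+++ b/terraform/deployments/cluster-infrastructure/aws_efs_csi_driver.tf
@@ -0,0 +1,29 @@
+resource "helm_release" "efs_csi_driver" {
+chart = "aws-efs-csi-driver"
+name = "aws-efs-csi-driver"
+namespace = "kube-system"
+repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver"
+version = "3.1.1" # TODO: Dependabot or equivalent so this doesn't get neglected.
+
+values = [yamlencode({
+controller = {
+serviceAccount = {
+create = true
+name = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.aws_efs_csi_driver_controller_service_account_name
+annotations = {
+"eks.amazonaws.com/role-arn" = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.aws_efs_csi_driver_iam_role_arn
+}
+}
+}
+storageClasses = [{
+name = "assets_efs-efs-sc"
+apiVersion = "storage.k8s.io/v1"
+mountOptions = ["tls"]
+parameters = {
+fileSystemId = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.assets_efs_id # Non-sensitive value?
+}
+reclaimPolicy = "Retain"
+volumeBindingMode = "WaitForFirstConsumer"
+}]
+})]
+}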
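Review bot: The storage class name `assets_efs-efs-sc` on the `name =` line inside `storageClasses` contains an underscore, which the Kubernetes API rejects for StorageClass names (they are validated as RFC 1123 subdomains: lowercase alphanumerics, `-` and `.` only), so the chart's StorageClass manifest would fail to apply; `name = "assets-efs-sc"` avoids this. If the class is meant for dynamic provisioning, the `parameters` block also appears to lack `provisioningMode = "efs-ap"` and `directoryPerms`, which the EFS CSI driver needs to create access points with known directory permissions — if only statically created PVs are planned for the migration, a comment saying so would prevent the next reader from adding them by mistake. The `# Non-sensitive value?` question next to `fileSystemId` is worth resolving before merge: an EFS file system ID is a resource identifier rather than a credential, but leaving the question in the code suggests the sensitivity review of the consumed outputs is unfinished. `mountOptions = ["tls"]` keeps NFS traffic encrypted in transit and should be preserved when the class is reworked.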
15 changes: 15 additions & 0 deletions terraform/deployments/cluster-infrastructure/outputs.tf
Expand Up @@ -18,6 +18,11 @@ output "aws_ebs_csi_driver_iam_role_arn" {
value = module.aws_ebs_csi_driver_iam_role.iam_role_arn
}

output "aws_efs_csi_driver_iam_role_arn" {
description = "IAM role ARN for AWS EFS CSI controller role"
value = module.aws_efs_csi_driver_iam_role.iam_role_arn
}

output "control_plane_security_group_id" {
description = "ID of the security group which contains the (AWS-owned) control plane nodes."
value = module.eks.cluster_primary_security_group_id
Expand Down Expand Up @@ -93,6 +98,11 @@ output "external_secrets_role_arn" {
value = module.external_secrets_iam_role.iam_role_arn
}

output "assets_efs_id" {
description = "EFS Filesystem ID for assets"
value = aws_efs_file_system.assets_efs.id
}

output "aws_lb_controller_role_arn" {
description = "IAM role ARN corresponding to the k8s service account for the AWS Load Balancer Controller."
value = module.aws_lb_controller_iam_role.iam_role_arn
Expand All @@ -108,6 +118,11 @@ output "aws_ebs_csi_driver_controller_service_account_name" {
value = local.ebs_csi_driver_controller_service_account_name
}

output "aws_efs_csi_driver_controller_service_account_name" {
description = "Name of the k8s service account for the AWS EFS CSI Controller"
value = local.efs_csi_driver_controller_service_account_name
}

output "grafana_iam_role_arn" {
description = "IAM role ARN corresponding to the k8s service account for Grafana."
value = module.grafana_iam_role.iam_role_arn
