From 38a115d3be86a9e8fb274a50702347bb7b673a9e Mon Sep 17 00:00:00 2001
From: David Houck
Date: Fri, 1 Dec 2023 11:08:34 -0500
Subject: [PATCH] fix: (IAC-1162) AWS warns of misconfigured EFS mounts (#505)
---
 roles/baseline/defaults/main.yml | 11 +++++++++++
 .../tasks/nfs-subdir-external-provisioner.yaml | 12 ++++++++++++
 roles/common/tasks/main.yaml | 6 ++++++
 3 files changed, 29 insertions(+)
diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index d9cd7636..7f87225d 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -111,6 +111,17 @@ NFS_CLIENT_CONFIG:
 storageClass:
 archiveOnDelete: "false"
 name: sas
+# EFS best practice NFS mount options for the aws provider
+NFS_EFS_CLIENT_CONFIG:
+ nfs:
+ mountOptions:
+ - noresvport
+ - rsize=1048576
+ - wsize=1048576
+ - soft
+ - timeo=600
+ - retrans=2
+ - _netdev
 ## pg-storage storage class config
 PG_NFS_CLIENT_NAME: nfs-subdir-external-provisioner-pg-storage
diff --git a/roles/baseline/tasks/nfs-subdir-external-provisioner.yaml b/roles/baseline/tasks/nfs-subdir-external-provisioner.yaml
index c2bf3c6e..c499966d 100644
--- a/roles/baseline/tasks/nfs-subdir-external-provisioner.yaml
+++ b/roles/baseline/tasks/nfs-subdir-external-provisioner.yaml
@@ -36,6 +36,18 @@
 - uninstall
 - update
+- name: Update NFS_CLIENT_CONFIG configurations for EFS
+ set_fact:
+ NFS_CLIENT_CONFIG: "{{ NFS_CLIENT_CONFIG | combine(NFS_EFS_CLIENT_CONFIG, recursive=True) }}"
+ PG_NFS_CLIENT_CONFIG: "{{ PG_NFS_CLIENT_CONFIG | combine(NFS_EFS_CLIENT_CONFIG, recursive=True) }}"
+ when:
+ - PROVIDER == "aws"
+ - STORAGE_TYPE_BACKEND is defined
+ - STORAGE_TYPE_BACKEND == "efs"
+ tags:
+ - install
+ - update
+
 - name: Deploy nfs-subdir-external-provisioner-sas
 kubernetes.core.helm:
 name: "{{ NFS_CLIENT_NAME }}"
diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml
index ef3eae9a..698488c8 100644
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
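Review bot: The `- soft` entry in `NFS_EFS_CLIENT_CONFIG.nfs.mountOptions` departs from the mount options AWS recommends for EFS, which use `hard`. With a soft mount, a request that exhausts `timeo=600` and `retrans=2` returns an I/O error to the application, and software that does not check write errors can leave truncated or corrupted files on the shared volume. Unless soft was chosen deliberately to avoid hung pods, change the line to `- hard`, or extend the comment to `# EFS NFS mount options for the aws provider; soft is intentional: <reason>` so the trade-off is documented. The list also pins no protocol version (`nfsvers=4.1` in the AWS guidance), so the negotiated version depends on the client.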
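Review bot: `combine(NFS_EFS_CLIENT_CONFIG, recursive=True)` in this set_fact keeps the default `list_merge='replace'`, so any `nfs.mountOptions` a deployer already set in NFS_CLIENT_CONFIG or PG_NFS_CLIENT_CONFIG (restrictive options such as `nosuid` or `nodev`, for example) is discarded in favour of the EFS list instead of being extended. If overrides are meant to survive, pass `list_merge='append_rp'` to both combine calls, or state in a comment on the task that EFS deployments always get exactly the NFS_EFS_CLIENT_CONFIG list. A value supplied as an extra var would also take precedence over this set_fact, in which case the EFS options are not applied and nothing reports it. The module is called by its short name while the next task uses a fully qualified one (`kubernetes.core.helm`); `ansible.builtin.set_fact` would match.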
@@ -192,6 +192,12 @@
 when:
 - tfstate.ssh_private_key is defined
 - tfstate.ssh_private_key.value|length > 0
+ - name: tfstate - storage type backend var # noqa: name[casing]
+ set_fact:
+ STORAGE_TYPE_BACKEND: "{{ tfstate.storage_type_backend.value }}"
+ when:
+ - tfstate.storage_type_backend is defined
+ - tfstate.storage_type_backend.value|length > 0
 ### Deprecations
 - name: tfstate - postgres admin # noqa: name[casing]
 set_fact:
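Review bot: STORAGE_TYPE_BACKEND is set only from `tfstate.storage_type_backend`, and the EFS task in roles/baseline compares it with the exact string `"efs"`, so a deployment without tfstate, or with a differently cased value, skips the EFS mount options without any message. A short comment above the task, e.g. `# Consumed by roles/baseline to select EFS mount options; set STORAGE_TYPE_BACKEND manually when no tfstate is used`, would make that dependency visible. Writing the value as `"{{ tfstate.storage_type_backend.value | lower }}"` would remove the case sensitivity. The enclosing block starts outside the hunk.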