Initial commit.

modules/eks-addon-csi-ebs/data.tf

@@ -0,0 +1,28 @@
+data "aws_eks_cluster_auth" "self" {
+  name = var.eks_cluster_id
+}
+
+data "aws_iam_policy_document" "self_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(var.eks_cluster_oidc_issuer_url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(var.eks_cluster_oidc_issuer_url, "https://", "")}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    principals {
+      identifiers = [
+        var.eks_oidc_provider_arn
+      ]
+      type = "Federated"
+    }
+  }
+}

modules/eks-addon-csi-ebs/eks.tf

@@ -0,0 +1,15 @@
+resource "kubernetes_storage_class" "self_encrypted" {
+  metadata {
+    name = "gp3-encrypted"
+  }
+  storage_provisioner = "ebs.csi.aws.com"
+  parameters = {
+    type      = "gp3"
+    encrypted = "true"
+  }
+
+  reclaim_policy = "Retain"
+
+  allow_volume_expansion = "true"
+  volume_binding_mode    = "WaitForFirstConsumer"
+}

modules/eks-addon-csi-ebs/main.tf

@@ -0,0 +1,17 @@
+resource "aws_iam_role" "self" {
+  assume_role_policy = data.aws_iam_policy_document.self_assume_role_policy.json
+  name               = "EksCsiEbsRole-${var.eks_cluster_id}"
+}
+
+resource "aws_iam_role_policy_attachment" "self" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+  role       = aws_iam_role.self.name
+}
+
+resource "aws_eks_addon" "self" {
+  cluster_name  = var.eks_cluster_id
+  addon_name    = "aws-ebs-csi-driver"
+  addon_version = var.addon_version
+
+  service_account_role_arn = aws_iam_role.self.arn
+}

modules/eks-addon-csi-ebs/provider.tf

@@ -0,0 +1,5 @@
+provider "kubernetes" {
+  host                   = var.eks_cluster_endpoint
+  cluster_ca_certificate = base64decode(var.eks_cluster_certificate_authority_data)
+  token                  = data.aws_eks_cluster_auth.self.token
+}

modules/eks-addon-csi-ebs/variables.tf

@@ -0,0 +1,30 @@
+variable "eks_cluster_id" {
+  type        = string
+  description = "The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+  type        = string
+  description = "The EKS cluster OIDC issuer url"
+}
+
+variable "eks_oidc_provider_arn" {
+  type        = string
+  description = "The EKS cluster OIDC provider arn"
+}
+
+variable "eks_cluster_endpoint" {
+  type        = string
+  description = "Endpoint for your Kubernetes API server"
+}
+
+variable "eks_cluster_certificate_authority_data" {
+  type        = string
+  description = "Base64 encoded certificate data required to communicate with the cluster"
+}
+
+variable "addon_version" {
+  type        = string
+  description = "The addon version"
+  default     = "v1.5.2-eksbuild.1"
+}