infrastructure/base/modules/aws/eks/ebs.tf
# Managed EKS add-on for the EBS CSI driver. Its controller runs as the
# kube-system/ebs-csi-controller-sa service account, which assumes
# ebs_csi_iam_role via IRSA (see the role's trust policy below), so the driver
# gets its EBS permissions without relying on the node instance role.
resource "aws_eks_addon" "aws_ebs_csi_driver" {
  addon_name               = "aws-ebs-csi-driver"
  addon_version            = var.ebs_csi_addon_version
  cluster_name             = aws_eks_cluster.eks_cluster.name
  service_account_role_arn = aws_iam_role.ebs_csi_iam_role.arn
}
# Identity of the credentials Terraform is running with; the account ID is
# used to assemble ARNs in this module.
data "aws_caller_identity" "current" {
}
# Obtains the OIDC issuer's certificate thumbprint by running a script shipped
# with this module; the region is the only argument. The script's stdout must
# be a JSON object containing a "thumbprint" key, which the OIDC provider
# below consumes.
# NOTE(review): the script body is not visible here. It executes with the full
# privileges of the Terraform run, so keep it version-controlled and reviewed
# together with this file rather than fetched or generated at apply time.
data "external" "thumbprint" {
program = ["${path.module}/thumbprint.sh", var.aws_region]
}
# Registers the cluster's OIDC issuer with IAM so that Kubernetes service
# account tokens can be exchanged for IAM role credentials (IRSA). The single
# audience "sts.amazonaws.com" must match the ":aud" condition of every role
# that trusts this provider.
resource "aws_iam_openid_connect_provider" "example" {
  url             = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.external.thumbprint.result.thumbprint]
}
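# IAM role assumed by the EBS CSI controller's Kubernetes service account via
# IRSA. The trust policy is scoped to exactly one service account
# (kube-system/ebs-csi-controller-sa) and to the "sts.amazonaws.com" audience,
# so a token minted for any other pod in this cluster is refused.
#
# The Federated principal and the condition keys are derived from the
# aws_iam_openid_connect_provider resource rather than assembled by hand from
# the account ID and local.oicd_id. That keeps the trust policy from drifting
# away from the provider that was actually registered, and it gives Terraform
# the dependency it needs to create the provider before the role (IAM rejects
# a trust policy whose Federated principal does not exist yet).
#
# NOTE(review): the role name is fixed and IAM role names are unique per
# account, so a second instance of this module in the same account will
# collide. Deriving the name from the cluster name would avoid that but also
# changes the role ARN, so it is deliberately left unchanged here.
resource "aws_iam_role" "ebs_csi_iam_role" {
  name = "AmazonEKS_EBS_CSI_DriverRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Federated = aws_iam_openid_connect_provider.example.arn
        }
        Action = "sts:AssumeRoleWithWebIdentity"
        Condition = {
          StringEquals = {
            # Condition keys are "<issuer host and path>:aud" / ":sub"; the
            # issuer URL carries an "https://" prefix that IAM does not use.
            "${trimprefix(aws_iam_openid_connect_provider.example.url, "https://")}:aud" = "sts.amazonaws.com"
            "${trimprefix(aws_iam_openid_connect_provider.example.url, "https://")}:sub" = "system:serviceaccount:kube-system:ebs-csi-controller-sa"
          }
        }
      }
    ]
  })
}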
# Grants the AWS-managed EBS CSI driver policy to the IRSA role that the
# driver's controller service account assumes. This is the intended,
# least-privilege path for the add-on's EBS permissions.
resource "aws_iam_role_policy_attachment" "ebs-csi-service-role-AmazonEKS_EBS_CSI_DriverRole" {
  role       = aws_iam_role.ebs_csi_iam_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
}
# Attaches the same EBS CSI driver policy to the node group's instance role
# (aws_iam_role.eks-node-group-iam-role is defined outside this file).
# NOTE(review): with the add-on bound to ebs_csi_iam_role through
# service_account_role_arn above, this attachment is likely redundant. It
# extends the EBS policy to every workload that can obtain the node's instance
# credentials, not just the CSI controller, which is broader than IRSA needs.
# Consider removing it once the IRSA path is confirmed to work; it is kept
# here because a node-role dependency elsewhere in the module cannot be ruled
# out from this file alone.
resource "aws_iam_role_policy_attachment" "eks-node-group-admin-AmazonEKS_EBS_CSI_DriverRole" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
role = aws_iam_role.eks-node-group-iam-role.name
}