Batiai-1173 Updated code and tested in EPPE (#5)

arunsanna · web-flow · commit eefa2125b009 · 2023-04-24T16:40:19.000-04:00
EFS IRSA permissions fix
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.terraform.lock.hcl
+.terraform/
diff --git a/iam.tf b/iam.tf
@@ -3,6 +3,8 @@ locals {
   k8s_service_account_name      = "aws-efs-csi-driver"
 }
 
+data "aws_caller_identity" "current" {}
+
 data "aws_iam_policy_document" "batcave_efscsidriver" {
   statement {
     actions = [
@@ -18,17 +20,10 @@ data "aws_iam_policy_document" "batcave_efscsidriver" {
       "elasticfilesystem:CreateAccessPoint",
       "elasticfilesystem:DeleteAccessPoint"
     ]
-    resources = ["*"]
-    condition {
-      test     = "ForAnyValue:StringEquals"
-      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
-      values   = ["true"]
-    }
-    condition {
-      test     = "ForAnyValue:StringEquals"
-      variable = "aws:RequestTag/cluster-name"
-      values   = ["${var.cluster_name}"]
-    }
+    resources = [
+      "arn:aws:elasticfilesystem:*:${data.aws_caller_identity.current.account_id}:file-system/${aws_efs_file_system.efs.id}",
+      "arn:aws:elasticfilesystem:*:${data.aws_caller_identity.current.account_id}:access-point/*"
+    ]
   }
 
 }
diff --git a/variables.tf b/variables.tf
@@ -24,13 +24,26 @@ variable "helm_namespace" {
 variable "imagerepo" {
   default = "602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver"
 }
+
 variable "efsid" {
   default = ""
-
 }
 
 variable "helm_name" {
   default = "aws-efs-csi-driver"
 }
 
 variable "cluster_oidc_issuer_url" {}
+
+variable "kms_key_id" {
+  default = ""
+}
+
+variable "vpc_id" {
+  default = ""
+}
+
+variable "private_subnet_ids" {
+  type    = list(any)
+  default = []
+}
