Merge pull request #211 from PermanentOrg/manage_ebs_csi_add_on_from_terraform

liam-lloyd · web-flow · commit 77b4fd6c5e0d · 2025-10-23T12:50:29.000-07:00
Manage ebs csi add on from terraform
diff --git a/archivematica/prod_cluster/eks-cluster.tf b/archivematica/prod_cluster/eks-cluster.tf
@@ -22,6 +22,29 @@ module "eks" {
     }
   }
 
+  addons = {
+    coredns = {
+      most_recent                 = true
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts           = "OVERWRITE"
+    }
+    kube-proxy = {
+      most_recent                 = true
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts           = "OVERWRITE"
+    }
+    vpc-cni = {
+      most_recent                 = true
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts           = "OVERWRITE"
+    }
+    aws-ebs-csi-driver = {
+      most_recent              = true
+      service_account_role_arn = module.ebs_csi_irsa.iam_role_arn
+      resolve_conflicts        = "OVERWRITE"
+    }
+  }
+
   eks_managed_node_groups = {
     one = {
       name     = "node-group-1"
@@ -49,6 +72,21 @@ module "eks" {
   }
 }
 
+module "ebs_csi_irsa" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.60.0"
+
+  role_name_prefix = "${local.cluster_name}-ebs-csi-"
+  attach_ebs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+    }
+  }
+}
+
 resource "kubernetes_cluster_role_binding" "eks_admins_cluster_admin" {
   metadata {
     name = "eks-admins-cluster-admin"
diff --git a/archivematica/test_cluster/eks-cluster.tf b/archivematica/test_cluster/eks-cluster.tf
@@ -38,6 +38,11 @@ module "eks" {
       resolve_conflicts_on_create = "OVERWRITE"
       resolve_conflicts           = "OVERWRITE"
     }
+    aws-ebs-csi-driver = {
+      most_recent              = true
+      service_account_role_arn = module.ebs_csi_irsa.iam_role_arn
+      resolve_conflicts        = "OVERWRITE"
+    }
   }
 
   eks_managed_node_groups = {
@@ -68,6 +73,21 @@ module "eks" {
   }
 }
 
+module "ebs_csi_irsa" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.60.0"
+
+  role_name_prefix = "${local.cluster_name}-ebs-csi-"
+  attach_ebs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+    }
+  }
+}
+
 resource "kubernetes_storage_class" "gp3" {
   metadata {
     name = "gp3"
diff --git a/archivematica/test_cluster/staging_archivematica_deployment.tf b/archivematica/test_cluster/staging_archivematica_deployment.tf
@@ -31,7 +31,7 @@ resource "kubernetes_deployment" "archivematica_staging" {
           fs_group_change_policy = "OnRootMismatch"
         }
         container {
-          image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:storage-service-main-30826d7"
+          image = local.desired_images["archivematica-storage-service-staging"]
           name  = "archivematica-storage-service-staging"
           env {
             name  = "SS_GUNICORN_BIND"
@@ -123,7 +123,7 @@ resource "kubernetes_deployment" "archivematica_staging" {
           }
         }
         container {
-          image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:dashboard-main-0025af3"
+          image = local.desired_images["archivematica-dashboard-staging"]
           name  = "archivematica-dashboard-staging"
           env {
             name  = "AM_GUNICORN_BIND"
@@ -240,7 +240,7 @@ resource "kubernetes_deployment" "archivematica_staging" {
           }
         }
         container {
-          image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:mcp-server-main-0025af3"
+          image = local.desired_images["archivematica-mcp-server-staging"]
           name  = "archivematica-mcp-server-staging"
           env {
             name  = "DJANGO_SECRET_KEY"
@@ -324,7 +324,7 @@ resource "kubernetes_deployment" "archivematica_staging" {
           }
         }
         init_container {
-          image   = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:storage-service-main-30826d7"
+          image = local.desired_images["archivematica-storage-service-staging"]
           name    = "archivematica-storage-service-migrations"
           command = ["sh"]
           args    = ["-c", "python manage.py migrate --noinput"]
@@ -364,7 +364,7 @@ resource "kubernetes_deployment" "archivematica_staging" {
           }
         }
         init_container {
-          image   = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:storage-service-main-30826d7"
+          image = local.desired_images["archivematica-storage-service-staging"]
           name  = "archivematica-storage-service-create-user"
           env {
             name  = "DJANGO_SETTINGS_MODULE"
@@ -432,7 +432,7 @@ resource "kubernetes_deployment" "archivematica_staging" {
           args    = ["-c", "python manage.py create_user --username=$(AM_SS_USERNAME) --password='$(AM_SS_PASSWORD)' --email=$(AM_SS_EMAIL) --api-key='$(AM_SS_API_KEY)' --superuser"]
         }
         init_container {
-          image   = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:dashboard-main-0025af3"
+          image = local.desired_images["archivematica-dashboard-staging"]
           name    = "archivematica-dashboard-migration"
           command = ["sh"]
           args    = ["-c", "python /src/src/dashboard/src/manage.py migrate --noinput"]
@@ -494,7 +494,7 @@ resource "kubernetes_deployment" "archivematica_staging" {
           }
         }
         init_container {
-          image   = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:storage-service-main-30826d7"
+          image = local.desired_images["archivematica-storage-service-staging"]
           name    = "archivematica-rclone-configuration"
           command = ["sh"]
           args    = ["-c", "rclone config create permanentb2 b2 account $(BACKBLAZE_KEY_ID) key $(BACKBLAZE_APPLICATION_KEY) --obscure"]
@@ -591,7 +591,7 @@ resource "kubernetes_deployment" "mcp_client_staging" {
       }
       spec {
         container {
-          image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:mcp-client-main-0025af3"
+          image = local.desired_images["archivematica-mcp-client-staging"]
           name  = "archivematica-mcp-client-staging"
           env {
             name = "DJANGO_SECRET_KEY"

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ resource "kubernetes_deployment" "archivematica_staging" {`
`31`	`31`	`fs_group_change_policy = "OnRootMismatch"`
`32`	`32`	`}`
`33`	`33`	`container {`
`34`		`- image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:storage-service-main-30826d7"`
	`34`	`+ image = local.desired_images["archivematica-storage-service-staging"]`
`35`	`35`	`name = "archivematica-storage-service-staging"`
`36`	`36`	`env {`
`37`	`37`	`name = "SS_GUNICORN_BIND"`
`@@ -123,7 +123,7 @@ resource "kubernetes_deployment" "archivematica_staging" {`
`123`	`123`	`}`
`124`	`124`	`}`
`125`	`125`	`container {`
`126`		`- image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:dashboard-main-0025af3"`
	`126`	`+ image = local.desired_images["archivematica-dashboard-staging"]`
`127`	`127`	`name = "archivematica-dashboard-staging"`
`128`	`128`	`env {`
`129`	`129`	`name = "AM_GUNICORN_BIND"`
`@@ -240,7 +240,7 @@ resource "kubernetes_deployment" "archivematica_staging" {`
`240`	`240`	`}`
`241`	`241`	`}`
`242`	`242`	`container {`
`243`		`- image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:mcp-server-main-0025af3"`
	`243`	`+ image = local.desired_images["archivematica-mcp-server-staging"]`
`244`	`244`	`name = "archivematica-mcp-server-staging"`
`245`	`245`	`env {`
`246`	`246`	`name = "DJANGO_SECRET_KEY"`
`@@ -324,7 +324,7 @@ resource "kubernetes_deployment" "archivematica_staging" {`
`324`	`324`	`}`
`325`	`325`	`}`
`326`	`326`	`init_container {`
`327`		`- image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:storage-service-main-30826d7"`
	`327`	`+ image = local.desired_images["archivematica-storage-service-staging"]`
`328`	`328`	`name = "archivematica-storage-service-migrations"`
`329`	`329`	`command = ["sh"]`
`330`	`330`	`args = ["-c", "python manage.py migrate --noinput"]`
`@@ -364,7 +364,7 @@ resource "kubernetes_deployment" "archivematica_staging" {`
`364`	`364`	`}`
`365`	`365`	`}`
`366`	`366`	`init_container {`
`367`		`- image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:storage-service-main-30826d7"`
	`367`	`+ image = local.desired_images["archivematica-storage-service-staging"]`
`368`	`368`	`name = "archivematica-storage-service-create-user"`
`369`	`369`	`env {`
`370`	`370`	`name = "DJANGO_SETTINGS_MODULE"`
`@@ -432,7 +432,7 @@ resource "kubernetes_deployment" "archivematica_staging" {`
`432`	`432`	`args = ["-c", "python manage.py create_user --username=$(AM_SS_USERNAME) --password='$(AM_SS_PASSWORD)' --email=$(AM_SS_EMAIL) --api-key='$(AM_SS_API_KEY)' --superuser"]`
`433`	`433`	`}`
`434`	`434`	`init_container {`
`435`		`- image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:dashboard-main-0025af3"`
	`435`	`+ image = local.desired_images["archivematica-dashboard-staging"]`
`436`	`436`	`name = "archivematica-dashboard-migration"`
`437`	`437`	`command = ["sh"]`
`438`	`438`	`args = ["-c", "python /src/src/dashboard/src/manage.py migrate --noinput"]`
`@@ -494,7 +494,7 @@ resource "kubernetes_deployment" "archivematica_staging" {`
`494`	`494`	`}`
`495`	`495`	`}`
`496`	`496`	`init_container {`
`497`		`- image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:storage-service-main-30826d7"`
	`497`	`+ image = local.desired_images["archivematica-storage-service-staging"]`
`498`	`498`	`name = "archivematica-rclone-configuration"`
`499`	`499`	`command = ["sh"]`
`500`	`500`	`args = ["-c", "rclone config create permanentb2 b2 account $(BACKBLAZE_KEY_ID) key $(BACKBLAZE_APPLICATION_KEY) --obscure"]`
`@@ -591,7 +591,7 @@ resource "kubernetes_deployment" "mcp_client_staging" {`
`591`	`591`	`}`
`592`	`592`	`spec {`
`593`	`593`	`container {`
`594`		`- image = "364159549467.dkr.ecr.us-west-2.amazonaws.com/archivematica:mcp-client-main-0025af3"`
	`594`	`+ image = local.desired_images["archivematica-mcp-client-staging"]`
`595`	`595`	`name = "archivematica-mcp-client-staging"`
`596`	`596`	`env {`
`597`	`597`	`name = "DJANGO_SECRET_KEY"`