Manage the EBS CSI add-on for the Archivematica cluster from terraform

liam-lloyd · liam-lloyd · commit a7d4e8108888 · 2025-10-22T12:36:44.000-07:00
Our Archivematica cluster uses the EBS CSI add-on to handle interactions
with EBS volumes. I originally added it through the dashboard, but this
led to some troublesome differences between environments. This commit
adds it to our Terraform configuration to ensure it's the same across
environments.
diff --git a/archivematica/prod_cluster/eks-cluster.tf b/archivematica/prod_cluster/eks-cluster.tf
@@ -22,6 +22,28 @@ module "eks" {
     }
   }
 
+  addons = {
+    coredns = {
+      most_recent                 = true
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts           = "OVERWRITE"
+    }
+    kube-proxy = {
+      most_recent                 = true
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts           = "OVERWRITE"
+    }
+    vpc-cni = {
+      most_recent                 = true
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts           = "OVERWRITE"
+    }
+    aws-ebs-csi-driver = {
+      most_recent = true
+      service_account_role_arn = module.ebs_csi_irsa.iam_role_arn
+    }
+  }
+
   eks_managed_node_groups = {
     one = {
       name     = "node-group-1"
@@ -49,6 +71,21 @@ module "eks" {
   }
 }
 
+module "ebs_csi_irsa" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.60.0"
+
+  role_name_prefix = "${local.cluster_name}-ebs-csi-"
+  attach_ebs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+    }
+  }
+}
+
 resource "kubernetes_cluster_role_binding" "eks_admins_cluster_admin" {
   metadata {
     name = "eks-admins-cluster-admin"
diff --git a/archivematica/test_cluster/eks-cluster.tf b/archivematica/test_cluster/eks-cluster.tf
@@ -38,6 +38,10 @@ module "eks" {
       resolve_conflicts_on_create = "OVERWRITE"
       resolve_conflicts           = "OVERWRITE"
     }
+    aws-ebs-csi-driver = {
+      most_recent = true
+      service_account_role_arn = module.ebs_csi_irsa.iam_role_arn
+    }
   }
 
   eks_managed_node_groups = {
@@ -68,6 +72,21 @@ module "eks" {
   }
 }
 
+module "ebs_csi_irsa" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.60.0"
+
+  role_name_prefix = "${local.cluster_name}-ebs-csi-"
+  attach_ebs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+    }
+  }
+}
+
 resource "kubernetes_storage_class" "gp3" {
   metadata {
     name = "gp3"
