hashicorp · sharon-raphael · Jul 1, 2025 · Jul 1, 2025 · Oct 8, 2025
@@ -0,0 +1,3 @@
+```release-note:enhancement
+Add `fs_group_policy` field for `kubernetes_csi_driver`
+```
@@ -50,6 +50,7 @@ Required:
 
 Optional:
 
+- `fs_group_policy` (String) Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Defaults to `ReadWriteOnceWithFSType`. Valid options are `File`, `None`, and `ReadWriteOnceWithFSType`.
 - `pod_info_on_mount` (Boolean) Indicates that the CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations
 - `volume_lifecycle_modes` (List of String) Defines what kind of volumes this CSI volume driver supports
 
@@ -68,6 +69,7 @@ resource "kubernetes_csi_driver" "example" {
     attach_required        = true
     pod_info_on_mount      = true
     volume_lifecycle_modes = ["Ephemeral"]
+    fs_group_policy        = "File"
   }
 }
 ```

@@ -50,6 +50,7 @@ Required:
 
 Optional:
 
+- `fs_group_policy` (String) Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Defaults to `ReadWriteOnceWithFSType`. Valid options are `File`, `None`, and `ReadWriteOnceWithFSType`.
 - `pod_info_on_mount` (Boolean) Indicates that the CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations
 - `volume_lifecycle_modes` (List of String) Defines what kind of volumes this CSI volume driver supports
 
@@ -68,6 +69,7 @@ resource "kubernetes_csi_driver_v1" "example" {
     attach_required        = true
     pod_info_on_mount      = true
     volume_lifecycle_modes = ["Ephemeral"]
+    fs_group_policy        = "File"
   }
 }
 ```

@@ -7,5 +7,6 @@ resource "kubernetes_csi_driver" "example" {
     attach_required        = true
     pod_info_on_mount      = true
     volume_lifecycle_modes = ["Ephemeral"]
+    fs_group_policy        = "File"
   }
 }
@@ -7,5 +7,6 @@ resource "kubernetes_csi_driver_v1" "example" {
     attach_required        = true
     pod_info_on_mount      = true
     volume_lifecycle_modes = ["Ephemeral"]
+    fs_group_policy        = "File"
   }
 }
@@ -64,6 +64,17 @@ func resourceKubernetesCSIDriverV1() *schema.Resource {
 								}, false),
 							},
 						},
+						"fs_group_policy": {
+							Type:        schema.TypeString,
+							Description: "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Defaults to `ReadWriteOnceWithFSType`. Valid options are `File`, `None`, and `ReadWriteOnceWithFSType`.",
+							Optional:    true,
+							Default:     "ReadWriteOnceWithFSType",
+							ValidateFunc: validation.StringInSlice([]string{
+								string(storage.ReadWriteOnceWithFSTypeFSGroupPolicy),
+								string(storage.NoneFSGroupPolicy),
+								string(storage.FileFSGroupPolicy),
+							}, false),
+						},
 					},
 				},
 			},

@@ -38,6 +38,7 @@ func TestAccKubernetesCSIDriverV1_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "spec.0.attach_required", "true"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.pod_info_on_mount", "true"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.volume_lifecycle_modes.0", "Ephemeral"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.fs_group_policy", "File"),
 				),
 			},
 			{
@@ -107,6 +108,7 @@ func testAccKubernetesCSIDriverV1BasicConfig(name string, attached bool) string
     attach_required        = %[2]t
     pod_info_on_mount      = %[2]t
     volume_lifecycle_modes = ["Ephemeral"]
+    fs_group_policy        = "File"
   }
 }
 `, name, attached)

@@ -13,8 +13,10 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
-	storage "k8s.io/api/storage/v1beta1"
+
 	"k8s.io/apimachinery/pkg/api/errors"
+
+	storage "k8s.io/api/storage/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	pkgApi "k8s.io/apimachinery/pkg/types"
 )
@@ -60,6 +62,17 @@ func resourceKubernetesCSIDriverV1Beta1() *schema.Resource {
 								}, false),
 							},
 						},
+						"fs_group_policy": {
+							Type:        schema.TypeString,
+							Description: "Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Defaults to `ReadWriteOnceWithFSType`. Valid options are `File`, `None`, and `ReadWriteOnceWithFSType`.",
+							Optional:    true,
+							Default:     "ReadWriteOnceWithFSType",
+							ValidateFunc: validation.StringInSlice([]string{
+								string(storage.ReadWriteOnceWithFSTypeFSGroupPolicy),
+								string(storage.NoneFSGroupPolicy),
+								string(storage.FileFSGroupPolicy),
+							}, false),
+						},
 					},
 				},
 			},

@@ -37,6 +37,7 @@ func TestAccKubernetesCSIDriverV1Beta1_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "spec.0.attach_required", "true"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.pod_info_on_mount", "true"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.volume_lifecycle_modes.0", "Ephemeral"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.fs_group_policy", "File"),
 				),
 			},
 			{
@@ -107,6 +108,7 @@ func testAccKubernetesCSIDriverBasicV1Beta1Config(name string, attached bool) st
     attach_required        = %[2]t
     pod_info_on_mount      = %[2]t
     volume_lifecycle_modes = ["Ephemeral"]
+    fs_group_policy        = "File"
   }
 }
 `, name, attached)

@@ -28,6 +28,10 @@ func expandCSIDriverSpec(l []interface{}) storage.CSIDriverSpec {
 		obj.VolumeLifecycleModes = expandCSIDriverVolumeLifecycleModes(v)
 	}
 
+	if v, ok := in["fs_group_policy"].(string); ok && v != "" {
+		obj.FSGroupPolicy = ptr.To(storage.FSGroupPolicy(v))
+	}
+
 	return obj
 }
 
@@ -52,6 +56,10 @@ func flattenCSIDriverSpec(in storage.CSIDriverSpec) []interface{} {
 		att["volume_lifecycle_modes"] = in.VolumeLifecycleModes
 	}
 
+	if in.FSGroupPolicy != nil {
+		att["fs_group_policy"] = in.FSGroupPolicy
+	}
+
 	return []interface{}{att}
 }
 
@@ -78,5 +86,12 @@ func patchCSIDriverSpec(keyPrefix, pathPrefix string, d *schema.ResourceData) *P
 		})
 	}
 
+	if d.HasChange(keyPrefix + "fs_group_policy") {
+		ops = append(ops, &ReplaceOperation{
+			Path:  pathPrefix + "/fsGroupPolicy",
+			Value: d.Get(keyPrefix + "fs_group_policy").(string),
+		})
+	}
+
 	return &ops
 }
@@ -28,6 +28,10 @@ func expandCSIDriverV1Spec(l []interface{}) storage.CSIDriverSpec {
 		obj.VolumeLifecycleModes = expandCSIDriverV1VolumeLifecycleModes(v)
 	}
 
+	if v, ok := in["fs_group_policy"].(string); ok && v != "" {
+		obj.FSGroupPolicy = ptr.To(storage.FSGroupPolicy(v))
+	}
+
 	return obj
 }
 
@@ -52,6 +56,10 @@ func flattenCSIDriverV1Spec(in storage.CSIDriverSpec) []interface{} {
 		att["volume_lifecycle_modes"] = in.VolumeLifecycleModes
 	}
 
+	if in.FSGroupPolicy != nil {
+		att["fs_group_policy"] = in.FSGroupPolicy
+	}
+
 	return []interface{}{att}
 }
 
@@ -78,5 +86,12 @@ func patchCSIDriverV1Spec(keyPrefix, pathPrefix string, d *schema.ResourceData)
 		})
 	}
 
+	if d.HasChange(keyPrefix + "fs_group_policy") {
+		ops = append(ops, &ReplaceOperation{
+			Path:  pathPrefix + "/fsGroupPolicy",
+			Value: d.Get(keyPrefix + "fs_group_policy").(string),
+		})
+	}
+
 	return &ops
 }