Create IAM role for dynamic volume provisioning support

Optionally sets up an IAM role that is required for dynamic volume provisioning to work on AWS.

Related to #379

assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/controllers.tf

@@ -13,6 +13,68 @@ resource "aws_route53_record" "etcds" {
   records = [aws_instance.controllers[count.index].private_ip]
 }
 
+# IAM Policy
+resource "aws_iam_instance_profile" "csi-driver" {
+  count = var.enable_csi ? 1 : 0
+  role  = join("", aws_iam_role.csi-driver.*.name)
+}
+
+resource "aws_iam_role_policy" "csi-driver" {
+  count = var.enable_csi ? 1 : 0
+  role  = join("", aws_iam_role.csi-driver.*.id)
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Action": [
+          "ec2:AttachVolume",
+          "ec2:CreateSnapshot",
+          "ec2:CreateTags",
+          "ec2:CreateVolume",
+          "ec2:DeleteSnapshot",
+          "ec2:DeleteTags",
+          "ec2:DeleteVolume",
+          "ec2:DescribeAvailabilityZones",
+          "ec2:DescribeInstances",
+          "ec2:DescribeSnapshots",
+          "ec2:DescribeTags",
+          "ec2:DescribeVolumes",
+          "ec2:DescribeVolumesModifications",
+          "ec2:DetachVolume",
+          "ec2:ModifyVolume"
+        ],
+        "Effect": "Allow",
+        "Resource": "*"
+      }
+    ]
+  }
+  EOF
+}
+
+resource "aws_iam_role" "csi-driver" {
+  count = var.enable_csi ? 1 : 0
+  path  = "/"
+  tags  = var.tags
+
+  assume_role_policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+               "Service": "ec2.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+  }
+  EOF
+}
+
 # Controller instances
 resource "aws_instance" "controllers" {
   count = var.controller_count
@@ -23,8 +85,9 @@ resource "aws_instance" "controllers" {
 
   instance_type = var.controller_type
 
-  ami       = local.ami_id
-  user_data = data.ct_config.controller-ignitions[count.index].rendered
+  ami                  = local.ami_id
+  user_data            = data.ct_config.controller-ignitions[count.index].rendered
+  iam_instance_profile = join("", aws_iam_instance_profile.csi-driver.*.name)
 
   # storage
   root_block_device {

assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/variables.tf

@@ -92,6 +92,12 @@ variable "tags" {
   description = "Optional details to tag on AWS resources"
 }
 
+variable "enable_csi" {
+  type        = bool
+  default     = false
+  description = "Set up IAM role needed for dynamic volumes provisioning to work on AWS"
+}
+
 # configuration
 
 variable "ssh_keys" {

docs/configuration-reference/platforms/aws.md

@@ -91,6 +91,8 @@ cluster "aws" {
 
   dns_zone_id = route53_zone_id
 
+  enable_csi = true
+
   expose_nodeports = false
 
   ssh_pubkeys = var.ssh_public_keys
@@ -202,6 +204,7 @@ worker_pool "my-worker-pool" {
 | `oidc.client_id`              | A client id that all tokens must be issued for.                                                                                                                                            | "gangway"       | false    |
 | `oidc.username_claim`         | JWT claim to use as the user name.                                                                                                                                                         | "email"         | false    |
 | `oidc.groups_claim`           | JWT claim to use as the user’s group.                                                                                                                                                      | "groups"        | false    |
+| `enable_csi`     | Set up IAM role needed for dynamic volumes provisioning to work on AWS                                                                                                                     | false           | false    |
 | `expose_nodeports`            | Expose node ports `30000-32767` in the security group, if set to `true`.                                                                                                                   | false           | false    |
 | `ssh_pubkeys`                 | List of SSH public keys for user `core`. Each element must be specified in a valid OpenSSH public key format, as defined in RFC 4253 Section 6.6, e.g. "ssh-rsa AAAAB3N...".               | -               | true     |
 | `controller_count`            | Number of controller nodes.                                                                                                                                                                | 1               | false    |

pkg/platform/aws/aws.go

@@ -74,6 +74,7 @@ type config struct {
 	HostCIDR                 string            `hcl:"host_cidr,optional"`
 	PodCIDR                  string            `hcl:"pod_cidr,optional"`
 	ServiceCIDR              string            `hcl:"service_cidr,optional"`
+	EnableCSI                bool              `hcl:"enable_csi,optional"`
 	ClusterDomainSuffix      string            `hcl:"cluster_domain_suffix,optional"`
 	EnableReporting          bool              `hcl:"enable_reporting,optional"`
 	CertsValidityPeriodHours int               `hcl:"certs_validity_period_hours,optional"`

pkg/platform/aws/template.go

@@ -30,6 +30,7 @@ module "aws-{{.Config.ClusterName}}" {
   tags         = {{.Tags}}
   dns_zone     = "{{.Config.DNSZone}}"
   dns_zone_id  = "{{.Config.DNSZoneID}}"
+  enable_csi   = {{.Config.EnableCSI}}
   {{- if .Config.ClusterDomainSuffix }}
   cluster_domain_suffix = "{{.Config.ClusterDomainSuffix}}"
   {{- end }}