diff --git a/terraform/ebs-csi.tf b/terraform/ebs-csi.tf
new file mode 100644
index 0000000..270a72d
--- /dev/null
+++ b/terraform/ebs-csi.tf
@@ -0,0 +1,64 @@
+# ──────────────────────────────────────────
+# EBS CSI Driver IRSA 역할
+# ──────────────────────────────────────────
+data "aws_iam_policy_document" "ebs_csi_assume_role" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "Federated"
+ identifiers = [aws_iam_openid_connect_provider.eks.arn]
+ }
+
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+
+ condition {
+ test = "StringEquals"
+ variable = "${local.oidc_provider}:aud"
+ values = ["sts.amazonaws.com"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "${local.oidc_provider}:sub"
+ values = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
+ }
+ }
+}
+
+resource "aws_iam_role" "ebs_csi" {
+ name = "${var.project_name}-ebs-csi-role"
+ assume_role_policy = data.aws_iam_policy_document.ebs_csi_assume_role.json
+
+ tags = {
+ Name = "${var.project_name}-ebs-csi-role"
+ Environment = var.environment
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "ebs_csi" {
+ role = aws_iam_role.ebs_csi.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+}
+
+# ──────────────────────────────────────────
+# EBS CSI Driver EKS Addon
+# ──────────────────────────────────────────
+resource "aws_eks_addon" "ebs_csi" {
+ cluster_name = aws_eks_cluster.main.name
+ addon_name = "aws-ebs-csi-driver"
+ service_account_role_arn = aws_iam_role.ebs_csi.arn
+
+ resolve_conflicts_on_create = "OVERWRITE"
+ resolve_conflicts_on_update = "OVERWRITE"
+
+ tags = {
+ Name = "${var.project_name}-ebs-csi-addon"
+ Environment = var.environment
+ }
+
+ depends_on = [
+ aws_eks_node_group.main,
+ aws_iam_role_policy_attachment.ebs_csi,
+ ]
+}
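Review bot: The `aws_eks_addon.ebs_csi` resource sets no `addon_version`, so the driver version installed is whatever the provider picks at apply time and is not reproducible across environments or reviewable in the diff; pin it explicitly, e.g. `addon_version = "<PINNED_ADDON_VERSION>"` next to `addon_name`, and bump it deliberately. The combination of `resolve_conflicts_on_create`/`resolve_conflicts_on_update = "OVERWRITE"` will also silently replace any addon settings changed out-of-band, which is fine for a fully Terraform-managed cluster but worth a one-line comment such as `# OVERWRITE: Terraform is the sole owner of this addon's configuration`. The trust policy is correctly scoped with both the `:aud` and `:sub` conditions to the single `kube-system:ebs-csi-controller-sa` service account, and the `depends_on` on the policy attachment avoids the addon starting before the role is usable. If EBS volumes are encrypted with a customer-managed KMS key, the managed `AmazonEBSCSIDriverPolicy` is, as far as I recall, not sufficient on its own and an additional KMS policy on this role would be needed — confirm against the deployment's storage class settings.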