From 19db454758800c857f8ad048d404cf5c68b3ea28 Mon Sep 17 00:00:00 2001
From: eomkyeongmun
Date: Wed, 27 May 2026 14:32:36 +0900
Subject: [PATCH] =?UTF-8?q?feat:=20EBS=20CSI=20Driver=20EKS=20addon=20?= =?UTF-8?q?=EC=B6=94=EA=B0=80=20(closes=20#35)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

EKS 1.23+에서 동적 EBS 프로비저닝이 동작하려면 별도 add-on이 필요. IRSA(AmazonEBSCSIDriverPolicy 관리형 정책 사용)와 함께 aws-ebs-csi-driver addon을 구성.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 terraform/ebs-csi.tf | 64 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 terraform/ebs-csi.tf

diff --git a/terraform/ebs-csi.tf b/terraform/ebs-csi.tf
new file mode 100644
index 0000000..270a72d
--- /dev/null
+++ b/terraform/ebs-csi.tf
@@ -0,0 +1,64 @@
+# ──────────────────────────────────────────
+# EBS CSI Driver IRSA 역할
+# ──────────────────────────────────────────
+data "aws_iam_policy_document" "ebs_csi_assume_role" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "Federated"
+ identifiers = [aws_iam_openid_connect_provider.eks.arn]
+ }
+
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+
+ condition {
+ test = "StringEquals"
+ variable = "${local.oidc_provider}:aud"
+ values = ["sts.amazonaws.com"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "${local.oidc_provider}:sub"
+ values = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
+ }
+ }
+}
+
+resource "aws_iam_role" "ebs_csi" {
+ name = "${var.project_name}-ebs-csi-role"
+ assume_role_policy = data.aws_iam_policy_document.ebs_csi_assume_role.json
+
+ tags = {
+ Name = "${var.project_name}-ebs-csi-role"
+ Environment = var.environment
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "ebs_csi" {
+ role = aws_iam_role.ebs_csi.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+}
+
+# ──────────────────────────────────────────
+# EBS CSI Driver EKS Addon
+# ──────────────────────────────────────────
+resource "aws_eks_addon" "ebs_csi" {
+ cluster_name = aws_eks_cluster.main.name
+ addon_name = "aws-ebs-csi-driver"
+ service_account_role_arn = aws_iam_role.ebs_csi.arn
+
+ resolve_conflicts_on_create = "OVERWRITE"
+ resolve_conflicts_on_update = "OVERWRITE"
+
+ tags = {
+ Name = "${var.project_name}-ebs-csi-addon"
+ Environment = var.environment
+ }
+
+ depends_on = [
+ aws_eks_node_group.main,
+ aws_iam_role_policy_attachment.ebs_csi,
+ ]
+}
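Review bot: `aws_eks_addon.ebs_csi` sets no `addon_version`, so the driver build that runs with the IRSA role is whatever default EKS resolves when the addon is created. That leaves the version unreviewed and not reproducible across environments. Pin it with something like `addon_version = var.ebs_csi_addon_version` (placeholder variable name, not defined in this patch) and bump it deliberately. In the same resource, `resolve_conflicts_on_update = "OVERWRITE"` discards any in-cluster changes to the addon on every update; `resolve_conflicts_on_update = "PRESERVE"` keeps them while still allowing `OVERWRITE` on create. Separately, nothing in this file shows whether provisioned volumes are encrypted. If the StorageClass uses a customer-managed KMS key, the role will presumably need KMS permissions beyond `AmazonEBSCSIDriverPolicy`, which is worth confirming against the StorageClass definition.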