Expose EFS toggle

[blancharda]

The upstream blueprint module for EKS addons exposes enable_aws_efs_csi_driver as an input.

It would be nice to be able to toggle it on in our module, similar to EBS.

[blancharda]

We may also want to consider setting the helm chart config to add a storage class.
Pretty sure this can be accomplished with something like:

aws_efs_csi_driver_helm_config = {
    storageClasses = [
        {
            name = "efs-dyn-sc"
            ...
        }
   ]
}

[blancharda]

For reference, @ntwkninja found an example usage of it here.

Note the addition of some supplemental resources (namely, a storage class, and some security group goodness):

#####################
# Supporting Resources
#####################

resource "kubernetes_storage_class_v1" "efs" {
  metadata {
    name = "efs-dyn-sc"
  }

  storage_provisioner = "efs.csi.aws.com"
  parameters = {
    provisioningMode = "efs-ap" # Dynamic provisioning
    fileSystemId     = module.efs.id
    directoryPerms   = "700"
  }

  mount_options = [
    "iam"
  ]

  depends_on = [
    module.eks
  ]
}

module "efs" {
  source  = "terraform-aws-modules/efs/aws"
  version = "~> 1.0"

  creation_token = local.name
  name           = local.name

  # Mount targets / security group
  mount_targets = {
    for k, v in zipmap(module.vpc.azs, module.vpc.private_subnets) : k => { subnet_id = v }
  }
  security_group_description = "${local.name} EFS security group"
  security_group_vpc_id      = module.vpc.vpc_id
  security_group_rules = {
    vpc = {
      # relying on the defaults provdied for EFS/NFS (2049/TCP + ingress)
      description = "NFS ingress from VPC private subnets"
      cidr_blocks = module.vpc.private_subnets_cidr_blocks
    }
  }

  tags = local.tags
}

Note, the above snippet has been adjusted to match the naming/structure of our examples.

[blancharda]

One last(™️) one..
Might be worth also adding the EFS endpoint to the VPC module like so:

    efs = {
      service             = "elasticfilesystem"
      private_dns_enabled = true
      subnet_ids          = module.vpc.private_subnets
      security_group_ids  = [aws_security_group.vpc_tls.id]
    },

[JaseKoonce]

@blancharda, was there a use case you had in mind for adding the EFS endpoint?

[blancharda]

This isn't just the endpoint, it installs the EFS storage driver (as an alternative to EBS) which allows provisioning flexible storage backends and volumes that support RWM mounts -- if I understand correctly, enabling the endpoint would just allow us to access the EFS api from our private VPC without traversing out to the public internet.

[JaseKoonce]

@blancharda Thanks for explaining the endpoint purpose. My understanding (could definitely be flawed) is that because the mount targets point towards the EKS AZs and also because they live in the same VPC the traffic should all stay private/not need to leave the VPC, but I will look into that to verify.

[blancharda]

(Very possible I don't understand the purpose of the endpoint correctly 😆 -- but it seems worth looking into)

[JaseKoonce]

@blancharda, It definitely looks like you are correct about traffic traversing the public internet to reach the efs api without the vpc endpoint . I will go ahead and add that into the branch

[blancharda]

The supporting resources (particularly resource "kubernetes_storage_class_v1" "efs") should include a way to adjust the reclaim_policy.

reclaim_policy is a field in the storage class resource