feat(iam-role-for-service-accounts-eks): support ebs csi fast snapsho…

…t restore

examples/iam-role-for-service-accounts-eks/main.tf

@@ -107,8 +107,9 @@ module "cluster_autoscaler_irsa_role" {
 module "ebs_csi_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name             = "ebs-csi"
-  attach_ebs_csi_policy = true
+  role_name                     = "ebs-csi"
+  attach_ebs_csi_policy         = true
+  ebs_csi_fast_snapshot_restore = true
 
   oidc_providers = {
     ex = {

modules/iam-role-for-service-accounts-eks/README.md

@@ -214,6 +214,7 @@ No modules.
 | <a name="input_cluster_autoscaler_cluster_ids"></a> [cluster\_autoscaler\_cluster\_ids](#input\_cluster\_autoscaler\_cluster\_ids) | [Deprecated - use `cluster_autoscaler_cluster_names`] List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no |
 | <a name="input_cluster_autoscaler_cluster_names"></a> [cluster\_autoscaler\_cluster\_names](#input\_cluster\_autoscaler\_cluster\_names) | List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no |
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no |
+| <a name="input_ebs_csi_fast_snapshot_restore"></a> [ebs\_csi\_fast\_snapshot\_restore](#input\_ebs\_csi\_fast\_snapshot\_restore) | Determines whether to attach addition IAM policy to enable fast snapshot restores for EBS CSI | `bool` | `false` | no |
 | <a name="input_ebs_csi_kms_cmk_ids"></a> [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
 | <a name="input_enable_karpenter_instance_profile_creation"></a> [enable\_karpenter\_instance\_profile\_creation](#input\_enable\_karpenter\_instance\_profile\_creation) | Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1/v0.32+) | `bool` | `false` | no |
 | <a name="input_external_dns_hosted_zone_arns"></a> [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` | <pre>[<br>  "arn:aws:route53:::hostedzone/*"<br>]</pre> | no |

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -331,6 +331,17 @@ data "aws_iam_policy_document" "ebs_csi" {
       resources = var.ebs_csi_kms_cmk_ids
     }
   }
+
+  # https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/fast-snapshot-restores.md#prerequisites
+  dynamic "statement" {
+    for_each = var.ebs_csi_fast_snapshot_restore ? [1] : []
+    content {
+      actions = [
+        "ec2:EnableFastSnapshotRestores"
+      ]
+      resources = ["*"]
+    }
+  }
 }
 
 resource "aws_iam_policy" "ebs_csi" {

modules/iam-role-for-service-accounts-eks/variables.tf

@@ -132,6 +132,12 @@ variable "attach_ebs_csi_policy" {
   default     = false
 }
 
+variable "ebs_csi_fast_snapshot_restore" {
+  description = "Determines whether to attach addition IAM policy to enable fast snapshot restores for EBS CSI"
+  type        = bool
+  default     = false
+}
+
 variable "ebs_csi_kms_cmk_ids" {
   description = "KMS CMK IDs to allow EBS CSI to manage encrypted volumes"
   type        = list(string)

wrappers/iam-role-for-service-accounts-eks/main.tf

@@ -29,6 +29,7 @@ module "wrapper" {
   cluster_autoscaler_cluster_ids                                  = try(each.value.cluster_autoscaler_cluster_ids, var.defaults.cluster_autoscaler_cluster_ids, [])
   cluster_autoscaler_cluster_names                                = try(each.value.cluster_autoscaler_cluster_names, var.defaults.cluster_autoscaler_cluster_names, [])
   create_role                                                     = try(each.value.create_role, var.defaults.create_role, true)
+  ebs_csi_fast_snapshot_restore                                   = try(each.value.ebs_csi_fast_snapshot_restore, var.defaults.ebs_csi_fast_snapshot_restore, false)
   ebs_csi_kms_cmk_ids                                             = try(each.value.ebs_csi_kms_cmk_ids, var.defaults.ebs_csi_kms_cmk_ids, [])
   enable_karpenter_instance_profile_creation                      = try(each.value.enable_karpenter_instance_profile_creation, var.defaults.enable_karpenter_instance_profile_creation, false)
   external_dns_hosted_zone_arns                                   = try(each.value.external_dns_hosted_zone_arns, var.defaults.external_dns_hosted_zone_arns, ["arn:aws:route53:::hostedzone/*"])