@boris
Last active September 18, 2022 02:44
Nomad CSI on AWS
# Controller half of the AWS EBS CSI plugin.
#
# Runs a single Docker task that serves the CSI "controller" gRPC service on a
# unix socket under the plugin mount directory. The node half is a separate
# system job that registers under the same plugin id ("aws-ebs0").
job "plugin-aws-csi-controller" {
  datacenters = ["dc1"]

  group "controller" {
    task "plugin" {
      driver = "docker"

      resources {
        cpu    = 500
        memory = 256
      }

      # Tells Nomad that this task implements the controller side of plugin
      # "aws-ebs0". mount_dir is where Nomad bind-mounts the socket directory;
      # it must match the directory used in "--endpoint" below.
      csi_plugin {
        id        = "aws-ebs0"
        type      = "controller"
        mount_dir = "/csi"
      }

      config {
        # Pinned to a specific release tag rather than a floating tag.
        image = "amazon/aws-ebs-csi-driver:v0.10.1"

        args = [
          "controller",
          "--endpoint=unix://csi/csi.sock",
          "--logtostderr",
          # "--v=5" is a high log verbosity; useful while debugging a demo,
          # noisy for a long-running deployment.
          "--v=5",
        ]
      }
    }
  }
}
# AWS provider. The region is hard-coded; the EBS volume below is placed in an
# availability zone of this same region.
provider "aws" {
  region = "us-east-1"
}
# Instance profile that lets EC2 instances (the Nomad clients) assume the
# demoCSI role, so the CSI plugin tasks can attach/detach volumes using the
# instance credentials.
resource "aws_iam_instance_profile" "demoCSI" {
  role = aws_iam_role.demoCSI.name
  name = "demoCSI_profile"
}
# IAM role assumed by EC2 instances. The trust policy only allows the EC2
# service principal to assume it; the permissions themselves are attached via
# aws_iam_role_policy.mount_ebs_volumes.
resource "aws_iam_role" "demoCSI" {
  name        = "demoCSI"
  path        = "/"
  description = "Allows EC2 instances to call AWS services on your behalf."

  # jsonencode sorts keys on output, so the ordering here is cosmetic only.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "ec2.amazonaws.com" }
      },
    ]
  })
}
# Inline policy attaching the mount_ebs_volumes policy document to the demoCSI
# role.
resource "aws_iam_role_policy" "mount_ebs_volumes" {
  role   = aws_iam_role.demoCSI.id
  name   = "mount-ebs-volumes"
  policy = data.aws_iam_policy_document.mount_ebs_volumes.json
}
# Permissions the EBS CSI plugin needs to attach pre-existing volumes to the
# instance it runs on. No volume create/delete permissions are granted, which
# matches this setup: the volume is created by Terraform and registered with
# Nomad by hand.
data "aws_iam_policy_document" "mount_ebs_volumes" {
  # ec2:Describe* actions do not support resource-level restrictions, so "*"
  # is required for those. AttachVolume/DetachVolume do accept volume and
  # instance ARNs; scoping them is a hardening step left out of this demo.
  statement {
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ec2:DescribeInstances",
      "ec2:DescribeTags",
      "ec2:DescribeVolumes",
      "ec2:AttachVolume",
      "ec2:DetachVolume",
    ]
  }

  # NOTE(review): KMS access on every key in the account. Only needed if the
  # volume is encrypted with a customer-managed key; if so, restrict
  # resources to that key's ARN.
  statement {
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:DescribeKey",
    ]
  }
}
# The 40 GiB volume that will be registered with Nomad as "demo_csi". It must
# live in the same AZ as the Nomad client that mounts it.
# NOTE(review): "encrypted" is not set here, so the volume uses the account's
# default EBS encryption setting; the KMS grants in the policy above suggest
# encryption may be intended — confirm.
resource "aws_ebs_volume" "demo_csi" {
  size              = 40
  availability_zone = "us-east-1f"
}
# Emits a ready-to-use Nomad volume registration for the volume created above,
# with the real EBS volume id interpolated into external_id.
# The indented heredoc ("<<-") strips the common leading whitespace, so the
# output string is unchanged by the indentation used here.
output "ebs_volume" {
  value = <<-EOM
    # volume registration
    type = "csi"
    id = "demo_csi"
    name = "demo_csi"
    external_id = "${aws_ebs_volume.demo_csi.id}"
    plugin_id = "aws-ebs0"
    capability {
    access_mode = "single-node-writer"
    attachment_mode = "file-system"
    }
    EOM
}
# Node half of the AWS EBS CSI plugin.
#
# Scheduled as a "system" job so that every client in the datacenter runs one
# copy; a "service" job would also work but would not guarantee that.
job "plugin-aws-csi-nodes" {
  type        = "system"
  datacenters = ["dc1"]

  group "nodes" {
    task "plugin" {
      driver = "docker"

      resources {
        cpu    = 500
        memory = 256
      }

      # Same plugin id as the controller job; type "node" marks this task as
      # the per-host side that performs the actual mounts.
      csi_plugin {
        id        = "aws-ebs0"
        type      = "node"
        mount_dir = "/csi"
      }

      config {
        image = "amazon/aws-ebs-csi-driver:v0.10.1"

        # The node plugin mounts block devices into the host, which needs
        # host-level privileges. This is the one task in this setup that runs
        # privileged; the controller job does not.
        privileged = true

        args = [
          "node",
          "--endpoint=unix://csi/csi.sock",
          "--logtostderr",
          # High log verbosity; lower it outside of a demo.
          "--v=5",
        ]
      }
    }
  }
}

Information related to this gist is available on my personal page.

# Nomad volume registration for the Terraform-created EBS volume.
# external_id is the AWS volume id; plugin_id must match the csi_plugin id
# used by both plugin jobs.
type        = "csi"
id          = "demo_csi"
name        = "demo_csi"
external_id = "vol-0f42ee17f72114529"
plugin_id   = "aws-ebs0"

# A single writer at a time, mounted as a filesystem (not a raw block device).
capability {
  access_mode     = "single-node-writer"
  attachment_mode = "file-system"
}

# Filesystem type and mount flags applied by the node plugin at mount time.
mount_options {
  fs_type     = "ext4"
  mount_flags = ["noatime"]
}