boris/Nomad CSI on AWS.md

## controller.nomad
job "plugin-aws-csi-controller" {
  datacenters = ["dc1"]

  group "controller" {
    task "plugin" {
      driver = "docker"

      config {
        image = "amazon/aws-ebs-csi-driver:v0.10.1"

        args = [
          "controller",
          "--endpoint=unix://csi/csi.sock",
          "--logtostderr",
          "--v=5",
        ]
      }

      csi_plugin {
        id        = "aws-ebs0"
        type      = "controller"
        mount_dir = "/csi"
      }

      resources {
        cpu    = 500
        memory = 256
      }
    }
  }
}

## main.tf
provider "aws" {
  region = "us-east-1"
}

resource "aws_iam_instance_profile" "demoCSI" {
  name = "demoCSI_profile"
  role = aws_iam_role.demoCSI.name
}

resource "aws_iam_role" "demoCSI" {
  name        = "demoCSI"
  path        = "/"
  description = "Allows EC2 instances to call AWS services on your behalf."

  assume_role_policy = jsonencode(
    {
      Statement = [
        {
          Action = "sts:AssumeRole"
          Effect = "Allow"
          Principal = {
            Service = "ec2.amazonaws.com"
          }
        },
      ]
      Version = "2012-10-17"
    }
  )
}

resource "aws_iam_role_policy" "mount_ebs_volumes" {
  name   = "mount-ebs-volumes"
  role   = aws_iam_role.demoCSI.id
  policy = data.aws_iam_policy_document.mount_ebs_volumes.json
}

data "aws_iam_policy_document" "mount_ebs_volumes" {
  statement {
    effect = "Allow"

    actions = [
      "ec2:DescribeInstances",
      "ec2:DescribeTags",
      "ec2:DescribeVolumes",
      "ec2:AttachVolume",
      "ec2:DetachVolume",
    ]
    resources = ["*"]
  }

  statement {
    effect = "Allow"

    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:DescribeKey",
    ]

    resources = ["*"]
  }
}

resource "aws_ebs_volume" "demo_csi" {
  availability_zone = "us-east-1f"
  size              = 40

}

output "ebs_volume" {
  value = <<EOM
# volume registration
type = "csi"
id = "demo_csi"
name = "demo_csi"
external_id = "${aws_ebs_volume.demo_csi.id}"
plugin_id = "aws-ebs0"
capability {
  access_mode = "single-node-writer"
  attachment_mode = "file-system"
}
EOM
}

## nodes.nomad
job "plugin-aws-csi-nodes" {
  datacenters = ["dc1"]

  # you can run node plugins as service jobs as well, but this ensures
  # that all nodes in the DC have a copy.
  type = "system"

  group "nodes" {
    task "plugin" {
      driver = "docker"

      config {
        image = "amazon/aws-ebs-csi-driver:v0.10.1"

        args = [
          "node",
          "--endpoint=unix://csi/csi.sock",
          "--logtostderr",
          "--v=5",
        ]

        # node plugins must run as privileged jobs because they
        # mount disks to the host
        privileged = true
      }

      csi_plugin {
        id        = "aws-ebs0"
        type      = "node"
        mount_dir = "/csi"
      }

      resources {
        cpu    = 500
        memory = 256
      }
    }
  }
}

## Nomad CSI on AWS.md

      
    Raw
  

              Nomad CSI on AWS.md
            
          
    Information related to this gist is avaiable on my personal page.

  
## volume.hcl
type = "csi"
id = "demo_csi"
name = "demo_csi"
external_id = "vol-0f42ee17f72114529"
plugin_id = "aws-ebs0"

capability {
  access_mode = "single-node-writer"
  attachment_mode = "file-system"
}

mount_options {
  fs_type = "ext4"
  mount_flags = ["noatime"]
}
	job "plugin-aws-csi-controller" {
	datacenters = ["dc1"]

	group "controller" {
	task "plugin" {
	driver = "docker"

	config {
	image = "amazon/aws-ebs-csi-driver:v0.10.1"

	args = [
	"controller",
	"--endpoint=unix://csi/csi.sock",
	"--logtostderr",
	"--v=5",
	]
	}

	csi_plugin {
	id = "aws-ebs0"
	type = "controller"
	mount_dir = "/csi"
	}

	resources {
	cpu = 500
	memory = 256
	}
	}
	}
	}
	provider "aws" {
	region = "us-east-1"
	}

	resource "aws_iam_instance_profile" "demoCSI" {
	name = "demoCSI_profile"
	role = aws_iam_role.demoCSI.name
	}

	resource "aws_iam_role" "demoCSI" {
	name = "demoCSI"
	path = "/"
	description = "Allows EC2 instances to call AWS services on your behalf."

	assume_role_policy = jsonencode(
	{
	Statement = [
	{
	Action = "sts:AssumeRole"
	Effect = "Allow"
	Principal = {
	Service = "ec2.amazonaws.com"
	}
	},
	]
	Version = "2012-10-17"
	}
	)
	}

	resource "aws_iam_role_policy" "mount_ebs_volumes" {
	name = "mount-ebs-volumes"
	role = aws_iam_role.demoCSI.id
	policy = data.aws_iam_policy_document.mount_ebs_volumes.json
	}

	data "aws_iam_policy_document" "mount_ebs_volumes" {
	statement {
	effect = "Allow"

	actions = [
	"ec2:DescribeInstances",
	"ec2:DescribeTags",
	"ec2:DescribeVolumes",
	"ec2:AttachVolume",
	"ec2:DetachVolume",
	]
	resources = ["*"]
	}

	statement {
	effect = "Allow"

	actions = [
	"kms:Encrypt",
	"kms:Decrypt",
	"kms:DescribeKey",
	]

	resources = ["*"]
	}
	}

	resource "aws_ebs_volume" "demo_csi" {
	availability_zone = "us-east-1f"
	size = 40

	}

	output "ebs_volume" {
	value = <<EOM
	# volume registration
	type = "csi"
	id = "demo_csi"
	name = "demo_csi"
	external_id = "${aws_ebs_volume.demo_csi.id}"
	plugin_id = "aws-ebs0"
	capability {
	access_mode = "single-node-writer"
	attachment_mode = "file-system"
	}
	EOM
	}
	job "plugin-aws-csi-nodes" {
	datacenters = ["dc1"]

	# you can run node plugins as service jobs as well, but this ensures
	# that all nodes in the DC have a copy.
	type = "system"

	group "nodes" {
	task "plugin" {
	driver = "docker"

	config {
	image = "amazon/aws-ebs-csi-driver:v0.10.1"

	args = [
	"node",
	"--endpoint=unix://csi/csi.sock",
	"--logtostderr",
	"--v=5",
	]

	# node plugins must run as privileged jobs because they
	# mount disks to the host
	privileged = true
	}

	csi_plugin {
	id = "aws-ebs0"
	type = "node"
	mount_dir = "/csi"
	}

	resources {
	cpu = 500
	memory = 256
	}
	}
	}
	}