From 10d87c47a33189e21f390f4561182bf1c5f4b927 Mon Sep 17 00:00:00 2001
From: LearningNewbie <35469293+LearningNewbie@users.noreply.github.com>
Date: Tue, 4 Feb 2025 10:15:01 -0500
Subject: [PATCH 1/7] Create eks_addon_efs_csi_driver.tf
---
 .../eks_addon_efs_csi_driver.tf | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 examples/resources/awscc_eks_addon/eks_addon_efs_csi_driver.tf
diff --git a/examples/resources/awscc_eks_addon/eks_addon_efs_csi_driver.tf b/examples/resources/awscc_eks_addon/eks_addon_efs_csi_driver.tf
new file mode 100644
index 000000000..f6b3f146e
--- /dev/null
+++ b/examples/resources/awscc_eks_addon/eks_addon_efs_csi_driver.tf
@@ -0,0 +1,82 @@
+# AWS IAM expects the OIDC provider URL without the `https://` prefix in the condition block.This creates a local variable for it:
+
+locals {
+ oidc_provider = replace(awscc_eks_cluster.eks_cluster.open_id_connect_issuer_url, "https://", "")
+}
+
+# Optional Custom policy for KMS support and EBS CSI Driver Role
+
+resource "awscc_iam_managed_policy" "efs_csi_kms_policy" {
+ managed_policy_name = "AmazonEKS_EFS_CSI_KMS_Policy"
+ policy_document = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ]
+ Resource = awscc_kms_key.example.arn
+ Condition = {
+ Bool = {
+ "kms:GrantIsForAWSResource" = "true"
+ }
+ }
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+ Resource = awscc_kms_key.example.arn
+ }
+ ]
+ })
+}
+
+# Create IAM role for EBS CSI Driver
+resource "awscc_iam_role" "efs_csi_role" {
+ role_name = "AmazonEKS_EFS_CSI_Driver_Role"
+ assume_role_policy_document = jsonencode({
+ Statement = [{
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Effect = "Allow"
+ Principal = {
+ Federated = awscc_iam_oidc_provider.eks.arn
+ # Example: "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
+ }
+ Condition = {
+ StringEquals = {
+ "${local.oidc_provider}:sub" = "system:serviceaccount:kube-system:efs-csi-controller-sa"
+ "${local.oidc_provider}:aud" = "sts.amazonaws.com"
+ }
+ }
+ }]
+ Version = "2012-10-17"
+ })
+
+managed_policy_arns = [
+ awscc_iam_managed_policy.efs_csi_kms_policy.arn,
+ "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
+ ]
+}
+
+# Once the IAM role is ready, create EFS CSI addon
+
+resource "awscc_eks_addon" "efs_csi" {
+ cluster_name = awscc_eks_cluster.cluster_name
+ addon_name = "aws-efs-csi-driver"
+ addon_version = "v2.1.4-eksbuild.1" #Change version to required
+ service_account_role_arn = awscc_iam_role.efs_csi_role.arn
+ resolve_conflicts = "OVERWRITE"
+ tags = [{
+ key = "Modified By"
+ value = "AWSCC"
+ }]
+}
From 7f503edaf29c7146ac484ca76f77429a496305a9 Mon Sep 17 00:00:00 2001
From: LearningNewbie <35469293+LearningNewbie@users.noreply.github.com>
Date: Tue, 4 Feb 2025 10:24:34 -0500
Subject: [PATCH 2/7] Update eks_addon.md.tmpl
---
 templates/resources/eks_addon.md.tmpl | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/templates/resources/eks_addon.md.tmpl b/templates/resources/eks_addon.md.tmpl
index 2db3992f5..cfd658abc 100644
--- a/templates/resources/eks_addon.md.tmpl
+++ b/templates/resources/eks_addon.md.tmpl
@@ -17,6 +17,9 @@ description: |-
 ### Create EBS CSI addon
 {{ tffile (printf "examples/resources/%s/eks_addon_ebs_csi_driver.tf" .Name)}}
 
+### Create EFS CSI addon
+{{ tffile (printf "examples/resources/%s/eks_addon_efs_csi_driver.tf" .Name)}}
+
 ### Create VPC CNI addon
 {{ tffile (printf "examples/resources/%s/eks_addon_vpc_cni.tf" .Name)}}
 
From 52689b134137465b7947c9e83044dfa05710bbc3 Mon Sep 17 00:00:00 2001
From: LearningNewbie <35469293+LearningNewbie@users.noreply.github.com>
Date: Tue, 4 Feb 2025 10:38:09 -0500
Subject: [PATCH 3/7] Update eks_addon.md
---
 docs/resources/eks_addon.md | 86 +++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
diff --git a/docs/resources/eks_addon.md b/docs/resources/eks_addon.md
index 7177dbdc7..00bf7d31e 100644
--- a/docs/resources/eks_addon.md
+++ b/docs/resources/eks_addon.md
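Review bot: `cluster_name = awscc_eks_cluster.cluster_name` in the `awscc_eks_addon` block refers to a resource named `cluster_name`, while the `locals` block at the top of this hunk references `awscc_eks_cluster.eks_cluster`; unless a second cluster resource exists outside this file, Terraform will reject the reference and the addon will never be created. The intended value is presumably the cluster's name attribute, `cluster_name = awscc_eks_cluster.eks_cluster.name` — confirm the attribute against the provider schema. The comments `# Optional Custom policy for KMS support and EBS CSI Driver Role` and `# Create IAM role for EBS CSI Driver` still say EBS in an EFS example, and the two KMS statements look copied from the EBS CSI example; if the EFS CSI driver does not itself call KMS, attaching `efs_csi_kms_policy` widens the role beyond `AmazonEFSCSIDriverPolicy` for no benefit, so either document why it is needed or drop it. The trust policy pinning both the `:sub` service account and the `:aud` audience is the part worth keeping exactly as written. The same resource reference and comments are duplicated in the docs copy added under PATCH 3/7.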
@@ -102,6 +102,92 @@ resource "awscc_eks_addon" "ebs_csi" {
 }
 ```
 
+### Create EBS CSI addon
+```terraform
+# AWS IAM expects the OIDC provider URL without the `https://` prefix in the condition block. This creates a local variable for it:
+
+locals {
+ oidc_provider = replace(awscc_eks_cluster.eks_cluster.open_id_connect_issuer_url, "https://", "")
+}
+
+# Optional Custom policy for KMS support and EBS CSI Driver Role
+
+resource "awscc_iam_managed_policy" "efs_csi_kms_policy" {
+ managed_policy_name = "AmazonEKS_EFS_CSI_KMS_Policy"
+ policy_document = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ]
+ Resource = awscc_kms_key.example.arn
+ Condition = {
+ Bool = {
+ "kms:GrantIsForAWSResource" = "true"
+ }
+ }
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+ Resource = awscc_kms_key.example.arn
+ }
+ ]
+ })
+}
+
+# Create IAM role for EBS CSI Driver
+resource "awscc_iam_role" "efs_csi_role" {
+ role_name = "AmazonEKS_EFS_CSI_Driver_Role"
+ assume_role_policy_document = jsonencode({
+ Statement = [{
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Effect = "Allow"
+ Principal = {
+ Federated = awscc_iam_oidc_provider.eks.arn
+ # Example: "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
+ }
+ Condition = {
+ StringEquals = {
+ "${local.oidc_provider}:sub" = "system:serviceaccount:kube-system:efs-csi-controller-sa"
+ "${local.oidc_provider}:aud" = "sts.amazonaws.com"
+ }
+ }
+ }]
+ Version = "2012-10-17"
+ })
+
+managed_policy_arns = [
+ awscc_iam_managed_policy.efs_csi_kms_policy.arn,
+ "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
+ ]
+}
+
+# Once the IAM role is ready, create EFS CSI addon
+
+resource "awscc_eks_addon" "efs_csi" {
+ cluster_name = awscc_eks_cluster.cluster_name
+ addon_name = "aws-efs-csi-driver"
+ addon_version = "v2.1.4-eksbuild.1" #Change version to required
+ service_account_role_arn = awscc_iam_role.efs_csi_role.arn
+ resolve_conflicts = "OVERWRITE"
+ tags = [{
+ key = "Modified By"
+ value = "AWSCC"
+ }]
+}
+```
+
 ### Create VPC CNI addon
 ```terraform
 # AWS IAM expects the OIDC provider URL without the `https://` prefix in the condition block.
From d1afceb3233040cff51330ed61db4619da26dbbc Mon Sep 17 00:00:00 2001
From: LearningNewbie <35469293+LearningNewbie@users.noreply.github.com>
Date: Tue, 4 Feb 2025 10:38:35 -0500
Subject: [PATCH 4/7] Update eks_addon.md
---
 docs/resources/eks_addon.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/resources/eks_addon.md b/docs/resources/eks_addon.md
index 00bf7d31e..a682c2f9d 100644
--- a/docs/resources/eks_addon.md
+++ b/docs/resources/eks_addon.md
@@ -102,7 +102,7 @@ resource "awscc_eks_addon" "ebs_csi" {
 }
 ```
 
-### Create EBS CSI addon
+### Create EFS CSI addon
 ```terraform
 # AWS IAM expects the OIDC provider URL without the `https://` prefix in the condition block. This creates a local variable for it:
 
From aa810800da39dd195f00f0e2136d79d50006645b Mon Sep 17 00:00:00 2001
From: LearningNewbie <35469293+LearningNewbie@users.noreply.github.com>
Date: Tue, 4 Feb 2025 16:53:08 -0500
Subject: [PATCH 5/7] Update eks_addon.md
---
 docs/resources/eks_addon.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/resources/eks_addon.md b/docs/resources/eks_addon.md
index a682c2f9d..90c8b3fc3 100644
--- a/docs/resources/eks_addon.md
+++ b/docs/resources/eks_addon.md
@@ -104,7 +104,7 @@ resource "awscc_eks_addon" "ebs_csi" {
 
 ### Create EFS CSI addon
 ```terraform
-# AWS IAM expects the OIDC provider URL without the `https://` prefix in the condition block. This creates a local variable for it:
+# AWS IAM expects the OIDC provider URL without the `https://` prefix in the condition block.This creates a local variable for it:
 
 locals {
 oidc_provider = replace(awscc_eks_cluster.eks_cluster.open_id_connect_issuer_url, "https://", "")
From 120dfe440abf7b5aacd899bd1ba08d9fcd6f15db Mon Sep 17 00:00:00 2001
From: LearningNewbie <35469293+LearningNewbie@users.noreply.github.com>
Date: Tue, 4 Mar 2025 17:06:12 -0500
Subject: [PATCH 6/7] Update eks_addon_efs_csi_driver.tf
---
 .../resources/awscc_eks_addon/eks_addon_efs_csi_driver.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/examples/resources/awscc_eks_addon/eks_addon_efs_csi_driver.tf b/examples/resources/awscc_eks_addon/eks_addon_efs_csi_driver.tf
index f6b3f146e..2b9af3720 100644
--- a/examples/resources/awscc_eks_addon/eks_addon_efs_csi_driver.tf
+++ b/examples/resources/awscc_eks_addon/eks_addon_efs_csi_driver.tf
@@ -60,8 +60,8 @@ resource "awscc_iam_role" "efs_csi_role" {
 }]
 Version = "2012-10-17"
 })
-
-managed_policy_arns = [
+
+ managed_policy_arns = [
 awscc_iam_managed_policy.efs_csi_kms_policy.arn,
 "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
 ]
@@ -72,7 +72,7 @@ managed_policy_arns = [
 resource "awscc_eks_addon" "efs_csi" {
 cluster_name = awscc_eks_cluster.cluster_name
 addon_name = "aws-efs-csi-driver"
- addon_version = "v2.1.4-eksbuild.1" #Change version to required
+ addon_version = "v2.1.4-eksbuild.1" #Change version to required
 service_account_role_arn = awscc_iam_role.efs_csi_role.arn
 resolve_conflicts = "OVERWRITE"
 tags = [{
From 06d03ff10dcf590f1ce48fb9b12b1dbbe1390a7a Mon Sep 17 00:00:00 2001
From: LearningNewbie <35469293+LearningNewbie@users.noreply.github.com>
Date: Tue, 4 Mar 2025 17:15:27 -0500
Subject: [PATCH 7/7] Update eks_addon.md
---
 docs/resources/eks_addon.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/resources/eks_addon.md b/docs/resources/eks_addon.md
index 90c8b3fc3..a871b2fa6 100644
--- a/docs/resources/eks_addon.md
+++ b/docs/resources/eks_addon.md
@@ -166,8 +166,8 @@ resource "awscc_iam_role" "efs_csi_role" {
 }]
 Version = "2012-10-17"
 })
-
-managed_policy_arns = [
+
+ managed_policy_arns = [
 awscc_iam_managed_policy.efs_csi_kms_policy.arn,
 "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
 ]
@@ -178,7 +178,7 @@ managed_policy_arns = [
 resource "awscc_eks_addon" "efs_csi" {
 cluster_name = awscc_eks_cluster.cluster_name
 addon_name = "aws-efs-csi-driver"
- addon_version = "v2.1.4-eksbuild.1" #Change version to required
+ addon_version = "v2.1.4-eksbuild.1" #Change version to required
 service_account_role_arn = awscc_iam_role.efs_csi_role.arn
 resolve_conflicts = "OVERWRITE"
 tags = [{