AWS::EFS::FileSystem - FileSystemPolicy needs separate resource #900
Comments
Commenting in support as I'm facing this issue as well. Here is my snippet:

```yaml
EFSAccessPoint:
  Type: AWS::EFS::AccessPoint
  Properties:
    FileSystemId: !Ref ElasticFileSystem
    PosixUser:
      Gid: "1001"
      Uid: "1001"
    RootDirectory:
      Path: "/"
      CreationInfo:
        OwnerGid: "1001"
        OwnerUid: "1001"
        Permissions: "775"
ElasticFileSystem:
  Type: AWS::EFS::FileSystem
  Properties:
    PerformanceMode: generalPurpose
    Encrypted: true
    FileSystemPolicy:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Action:
            - elasticfilesystem:ClientWrite
          Principal:
            AWS: !GetAtt InstanceRole.Arn
          Condition:
            Bool:
              elasticfilesystem:AccessViaMountTarget: true
        - Effect: "Allow"
          Action:
            - elasticfilesystem:ClientMount
          Principal:
            AWS: !GetAtt InstanceRole.Arn
          Condition:
            StringEquals:
              elasticfilesystem:AccessPointArn: !GetAtt EFSAccessPoint.Arn
```
This is still an issue. It is currently impossible to create file system policies that refer to access points, since that creates a circular dependency. The FileSystemPolicy needs to be broken out into a separate resource.
Just started using CDK and encountered this issue. The idea that I can create an EFS and access points and then have to write a lambda to retrieve those in a separate stack just so that I can add some policies to govern the access points is crazy. I think Terraform just splits them out.
Using CDK 2.161.1 to create an EFS with an access point and trying to grant the resource-based IAM policy by specifying the access point id failed with the same error. I hope we can have a fix for this one.
AWS::EFS::FileSystem FileSystemPolicy is currently a JSON document. It needs to also support a separate FileSystemPolicy CFN resource, because the policy often references AWS::EFS::AccessPoint, which references AWS::EFS::FileSystem, which is a circular dependency and so not usable.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html#cfn-efs-filesystem-filesystempolicy
2. Scope of request
new attribute for an existing resource and new resource is desired
4. Test case
See attached template, fails with:
filesystempolicy.json.zip
6. Category (required) - Will help with tagging and be easier to find by other users to +1
Storage (EFS)
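The circular dependency described in this issue can be checked mechanically before a deployment fails on it. The following is an added example, not code from the issue or its attachment: it takes the JSON form of the YAML snippet posted in the thread (with a minimal, constructed `InstanceRole` so the `GetAtt` references resolve), builds the `Ref`/`Fn::GetAtt`/`DependsOn` graph between resources, and reports the `EFSAccessPoint -> ElasticFileSystem -> EFSAccessPoint` cycle. Removing the inline `FileSystemPolicy` (which is what a separate policy resource applied after creation would leave behind) makes the same graph acyclic. Only the standard library is used.

```python
import copy

# Constructed template: JSON form of the thread's YAML snippet plus a minimal
# InstanceRole so the GetAtt references resolve. Not the issue's attachment.
TEMPLATE = {"Resources": {
    "InstanceRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole"}]}}},
    "EFSAccessPoint": {"Type": "AWS::EFS::AccessPoint", "Properties": {
        "FileSystemId": {"Ref": "ElasticFileSystem"},
        "PosixUser": {"Gid": "1001", "Uid": "1001"},
        "RootDirectory": {"Path": "/", "CreationInfo": {
            "OwnerGid": "1001", "OwnerUid": "1001", "Permissions": "775"}}}},
    "ElasticFileSystem": {"Type": "AWS::EFS::FileSystem", "Properties": {
        "PerformanceMode": "generalPurpose", "Encrypted": True,
        "FileSystemPolicy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["elasticfilesystem:ClientWrite"],
             "Principal": {"AWS": {"Fn::GetAtt": ["InstanceRole", "Arn"]}},
             "Condition": {"Bool": {"elasticfilesystem:AccessViaMountTarget": "true"}}},
            {"Effect": "Allow", "Action": ["elasticfilesystem:ClientMount"],
             "Principal": {"AWS": {"Fn::GetAtt": ["InstanceRole", "Arn"]}},
             "Condition": {"StringEquals": {
                 "elasticfilesystem:AccessPointArn": {"Fn::GetAtt": ["EFSAccessPoint", "Arn"]}}}}]}}},
}}


def references(node, acc=None):
    """Collect logical ids referenced through Ref / Fn::GetAtt anywhere under node."""
    acc = set() if acc is None else acc
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            acc.add(node["Ref"])
        target = node.get("Fn::GetAtt")
        if isinstance(target, list) and target:
            acc.add(target[0])
        elif isinstance(target, str):            # "Logical.Attr" short form
            acc.add(target.split(".", 1)[0])
        for value in node.values():
            references(value, acc)
    elif isinstance(node, list):
        for value in node:
            references(value, acc)
    return acc


def dependency_graph(template):
    """Map each resource to the sorted list of resources it depends on
    (intrinsic references plus DependsOn). Parameters and pseudo-parameters
    such as AWS::Region are not resources and are dropped."""
    resources = template["Resources"]
    graph = {}
    for name, body in resources.items():
        deps = references(body.get("Properties", {}))
        depends_on = body.get("DependsOn", [])
        deps.update([depends_on] if isinstance(depends_on, str) else depends_on)
        graph[name] = sorted(d for d in deps if d in resources)
    return graph


def find_cycle(graph):
    """Return one cycle as [a, b, ..., a], or [] if the graph is acyclic.
    Depth-first search with white/grey/black colouring."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in graph}
    path = []

    def visit(n):
        colour[n] = GREY
        path.append(n)
        for m in graph.get(n, []):
            if colour[m] == GREY:                 # back edge: cycle closed
                return path[path.index(m):] + [m]
            if colour[m] == WHITE:
                found = visit(m)
                if found:
                    return found
        path.pop()
        colour[n] = BLACK
        return []

    for n in graph:
        if colour[n] == WHITE:
            cycle = visit(n)
            if cycle:
                return cycle
    return []


def without_inline_policy(template):
    """Copy of the template with the FileSystemPolicy property removed, i.e.
    what a separate policy resource applied after creation would leave behind."""
    stripped = copy.deepcopy(template)
    stripped["Resources"]["ElasticFileSystem"]["Properties"].pop("FileSystemPolicy", None)
    return stripped


if __name__ == "__main__":
    print("cycle:", " -> ".join(find_cycle(dependency_graph(TEMPLATE))))
    print("without inline policy:", find_cycle(dependency_graph(without_inline_policy(TEMPLATE))))
```

Running the module prints the cycle for the snippet as posted and an empty result once the inline policy is gone; the same `dependency_graph`/`find_cycle` pair works on any template loaded from JSON, so it can run as a pre-deploy check for this class of error.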