feat(efs): support file system policy (#24196)
Add support for the EFS File System Policy.

Closes #24042.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
zorrofox authored Feb 16, 2023
1 parent 844d407 commit 5e0f44b
Showing 12 changed files with 1,817 additions and 0 deletions.
27 changes: 27 additions & 0 deletions packages/@aws-cdk/aws-efs/README.md
Expand Up @@ -61,6 +61,33 @@ const importedFileSystem = efs.FileSystem.fromFileSystemAttributes(this, 'existi
});
```

### IAM to control file system data access

You can use both IAM identity policies and resource policies to control client access to Amazon EFS resources in a way that is scalable and optimized for cloud environments. Using IAM, you can permit clients to perform specific actions on a file system, including read-only, write, and root access.

```ts
const myFileSystemPolicy = new PolicyDocument({
statements: [new PolicyStatement({
actions: [
'elasticfilesystem:ClientWrite',
'elasticfilesystem:ClientMount',
],
principals: [new AccountRootPrincipal()],
resources: ['*'],
conditions: {
Bool: {
'elasticfilesystem:AccessedViaMountTarget': 'true',
},
},
})],
});

const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {
vpc: new ec2.Vpc(this, 'VPC'),
fileSystemPolicy: myFileSystemPolicy,
});
```

### Permissions

If you need to grant file system permissions to another resource, you can use the `.grant()` API.
8 changes: 8 additions & 0 deletions packages/@aws-cdk/aws-efs/lib/efs-file-system.ts
Expand Up @@ -231,6 +231,13 @@ export interface FileSystemProps {
* @default false
*/
readonly enableAutomaticBackups?: boolean;

/**
* File system policy is an IAM resource policy used to control NFS access to an EFS file system.
*
* @default none
*/
readonly fileSystemPolicy?: iam.PolicyDocument;
}

/**
Expand Down Expand Up @@ -371,6 +378,7 @@ export class FileSystem extends FileSystemBase {
throughputMode: props.throughputMode,
provisionedThroughputInMibps: props.provisionedThroughputPerSecond?.toMebibytes(),
backupPolicy: props.enableAutomaticBackups ? { status: 'ENABLED' } : undefined,
fileSystemPolicy: props.fileSystemPolicy,
});
filesystem.applyRemovalPolicy(props.removalPolicy);

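Review bot: The `@default none` on the new `fileSystemPolicy` property hides a security-relevant fact: when no file system policy is set, EFS applies its own default policy, which grants full access to any client that can reach a mount target, so omitting the property is not a locked-down default. I would spell that out in the TSDoc, e.g. `@default - No file system policy is attached; EFS then applies its default policy, which grants full access to any client that can reach a mount target.` The document is also passed straight through to the L1 resource and nothing in the hunk lets callers add statements to it afterwards, so if incremental grants to the resource policy are expected, an `addToResourcePolicy`-style method would be the follow-up. `FileSystemProps` and the `FileSystem` constructor both start and end outside these hunks.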
44 changes: 44 additions & 0 deletions packages/@aws-cdk/aws-efs/test/efs-file-system.test.ts
Expand Up @@ -414,3 +414,47 @@ test('can create when using a VPC with multiple subnets per availability zone',
// make sure only one mount target is created.
Template.fromStack(stack).resourceCountIs('AWS::EFS::MountTarget', 1);
});

test('can specify file system policy', () => {
// WHEN
const myFileSystemPolicy = new iam.PolicyDocument({
statements: [new iam.PolicyStatement({
actions: [
'elasticfilesystem:ClientWrite',
'elasticfilesystem:ClientMount',
],
principals: [new iam.ArnPrincipal('arn:aws:iam::111122223333:role/Testing_Role')],
resources: ['arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd'],
conditions: {
Bool: {
'elasticfilesystem:AccessedViaMountTarget': 'true',
},
},
})],
});
new FileSystem(stack, 'EfsFileSystem', { vpc, fileSystemPolicy: myFileSystemPolicy });

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::EFS::FileSystem', {
FileSystemPolicy: {
Statement: [
{
Effect: 'Allow',
Principal: {
AWS: 'arn:aws:iam::111122223333:role/Testing_Role',
},
Action: [
'elasticfilesystem:ClientWrite',
'elasticfilesystem:ClientMount',
],
Resource: 'arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd',
Condition: {
Bool: {
'elasticfilesystem:AccessedViaMountTarget': 'true',
},
},
},
],
},
});
});
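Review bot: The new test covers only the positive path; there is no assertion that a `FileSystem` created without `fileSystemPolicy` synthesizes with no `FileSystemPolicy` property, which is what guards the constructor pass-through against ever emitting an empty or placeholder document. A companion test such as `Template.fromStack(stack).hasResourceProperties('AWS::EFS::FileSystem', { FileSystemPolicy: Match.absent() });` would pin that, assuming `Match` from the assertions package is imported in this file (its import block is outside the hunk).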
@@ -0,0 +1,19 @@
{
"version": "30.0.0",
"files": {
"21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
"source": {
"path": "FileSystemPolicyTestDefaultTestDeployAssertD0596FC1.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
}
},
"dockerImages": {}
}
@@ -0,0 +1,36 @@
{
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
@@ -0,0 +1 @@
{"version":"30.0.0"}
@@ -0,0 +1,12 @@
{
"version": "30.0.0",
"testCases": {
"FileSystemPolicyTest/DefaultTest": {
"stacks": [
"test-efs-integ"
],
"assertionStack": "FileSystemPolicyTest/DefaultTest/DeployAssert",
"assertionStackName": "FileSystemPolicyTestDefaultTestDeployAssertD0596FC1"
}
}
}
