feat(efs): add grantRead and grantReadWrite, grantRootAccess to FileS…

…ystem (#25486) ## What change I added `grantRead()` and `grantReadWrite()`, `grantRootAccess()` to `efs.FileSystem` as Beta1 method. ## Why need this change? To make IAM authentication easier for clients. Currently, v2.78.0 has implemented `grant()` method in `efs.FileSystem`. However, EFS can't restrict only granted client even when customers only use the `grant()` method. Because EFS default file system policy grants full access to any anonymous client that can connect to the file system using a mount target. To avoid this issue, customers must set file system policies that not grant anonymous clients, to EFS. In this PR, when using the `grantXxx` method that allows IAM authentication for clients, a file system policy that does not allow anonymous clients is set to `efs.FileSystem` by default to suit the customer's use case. Next example is grant read and write access to EC2 Instance. ```ts declare const client: ec2.Instance; const fileSystem = new efs.FileSystem(this, 'FileSystem', { vpc: new ec2.Vpc(this, 'VPC'), }); fileSystem.grantReadWrite(client); ``` ## How do I continue to allow anonymous access? You can use `allowAnonymousAccess` props for allow anonymous access. ```ts declare const client: ec2.Instance; const fileSystem = new efs.FileSystem(this, 'FileSystem', { vpc: new ec2.Vpc(this, 'VPC'), allowAnonymousAccess: true, }); fileSystem.grantRead(client); ``` ## Others The file system policies created to prevent anonymous clients are based on the AWS Management Console. <img width="1326" alt="image" src="https://user-images.githubusercontent.com/49480575/236891324-e0aa4caf-91e2-45dc-9cfe-50cae0ca67bb.png"> ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Aug 23, 2023 · 9c12199 · 9c12199
1 parent 0dbcea8
commit 9c12199
Show file tree

Hide file tree

Showing 55 changed files with 70,200 additions and 517 deletions.
diff --git a/...t/aws-ecs/test/fargate/integ.fargate-with-efs.js.snapshot/aws-ecs-fargate-efs.assets.json b/...t/aws-ecs/test/fargate/integ.fargate-with-efs.js.snapshot/aws-ecs-fargate-efs.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "32.0.0",
+  "version": "33.0.0",
   "files": {
-    "05d98682f5d66455a18d98d3c7e029a00681556556eee8d8afa4dd1f954b184a": {
+    "63486a0554805ca4072510e265297dd8bf9ff2a0cf9819ae857eebfe1e6f89f9": {
       "source": {
         "path": "aws-ecs-fargate-efs.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "05d98682f5d66455a18d98d3c7e029a00681556556eee8d8afa4dd1f954b184a.json",
+          "objectKey": "63486a0554805ca4072510e265297dd8bf9ff2a0cf9819ae857eebfe1e6f89f9.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...aws-ecs/test/fargate/integ.fargate-with-efs.js.snapshot/aws-ecs-fargate-efs.template.json b/...aws-ecs/test/fargate/integ.fargate-with-efs.js.snapshot/aws-ecs-fargate-efs.template.json
@@ -18,9 +18,6 @@
   "VpcPublicSubnet1Subnet5C2D37C4": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
-    "VpcId": {
-     "Ref": "Vpc8378EB38"
-    },
     "AvailabilityZone": {
      "Fn::Select": [
       0,
@@ -44,21 +41,24 @@
       "Key": "Name",
       "Value": "aws-ecs-fargate-efs/Vpc/PublicSubnet1"
      }
-    ]
+    ],
+    "VpcId": {
+     "Ref": "Vpc8378EB38"
+    }
    }
   },
   "VpcPublicSubnet1RouteTable6C95E38E": {
    "Type": "AWS::EC2::RouteTable",
    "Properties": {
-    "VpcId": {
-     "Ref": "Vpc8378EB38"
-    },
     "Tags": [
      {
       "Key": "Name",
       "Value": "aws-ecs-fargate-efs/Vpc/PublicSubnet1"
      }
-    ]
+    ],
+    "VpcId": {
+     "Ref": "Vpc8378EB38"
+    }
    }
   },
   "VpcPublicSubnet1RouteTableAssociation97140677": {
@@ -75,12 +75,12 @@
   "VpcPublicSubnet1DefaultRoute3DA9E72A": {
    "Type": "AWS::EC2::Route",
    "Properties": {
-    "RouteTableId": {
-     "Ref": "VpcPublicSubnet1RouteTable6C95E38E"
-    },
     "DestinationCidrBlock": "0.0.0.0/0",
     "GatewayId": {
      "Ref": "VpcIGWD7BA715C"
+    },
+    "RouteTableId": {
+     "Ref": "VpcPublicSubnet1RouteTable6C95E38E"
     }
    },
    "DependsOn": [
@@ -102,15 +102,15 @@
   "VpcPublicSubnet1NATGateway4D7517AA": {
    "Type": "AWS::EC2::NatGateway",
    "Properties": {
-    "SubnetId": {
-     "Ref": "VpcPublicSubnet1Subnet5C2D37C4"
-    },
     "AllocationId": {
      "Fn::GetAtt": [
       "VpcPublicSubnet1EIPD7E02669",
       "AllocationId"
      ]
     },
+    "SubnetId": {
+     "Ref": "VpcPublicSubnet1Subnet5C2D37C4"
+    },
     "Tags": [
      {
       "Key": "Name",
@@ -126,9 +126,6 @@
   "VpcPublicSubnet2Subnet691E08A3": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
-    "VpcId": {
-     "Ref": "Vpc8378EB38"
-    },
     "AvailabilityZone": {
      "Fn::Select": [
       1,
@@ -152,21 +149,24 @@
       "Key": "Name",
       "Value": "aws-ecs-fargate-efs/Vpc/PublicSubnet2"
      }
-    ]
+    ],
+    "VpcId": {
+     "Ref": "Vpc8378EB38"
+    }
    }
   },
   "VpcPublicSubnet2RouteTable94F7E489": {
    "Type": "AWS::EC2::RouteTable",
    "Properties": {
-    "VpcId": {
-     "Ref": "Vpc8378EB38"
-    },
     "Tags": [
      {
       "Key": "Name",
       "Value": "aws-ecs-fargate-efs/Vpc/PublicSubnet2"
      }
-    ]
+    ],
+    "VpcId": {
+     "Ref": "Vpc8378EB38"
+    }
    }
   },
   "VpcPublicSubnet2RouteTableAssociationDD5762D8": {
@@ -183,12 +183,12 @@
   "VpcPublicSubnet2DefaultRoute97F91067": {
    "Type": "AWS::EC2::Route",
    "Properties": {
-    "RouteTableId": {
-     "Ref": "VpcPublicSubnet2RouteTable94F7E489"
-    },
     "DestinationCidrBlock": "0.0.0.0/0",
     "GatewayId": {
      "Ref": "VpcIGWD7BA715C"
+    },
+    "RouteTableId": {
+     "Ref": "VpcPublicSubnet2RouteTable94F7E489"
     }
    },
    "DependsOn": [
@@ -210,15 +210,15 @@
   "VpcPublicSubnet2NATGateway9182C01D": {
    "Type": "AWS::EC2::NatGateway",
    "Properties": {
-    "SubnetId": {
-     "Ref": "VpcPublicSubnet2Subnet691E08A3"
-    },
     "AllocationId": {
      "Fn::GetAtt": [
       "VpcPublicSubnet2EIP3C605A87",
       "AllocationId"
      ]
     },
+    "SubnetId": {
+     "Ref": "VpcPublicSubnet2Subnet691E08A3"
+    },
     "Tags": [
      {
       "Key": "Name",
@@ -234,9 +234,6 @@
   "VpcPrivateSubnet1Subnet536B997A": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
-    "VpcId": {
-     "Ref": "Vpc8378EB38"
-    },
     "AvailabilityZone": {
      "Fn::Select": [
       0,
@@ -260,21 +257,24 @@
       "Key": "Name",
       "Value": "aws-ecs-fargate-efs/Vpc/PrivateSubnet1"
      }
-    ]
+    ],
+    "VpcId": {
+     "Ref": "Vpc8378EB38"
+    }
    }
   },
   "VpcPrivateSubnet1RouteTableB2C5B500": {
    "Type": "AWS::EC2::RouteTable",
    "Properties": {
-    "VpcId": {
-     "Ref": "Vpc8378EB38"
-    },
     "Tags": [
      {
       "Key": "Name",
       "Value": "aws-ecs-fargate-efs/Vpc/PrivateSubnet1"
      }
-    ]
+    ],
+    "VpcId": {
+     "Ref": "Vpc8378EB38"
+    }
    }
   },
   "VpcPrivateSubnet1RouteTableAssociation70C59FA6": {
@@ -291,21 +291,18 @@
   "VpcPrivateSubnet1DefaultRouteBE02A9ED": {
    "Type": "AWS::EC2::Route",
    "Properties": {
-    "RouteTableId": {
-     "Ref": "VpcPrivateSubnet1RouteTableB2C5B500"
-    },
     "DestinationCidrBlock": "0.0.0.0/0",
     "NatGatewayId": {
      "Ref": "VpcPublicSubnet1NATGateway4D7517AA"
+    },
+    "RouteTableId": {
+     "Ref": "VpcPrivateSubnet1RouteTableB2C5B500"
     }
    }
   },
   "VpcPrivateSubnet2Subnet3788AAA1": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
-    "VpcId": {
-     "Ref": "Vpc8378EB38"
-    },
     "AvailabilityZone": {
      "Fn::Select": [
       1,
@@ -329,21 +326,24 @@
       "Key": "Name",
       "Value": "aws-ecs-fargate-efs/Vpc/PrivateSubnet2"
      }
-    ]
+    ],
+    "VpcId": {
+     "Ref": "Vpc8378EB38"
+    }
    }
   },
   "VpcPrivateSubnet2RouteTableA678073B": {
    "Type": "AWS::EC2::RouteTable",
    "Properties": {
-    "VpcId": {
-     "Ref": "Vpc8378EB38"
-    },
     "Tags": [
      {
       "Key": "Name",
       "Value": "aws-ecs-fargate-efs/Vpc/PrivateSubnet2"
      }
-    ]
+    ],
+    "VpcId": {
+     "Ref": "Vpc8378EB38"
+    }
    }
   },
   "VpcPrivateSubnet2RouteTableAssociationA89CAD56": {
@@ -360,12 +360,12 @@
   "VpcPrivateSubnet2DefaultRoute060D2087": {
    "Type": "AWS::EC2::Route",
    "Properties": {
-    "RouteTableId": {
-     "Ref": "VpcPrivateSubnet2RouteTableA678073B"
-    },
     "DestinationCidrBlock": "0.0.0.0/0",
     "NatGatewayId": {
      "Ref": "VpcPublicSubnet2NATGateway9182C01D"
+    },
+    "RouteTableId": {
+     "Ref": "VpcPrivateSubnet2RouteTableA678073B"
     }
    }
   },
@@ -383,18 +383,38 @@
   "VpcVPCGWBF912B6E": {
    "Type": "AWS::EC2::VPCGatewayAttachment",
    "Properties": {
-    "VpcId": {
-     "Ref": "Vpc8378EB38"
-    },
     "InternetGatewayId": {
      "Ref": "VpcIGWD7BA715C"
+    },
+    "VpcId": {
+     "Ref": "Vpc8378EB38"
     }
    }
   },
   "etcdata80702D7D": {
    "Type": "AWS::EFS::FileSystem",
    "Properties": {
     "Encrypted": true,
+    "FileSystemPolicy": {
+     "Statement": [
+      {
+       "Action": [
+        "elasticfilesystem:ClientRootAccess",
+        "elasticfilesystem:ClientWrite"
+       ],
+       "Condition": {
+        "Bool": {
+         "elasticfilesystem:AccessedViaMountTarget": "true"
+        }
+       },
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": "*"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
     "FileSystemTags": [
      {
       "Key": "Name",

diff --git a/...fargate-with-efs.js.snapshot/awsecsfargatetestDefaultTestDeployAssert78ECD46B.assets.json b/...fargate-with-efs.js.snapshot/awsecsfargatetestDefaultTestDeployAssert78ECD46B.assets.json
@@ -1,5 +1,5 @@
 {
-  "version": "32.0.0",
+  "version": "33.0.0",
   "files": {
     "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
       "source": {

diff --git a/...ting/framework-integ/test/aws-ecs/test/fargate/integ.fargate-with-efs.js.snapshot/cdk.out b/...ting/framework-integ/test/aws-ecs/test/fargate/integ.fargate-with-efs.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"32.0.0"}
+{"version":"33.0.0"}
diff --git a/...g/framework-integ/test/aws-ecs/test/fargate/integ.fargate-with-efs.js.snapshot/integ.json b/...g/framework-integ/test/aws-ecs/test/fargate/integ.fargate-with-efs.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-  "version": "32.0.0",
+  "version": "33.0.0",
   "testCases": {
     "aws-ecs-fargate-test/DefaultTest": {
       "stacks": [

diff --git a/...ramework-integ/test/aws-ecs/test/fargate/integ.fargate-with-efs.js.snapshot/manifest.json b/...ramework-integ/test/aws-ecs/test/fargate/integ.fargate-with-efs.js.snapshot/manifest.json
@@ -1,5 +1,5 @@
 {
-  "version": "32.0.0",
+  "version": "33.0.0",
   "artifacts": {
     "aws-ecs-fargate-efs.assets": {
       "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/05d98682f5d66455a18d98d3c7e029a00681556556eee8d8afa4dd1f954b184a.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/63486a0554805ca4072510e265297dd8bf9ff2a0cf9819ae857eebfe1e6f89f9.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [