This repository has been archived by the owner on Sep 7, 2022. It is now read-only.

aws-samples/amazon-efs-integrations


Amazon EFS Integrations

This repository provides examples of some of the various Amazon EFS integrations available, beginning with ECS on EC2 and ECS on AWS Fargate.

Usage

  1. Install the AWS Cloud Development Kit (CDK).
  2. Clone this repository and cd into it.
  3. Modify the arguments to the AmazonEfsIntegrationsStack constructor in $/bin/cdk.ts according to your environment.
    • The default settings will get you to the environment state at the beginning of the demo video linked below. The demo scenario has two running ECS services, but no EFS file system.
    • Alternatively, if you'd like to deploy the full setup, you can set all of the createXXXXX arguments to true.
  4. Execute the following:
    • npm install
    • npm run cdk bootstrap
    • npm run cdk deploy
  5. Visit the load balancer URLs and explore the AWS console within the ECS and EFS services to see how everything works, or follow along in the demo video to build the rest of the solution yourself.

Cleanup

Execute npm run cdk destroy to delete resources pertaining to this example.

You will also need to delete the following manually:

Demo


Example EFS file system policy

If you're looking for the example EFS file system policy mentioned in the demo video, it is reproduced below for reference. The values enclosed <WITHIN_ANGLE_BRACKETS> must be replaced with the identifiers from your deployment. ${AWS::Region} and ${AWS::AccountId} are CloudFormation pseudo parameters, so if you apply the policy outside a CloudFormation or CDK template (for example in the console or with aws efs put-file-system-policy) substitute the literal region and account ID as well. The policy is layered as follows: the first statement grants every principal (Principal "*", which in an EFS file system policy also covers clients that mount without an IAM identity) ClientMount only, so the default is read-only with no ClientRootAccess; the Deny statement rejects any request that does not arrive over TLS; and the remaining statements grant the ECS on EC2 and ECS on Fargate task roles ClientWrite only through the specific access points named in each condition. Keep in mind that the file system policy governs what a client may do once connected; the mount target security groups still decide which clients can reach the NFS endpoint at all.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DisableRootAccessAndEnforceReadOnlyByDefault",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "elasticfilesystem:ClientMount",
            "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/<EFS_FILESYSTEM_ID>"
        },
        {
            "Sid": "EnforceInTransitEncryption",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/<EFS_FILESYSTEM_ID>",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "EcsOnEc2CloudCmdTaskReadWriteAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${AWS::AccountId}:role/<ECS_ON_EC2_TASK_ROLE>"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/<EFS_FILESYSTEM_ID>",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn": [
                        "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/<COMMON_AP_ID>",
                        "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/<ECS_PRIVATE_AP_ID>",
                        "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/<ECS_SHARED_AP_ID>"
                    ]
                }
            }
        },
        {
            "Sid": "EcsOnEc2CloudCmdTaskReadAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${AWS::AccountId}:role/<ECS_ON_EC2_TASK_ROLE>"
            },
            "Action": "elasticfilesystem:ClientMount",
            "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/<EFS_FILESYSTEM_ID>",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/<FARGATE_SHARED_AP_ID>"
                }
            }
        },
        {
            "Sid": "EcsOnFargateCloudCmdTaskReadWriteAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${AWS::AccountId}:role/<ECS_ON_FARGATE_TASK_ROLE>"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/<EFS_FILESYSTEM_ID>",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn": [
                        "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/<COMMON_AP_ID>",
                        "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/<FARGATE_PRIVATE_AP_ID>",
                        "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/<FARGATE_SHARED_AP_ID>"
                    ]
                }
            }
        },
        {
            "Sid": "EcsOnFargateCloudCmdTaskReadAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${AWS::AccountId}:role/<ECS_ON_FARGATE_TASK_ROLE>"
            },
            "Action": "elasticfilesystem:ClientMount",
            "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/<EFS_FILESYSTEM_ID>",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/<ECS_SHARED_AP_ID>"
                }
            }
        }
    ]
}
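A policy like the one above is easy to get subtly wrong when adapting it: a trailing comma, a role that ends up with ClientRootAccess, a write grant that loses its access-point condition. The following Python is an added example, not code from this repository, that rebuilds the same six statements with constructed placeholder identifiers (region us-east-1, account 123456789012, made-up role and access-point names) and lints them for the invariants the policy is meant to hold: TLS enforced by an explicit Deny, no ClientRootAccess or wildcard action anywhere, the wildcard principal limited to ClientMount, and every ClientWrite pinned to access points in the same account and region. It also computes which roles can write through which access point, which is the matrix worth checking before applying the policy with aws efs put-file-system-policy.

```python
"""Static checks for an EFS file-system policy shaped like the README example.
Added example, not code from aws-samples/amazon-efs-integrations. Region, account,
role names and access-point IDs are constructed placeholders, not real resources."""
import copy

REGION, ACCOUNT = "us-east-1", "123456789012"  # constructed, not a real account
FS_ARN = f"arn:aws:elasticfilesystem:{REGION}:{ACCOUNT}:file-system/fs-0123456789abcdef0"
AP_PREFIX = f"arn:aws:elasticfilesystem:{REGION}:{ACCOUNT}:access-point/"
MOUNT, WRITE = "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"
ROOT = "elasticfilesystem:ClientRootAccess"


def role_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"


def ap_statement(sid, role, actions, ap_ids):
    """Allow `actions` on the file system to `role`, only via the listed access points."""
    return {
        "Sid": sid, "Effect": "Allow",
        "Principal": {"AWS": role_arn(role)},
        "Action": actions, "Resource": FS_ARN,
        "Condition": {"StringEquals": {
            "elasticfilesystem:AccessPointArn": [AP_PREFIX + a for a in ap_ids]}},
    }


# Same six statements as the README policy, with the placeholders filled in.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DisableRootAccessAndEnforceReadOnlyByDefault", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": MOUNT, "Resource": FS_ARN},
        {"Sid": "EnforceInTransitEncryption", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "*", "Resource": FS_ARN,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ap_statement("EcsOnEc2CloudCmdTaskReadWriteAccess", "ecs-ec2-task-role",
                     [MOUNT, WRITE], ["fsap-common", "fsap-ec2-private", "fsap-ec2-shared"]),
        ap_statement("EcsOnEc2CloudCmdTaskReadAccess", "ecs-ec2-task-role",
                     MOUNT, ["fsap-fargate-shared"]),
        ap_statement("EcsOnFargateCloudCmdTaskReadWriteAccess", "ecs-fargate-task-role",
                     [MOUNT, WRITE], ["fsap-common", "fsap-fargate-private", "fsap-fargate-shared"]),
        ap_statement("EcsOnFargateCloudCmdTaskReadAccess", "ecs-fargate-task-role",
                     MOUNT, ["fsap-ec2-shared"]),
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _access_points(stmt):
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return _as_list(cond.get("elasticfilesystem:AccessPointArn", []))


def lint_policy(policy):
    """Return a list of findings; an empty list means every invariant holds."""
    findings = []
    stmts = policy["Statement"]
    # 1. In-transit encryption must be enforced by an explicit Deny on all actions.
    if not any(s["Effect"] == "Deny" and "*" in _as_list(s["Action"])
               and s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
               for s in stmts):
        findings.append("missing Deny for aws:SecureTransport=false")
    for s in stmts:
        if s["Effect"] != "Allow":
            continue
        actions = _as_list(s["Action"])
        principal = s["Principal"].get("AWS") if isinstance(s["Principal"], dict) else s["Principal"]
        # 2. No statement may hand out root access or a wildcard action.
        if any(a in (ROOT, "elasticfilesystem:*", "*") for a in actions):
            findings.append(f"{s['Sid']}: grants ClientRootAccess or a wildcard action")
        # 3. The catch-all principal gets read-only mount and nothing else.
        if principal == "*" and actions != [MOUNT]:
            findings.append(f"{s['Sid']}: wildcard principal is allowed more than ClientMount")
        # 4. Every write grant must be pinned to access points in this account/region.
        if WRITE in actions:
            aps = _access_points(s)
            if not aps or not all(a.startswith(AP_PREFIX) for a in aps):
                findings.append(f"{s['Sid']}: ClientWrite is not pinned to local access points")
    return findings


def writers_by_access_point(policy):
    """Map access-point id -> sorted principals allowed ClientWrite through it."""
    out = {}
    for s in policy["Statement"]:
        if s["Effect"] == "Allow" and WRITE in _as_list(s["Action"]):
            for ap in _access_points(s):
                out.setdefault(ap.rsplit("/", 1)[-1], set()).add(s["Principal"]["AWS"])
    return {ap: sorted(roles) for ap, roles in out.items()}


def drop_statement(policy, sid):
    """Deep-copied policy without statement `sid` (for what-if checks)."""
    out = copy.deepcopy(policy)
    out["Statement"] = [s for s in out["Statement"] if s["Sid"] != sid]
    return out


if __name__ == "__main__":
    print("findings:", lint_policy(POLICY))
    print("writers:", writers_by_access_point(POLICY))
    print("without TLS deny:", lint_policy(drop_statement(POLICY, "EnforceInTransitEncryption")))
```

The checks operate on the parsed document, so lint_policy can be pointed at a policy loaded with json.load from the file you intend to apply, or at the Policy field returned by aws efs describe-file-system-policy (a JSON string that needs one json.loads first), instead of the embedded POLICY.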

License

This library is licensed under the MIT-0 License. See the LICENSE file.
