feat(ecs): add EfsVolumeConfiguration to Volume (#8467)

The PR is adding EfsVolumeConfiguration options to TaskDefinition as described on https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config Full documentation is missing from CloudFormation documentation and is therefore not referenced. While the unit test is passing, I haven't add the possibility to test this feature in practice. fixes #6918 closes #8448 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Aug 18, 2020 · 85ff9fd · 85ff9fd
1 parent 36c8678
commit 85ff9fd
Show file tree

Hide file tree

Showing 5 changed files with 185 additions and 0 deletions.
diff --git a/packages/@aws-cdk/aws-ecs/README.md b/packages/@aws-cdk/aws-ecs/README.md
@@ -218,6 +218,21 @@ container.addPortMappings({
 })
 ```
 
+To add data volumes to a task definition, call `addVolume()`:
+
+```ts
+const volume = ecs.Volume("Volume", {
+  // Use an Elastic FileSystem
+  name: "mydatavolume",
+  efsVolumeConfiguration: ecs.EfsVolumeConfiguration({
+    fileSystemId: "EFS"
+    // ... other options here ...
+  })
+});
+
+const container = fargateTaskDefinition.addVolume("mydatavolume");
+```
+
 To use a TaskDefinition that can be used with either Amazon EC2 or
 AWS Fargate launch types, use the `TaskDefinition` construct.
 

diff --git a/packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts b/packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts
@@ -617,6 +617,19 @@ export interface Volume {
    * To use bind mounts, specify a host instead.
    */
   readonly dockerVolumeConfiguration?: DockerVolumeConfiguration;
+
+  /**
+   * This property is specified when you are using Amazon EFS.
+   *
+   * When specifying Amazon EFS volumes in tasks using the Fargate launch type,
+   * Fargate creates a supervisor container that is responsible for managing the Amazon EFS volume.
+   * The supervisor container uses a small amount of the task's memory.
+   * The supervisor container is visible when querying the task metadata version 4 endpoint,
+   * but is not visible in CloudWatch Container Insights.
+   *
+   * @default No Elastic FileSystem is setup
+   */
+  readonly efsVolumeConfiguration?: EfsVolumeConfiguration;
 }
 
 /**
@@ -707,6 +720,71 @@ export interface DockerVolumeConfiguration {
   readonly scope: Scope;
 }
 
+/**
+ * The authorization configuration details for the Amazon EFS file system.
+ */
+export interface AuthorizationConfig {
+  /**
+   * The access point ID to use.
+   * If an access point is specified, the root directory value will be
+   * relative to the directory set for the access point.
+   * If specified, transit encryption must be enabled in the EFSVolumeConfiguration.
+   *
+   * @default No id
+   */
+  readonly accessPointId?: string;
+  /**
+   * Whether or not to use the Amazon ECS task IAM role defined
+   * in a task definition when mounting the Amazon EFS file system.
+   * If enabled, transit encryption must be enabled in the EFSVolumeConfiguration.
+   *
+   * Valid values: ENABLED | DISABLED
+   *
+   * @default If this parameter is omitted, the default value of DISABLED is used.
+   */
+  readonly iam?: string;
+}
+
+/**
+ * The configuration for an Elastic FileSystem volume.
+ */
+export interface EfsVolumeConfiguration {
+  /**
+   * The Amazon EFS file system ID to use.
+   */
+  readonly fileSystemId: string;
+  /**
+   * The directory within the Amazon EFS file system to mount as the root directory inside the host.
+   * Specifying / will have the same effect as omitting this parameter.
+   *
+   * @default The root of the Amazon EFS volume
+   */
+  readonly rootDirectory?: string;
+  /**
+   * Whether or not to enable encryption for Amazon EFS data in transit between
+   * the Amazon ECS host and the Amazon EFS server.
+   * Transit encryption must be enabled if Amazon EFS IAM authorization is used.
+   *
+   * Valid values: ENABLED | DISABLED
+   *
+   * @default DISABLED
+   */
+  readonly transitEncryption?: string;
+  /**
+   * The port to use when sending encrypted data between
+   * the Amazon ECS host and the Amazon EFS server. EFS mount helper uses.
+   *
+   * @default Port selection strategy that the Amazon EFS mount helper uses.
+   */
+  readonly transitEncryptionPort?: number;
+  /**
+   * The authorization configuration details for the Amazon EFS file system.
+   *
+   * @default No configuration.
+   */
+  readonly authorizationConfig?: AuthorizationConfig;
+}
+
 /**
  * The scope for the Docker volume that determines its lifecycle.
  * Docker volumes that are scoped to a task are automatically provisioned when the task starts and destroyed when the task stops.

diff --git a/packages/@aws-cdk/aws-ecs/package.json b/packages/@aws-cdk/aws-ecs/package.json
@@ -153,6 +153,7 @@
       "docs-public-apis:@aws-cdk/aws-ecs.ScratchSpace.sourcePath",
       "props-default-doc:@aws-cdk/aws-ecs.Tmpfs.mountOptions",
       "props-default-doc:@aws-cdk/aws-ecs.Volume.dockerVolumeConfiguration",
+      "props-default-doc:@aws-cdk/aws-ecs.Volume.efsVolumeConfiguration",
       "props-default-doc:@aws-cdk/aws-ecs.Volume.host",
       "docs-public-apis:@aws-cdk/aws-ecs.Capability.ALL",
       "docs-public-apis:@aws-cdk/aws-ecs.Capability.AUDIT_CONTROL",

diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/test.ec2-task-definition.ts b/packages/@aws-cdk/aws-ecs/test/ec2/test.ec2-task-definition.ts
@@ -981,6 +981,39 @@ export = {
 
       test.done();
     },
+
+    'correctly sets efsVolumeConfiguration'(test: Test) {
+      // GIVEN
+      const stack = new cdk.Stack();
+      const volume = {
+        name: 'scratch',
+        efsVolumeConfiguration: {
+          fileSystemId: 'local',
+        },
+      };
+
+      const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef', {
+        volumes: [volume],
+      });
+
+      taskDefinition.addContainer('web', {
+        image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+        memoryLimitMiB: 512,
+      });
+
+      // THEN
+      expect(stack).to(haveResourceLike('AWS::ECS::TaskDefinition', {
+        Family: 'Ec2TaskDef',
+        Volumes: [{
+          Name: 'scratch',
+          EfsVolumeConfiguration: {
+            FileSystemId: 'local',
+          },
+        }],
+      }));
+
+      test.done();
+    },
   },
 
   'throws when setting proxyConfiguration without networkMode AWS_VPC'(test: Test) {

diff --git a/packages/@aws-cdk/cfnspec/spec-source/000_CloudFormationResourceSpecification.json b/packages/@aws-cdk/cfnspec/spec-source/000_CloudFormationResourceSpecification.json
@@ -13430,6 +13430,58 @@
         }
       }
     },
+    "AWS::ECS::TaskDefinition.EfsVolumeConfiguration": {
+      "Documentation": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config",
+      "Properties": {
+        "FileSystemId": {
+          "Documentation": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config",
+          "PrimitiveType": "String",
+          "Required": true,
+          "UpdateType": "Immutable"
+        },
+        "RootDirectory": {
+          "Documentation": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config",
+          "PrimitiveType": "String",
+          "Required": false,
+          "UpdateType": "Immutable"
+        },
+        "TransitEncryption": {
+          "Documentation": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config",
+          "PrimitiveType": "String",
+          "Required": false,
+          "UpdateType": "Immutable"
+        },
+        "TransitEncryptionPort": {
+          "Documentation": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config",
+          "PrimitiveType": "Integer",
+          "Required": false,
+          "UpdateType": "Immutable"
+        },
+        "AuthorizationConfig": {
+          "Documentation": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config",
+          "Type": "AuthorizationConfig",
+          "Required": false,
+          "UpdateType": "Immutable"
+        }
+      }
+    },
+    "AWS::ECS::TaskDefinition.AuthorizationConfig": {
+      "Documentation": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config",
+      "Properties": {
+        "AccessPointId": {
+          "Documentation": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config",
+          "PrimitiveType": "String",
+          "Required": false,
+          "UpdateType": "Immutable"
+        },
+        "Iam": {
+          "Documentation": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config",
+          "PrimitiveType": "String",
+          "Required": false,
+          "UpdateType": "Immutable"
+        }
+      }
+    },
     "AWS::ECS::TaskDefinition.FirelensConfiguration": {
       "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-firelensconfiguration.html",
       "Properties": {
@@ -13857,6 +13909,12 @@
           "PrimitiveType": "String",
           "Required": false,
           "UpdateType": "Immutable"
+        },
+        "EfsVolumeConfiguration": {
+          "Documentation": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#specify-efs-config",
+          "Required": false,
+          "Type": "EfsVolumeConfiguration",
+          "UpdateType": "Immutable"
         }
       }
     },