fix: allow efs volumes to have multiple mount points in a single serv…

…ice (#5631) This is the easiest possible fix for the issue, we got an internal ticket requesting a fix for this so I wanted to get a basic fix out for review first and iterate if this causes issues. Related #2921 By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
aws · Jan 23, 2024 · c3e4249 · c3e4249
1 parent e277979
commit c3e4249
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 7 deletions.
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-manifest.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-manifest.yml
@@ -83,7 +83,12 @@ storage:
       path: '/etc/mount1'
       efs:
         id:
-         from_cfn: stack-fs-12345
+          from_cfn: stack-fs-12345
+    externalEFSVolume2:
+      path: '/etc/mount2'
+      efs:
+        id:
+          from_cfn: stack-fs-12345
 
 # Optional fields for more advanced use-cases.
 #

diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
@@ -90,7 +90,12 @@ Metadata:
           path: '/etc/mount1'
           efs:
             id:
-             from_cfn: stack-fs-12345
+              from_cfn: stack-fs-12345
+        externalEFSVolume2:
+          path: '/etc/mount2'
+          efs:
+            id:
+              from_cfn: stack-fs-12345
 
     # Optional fields for more advanced use-cases.
     #
@@ -190,7 +195,7 @@ Resources:
                   yourtopicyourtopicfifoURL: !Ref yourtopicyourtopicfifoEventsQueue
                   nonfifotopicnonfifotopicURL: !Ref nonfifotopicnonfifotopicEventsQueue
             - Name: COPILOT_MOUNT_POINTS
-              Value: '{"externalEFSVolume":"/etc/mount1"}'
+              Value: '{"externalEFSVolume":"/etc/mount1","externalEFSVolume2":"/etc/mount2"}'
           EnvironmentFiles:
           - !If
             - HasEnvFile
@@ -207,6 +212,9 @@ Resources:
             - ContainerPath: '/etc/mount1'
               ReadOnly: true
               SourceVolume: externalEFSVolume
+            - ContainerPath: '/etc/mount2'
+              ReadOnly: true
+              SourceVolume: externalEFSVolume2
       Volumes:
         - Name: externalEFSVolume
           EFSVolumeConfiguration:
@@ -215,6 +223,13 @@ Resources:
             TransitEncryption: ENABLED
             AuthorizationConfig:
               IAM: DISABLED
+        - Name: externalEFSVolume2
+          EFSVolumeConfiguration:
+            FilesystemId: !ImportValue 'stack-fs-12345'
+            RootDirectory: '/'
+            TransitEncryption: ENABLED
+            AuthorizationConfig:
+              IAM: DISABLED
   ExecutionRole:
     Metadata:
       'aws:copilot:description': 'An IAM Role for the Fargate agent to make AWS API calls on your behalf'
@@ -319,7 +334,16 @@ Resources:
               - Effect: 'Allow'
                 Action: ["logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents"]
                 Resource: "*"
-        - PolicyName: !Join ['', ['GrantEFSAccess', !ImportValue 'stack-fs-12345']]
+        - PolicyName: !Join ['', ['GrantEFSAccess', !ImportValue 'stack-fs-12345', '-0']]
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: 'Allow'
+                Action:
+                  - 'elasticfilesystem:ClientMount'
+                Resource:
+                  - !Join ['/', [!Sub 'arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system', !ImportValue 'stack-fs-12345']]
+        - PolicyName: !Join ['', ['GrantEFSAccess', !ImportValue 'stack-fs-12345', '-1']]
           PolicyDocument:
             Version: '2012-10-17'
             Statement:

diff --git a/internal/pkg/template/templates/workloads/partials/cf/taskrole.yml b/internal/pkg/template/templates/workloads/partials/cf/taskrole.yml
@@ -46,11 +46,11 @@ TaskRole:
               Resource: "*"
       {{- end }}
       {{- if .Storage}}
-      {{- range $EFS := .Storage.EFSPerms}}
+      {{- range $i, $EFS := .Storage.EFSPerms}}
       {{- if not $EFS.FilesystemID.RequiresImport}}
-      - PolicyName: 'GrantEFSAccess{{$EFS.FilesystemID.Value}}'
+      - PolicyName: 'GrantEFSAccess{{$EFS.FilesystemID.Value}}-{{$i}}'
       {{- else}}
-      - PolicyName: !Join ['',[ 'GrantEFSAccess', !ImportValue {{$EFS.FilesystemID.Value}}]]
+      - PolicyName: !Join ['',[ 'GrantEFSAccess', !ImportValue {{$EFS.FilesystemID.Value}}, '-{{$i}}']]
       {{- end}}
         PolicyDocument: 
           Version: '2012-10-17'