Open
Description
Describe the bug
Creating an EFS filesystem using defaults currently creates an unusable filesystem because, by default, the `elasticfilesystem:ClientMount` action is not present in the access policy of the file system.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Version
No response
Expected Behavior
`elasticfilesystem:ClientMount` should be present by default in the EFS access policy.
Current Behavior
`elasticfilesystem:ClientMount` does not exist in the EFS access policy without providing your custom policy.
Reproduction Steps
Any barebones example for ECS and EFS that does not use a custom policy will face this issue.
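```ts
import * as ec2 from "aws-cdk-lib/aws-ec2";
import * as ecs from "aws-cdk-lib/aws-ecs";
import * as efs from "aws-cdk-lib/aws-efs";

// The statements below run inside a Stack constructor (`this` is the stack).
const vpc = new ec2.Vpc(this, "AppVPC", {});

// File system created with defaults only: no custom file system policy.
const fileSystem = new efs.FileSystem(this, "ApplicationEFS", {
  vpc,
});

// Security group with an NFS (TCP 2049) ingress rule open to any IPv4 address.
// It is attached to the Fargate service below.
const efsSecurityGroup = new ec2.SecurityGroup(this, "EfsSecurityGroup", {
  vpc,
  description: "Allow EFS access",
});
efsSecurityGroup.addIngressRule(
  ec2.Peer.anyIpv4(),
  ec2.Port.tcp(2049),
  "Allow NFS traffic"
);

const cluster = new ecs.Cluster(this, "ApplicationCluster", { vpc });
const taskDefinition = new ecs.FargateTaskDefinition(this, "TaskDef");

// Task volume backed by the file system, with encryption in transit.
taskDefinition.addVolume({
  name: "efs-volume",
  efsVolumeConfiguration: {
    fileSystemId: fileSystem.fileSystemId,
    transitEncryption: "ENABLED",
  },
});

const container = taskDefinition.addContainer("AppContainer", {
  image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
});

// Mount the EFS volume read-write inside the container.
container.addMountPoints({
  sourceVolume: "efs-volume",
  containerPath: "/mnt/efs",
  readOnly: false,
});

new ecs.FargateService(this, "MyService", {
  cluster,
  taskDefinition,
  desiredCount: 1,
  securityGroups: [efsSecurityGroup],
});
```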
Possible Solution
This should be a 1-line change where we add mount to the default policy.
Additional Information/Context
No response
CDK CLI Version
2.1001.0 (build 130445d)
Framework Version
No response
Node.js Version
v20.18.3
OS
Arch Linux
Language
TypeScript
Language Version
No response
Other information
No response
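
Added example (not from the issue or the CDK code base): a TypeScript check that lists which EFS client actions a file system policy document never allows, which is the condition this issue reports for `elasticfilesystem:ClientMount`. The type names, function names and the sample policy are constructed for illustration; principals and conditions are not evaluated.

```typescript
// Statement shape follows the IAM policy JSON grammar.
type Statement = {
  Effect: "Allow" | "Deny";
  Action?: string | string[]; // absent when a statement uses NotAction
  Principal?: unknown;
  Condition?: unknown;
};
type PolicyDocument = { Version?: string; Statement: Statement | Statement[] };

// The three client actions an EFS file system policy can grant to NFS clients.
const CLIENT_ACTIONS: string[] = [
  "elasticfilesystem:ClientMount",
  "elasticfilesystem:ClientWrite",
  "elasticfilesystem:ClientRootAccess",
];

function asArray<T>(v: T | T[]): T[] {
  return Array.isArray(v) ? v : [v];
}

// IAM action patterns are case-insensitive and support * and ? wildcards.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const regex = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${regex}$`, "i").test(action);
}

// Client actions named by at least one statement with the given effect.
function clientActionsWithEffect(policy: PolicyDocument, effect: "Allow" | "Deny"): string[] {
  const statements = asArray<Statement>(policy.Statement).filter((s) => s.Effect === effect);
  return CLIENT_ACTIONS.filter((action) =>
    statements.some((s) => asArray<string>(s.Action ?? []).some((p) => actionMatches(p, action)))
  );
}

// Client actions that no Allow statement grants, e.g. a missing ClientMount.
function missingClientActions(policy: PolicyDocument): string[] {
  const allowed = clientActionsWithEffect(policy, "Allow");
  return CLIENT_ACTIONS.filter((action) => allowed.indexOf(action) === -1);
}

// Constructed sample policy (not copied from a synthesized template).
const samplePolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: "*" },
    Action: ["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientRootAccess"],
    Condition: { Bool: { "elasticfilesystem:AccessedViaMountTarget": "true" } },
  }],
};
const sampleMissing = missingClientActions(samplePolicy);
```

The same functions can be pointed at the policy document found in a synthesized template to confirm whether a mount permission is present before deployment.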