fix(efs): client mount permissions for EFS filesystem are not permitted by default (under feature flag) #33671

unit test
mazyu36 committed Mar 2, 2025
commit fd90aa2fa4a0d67e2aa2172d8833ae569ce5adce
81 changes: 80 additions & 1 deletion packages/aws-cdk-lib/aws-efs/test/efs-file-system.test.ts
@@ -1005,7 +1005,7 @@ test('one zone file system with vpcSubnets.availabilityZones empty.', () => {

test.each([
ReplicationOverwriteProtection.ENABLED, ReplicationOverwriteProtection.DISABLED,
])('create read-only file system for replication destination', ( replicationOverwriteProtection ) => {
])('create read-only file system for replication destination', (replicationOverwriteProtection) => {
// WHEN
new FileSystem(stack, 'EfsFileSystem', {
vpc,
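Review bot: the only change in this hunk is dropping the padding spaces inside the parameter parentheses of the `test.each` callback (`( replicationOverwriteProtection )` becomes `(replicationOverwriteProtection)`); it is a lint-only cleanup unrelated to the `EFS_DEFAULT_ALLOW_CLIENT_MOUNT` feature flag, so either keep it as a separate formatting commit or mention it in the commit message so reviewers do not look for a behavioural change here.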
@@ -1106,3 +1106,82 @@ describe('replication configuration', () => {
}).toThrow('Cannot configure \'replicationConfiguration\' when \'replicationOverwriteProtection\' is set to \'DISABLED\'');
});
});

describe('test EFS_DEFAULT_ALLOW_CLIENT_MOUNT feature flag', () => {
test.each([false, undefined])('FileSystem Policy should not include ClientMount action when flag is %s', (value) => {
// WHEN
const app = new App({
context: {
[cxapi.EFS_DEFAULT_ALLOW_CLIENT_MOUNT]: value,
},
});
const customStack = new Stack(app);
const customVpc = new ec2.Vpc(customStack, 'VPC');
new FileSystem(customStack, 'EfsFileSystem', {
vpc: customVpc,
allowAnonymousAccess: false,
});

// THEN
Template.fromStack(customStack).hasResourceProperties('AWS::EFS::FileSystem', {
FileSystemPolicy: {
Statement: [
{
Effect: 'Allow',
Principal: {
AWS: '*',
},
Action: [
'elasticfilesystem:ClientWrite',
'elasticfilesystem:ClientRootAccess',
],
Condition: {
Bool: {
'elasticfilesystem:AccessedViaMountTarget': 'true',
},
},
},
],
},
});
});

test('FileSystem Policy should include ClientMount action when flag is true', () => {
// WHEN
const app = new App({
context: {
[cxapi.EFS_DEFAULT_ALLOW_CLIENT_MOUNT]: true,
},
});
const customStack = new Stack(app);
const customVpc = new ec2.Vpc(customStack, 'VPC');
new FileSystem(customStack, 'EfsFileSystem', {
vpc: customVpc,
allowAnonymousAccess: false,
});

// THEN
Template.fromStack(customStack).hasResourceProperties('AWS::EFS::FileSystem', {
FileSystemPolicy: {
Statement: [
{
Effect: 'Allow',
Principal: {
AWS: '*',
},
Action: [
'elasticfilesystem:ClientMount',
'elasticfilesystem:ClientWrite',
'elasticfilesystem:ClientRootAccess',
],
Condition: {
Bool: {
'elasticfilesystem:AccessedViaMountTarget': 'true',
},
},
},
],
},
});
});
});
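Review bot: this hunk references `cxapi.EFS_DEFAULT_ALLOW_CLIENT_MOUNT` but adds no import, and the commit's only other change is the whitespace fix above, so confirm `cxapi` (and `App`) are already imported at the top of `efs-file-system.test.ts`; otherwise the file will not compile. Two smaller points: the `describe` title `'test EFS_DEFAULT_ALLOW_CLIENT_MOUNT feature flag'` repeats "test", and `'EFS_DEFAULT_ALLOW_CLIENT_MOUNT feature flag'` reads cleaner in the report; and since both cases pass `allowAnonymousAccess: false`, the assertions rightly check that the `Principal: { AWS: '*' }` statement guarded by `elasticfilesystem:AccessedViaMountTarget` omits `elasticfilesystem:ClientMount` when the flag is `false` or `undefined` and includes it only when the flag is `true`, which is the security-relevant default this change is meant to lock in; consider naming the `false`/`undefined` test to say "does not grant ClientMount to all mount-target clients" so the intent is visible when it fails.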