AWS::EFS::FileSystem - FileSystemPolicy needs a separate resource
AWS::EFS::FileSystem FileSystemPolicy is currently a JSON document. It needs to also support a separate FileSystemPolicy CFN resource, because the policy often references AWS::EFS::AccessPoint, which references AWS::EFS::FileSystem, which is a circular dependency and so not usable. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html#cfn-efs-filesystem-filesystempolicy
2. Scope of request
A new attribute for an existing resource, and a new resource, is desired.
4. Test case
See the attached template; it fails with:

```
Circular dependency between resources: [FileSystem8A8E25C0, FileSystemaw2AccessPointA083D7E1]
```
6. Category (required) - Will help with tagging and be easier to find by other users to +1
Storage (EFS)
Commenting in support as I'm facing this issue as well. Here is my snippet:

```yaml
EFSAccessPoint:
  Type: AWS::EFS::AccessPoint
  Properties:
    FileSystemId: !Ref ElasticFileSystem   # access point depends on the file system
    PosixUser:
      Gid: "1001"
      Uid: "1001"
    RootDirectory:
      Path: "/"
      CreationInfo:
        OwnerGid: "1001"
        OwnerUid: "1001"
        Permissions: "775"
ElasticFileSystem:
  Type: AWS::EFS::FileSystem
  Properties:
    PerformanceMode: generalPurpose
    Encrypted: true
    FileSystemPolicy:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Action:
            - elasticfilesystem:ClientWrite
          Principal:
            AWS: !GetAtt InstanceRole.Arn
          Condition:
            Bool:
              elasticfilesystem:AccessedViaMountTarget: "true"
        - Effect: "Allow"
          Action:
            - elasticfilesystem:ClientMount
          Principal:
            AWS: !GetAtt InstanceRole.Arn
          Condition:
            StringEquals:
              # file system depends on the access point: the circular dependency
              elasticfilesystem:AccessPointArn: !GetAtt EFSAccessPoint.Arn
```
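An added example, not written by anyone in this thread: a small dependency walk over a template modelled on the snippet above (a constructed Python dict in the JSON form of the intrinsics) that reports the same reference cycle CloudFormation rejects, so the loop can be spotted before a deploy fails.

```python
# Constructed template modelled on the snippet above, written in the JSON form
# of the intrinsics: !Ref X -> {"Ref": "X"}, !GetAtt X.Arn -> {"Fn::GetAtt": ["X", "Arn"]}.
TEMPLATE = {"Resources": {
    "InstanceRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "EFSAccessPoint": {"Type": "AWS::EFS::AccessPoint", "Properties": {
        "FileSystemId": {"Ref": "ElasticFileSystem"}}},
    "ElasticFileSystem": {"Type": "AWS::EFS::FileSystem", "Properties": {
        "FileSystemPolicy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": ["elasticfilesystem:ClientMount"],
            "Principal": {"AWS": {"Fn::GetAtt": ["InstanceRole", "Arn"]}},
            "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn":
                {"Fn::GetAtt": ["EFSAccessPoint", "Arn"]}}}}]}}}}}

def references(node, names):
    """Yield logical IDs referenced through Ref or Fn::GetAtt under node."""
    if isinstance(node, dict):
        if node.get("Ref") in names:
            yield node["Ref"]
        if "Fn::GetAtt" in node:  # list form or "Logical.Attr" string form
            att = node["Fn::GetAtt"]
            yield att[0] if isinstance(att, list) else att.split(".", 1)[0]
        for value in node.values():
            yield from references(value, names)
    elif isinstance(node, list):
        for item in node:
            yield from references(item, names)

def dependency_graph(template):
    """Map each logical ID to the set of resources its Properties reference."""
    resources = template["Resources"]
    return {name: set(references(body.get("Properties", {}), set(resources)))
            for name, body in resources.items()}

def find_cycle(graph):
    """Return one cycle as a list of logical IDs (first == last), or []."""
    done, path = set(), []
    def visit(node):
        if node in path:  # back edge: the cycle closes here
            return path[path.index(node):] + [node]
        if node in done:
            return []
        path.append(node)
        for dep in sorted(graph.get(node, ())):
            if cycle := visit(dep):
                return cycle
        path.pop()
        done.add(node)
        return []
    return next((c for n in sorted(graph) if (c := visit(n))), [])
```

Running `find_cycle(dependency_graph(TEMPLATE))` returns `['EFSAccessPoint', 'ElasticFileSystem', 'EFSAccessPoint']`, the same pair CloudFormation names in its error.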
This is still an issue. It is currently impossible to create file system policies that refer to access points, since that creates a circular dependency. The FileSystemPolicy needs to be broken out into a separate resource.
Just started using CDK and encountered this issue. The idea that I can create an EFS and access points and then have to write a lambda to retrieve those in a separate stack just so that I can add some policies to govern the access points is crazy.
I think Terraform just splits them out.
Using CDK 2.161.1 to create an EFS with an access point and trying to grant the resource-based IAM policy by specifying the access point id failed with the same error.
I hope we can have a fix for this one.
I was able to test this using the attached template, which worked. Replace the placeholders (KMS keys, UUID/GUID) in the template. Please modify accordingly as per your requirements.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: This template deploys EFS File Systems
Parameters:
  EFSSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: VPC Security group for the EFS file system.
  EFSSubNetId1:
    Type: AWS::EC2::Subnet::Id
    Description: VPC Subnet ID 1 for the EFS file system; this subnet should be a part of the VPC associated with the security group.
  EFSSubNetId2:
    Type: AWS::EC2::Subnet::Id
    Description: VPC Subnet ID 2 for the EFS file system; this subnet should be a part of the VPC associated with the security group.

Resources:
  EFSFileSystem:
    Type: AWS::EFS::FileSystem
    UpdateReplacePolicy: Retain
    Properties:
      BackupPolicy:
        Status: DISABLED
      PerformanceMode: generalPurpose
      ThroughputMode: bursting
      Encrypted: true
      # placeholder key ARN; replace with your own
      KmsKeyId: arn:aws:kms:us-west-2:1234567890:key/abcder-b546-44e4-9055-ec32458610
      FileSystemTags:
        - Key: data_residency
          Value: canada
        - Key: environment
          Value: dev
      FileSystemPolicy:
        Version: "2012-10-17"
        Statement:
          # any principal, any EFS action, when access comes through a mount target
          - Effect: "Allow"
            Action:
              - "elasticfilesystem:*"
            Principal:
              AWS: "*"
            Condition:
              Bool:
                'elasticfilesystem:AccessedViaMountTarget': "true"
          # deny every action for connections that are not encrypted in transit
          - Effect: "Deny"
            Action:
              - "*"
            Principal:
              AWS: "*"
            Condition:
              Bool:
                'aws:SecureTransport': "false"
          - Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - elasticfilesystem:ClientMount
              - elasticfilesystem:ClientWrite
            Resource: "*"
  MountTargetResource1:
    Type: AWS::EFS::MountTarget
    UpdateReplacePolicy: Retain
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SubnetId: !Ref EFSSubNetId1
      SecurityGroups:
        - !Ref EFSSecurityGroup
  MountTargetResource2:
    Type: AWS::EFS::MountTarget
    UpdateReplacePolicy: Retain
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SubnetId: !Ref EFSSubNetId2
      SecurityGroups:
        - !Ref EFSSecurityGroup
  EFSAccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref EFSFileSystem
      PosixUser:
        Uid: "100"
        Gid: "100"
      RootDirectory:
        CreationInfo:
          OwnerGid: "708798"
          OwnerUid: "7987987"
          Permissions: "0755"
        Path: "/testcfn/abc"
```