1

We have a CDK based code repo to generate AWS resources. We have an AWS Lambda for which the EFS was created, the code is written in CDK v1 (using aws-cdk/aws-efs ).

To that I want to add file system policy to Elastic File System (EFS) to enforce encryption in transit. The change itself is clear.

In CDK V2 (using aws-cdk-lib) this change would be simple as shown here.

import * as efs from "aws-cdk-lib/aws-efs"
....
    const fileSystemPolicy = new iam.PolicyDocument({
      statements: [new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        principals: [new iam.AnyPrincipal()],
        actions: [
          "elasticfilesystem:ClientRootAccess",
          "elasticfilesystem:ClientMount",
          "elasticfilesystem:ClientWrite"
        ],
        conditions: {
          Bool: { "aws:SecureTransport": "true" }
        }
      })]
    })

    const cfFs = new efs.FileSystem(this, 'MyLambdaFilesystem', {
      vpc: vpc,
      fileSystemPolicy: fileSystemPolicy
    });

However, I could not find a way to do it with CDK v1 which is what I need. Looked at this doc for lambda.FileSystem which mentions FileSystemConfig containing policies but seems like we cannot set that.

Note:

Deleted the Updates from the question here to avoid causing confusion, as the updated answer resolves this issue.

Kuldeep Jain
  • 8,409
  • 8
  • 48
  • 73
  • @fedonev Added the minimal policy that works with edits to the generated ones, pls take a look. thanks – Kuldeep Jain Aug 28 '23 at 17:18
  • Aha, try `fileSystemPolicy.toJSON()` in the property override. My override command synthesizes fine (using V2) without the added `toJSON()` method, but perhaps V1 needs it. – fedonev Aug 28 '23 at 18:21
  • Thank you. Absolutely, that generated the correct policy. However my tests are failing `npm ERR! code ELIFECYCLE npm ERR! errno 1 ` even though I updated them to match, that too it shows no diff there ` - Snapshot - 0 + Received + 0 ` I tried this but does not help: https://stackoverflow.com/a/49505612/948268. checking further – Kuldeep Jain Aug 28 '23 at 19:58
  • It was just an issue due to formatting, fixed by running `npm test -- -u` – Kuldeep Jain Aug 28 '23 at 20:44

1 Answers1

1

Release 2.72.0 added the fileSystemPolicy prop to the EFS FileSystem construct in March 2023.

For CDK v1, set the FileSystemPolicy manually with an escape hatch property override:

const cfFs = new efs.FileSystem(this, "MyLambdaFilesystem", {
  vpc: vpc
});

const cfnCfFs = cfFs.node.defaultChild as efs.CfnFileSystem;
cfnCfFs.addPropertyOverride("FileSystemPolicy", fileSystemPolicy.toJSON());

The above code produces the same synthesized CloudFormation output as OP's v2 code.

[Edit]: Here is the FileSystemPolicy from the CloudFormation template that cdk synth creates for me:

"MyLambdaFilesSystemEAD92DBE": {
 "Type": "AWS::EFS::FileSystem",
 "Properties": {
  "Encrypted": true,
  "FileSystemPolicy": {
   "Statement": [
    {
     "Action": [
      "elasticfilesystem:ClientMount",
      "elasticfilesystem:ClientRootAccess",
      "elasticfilesystem:ClientWrite"
     ],
     "Condition": {
      "Bool": {
       "aws:SecureTransport": "true"
      }
     },
     "Effect": "Allow",
     "Principal": {
      "AWS": "*"
     }
    }
   ],
   "Version": "2012-10-17"
  },
Kuldeep Jain
  • 8,409
  • 8
  • 48
  • 73
fedonev
  • 20,327
  • 2
  • 25
  • 34