aws_efs (Python): Incorrect File System Policy defaults #27374
Description
Describe the bug
When creating an EFS FileSystem in Python, a default file system policy is created regardless of the value passed to file_system_policy. If you specify a specific file system property, then it adds the custom policy to the default policy instead of replacing it. This all works as expected when deploying an EFS filesystem in TypeScript. I do not know if other languages also have the same issue.
Expected Behavior
I would expect the file_system_policy to reflect what was specified in the code.
Current Behavior
This policy is always applied or added to an EFS FileSystem:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "elasticfilesystem:ClientRootAccess",
        "elasticfilesystem:ClientWrite"
      ],
      "Resource": "arn:aws:elasticfilesystem:us-east-1:<ACCN>:file-system/fs-0e8468d3b11778c73",
      "Condition": {
        "Bool": {
          "elasticfilesystem:AccessedViaMountTarget": "true"
        }
      }
    }
  ]
}
```
Reproduction Steps
Deploy the following Python CDK code, browse to the console, and you will see that there is an additional policy beyond the policy that was specified.
```python
import aws_cdk as cdk
from aws_cdk import (
    Stack,
    aws_ec2 as ec2,
    aws_efs as efs,
    aws_iam as iam,
    RemovalPolicy,
)
from constructs import Construct


class EFSConstruct(Construct):
    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        self.file_system_name = "TestFileSystem"
        # The only statement this stack intends to place on the file system:
        # full EFS access for the account root principal.
        self.fs_policy = iam.PolicyDocument(
            statements=[
                iam.PolicyStatement(
                    actions=["elasticfilesystem:*"],
                    principals=[iam.AccountRootPrincipal()],
                    resources=["*"],
                )
            ]
        )
        self.file_system = efs.FileSystem(
            self,
            "test_file_system",
            file_system_name=self.file_system_name,
            vpc=ec2.Vpc(self, "efs_test_vpc"),
            encrypted=True,
            performance_mode=efs.PerformanceMode.GENERAL_PURPOSE,
            enable_automatic_backups=True,
            # Expected to become the complete file system policy
            file_system_policy=self.fs_policy,
            removal_policy=RemovalPolicy.DESTROY,
        )


class CdkEfsTestStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        self.efs = EFSConstruct(self, "efs")


app = cdk.App()
CdkEfsTestStack(app, "CdkEfsTestStack")
app.synth()
```
Deploy the following Python CDK code, browse to the console, and you will see that there is a default policy, even though `file_system_policy` was set to `None` (which, according to the documentation, is the default value).
```python
import aws_cdk as cdk
from aws_cdk import (
    Stack,
    aws_ec2 as ec2,
    aws_efs as efs,
    RemovalPolicy,
)
from constructs import Construct


class EFSConstruct(Construct):
    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        self.file_system_name = "TestFileSystem"
        self.file_system = efs.FileSystem(
            self,
            "test_file_system",
            file_system_name=self.file_system_name,
            vpc=ec2.Vpc(self, "efs_test_vpc"),
            encrypted=True,
            performance_mode=efs.PerformanceMode.GENERAL_PURPOSE,
            enable_automatic_backups=True,
            # Explicitly the documented default; no policy is expected at all
            file_system_policy=None,
            removal_policy=RemovalPolicy.DESTROY,
        )


class CdkEfsTestStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        self.efs = EFSConstruct(self, "efs")


app = cdk.App()
CdkEfsTestStack(app, "CdkEfsTestStack")
app.synth()
```
Possible Solution
No response
Additional Information/Context
I discovered this bug while trying to create an EFS-backed ECS Fargate container. The default policy doesn't allow containers to access the file system.
CDK CLI Version
2.99.0 (build 0aa1096)
Framework Version
No response
Node.js Version
v20.7.0
OS
MacOS
Language
Python
Language Version
Python 3.11.5
Other information
No response
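The statement the issue reproduces grants `ClientRootAccess` and `ClientWrite` to `"AWS": "*"` for any caller that reaches a mount target, so a practitioner will want to catch it in the synthesized template before `cdk deploy` rather than in the console afterwards. The following is an added example, not code from the issue or from the CDK project: it lints the JSON template that `cdk synth` writes (for the stack above, `cdk.out/CdkEfsTestStack.template.json`) for `AWS::EFS::FileSystem` resources whose `FileSystemPolicy` contains a wildcard-principal root/write statement, and diffs the synthesized policy against the one the code intended. The template, logical ids (`FsMerged`, `FsIntended`) and the intrinsic-function forms of the principal and resource are constructed sample data, not real synth output.

```python
"""Lint synthesized CloudFormation for EFS file-system policies that carry an
unexpected wildcard-principal statement. Added example; sample data is constructed."""
import json
from typing import Any, Dict, List

# With Principal "AWS": "*" these actions give any NFS client that reaches a
# mount target root on the file system.
ROOT_ACTIONS = {"elasticfilesystem:ClientRootAccess", "elasticfilesystem:ClientWrite"}


def _as_list(value: Any) -> List[Any]:
    """IAM JSON allows a scalar wherever a list is valid; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or Principal {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _canonical(stmt: Dict[str, Any]) -> str:
    """Canonical JSON so statements compare equal regardless of key order."""
    return json.dumps(stmt, sort_keys=True)


def wildcard_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements that hand ROOT_ACTIONS (or a full wildcard) to AWS:*."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if actions & ROOT_ACTIONS or actions & {"elasticfilesystem:*", "*"}:
            found.append(stmt)
    return found


def extra_statements(actual: Dict[str, Any], intended: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Statements in the synthesized policy that the code never specified."""
    wanted = {_canonical(s) for s in _as_list(intended.get("Statement", []))}
    return [s for s in _as_list(actual.get("Statement", [])) if _canonical(s) not in wanted]


def audit_template(template: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
    """Map every AWS::EFS::FileSystem logical id to its offending statements."""
    report: Dict[str, List[Dict[str, Any]]] = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EFS::FileSystem":
            continue
        policy = res.get("Properties", {}).get("FileSystemPolicy") or {"Statement": []}
        report[logical_id] = wildcard_statements(policy)
    return report


# Constructed sample data (hypothetical, not real cdk synth output): the statement
# the author's code specified, and the default statement the issue reports.
INTENDED_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":root"]]}},
    "Action": "elasticfilesystem:*",
    "Resource": "*",
}
DEFAULT_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["elasticfilesystem:ClientRootAccess", "elasticfilesystem:ClientWrite"],
    "Resource": {"Fn::GetAtt": ["FsMerged", "Arn"]},
    "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}},
}
INTENDED_POLICY = {"Version": "2012-10-17", "Statement": [INTENDED_STATEMENT]}
SAMPLE_TEMPLATE = {
    "Resources": {
        # What the issue observes: the custom statement plus the default one.
        "FsMerged": {
            "Type": "AWS::EFS::FileSystem",
            "Properties": {"FileSystemPolicy": {"Version": "2012-10-17",
                                                "Statement": [INTENDED_STATEMENT, DEFAULT_STATEMENT]}},
        },
        # What the author expected: only the specified statement.
        "FsIntended": {"Type": "AWS::EFS::FileSystem",
                       "Properties": {"FileSystemPolicy": INTENDED_POLICY}},
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    }
}

if __name__ == "__main__":
    for fs_id, stmts in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{fs_id}: {len(stmts)} wildcard root/write statement(s)")
    merged = SAMPLE_TEMPLATE["Resources"]["FsMerged"]["Properties"]["FileSystemPolicy"]
    print("unexpected on FsMerged:", extra_statements(merged, INTENDED_POLICY))
```

To use it on a real stack, `json.load` the template file from `cdk.out` and pass it to `audit_template`; `extra_statements` needs the policy in its CloudFormation form, so compare against the statements as they appear in the template (intrinsic functions included) rather than against the `PolicyDocument` object in Python. A non-empty result from either function is a reason to stop the deploy.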