fix(efs): client mount permissions are not granted by default (under feature flag)

[samyxdev]

Issue #33669 and #27374

Closes #33669 and #27374 . Inspired by #33671.

Reason for this change

EFS doesn't allow authentificated clients to mount the filesystem by default which makes it unusable when using defaults.

Description of changes

Added the elasticfilesystem:ClientMount permission by default when the client is authentificated, under the feature flag @aws-cdk/aws-efs:defaultAllowClientMount.

Describe any new or updated permissions being added

When the feature flag is enabled, the IAM permissions will now be set as:

new iam.PolicyStatement({
                principals: [new iam.AnyPrincipal()],
                actions: [
                  ClientAction.MOUNT,
                  ClientAction.WRITE,
                  ClientAction.ROOT_ACCESS,
                ],
                conditions: {
                  Bool: {
                    'elasticfilesystem:AccessedViaMountTarget': 'true',
                  },
                },

compared to the previously set:

new iam.PolicyStatement({
                principals: [new iam.AnyPrincipal()],
                actions: [
                  ClientAction.WRITE,
                  ClientAction.ROOT_ACCESS,
                ],
                conditions: {
                  Bool: {
                    'elasticfilesystem:AccessedViaMountTarget': 'true',
                  },
                },
              }));

Description of how you validated changes

Added an integration tests following the example from #33669: Leverages ECS to use a container that mounts the EFS.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 6a002a5
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[Abogical]

I don't believe this warrants adding a new feature flag. I don't think it's a breaking change, especially when the issue states that the defaults were unusable in the first place.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

Pull request has been modified.

[Abogical]

The PR has the effect of allowing anonymous access again to EFS filesystem, which is contradictory to the EFS Console default and what our previous PR (#35086) does. The issue that the PR aims to fix isn't really a bug, but intended behavior as a result of disallowing anonymous access by default.

I'm closing this PR as a result.

Related: #33669 (comment)

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.