Tags: amazon-web-services, aws-lambda, aws-cdk, amazon-efs

Issue with adding EFS file system policy through CDK V1


We have a CDK-based code repo to generate AWS resources. We have an AWS Lambda for which an EFS file system was created; the code is written in CDK v1 (using aws-cdk/aws-efs).

To that I want to add a file system policy to the Elastic File System (EFS) to enforce encryption in transit. The change itself is clear.

In CDK v2 (using aws-cdk-lib) this change would be simple, as shown here.

import * as efs from "aws-cdk-lib/aws-efs"
import * as iam from "aws-cdk-lib/aws-iam"
....
    // Grant mount/write/root access only when the client connects over TLS
    // (aws:SecureTransport is "true"); the condition is what enforces encryption in transit.
    const fileSystemPolicy = new iam.PolicyDocument({
      statements: [new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        principals: [new iam.AnyPrincipal()],
        actions: [
          "elasticfilesystem:ClientRootAccess",
          "elasticfilesystem:ClientMount",
          "elasticfilesystem:ClientWrite"
        ],
        conditions: {
          Bool: { "aws:SecureTransport": "true" }
        }
      })]
    })

    // The v2 construct exposes the policy directly as a prop
    const cfFs = new efs.FileSystem(this, 'MyLambdaFilesystem', {
      vpc: vpc,
      fileSystemPolicy: fileSystemPolicy
    });

However, I could not find a way to do it with CDK v1, which is what I need. I looked at this doc for lambda.FileSystem, which mentions FileSystemConfig containing policies, but it seems we cannot set that.


Note:

I deleted the updates from the question to avoid causing confusion, as the updated answer resolves this issue.


Solution

  • Release 2.72.0 added the fileSystemPolicy prop to the EFS FileSystem construct in March 2023.

    For CDK v1, set the FileSystemPolicy manually with an escape hatch property override:

    import * as efs from "@aws-cdk/aws-efs"; // CDK v1 package

    // fileSystemPolicy is the iam.PolicyDocument from the question
    // (built with @aws-cdk/aws-iam in v1); the v1 construct has no prop for it
    const cfFs = new efs.FileSystem(this, "MyLambdaFilesystem", {
      vpc: vpc
    });
    
    // Escape hatch: reach the underlying L1 CfnFileSystem and set the
    // CloudFormation property the L2 construct does not expose
    const cfnCfFs = cfFs.node.defaultChild as efs.CfnFileSystem;
    cfnCfFs.addPropertyOverride("FileSystemPolicy", fileSystemPolicy.toJSON());
    

    The above code produces the same synthesized CloudFormation output as OP's v2 code.


    [Edit]: Here is the FileSystemPolicy from the CloudFormation template that cdk synth creates for me:

    "MyLambdaFilesSystemEAD92DBE": {
     "Type": "AWS::EFS::FileSystem",
     "Properties": {
      "Encrypted": true,
      "FileSystemPolicy": {
       "Statement": [
        {
         "Action": [
          "elasticfilesystem:ClientMount",
          "elasticfilesystem:ClientRootAccess",
          "elasticfilesystem:ClientWrite"
         ],
         "Condition": {
          "Bool": {
           "aws:SecureTransport": "true"
          }
         },
         "Effect": "Allow",
         "Principal": {
          "AWS": "*"
         }
        }
       ],
       "Version": "2012-10-17"
      },
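Since the answer's argument rests on the synthesized template, a practitioner will want a check that the `cdk synth` output actually enforces TLS, rather than trusting that the override landed. The following is an added example, not code from the question or the answer: a small TypeScript audit that reads a CloudFormation template as JSON and flags every `AWS::EFS::FileSystem` whose `FileSystemPolicy` lets a client mount without `aws:SecureTransport`. It accepts the shape in the answer's synth output (Allow statements conditioned on `aws:SecureTransport` being true) and also the explicit-Deny form (Deny when `aws:SecureTransport` is false). The embedded template is constructed for the example: the first resource mirrors the answer's output, and the logical IDs `NoPolicyFs` and `OpenAllowFs` are made up to show the failing cases. It needs only Node.js.

```typescript
// Added example: audit a synthesized CloudFormation template (output of `cdk synth`)
// for AWS::EFS::FileSystem resources whose FileSystemPolicy does not enforce TLS.
// Not code from the question or the answer; the sample template below is constructed.

interface Finding {
  logicalId: string;
  ok: boolean;
  reason: string;
}

// Mount-time actions an NFS client needs; an Allow granting any of these without
// a TLS condition lets an unencrypted client mount the file system.
const MOUNT_ACTIONS: string[] = [
  "elasticfilesystem:ClientMount",
  "elasticfilesystem:ClientWrite",
  "elasticfilesystem:ClientRootAccess",
];

// IAM allows Action/Principal/condition values as a string or a list; normalise to a list.
function asList(value: unknown): string[] {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value.map(String) : [String(value)];
}

function coversMountActions(actions: string[]): boolean {
  return actions.some(
    (a) => a === "*" || a === "elasticfilesystem:*" || MOUNT_ACTIONS.indexOf(a) !== -1
  );
}

// True when the statement's Condition pins aws:SecureTransport to `expected`.
function pinsSecureTransport(condition: any, expected: "true" | "false"): boolean {
  const bool = condition && condition.Bool;
  if (!bool) return false;
  return asList(bool["aws:SecureTransport"]).map((s) => s.toLowerCase()).indexOf(expected) !== -1;
}

// Shape 1: every Allow that grants mount actions requires aws:SecureTransport = true
// (the answer's synth output). Shape 2: an explicit Deny when aws:SecureTransport = false.
function enforcesTls(policy: any): { ok: boolean; reason: string } {
  if (!policy || !Array.isArray(policy.Statement)) {
    return { ok: false, reason: "no FileSystemPolicy: the default policy allows anonymous clients" };
  }
  const statements: any[] = policy.Statement;
  const explicitDeny = statements.some(
    (s) => s.Effect === "Deny" && coversMountActions(asList(s.Action)) && pinsSecureTransport(s.Condition, "false")
  );
  if (explicitDeny) return { ok: true, reason: "explicit Deny when aws:SecureTransport is false" };

  const allows = statements.filter((s) => s.Effect === "Allow" && coversMountActions(asList(s.Action)));
  if (allows.length === 0) return { ok: false, reason: "no statement grants mount actions" };
  const unconditioned = allows.filter((s) => !pinsSecureTransport(s.Condition, "true"));
  if (unconditioned.length > 0) {
    return { ok: false, reason: `${unconditioned.length} Allow statement(s) grant mount actions without aws:SecureTransport = true` };
  }
  return { ok: true, reason: "all Allow statements granting mount actions require aws:SecureTransport = true" };
}

// Walk every resource in the template and report one finding per EFS file system.
function auditEfsTemplate(templateJson: string): Finding[] {
  const template = JSON.parse(templateJson);
  const resources: Record<string, any> = template.Resources || {};
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(resources)) {
    const resource = resources[logicalId];
    if (resource.Type !== "AWS::EFS::FileSystem") continue;
    const props = resource.Properties || {};
    const verdict = enforcesTls(props.FileSystemPolicy);
    findings.push({ logicalId, ok: verdict.ok, reason: verdict.reason });
  }
  return findings;
}

// Constructed sample template: the first resource mirrors the answer's synth output;
// NoPolicyFs and OpenAllowFs are made-up logical IDs showing the two failing cases.
const SAMPLE_TEMPLATE = JSON.stringify({
  Resources: {
    MyLambdaFilesSystemEAD92DBE: {
      Type: "AWS::EFS::FileSystem",
      Properties: {
        Encrypted: true,
        FileSystemPolicy: {
          Statement: [{
            Action: MOUNT_ACTIONS,
            Condition: { Bool: { "aws:SecureTransport": "true" } },
            Effect: "Allow",
            Principal: { AWS: "*" },
          }],
          Version: "2012-10-17",
        },
      },
    },
    NoPolicyFs: { Type: "AWS::EFS::FileSystem", Properties: { Encrypted: true } },
    OpenAllowFs: {
      Type: "AWS::EFS::FileSystem",
      Properties: {
        FileSystemPolicy: {
          Statement: [{ Action: "elasticfilesystem:*", Effect: "Allow", Principal: { AWS: "*" } }],
          Version: "2012-10-17",
        },
      },
    },
  },
});

for (const f of auditEfsTemplate(SAMPLE_TEMPLATE)) {
  console.log(`${f.ok ? "PASS" : "FAIL"} ${f.logicalId}: ${f.reason}`);
}
```

To run it against real output, read the file `cdk synth` writes under `cdk.out/` and pass its contents to `auditEfsTemplate`; wiring that into CI catches a future refactor that drops the override from the v1 stack.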