├── cdk.json ├── .npmignore ├── .github └── demo-video.png ├── cdk.context.json ├── .gitignore ├── CODE_OF_CONDUCT.md ├── tslint.json ├── bin └── cdk.ts ├── tsconfig.json ├── package.json ├── LICENSE ├── lib ├── amazon-efs-integrations │ ├── efs-access-points.ts │ ├── efs-filesystem-policy.ts │ └── ecs-service.ts └── amazon-efs-integrations-stack.ts ├── CONTRIBUTING.md └── README.md /cdk.json: -------------------------------------------------------------------------------- 1 | { 2 | "app": "npx ts-node bin/cdk.ts" 3 | } 4 | -------------------------------------------------------------------------------- /.npmignore: -------------------------------------------------------------------------------- 1 | *.ts 2 | !*.d.ts 3 | 4 | # CDK asset staging directory 5 | .cdk.staging 6 | cdk.out 7 | -------------------------------------------------------------------------------- /.github/demo-video.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/amazon-efs-integrations/HEAD/.github/demo-video.png -------------------------------------------------------------------------------- /cdk.context.json: -------------------------------------------------------------------------------- 1 | { 2 | "@aws-cdk/core:enableStackNameDuplicates": "true", 3 | "aws-cdk:enableDiffNoFail": "true" 4 | } 5 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.js 2 | *.d.ts 3 | node_modules 4 | 5 | # CDK asset staging directory 6 | .cdk.staging 7 | cdk.out 8 | 9 | # Parcel build directories 10 | .cache 11 | .build 12 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /tslint.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultSeverity": "error", 3 | "extends": [ 4 | "tslint:recommended" 5 | ], 6 | "jsRules": {}, 7 | "rules": { 8 | "interface-name": [true, "never-prefix"], 9 | "object-literal-sort-keys": false, 10 | "quotemark": [true, "single"], 11 | "whitespace": [true, "check-module"] 12 | }, 13 | "rulesDirectory": [] 14 | } 15 | -------------------------------------------------------------------------------- /bin/cdk.ts: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env node 2 | import * as cdk from '@aws-cdk/core'; 3 | import { AmazonEfsIntegrationsStack } from '../lib/amazon-efs-integrations-stack'; 4 | 5 | const app = new cdk.App(); 6 | 7 | /* tslint:disable-next-line:no-unused-expression */ 8 | new AmazonEfsIntegrationsStack(app, 'AmazonEfsIntegrationsStack', { 9 | createEcsOnEc2Service: true, 10 | createEcsOnFargateService: true, 11 | createEfsFilesystem: false, 12 | createEfsAccessPoints: false, 13 | }); 14 | -------------------------------------------------------------------------------- /tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target":"ES2018", 4 | "module": "commonjs", 5 | "lib": ["es2018"], 6 | "declaration": true, 7 | "strict": true, 8 | "noImplicitAny": true, 9 | "strictNullChecks": true, 10 | "noImplicitThis": true, 11 | "alwaysStrict": true, 12 | "noUnusedLocals": false, 13 | "noUnusedParameters": false, 14 | "noImplicitReturns": true, 15 | "noFallthroughCasesInSwitch": false, 16 | "inlineSourceMap": true, 17 | "inlineSources": true, 18 | "experimentalDecorators": true, 19 | "strictPropertyInitialization":false, 20 | "typeRoots": ["./node_modules/@types"] 21 | }, 22 | "exclude": ["cdk.out"] 23 | } 24 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "amazon-efs-integrations", 3 | "version": "0.1.0", 4 | "bin": { 5 | "cdk": "bin/cdk.js" 6 | }, 7 | "scripts": { 8 | "build": "tsc", 9 | "watch": "tsc -w", 10 | "cdk": "cdk", 11 | "lint": "tslint --project ." 12 | }, 13 | "devDependencies": { 14 | "@types/node": "14.0.5", 15 | "aws-cdk": "1.41.0", 16 | "ts-node": "^8.10.1", 17 | "tslint": "^6.1.2", 18 | "typescript": "~3.9.3" 19 | }, 20 | "dependencies": { 21 | "@aws-cdk/aws-ec2": "1.41.0", 22 | "@aws-cdk/aws-ecs": "1.41.0", 23 | "@aws-cdk/aws-ecs-patterns": "1.41.0", 24 | "@aws-cdk/aws-efs": "1.41.0", 25 | "@aws-cdk/core": "1.41.0", 26 | "@aws-cdk/custom-resources": "1.41.0", 27 | "source-map-support": "^0.5.19", 28 | "var_dump": "^1.0.5" 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /lib/amazon-efs-integrations/efs-access-points.ts: -------------------------------------------------------------------------------- 1 | import { FileSystem } from '@aws-cdk/aws-efs'; 2 | import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from '@aws-cdk/custom-resources'; 3 | 4 | /** 5 | * We use a collection of `AwsCustomResource` constructs, indexed by their name, to create 6 | * the EFS Access Points via the AWS SDK. This is a stop-gap until support for creating 7 | * EFS Access Points via CloudFormation and CDK is available. 8 | */ 9 | export class EfsAccessPoints extends Map { 10 | constructor( 11 | fileSystem: FileSystem, 12 | createEcsOnEc2AccessPoints: boolean, 13 | createFargateAccessPoints: boolean, 14 | ) { 15 | super() 16 | 17 | /* 18 | Configuration for the Access Points we're going to be creating so that we can do so iteratively. 19 | Note that the "Common" Access Point is always created. 20 | */ 21 | const accessPointConfigs = [ 22 | {name: 'Common', posixId: 6000, path: '/common'}, 23 | ...(createEcsOnEc2AccessPoints ? [{name: 'EcsShared', posixId: 3000, path: '/shared/ecs'}] : []), 24 | ...(createEcsOnEc2AccessPoints ? [{name: 'EcsPrivate', posixId: 3000, path: '/private/ecs'}] : []), 25 | ...(createFargateAccessPoints ? [{name: 'FargateShared', posixId: 7000, path: '/shared/fargate'}] : []), 26 | ...(createFargateAccessPoints ? [{name: 'FargatePrivate', posixId: 7000, path: '/private/fargate'}] : []), 27 | ]; 28 | 29 | /* 30 | Use a `AwsCustomResource` to create each EFS Access Point based on the `accessPointConfigs` array above 31 | via the AWS SDK. They'll each be keyed by their name for easy access using .get(...). 32 | */ 33 | accessPointConfigs.forEach((config: {name: string, posixId: number, path: string}) => { 34 | this.set( 35 | config.name, 36 | new AwsCustomResource( 37 | fileSystem.stack, 38 | 'EfsAccessPoint' + config.name, { 39 | onUpdate: { 40 | action: 'createAccessPoint', 41 | parameters: { 42 | FileSystemId: fileSystem.fileSystemId, 43 | PosixUser: { 44 | Gid: config.posixId, 45 | Uid: config.posixId, 46 | }, 47 | RootDirectory: { 48 | CreationInfo: { 49 | OwnerGid: config.posixId, 50 | OwnerUid: config.posixId, 51 | Permissions: 750, 52 | }, 53 | Path: config.path, 54 | }, 55 | Tags: [{Key: 'Name', Value: config.name}, 56 | ], 57 | }, 58 | physicalResourceId: PhysicalResourceId.fromResponse('AccessPointArn'), 59 | service: 'EFS', 60 | }, 61 | policy: AwsCustomResourcePolicy.fromSdkCalls({ 62 | resources: AwsCustomResourcePolicy.ANY_RESOURCE, 63 | }), 64 | }, 65 | ) 66 | ) 67 | }); 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *master* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | 61 | We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes. 62 | -------------------------------------------------------------------------------- /lib/amazon-efs-integrations-stack.ts: -------------------------------------------------------------------------------- 1 | import { InstanceType, Port, SecurityGroup, Vpc } from '@aws-cdk/aws-ec2'; 2 | import { Cluster } from '@aws-cdk/aws-ecs'; 3 | import { FileSystem } from '@aws-cdk/aws-efs'; 4 | import { Construct, Stack, StackProps } from '@aws-cdk/core'; 5 | import { EfsAccessPoints } from './amazon-efs-integrations/efs-access-points'; 6 | import { EfsFileSystemPolicy } from './amazon-efs-integrations/efs-filesystem-policy'; 7 | import { EcsEfsIntegrationService, ServiceType } from './amazon-efs-integrations/ecs-service'; 8 | import { ApplicationLoadBalancedFargateService, ApplicationLoadBalancedEc2Service } from '@aws-cdk/aws-ecs-patterns'; 9 | 10 | export interface AmazonEfsIntegrationsStackProps extends StackProps { 11 | /** 12 | * Whether or not to create the ECS on EC2 service to show the EFS integration 13 | */ 14 | readonly createEcsOnEc2Service: boolean; 15 | /** 16 | * Whether or not to create the ECS on EC2 service to show the EFS integration 17 | */ 18 | readonly createEcsOnFargateService: boolean; 19 | /** 20 | * Whether or not to create the EFS filesystem to show the EFS integration 21 | */ 22 | readonly createEfsFilesystem: boolean; 23 | 24 | /** 25 | * Whether or not to create the EFS access points to show the EFS integration 26 | */ 27 | readonly createEfsAccessPoints: boolean; 28 | } 29 | 30 | export class AmazonEfsIntegrationsStack extends Stack { 31 | constructor(scope: Construct, id: string, props: AmazonEfsIntegrationsStackProps) { 32 | if (props.createEfsAccessPoints && !props.createEfsFilesystem) { 33 | throw new Error('`createEfsFileSystem` must be set to true if `createEfsAccessPoints` is true'); 34 | } 35 | 36 | super(scope, id, props); 37 | 38 | const vpc = new Vpc(this, 'EfsIntegrationDemo', {maxAzs: 2}); 39 | const efsSecurityGroup = new SecurityGroup(this, 'EfsSecurityGroup', {securityGroupName: 'efs-demo-fs', vpc}); 40 | 41 | let fileSystem; 42 | let efsAccessPoints; 43 | 44 | if (props.createEfsFilesystem) { 45 | /* tslint:disable-next-line:no-unused-expression */ 46 | fileSystem = new FileSystem(this, 'EfsIntegrationDemoFileSystem', { 47 | encrypted: true, 48 | fileSystemName: 'efs-demo-fs', 49 | securityGroup: efsSecurityGroup, 50 | vpc, 51 | }); 52 | 53 | if (props.createEfsAccessPoints) { 54 | efsAccessPoints = new EfsAccessPoints( 55 | fileSystem, 56 | props.createEcsOnEc2Service, 57 | props.createEcsOnFargateService, 58 | ); 59 | } 60 | } 61 | 62 | if (props.createEcsOnEc2Service || props.createEcsOnFargateService) { 63 | const cluster = new Cluster(this, 'EcsCluster', {vpc}); 64 | let ecsOnEc2Service; 65 | let ecsOnFargateService; 66 | 67 | if (props.createEcsOnEc2Service) { 68 | cluster.addCapacity('DefaultAutoScalingGroup', { 69 | instanceType: new InstanceType('t2.large'), 70 | maxCapacity: 2, 71 | minCapacity: 2, 72 | }); 73 | 74 | ecsOnEc2Service = EcsEfsIntegrationService.create( 75 | ServiceType.EC2, 76 | cluster, 77 | fileSystem, 78 | efsAccessPoints 79 | ) as ApplicationLoadBalancedEc2Service; 80 | efsSecurityGroup.connections.allowFrom(ecsOnEc2Service.service, Port.tcp(2049)); 81 | } 82 | 83 | if (props.createEcsOnFargateService) { 84 | ecsOnFargateService = EcsEfsIntegrationService.create( 85 | ServiceType.FARGATE, 86 | cluster, 87 | fileSystem, 88 | efsAccessPoints 89 | ) as ApplicationLoadBalancedFargateService; 90 | efsSecurityGroup.connections.allowFrom(ecsOnFargateService.service, Port.tcp(2049)); 91 | } 92 | 93 | if (props.createEfsAccessPoints && fileSystem && efsAccessPoints) { 94 | // tslint:disable-next-line: no-unused-expression 95 | new EfsFileSystemPolicy( 96 | fileSystem, 97 | efsAccessPoints, 98 | ecsOnEc2Service, 99 | ecsOnFargateService, 100 | ); 101 | } 102 | } 103 | } 104 | } 105 | -------------------------------------------------------------------------------- /lib/amazon-efs-integrations/efs-filesystem-policy.ts: -------------------------------------------------------------------------------- 1 | import { FileSystem } from '@aws-cdk/aws-efs'; 2 | import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from '@aws-cdk/custom-resources'; 3 | import { Arn } from '@aws-cdk/core'; 4 | import { EfsAccessPoints } from './efs-access-points'; 5 | import { ApplicationLoadBalancedEc2Service, ApplicationLoadBalancedFargateService } from '@aws-cdk/aws-ecs-patterns'; 6 | 7 | /** 8 | * We use this `AwsCustomResource` construct to create the EFS filesystem policy via the AWS SDK. This 9 | * is a stop-gap until support for creating EFS filesystem policies via CloudFormation and CDK is available. 10 | */ 11 | export class EfsFileSystemPolicy extends AwsCustomResource { 12 | constructor( 13 | fileSystem: FileSystem, 14 | accessPoints: EfsAccessPoints, 15 | ecsOnEc2Service?: ApplicationLoadBalancedEc2Service, 16 | ecsOnFargateService?: ApplicationLoadBalancedFargateService, 17 | ) { 18 | // We'll be using this value several times throughout. 19 | const fileSystemArn = Arn.format( 20 | {service: 'elasticfilesystem', resource: 'file-system', resourceName: fileSystem.fileSystemId}, 21 | fileSystem.stack, 22 | ); 23 | 24 | /* 25 | Initialize statement list with equivalent of: 26 | * Disable root access by default 27 | * Enforce read-only access by default 28 | * Enforce in-transit encryption for all clients 29 | */ 30 | const statements: object[] = [ 31 | { 32 | Sid: 'DisableRootAccessAndEnforceReadOnlyByDefault', 33 | Effect: 'Allow', 34 | Action: 'elasticfilesystem:ClientMount', 35 | Principal: { 36 | AWS: '*', 37 | }, 38 | Resource: fileSystemArn, 39 | }, 40 | { 41 | Sid: 'EnforceInTransitEncryption', 42 | Effect: 'Deny', 43 | Action: ['*'], 44 | Principal: { 45 | AWS: '*', 46 | }, 47 | Resource: fileSystemArn, 48 | Condition: { 49 | Bool: {'aws:SecureTransport': false}, 50 | }, 51 | }, 52 | ]; 53 | 54 | if (ecsOnEc2Service) { 55 | // Allow r/w for ECS on EC2 Service to Common, EcsPrivate, and EcsShared 56 | statements.push({ 57 | Sid: 'EcsOnEc2CloudCmdTaskReadWriteAccess', 58 | Effect: 'Allow', 59 | Action: [ 60 | 'elasticfilesystem:ClientMount', 61 | 'elasticfilesystem:ClientWrite', 62 | ], 63 | Principal: { 64 | AWS: ecsOnEc2Service.taskDefinition.taskRole.roleArn, 65 | }, 66 | Resource: fileSystemArn, 67 | Condition: { 68 | StringEquals: { 69 | 'elasticfilesystem:AccessPointArn': [ 70 | accessPoints.get('Common')?.getResponseField('AccessPointArn'), 71 | accessPoints.get('EcsPrivate')?.getResponseField('AccessPointArn'), 72 | accessPoints.get('EcsShared')?.getResponseField('AccessPointArn'), 73 | ].filter((arn) => arn), 74 | }, 75 | }, 76 | }); 77 | 78 | if (ecsOnFargateService) { 79 | // Allow readonly for ECS on EC2 Service to FargateShared, if exists. 80 | statements.push({ 81 | Sid: 'EcsOnEc2CloudCmdTaskReadAccess', 82 | Effect: 'Allow', 83 | Action: [ 84 | 'elasticfilesystem:ClientMount', 85 | ], 86 | Principal: { 87 | AWS: ecsOnEc2Service.taskDefinition.taskRole.roleArn, 88 | }, 89 | Resource: fileSystemArn, 90 | Condition: { 91 | StringEquals: { 92 | 'elasticfilesystem:AccessPointArn': [ 93 | accessPoints.get('FargateShared')?.getResponseField('AccessPointArn'), 94 | ].filter((arn) => arn), 95 | }, 96 | }, 97 | }); 98 | } 99 | } 100 | 101 | if (ecsOnFargateService) { 102 | // Allow r/w for ECS on Fargate Service to Common, FargatePrivate, and FargateShared 103 | statements.push({ 104 | Sid: 'EcsOnFargateCloudCmdTaskReadWriteAccess', 105 | Effect: 'Allow', 106 | Action: [ 107 | 'elasticfilesystem:ClientMount', 108 | 'elasticfilesystem:ClientWrite', 109 | ], 110 | Principal: { 111 | AWS: ecsOnFargateService.taskDefinition.taskRole.roleArn, 112 | }, 113 | Resource: fileSystemArn, 114 | Condition: { 115 | StringEquals: { 116 | 'elasticfilesystem:AccessPointArn': [ 117 | accessPoints.get('Common')?.getResponseField('AccessPointArn'), 118 | accessPoints.get('FargatePrivate')?.getResponseField('AccessPointArn'), 119 | accessPoints.get('FargateShared')?.getResponseField('AccessPointArn'), 120 | ].filter((arn) => arn), 121 | }, 122 | }, 123 | }); 124 | 125 | if (ecsOnEc2Service) { 126 | // Allow readonly for ECS on Fargate Service to EcsShared, if exists. 127 | statements.push({ 128 | Sid: 'EcsOnFargateCloudCmdTaskReadAccess', 129 | Effect: 'Allow', 130 | Action: [ 131 | 'elasticfilesystem:ClientMount', 132 | ], 133 | Principal: { 134 | AWS: ecsOnFargateService.taskDefinition.taskRole.roleArn, 135 | }, 136 | Resource: fileSystemArn, 137 | Condition: { 138 | StringEquals: { 139 | 'elasticfilesystem:AccessPointArn': [ 140 | accessPoints.get('EcsShared')?.getResponseField('AccessPointArn'), 141 | ].filter((arn) => arn), 142 | }, 143 | }, 144 | }); 145 | } 146 | } 147 | 148 | const createOrUpdateFileSystemPolicy = { 149 | action: 'putFileSystemPolicy', 150 | parameters: { 151 | FileSystemId: fileSystem.fileSystemId, 152 | Policy: fileSystem.stack.toJsonString({ 153 | Version: '2012-10-17', 154 | Statement: statements, 155 | }), 156 | }, 157 | physicalResourceId: PhysicalResourceId.fromResponse('FileSystemId'), 158 | service: 'EFS', 159 | }; 160 | 161 | // Create the actual policy based on the statements assembled above. 162 | super( 163 | fileSystem.stack, 164 | 'EfsFileSystemPolicy', { 165 | onCreate: createOrUpdateFileSystemPolicy, 166 | onUpdate: createOrUpdateFileSystemPolicy, 167 | policy: AwsCustomResourcePolicy.fromSdkCalls({ 168 | resources: AwsCustomResourcePolicy.ANY_RESOURCE, 169 | }), 170 | }, 171 | ); 172 | } 173 | }; 174 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Amazon EFS Integrations 2 | 3 | This repository provides examples of some of the various Amazon EFS integrations available, beginning with ECS on EC2 and ECS on AWS Fargate. 4 | 5 | ## Usage 6 | 7 | 1. Install the [Amazon Cloud Development Kit](https://aws.amazon.com/cdk/) (CDK). 8 | 2. Clone this repository and `cd` into it. 9 | 3. Modify the arguments to the `AmazonEfsIntegrationsStack` constructor in `$/bin/cdk.ts` according to your environment. 10 | * The default settings will get you to the environment state at the beginning of the demo video linked below. The demo scenario has two running ECS services, but no EFS file system. 11 | * Alternatively, if you'd like to deploy the full setup, you can set all of the `createXXXXX` arguments to `true`. 12 | 4. Execute the following: 13 | * `npm install` 14 | * `npm run cdk bootstrap` 15 | * `npm run cdk deploy` 16 | 5. Visit the load balancer URLs and explore the AWS console within the ECS and EFS services to see how everything works, or follow along in the demo video to build the rest of the solution yourself. 17 | 18 | ## Cleanup 19 | 20 | Execute `npm run cdk destroy` to delete resources pertaining to this example. 21 | 22 | You will also need to delete the following *manually*: 23 | * The [CDKToolkit CloudFormation Stack](https://console.aws.amazon.com/cloudformation/home#/stacks?filteringText=CDKToolkit) created by `npm run cdk bootstrap`. 24 | * The `cdktoolkit-stagingbucket-<...>` bucket. 25 | 26 | ## Demo 27 | 28 | [![Demo](.github/demo-video.png)](https://www.youtube.com/watch?v=FJlHXBcDJiw) 29 | 30 | ## Example EFS file system policy 31 | 32 | If you're looking the example of the EFS file system policy mentioned in the demo video to use as a reference, it can be found below. Please note the values enclosed ``, which would need to be modified to suit your particular deployment. 33 | 34 | ```json 35 | { 36 | "Version": "2012-10-17", 37 | "Statement": [ 38 | { 39 | "Sid": "DisableRootAccessAndEnforceReadOnlyByDefault", 40 | "Effect": "Allow", 41 | "Principal": { 42 | "AWS": "*" 43 | }, 44 | "Action": "elasticfilesystem:ClientMount", 45 | "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/", 46 | }, 47 | { 48 | "Sid": "EnforceInTransitEncryption", 49 | "Effect": "Deny", 50 | "Principal": { 51 | "AWS": "*" 52 | }, 53 | "Action": "*", 54 | "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/", 55 | "Condition": { 56 | "Bool": { 57 | "aws:SecureTransport": "false" 58 | } 59 | } 60 | }, 61 | { 62 | "Sid": "EcsOnEc2CloudCmdTaskReadWriteAccess", 63 | "Effect": "Allow", 64 | "Principal": { 65 | "AWS": "arn:aws:iam::${AWS::AccountId}:role/" 66 | }, 67 | "Action": [ 68 | "elasticfilesystem:ClientMount", 69 | "elasticfilesystem:ClientWrite" 70 | ], 71 | "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/", 72 | "Condition": { 73 | "StringEquals": { 74 | "elasticfilesystem:AccessPointArn": [ 75 | "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/", 76 | "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/", 77 | "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/" 78 | ] 79 | } 80 | } 81 | }, 82 | { 83 | "Sid": "EcsOnEc2CloudCmdTaskReadAccess", 84 | "Effect": "Allow", 85 | "Principal": { 86 | "AWS": "arn:aws:iam::${AWS::AccountId}:role/" 87 | }, 88 | "Action": "elasticfilesystem:ClientMount", 89 | "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/", 90 | "Condition": { 91 | "StringEquals": { 92 | "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/" 93 | } 94 | } 95 | }, 96 | { 97 | "Sid": "EcsOnFargateCloudCmdTaskReadWriteAccess", 98 | "Effect": "Allow", 99 | "Principal": { 100 | "AWS": "arn:aws:iam::${AWS::AccountId}:role/" 101 | }, 102 | "Action": [ 103 | "elasticfilesystem:ClientMount", 104 | "elasticfilesystem:ClientWrite" 105 | ], 106 | "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/", 107 | "Condition": { 108 | "StringEquals": { 109 | "elasticfilesystem:AccessPointArn": [ 110 | "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/", 111 | "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/", 112 | "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/" 113 | ] 114 | } 115 | } 116 | }, 117 | { 118 | "Sid": "EcsOnFargateCloudCmdTaskReadAccess", 119 | "Effect": "Allow", 120 | "Principal": { 121 | "AWS": "arn:aws:iam::${AWS::AccountId}:role/" 122 | }, 123 | "Action": "elasticfilesystem:ClientMount", 124 | "Resource": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/", 125 | "Condition": { 126 | "StringEquals": { 127 | "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/" 128 | } 129 | } 130 | } 131 | ] 132 | } 133 | ``` 134 | 135 | ## License 136 | 137 | This library is licensed under the MIT-0 License. See the [LICENSE](./LICENSE) file. 138 | -------------------------------------------------------------------------------- /lib/amazon-efs-integrations/ecs-service.ts: -------------------------------------------------------------------------------- 1 | import { CfnService, ContainerImage, Cluster, Ec2TaskDefinition, FargatePlatformVersion, NetworkMode, Protocol, LogDriver } from '@aws-cdk/aws-ecs'; 2 | import { FileSystem } from '@aws-cdk/aws-efs'; 3 | import { Duration } from '@aws-cdk/core'; 4 | import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from '@aws-cdk/custom-resources'; 5 | import { EfsAccessPoints } from './efs-access-points'; 6 | import { 7 | ApplicationLoadBalancedEc2ServiceProps, 8 | ApplicationLoadBalancedEc2Service, 9 | ApplicationLoadBalancedFargateService, 10 | ApplicationLoadBalancedFargateServiceProps 11 | } from '@aws-cdk/aws-ecs-patterns'; 12 | 13 | export enum ServiceType { 14 | EC2 = 'Ec2', 15 | FARGATE = 'Fargate' 16 | } 17 | 18 | interface MountPoint { 19 | containerPath: string, 20 | sourceVolume: string 21 | }; 22 | 23 | interface Volume { 24 | name: string, 25 | efsVolumeConfiguration?: { 26 | fileSystemId: string, 27 | authorizationConfig?: { 28 | iam: string, 29 | accessPointId: string, 30 | }, 31 | transitEncryption: string, 32 | }, 33 | } 34 | 35 | export class EcsEfsIntegrationService { 36 | static create( 37 | serviceType: ServiceType, 38 | cluster: Cluster, 39 | fileSystem?: FileSystem, 40 | efsAccessPoints?: EfsAccessPoints, 41 | props?: ApplicationLoadBalancedEc2ServiceProps | ApplicationLoadBalancedFargateServiceProps, 42 | ) { 43 | let service: ApplicationLoadBalancedEc2Service | ApplicationLoadBalancedFargateService; 44 | 45 | const containerImage = 'coderaiser/cloudcmd:14.3.10-alpine'; 46 | if (serviceType === ServiceType.EC2) { 47 | /* 48 | Initial task definition with the 80:80 port mapping is needed here to ensure the ALB security 49 | group is created properly. This is not necessary for the Fargate service. 50 | @todo: Remove when CDK supports EFS for ECS fully. 51 | */ 52 | const initialEc2TaskDefinition = new Ec2TaskDefinition(cluster, 'Ec2ServiceInitialTaskDefinition', {}) 53 | const container = initialEc2TaskDefinition.addContainer('cloudcmd', { 54 | image: ContainerImage.fromRegistry(containerImage), 55 | logging: LogDriver.awsLogs({streamPrefix: 'ecs'}), 56 | memoryLimitMiB: 512, 57 | }) 58 | container.addPortMappings({ 59 | containerPort: 80, 60 | hostPort: 80, 61 | protocol: Protocol.TCP 62 | }) 63 | service = new ApplicationLoadBalancedEc2Service(cluster.stack, 'Ec2Service', { 64 | cluster, 65 | desiredCount: 2, 66 | memoryLimitMiB: 512, 67 | taskDefinition: initialEc2TaskDefinition, 68 | ...props, 69 | }); 70 | } else { 71 | service = new ApplicationLoadBalancedFargateService(cluster.stack, 'FargateService', { 72 | cluster, 73 | desiredCount: 2, 74 | platformVersion: FargatePlatformVersion.VERSION1_4, 75 | taskImageOptions: { 76 | containerName: 'cloudcmd', 77 | image: ContainerImage.fromRegistry(containerImage), 78 | }, 79 | ...props 80 | }); 81 | } 82 | 83 | // Required to run Cloud Commander from behind the ALB 84 | service.targetGroup.enableCookieStickiness(Duration.minutes(5)); 85 | 86 | let mountPoints: MountPoint[] = []; 87 | let volumes: Volume[] = []; 88 | 89 | if (efsAccessPoints) { 90 | efsAccessPoints.forEach((ap: AwsCustomResource, name: string) => { 91 | // Don't add the "EcsPrivate" AP on the Fargate task (and vice-versa) 92 | if ( 93 | (serviceType === ServiceType.EC2 && name === 'FargatePrivate') || 94 | (serviceType === ServiceType.FARGATE && name === 'EcsPrivate') 95 | ) { 96 | return 97 | } 98 | 99 | // Drop the "ecs" or "fargate" suffix if it's the "private" access point 100 | const containerPath = '/files' + ( 101 | (name === 'FargatePrivate' || name === 'EcsPrivate') ? '/private' : ap.getResponseField('RootDirectory.Path') 102 | ); 103 | 104 | mountPoints.push({containerPath, sourceVolume: name}) 105 | volumes.push({ 106 | name, 107 | efsVolumeConfiguration: { 108 | fileSystemId: fileSystem!.fileSystemId, 109 | authorizationConfig: { 110 | iam: 'ENABLED', 111 | accessPointId: ap.getResponseField('AccessPointId'), 112 | }, 113 | transitEncryption: 'ENABLED', 114 | } 115 | }) 116 | }); 117 | } else { 118 | // Whether it's a "Bind Mount" or a root EFS filesystem mount, we'll be using "/files" as the mount point 119 | mountPoints = [{ 120 | containerPath: '/files', 121 | sourceVolume: 'files', 122 | }]; 123 | 124 | // `efsVolumeConfiguration` if we're mounting the root EFS filesystem. 125 | if (fileSystem) { 126 | volumes = [{ 127 | efsVolumeConfiguration: { 128 | fileSystemId: fileSystem.fileSystemId, 129 | transitEncryption: 'ENABLED', 130 | }, 131 | name: 'files', 132 | }]; 133 | } else { 134 | volumes = [{name: 'files'}]; 135 | } 136 | } 137 | 138 | /* 139 | This JSON structure represents the final desired task definition, which includes the 140 | EFS volume configurations. This is a stop-gap measure that will be replaced when this 141 | capability is fully supported in CloudFormation and CDK. 142 | */ 143 | const customTaskDefinitionJson = { 144 | containerDefinitions: [ 145 | { 146 | command: [ 147 | '--no-keys-panel', 148 | '--one-file-panel', 149 | '--port=80', 150 | '--root=/files', 151 | ], 152 | essential: true, 153 | image: containerImage, 154 | logConfiguration: { 155 | logDriver: service.taskDefinition.defaultContainer?.logDriverConfig?.logDriver, 156 | options: service.taskDefinition.defaultContainer?.logDriverConfig?.options, 157 | }, 158 | memory: 512, 159 | mountPoints, 160 | name: service.taskDefinition.defaultContainer?.containerName, 161 | portMappings: [ 162 | { 163 | containerPort: 80, 164 | hostPort: 80, 165 | protocol: 'tcp', 166 | }, 167 | ], 168 | }, 169 | ], 170 | cpu: '256', 171 | executionRoleArn: service.taskDefinition.executionRole?.roleArn, 172 | family: service.taskDefinition.family, 173 | memory: '1024', 174 | networkMode: serviceType === ServiceType.EC2 ? NetworkMode.BRIDGE : NetworkMode.AWS_VPC, 175 | requiresCompatibilities: [ 176 | serviceType.toUpperCase(), 177 | ], 178 | taskRoleArn: service.taskDefinition.taskRole.roleArn, 179 | volumes, 180 | }; 181 | 182 | /* 183 | We use `AwsCustomResource` to create a new task definition revision with EFS volume 184 | configurations, which is available in the AWS SDK. 185 | */ 186 | const createOrUpdateCustomTaskDefinition = { 187 | action: 'registerTaskDefinition', 188 | outputPath: 'taskDefinition.taskDefinitionArn', 189 | parameters: customTaskDefinitionJson, 190 | physicalResourceId: PhysicalResourceId.fromResponse('taskDefinition.taskDefinitionArn'), 191 | service: 'ECS', 192 | }; 193 | const customTaskDefinition = new AwsCustomResource(service, 'Custom' + serviceType + 'TaskDefinition', { 194 | onCreate: createOrUpdateCustomTaskDefinition, 195 | onUpdate: createOrUpdateCustomTaskDefinition, 196 | policy: AwsCustomResourcePolicy.fromSdkCalls({ 197 | resources: AwsCustomResourcePolicy.ANY_RESOURCE, 198 | }), 199 | }); 200 | service.taskDefinition.executionRole?.grantPassRole(customTaskDefinition.grantPrincipal); 201 | service.taskDefinition.taskRole.grantPassRole(customTaskDefinition.grantPrincipal); 202 | 203 | /* 204 | Finally, we'll update the ECS service to use the new task definition revision 205 | that we just created above. 206 | */ 207 | (service.service.node.tryFindChild('Service') as CfnService)?.addPropertyOverride( 208 | 'TaskDefinition', 209 | customTaskDefinition.getResponseField('taskDefinition.taskDefinitionArn'), 210 | ); 211 | 212 | return service; 213 | }; 214 | } 215 | --------------------------------------------------------------------------------