(aws-lambda): Add validation to verify the filesystem configuration mountPath matches the AccessPoint path

[gshpychka]

What is the problem?

When attaching an EFS mount point to a lambda, there is only one correct value for the mountPath, and that is /mnt/{access point root path}. Any other value will result in an OS-level access denied exception. Since the root path can be accessed from the access point by CDK, why expose this parameter at all?

Reproduction Steps

Create an EFS Access Point. Attach it to a Lambda with mountPoint set to anything other than /mnt/{access point root path}. Attempt to write anything to the filesystem from the lambda.

What did you expect to happen?

File I/O operations work normally.

What actually happened?

Access denied I/O errors if the mount path differs from the access point's root path.

CDK CLI Version

1.132

Framework Version

No response

Node.js Version

16.11.1

OS

Linux

Language

Typescript, Python, .NET, Java, Go

Language Version

No response

Other information

Either infer the mountPath from the access point, or specify clearly in the documentation that it has to follow this strict pattern and is not customizable.

[nija-at]

@gshpychka -

By {access point root path}, do you mean the value passed here - https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-efs.AccessPoint.html#path ?

Per the CFN docs, this is configurable - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-filesystemconfig.html#cfn-lambda-function-filesystemconfig-localmountpath.

I've not tested this myself, but if that's not the access the value is always fixed, we can add a validation that these paths are the same. We'll still need the property in order to support imported EFS access points.

[gshpychka]

Yes, that's the one. From my testing, it has to match the root path or it doesn't work. Very confusing for sure.