feat(aws-efs): grant support on FileSystem#14999
Merged
mergify[bot] merged 8 commits intoaws:masterfrom Jul 15, 2021
Merged
Conversation
|
|
nija-at
previously requested changes
Jun 21, 2021
Comment on lines
+336
to
+340
| this.fileSystemArn = Stack.of(scope).formatArn({ | ||
| service: 'elasticfilesystem', | ||
| resource: 'file-system', | ||
| resourceName: this.fileSystemId, | ||
| }); |
Contributor
There was a problem hiding this comment.
I believe you should just get the arn from CfnFileSystem.
Suggested change
| this.fileSystemArn = Stack.of(scope).formatArn({ | |
| service: 'elasticfilesystem', | |
| resource: 'file-system', | |
| resourceName: this.fileSystemId, | |
| }); | |
| this.fileSystemArn = filesystem.attrArn; |
Contributor
Author
There was a problem hiding this comment.
Good catch. Just updated the code.
| super(scope, id); | ||
|
|
||
| this.fileSystemId = attrs.fileSystemId; | ||
| if (!attrs.fileSystemId && !attrs.fileSystemArn) { |
Contributor
There was a problem hiding this comment.
Either we should change this so that only one of them is provided, or if we want to support providing both, we should validate (later) that they are not different.
Contributor
Author
There was a problem hiding this comment.
I'm going to throw an error if both are provided (similar to how it's done for DynamoDB tables).
packages/@aws-cdk/aws-efs/README.md
Outdated
Comment on lines
+60
to
+64
| const role = new iam.Role(this, 'Role', { | ||
| assumedBy: new iam.AnyPrincipal(), | ||
| }); | ||
|
|
||
| importedFileSystem.grant(role, 'elasticfilesystem:ClientWrite'); |
Contributor
There was a problem hiding this comment.
Document the grant API in a separate section.
nija-at
previously requested changes
Jun 22, 2021
Contributor
nija-at
left a comment
There was a problem hiding this comment.
Thanks for making the changes. A few more comments below.
packages/@aws-cdk/aws-efs/README.md
Outdated
| }); | ||
| ``` | ||
|
|
||
| ### Granting fileSystem permissions to resources |
Contributor
There was a problem hiding this comment.
Suggested change
| ### Granting fileSystem permissions to resources | |
| ### Permissions |
packages/@aws-cdk/aws-efs/README.md
Outdated
Comment on lines
+63
to
+64
| If you need to grant file system permissions to another resource, you can use the `.grant()` method. | ||
| As an example, the following code gives ClientWrite permissions to an IAM role. |
Contributor
There was a problem hiding this comment.
Suggested change
| If you need to grant file system permissions to another resource, you can use the `.grant()` method. | |
| As an example, the following code gives ClientWrite permissions to an IAM role. | |
| If you need to grant file system permissions to another resource, you can use the `grant()` API. | |
| As an example, the following code gives `elasticfilesystem:ClientWrite` permissions to an IAM role. |
Comment on lines
+402
to
+408
| if (!attrs.fileSystemId && !attrs.fileSystemArn) { | ||
| throw new Error('One of fileSystemId or fileSystemArn must be provided.'); | ||
| } | ||
|
|
||
| if (attrs.fileSystemId && attrs.fileSystemArn) { | ||
| throw new Error('Only one of fileSystemId or fileSystemArn must be provided.'); | ||
| } |
Contributor
There was a problem hiding this comment.
I believe you can shorten this by
Suggested change
| if (!attrs.fileSystemId && !attrs.fileSystemArn) { | |
| throw new Error('One of fileSystemId or fileSystemArn must be provided.'); | |
| } | |
| if (attrs.fileSystemId && attrs.fileSystemArn) { | |
| throw new Error('Only one of fileSystemId or fileSystemArn must be provided.'); | |
| } | |
| if (!!attrs.fileSystemId === !!attrs.fileSystemArn) { | |
| throw new Error('One of fileSystemId or fileSystemArn, but not both, must be provided.'); | |
| } |
| const parsedArn = Stack.of(scope).parseArn(this.fileSystemArn); | ||
|
|
||
| if (!parsedArn.resourceName) { | ||
| throw new Error('Invalid FileSystem Arn.'); |
Contributor
There was a problem hiding this comment.
Suggested change
| throw new Error('Invalid FileSystem Arn.'); | |
| throw new Error(`Invalid FileSystem Arn ${this.filesystemArn}`); |
| throw new Error('Invalid FileSystem Arn.'); | ||
| } | ||
|
|
||
| this.fileSystemId = attrs.fileSystemId ?? Stack.of(scope).parseArn(this.fileSystemArn).resourceName!; |
Contributor
There was a problem hiding this comment.
avoid the non-null assertion operator !. I believe you can now do -
Suggested change
| this.fileSystemId = attrs.fileSystemId ?? Stack.of(scope).parseArn(this.fileSystemArn).resourceName!; | |
| this.fileSystemId = attrs.fileSystemId ?? parsedArn.resourceName; |
Comment on lines
+402
to
+408
| if (!attrs.fileSystemId && !attrs.fileSystemArn) { | ||
| throw new Error('One of fileSystemId or fileSystemArn must be provided.'); | ||
| } | ||
|
|
||
| if (attrs.fileSystemId && attrs.fileSystemArn) { | ||
| throw new Error('Only one of fileSystemId or fileSystemArn must be provided.'); | ||
| } |
Contributor
Author
|
Updates the code following last recommendations. Also updated the pull request description. |
Contributor
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
nija-at
approved these changes
Jul 15, 2021
Contributor
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Collaborator
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Contributor
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
TikiTDO
pushed a commit
to TikiTDO/aws-cdk
that referenced
this pull request
Aug 3, 2021
`FileSystem` now have the `fileSystemArn` attribute available. It is also possible to import an existing `FileSystem` by `arn` or `id` using the `fromFileSystemAttributes` method.
You can also grant permission to an existing grantee using the grant method.
See the example below giving an IAM Role permission to write to an imported file system:
```ts
const arn = stack.formatArn({
service: 'elasticfilesystem',
resource: 'file-system',
resourceName: 'fs-12912923',
});
const importedFileSystem = efs.FileSystem.fromFileSystemAttributes(this, 'existingFS', {
fileSystemArn: arn, // You can also use fileSystemArn instead of fileSystemId.
securityGroup: ec2.SecurityGroup.fromSecurityGroupId(this, 'SG', 'sg-123456789', {
allowAllOutbound: false,
}),
});
const role = new iam.Role(this, 'Access Role', { assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com') });
importedFileSystem.grant(role, 'elasticfilesystem:ClientWrite');
```
Closes aws#14998.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
hollanddd
pushed a commit
to hollanddd/aws-cdk
that referenced
this pull request
Aug 26, 2021
`FileSystem` now have the `fileSystemArn` attribute available. It is also possible to import an existing `FileSystem` by `arn` or `id` using the `fromFileSystemAttributes` method.
You can also grant permission to an existing grantee using the grant method.
See the example below giving an IAM Role permission to write to an imported file system:
```ts
const arn = stack.formatArn({
service: 'elasticfilesystem',
resource: 'file-system',
resourceName: 'fs-12912923',
});
const importedFileSystem = efs.FileSystem.fromFileSystemAttributes(this, 'existingFS', {
fileSystemArn: arn, // You can also use fileSystemArn instead of fileSystemId.
securityGroup: ec2.SecurityGroup.fromSecurityGroupId(this, 'SG', 'sg-123456789', {
allowAllOutbound: false,
}),
});
const role = new iam.Role(this, 'Access Role', { assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com') });
importedFileSystem.grant(role, 'elasticfilesystem:ClientWrite');
```
Closes aws#14998.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
FileSystemnow have thefileSystemArnattribute available. It is also possible to import an existingFileSystembyarnoridusing thefromFileSystemAttributesmethod.You can also grant permission to an existing grantee using the grant method.
See the example below giving an IAM Role permission to write to an imported file system:
Closes #14998.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license