aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

Requesting AWS::EFS::FileSystem to support a String type for FileSystemPolicy property #1805

Open miguel-aws opened 1 year ago

miguel-aws commented 1 year ago

Name of the resource

AWS::EFS::FileSystem

Resource name

AWS::EFS::FileSystem

Description

Use case

I would like to provide the following file system policy through a CloudFormation String parameter FSPolicy:

Policy

    {
      "Id": "read-only-example-policy02",
      "Statement": [
        {
          "Sid": "efs-statement-example02",
          "Effect": "Allow",
          "Principal": { "AWS": "*" },
          "Action": ["elasticfilesystem:ClientMount"],
          "Resource": "*"
        }
      ]
    }

CFN template

Parameters:
  FSPolicy:
    Description: The IAM's FileSystemPolicy for the EFS
    Type: String

Resources:
  EFS:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      FileSystemPolicy: !Ref FSPolicy

However, this fails with

Resource handler returned message: "Model validation failed (#/Encrypted: expected type: Boolean, found: String #/FileSystemPolicy: expected type: JSONObject, found: String)" (RequestToken: abc123, HandlerErrorCode: InvalidRequest)

This property accepts a Json type, similar to AWS::S3::BucketPolicy PolicyDocument property. I can pass the bucket policy through a parameter with no issues.

Schema

Looking at the resource type schema for EFS FS, I see that it accepts the object value type.

    "FileSystemPolicy" : {
      "type" : "object"
    },

On the other hand, PolicyDocument of the bucket policy resource accepts both object and string value types.

    "PolicyDocument" : {
      "description" : "A policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM.",
      "type" : [ "object", "string" ]
    }

Request

From the investigation above, I believe this use case can be fulfilled if FileSystemPolicy accepts both object and string. Please let us know otherwise.

Hence, I would like to request that the AWS::EFS::FileSystem resource support a String value for the FileSystemPolicy property.

Thank you!

Other Details

No response
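An added example, not part of the issue or of the CloudFormation project: a small pre-deployment check that reproduces the schema type mismatch described above from the two schema excerpts quoted in the issue, plus the workaround of parsing a String parameter into a JSON object before it reaches a property typed `object`. The schema dictionaries and the policy string are constructed here from the excerpts; the message format only imitates the handler's "Model validation failed" output.

```python
import json

# Constructed from the schema excerpts quoted in the issue (assumption:
# only the "type" keyword matters for this check).
EFS_SCHEMA = {"FileSystemPolicy": {"type": "object"}, "Encrypted": {"type": "boolean"}}
S3_SCHEMA = {"PolicyDocument": {"type": ["object", "string"]}}

# JSON Schema type name -> Python type(s) that represent it after json.loads
_TYPES = {
    "object": dict, "array": list, "string": str,
    "boolean": bool, "integer": int, "number": (int, float),
}


def json_type_name(value):
    """Name the JSON Schema type of a decoded value."""
    if isinstance(value, bool):        # bool is a subclass of int; check first
        return "boolean"
    for name, py in _TYPES.items():
        if isinstance(value, py):
            return name
    return "null" if value is None else "unknown"


def validate_properties(schema, props):
    """Return messages in the style of the handler's 'Model validation
    failed' output; an empty list means every property has an allowed type."""
    errors = []
    for key, value in props.items():
        allowed = schema[key]["type"]
        allowed = [allowed] if isinstance(allowed, str) else list(allowed)
        found = json_type_name(value)
        if found not in allowed:
            errors.append(f"#/{key}: expected type: {'/'.join(allowed)}, found: {found}")
    return errors


def coerce_policy(value):
    """Workaround for a String parameter: decode it into a JSON object before
    it is assigned to a property typed 'object'. Rejects anything that is not
    a JSON object, since a bare string or array is not a policy document."""
    obj = json.loads(value) if isinstance(value, str) else value
    if not isinstance(obj, dict):
        raise ValueError("policy must be a JSON object")
    return obj
```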