search

aws-samples / aws-cdk-examples

Example projects using the AWS CDK
Apache License 2.0
4.96k stars 2.1k forks source link

Broken Example: fargate-service-with-ecs #920

Closed johncmunson closed 9 months ago

johncmunson commented 9 months ago

Describe the bug

The fargate-service-with-ecs example is broken. The majority of the deployment succeeds, but it hangs at the very end when it tries to get past creating the Fargate service and tasks.

If you go inspect the Fargate tasks in the AWS Console, you can see that the tasks are failing to startup and are throwing this error...

ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: access denied by server while mounting fs-065b374f6a1a6b4c8.efs.us-east-1.amazonaws.com:/' : unsuccessful EFS utils command execution; code: 32

Expected Behavior

The example should successfully deploy. The Fargate tasks should be able to access the EFS file system.

Current Behavior

The Fargate tasks are failing to access the EFS file system. Access is denied.

Reproduction Steps

See the fargate-service-with-ecs example repo.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.95.1

Framework Version

No response

Node.js Version

v18.14.0

OS

macOS

Language

Typescript

Language Version

TypeScript (~5.2.2)

thierryweo commented 9 months ago

same problem here

johncmunson commented 9 months ago

To rule out any potential weirdness with the AWS account I was using, I creating a fresh account and tried again.

The example is still broken and fails with the same error mentioned above.

mrlikl commented 9 months ago

I was able to deploy the sample by adding ClientMount permission to the EFS file system policy

fileSystem.addToResourcePolicy(
      new iam.PolicyStatement({
        actions: ['elasticfilesystem:ClientMount'],
        principals: [new iam.AnyPrincipal()],
        conditions: {
          Bool: {
            'elasticfilesystem:AccessedViaMountTarget': 'true'
          }
        }
      })
    )
johncmunson commented 9 months ago

Thank you @mrlikl, that did indeed fix the example.

Although, it's frustrating to be mucking around with IAM policies in this scenario. I was under the impression that CDK abstracts away some of this stuff by wiring up least-privileged policies, especially when working with higher level L2 constructs.

The code below clearly shows that the Fargate tasks have a dependency on the EFS file system. Seems to me like CDK should understand the dependency tree and automatically create least-privileged IAM policies so that the resources can talk to one another.

const taskDef = new ecs.FargateTaskDefinition(this, "MyTaskDefinition", {
  memoryLimitMiB: 512,
  cpu: 256,
  volumes: [
    {
      name: "uploads",
      efsVolumeConfiguration: {
        fileSystemId: fileSystem.fileSystemId,
      },
    },
  ],
});
github-actions[bot] commented 9 months ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.