Open Kirizan opened 10 months ago
Can you demonstrate that this does not happen in another language (e.g. Go/Java/etc) and is limited only to the Python bindings?
@indrora Yes, if you deploy this CDK project (https://github.com/richardneililagan/vaultwarden-ecs-fargate/tree/main), you will see that the file system has no File System Policy. I discovered the issue translating that project from TypeScript to Python (translating between languages helps me understand tools like CDK better).
This PR introduced a feature flag which adjusts how the policy creation works. You're likely seeing a difference due to whether this flag exists in your code or not - not because of a difference in language
You can either use the feature flag, or use allowAnonymousAccess
instead
We should update the documentation on the fileSystemPolicy
prop to reflect these changes
Neither the python code in my post, nor the code in the TypeScript project I shared (link to the relevant file and line) have that flag set. If it was just because of that flag, it needing to be configured in one language but not another is a difference in the languages.
This is not a documentation issue. Even if it is related to that feature flag, both environments were fresh, default, environments. Deploying an EFS filesystem using default settings in TypeScript results in a different configuration then deploying an EFS filesystem using default settings in Python. The Python default settings are not in line with how EFS defaults work. If you deploy EFS with default settings in the console, it matches the TypeScript deployment. The only place (that I've testing) with the incorrect defaults is when deploying with Python.
Just to double check, I went and deployed the python code using the allow_anonymous_access=True
with the EFS. It still deploys something different then the TypeScript and Console defaults.
This policy is now applied when allowing anonymous access:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCN>:root"
},
"Action": "elasticfilesystem:*",
"Resource": "*"
}
]
}
In both TypeScript and the Console, the default file system policy is empty.
@indrora @peterwoodworth Can we get the documentation tag removed, since this is not a documentation issue?
Also running into this issue.
We are also getting the same!
I had the same issue. Setting the flag allow_anonymous_access to True solved that for me. The policy is now empty
i have generated a new project with cdk init and there is this cdk.json which now (with cdk version 147) generates much rules as before. one of them was indeed "@aws-cdk/aws-efs:denyAnonymousAccess": true, which as said in the docs "Default: false when using grantRead, grantWrite, grantRootAccess or set @aws-cdk/aws-efs:denyAnonymousAccess feature flag, otherwise true" might redefine the settings in the code. I set "@aws-cdk/aws-efs:denyAnonymousAccess": false and everything worked again, it means no policy was generated on EFS
Describe the bug
When creating an EFS FileSystem in Python, a default file system policy is created regardless of the value passed to
file_system_policy
. If you specify a specific file system property, then it adds the custom policy to the default policy instead of replacing it. This all works as expected when deploying an EFS filesystem in TypeScript. I do not know if other languages also have the same issue.Expected Behavior
I would expect the
file_system_policy
to reflect what was specified in the code.Current Behavior
This policy is always applied or added to an EFS FileSystem:
Reproduction Steps
Deploy the following python CDK code, Browse to the console and you will see that there is an additional policy beyond the policy that was specified.
Deploy the following python CDK code, Browse to the console and you will see that there is a default policy, even though the
file_system_policy
was set to None (which according to the documentation, is the default value).Possible Solution
No response
Additional Information/Context
I discovered this bug while trying to create an EFS backed ECS Fargate container. The default policy doesn't allow containers to access the file system
CDK CLI Version
2.99.0 (build 0aa1096)
Framework Version
No response
Node.js Version
v20.7.0
OS
MacOS
Language
Python
Language Version
Python 3.11.5
Other information
No response