fix: Give Atlantis write permission to EFS

showwin commented 11 months ago

Description

Add elasticfilesystem:ClientWrite permission to the EFS file system policy.

Motivation and Context

Currently, we give only the mounting permission, so Atlantis ECS container can mount/read EFS, but cannot write anything under /home/atlantis/* directory. Due to this problem, Atlantis container cannot start with enable_efs = true option. This is the error message I saw in the Atlantis log.

Error: initializing server: unable to create dir "/home/atlantis/.atlantis/bin": mkdir /home/atlantis/.atlantis: read-only file system

The error was solved when I added the elasticfilesystem:ClientWrite permission.

The current workaround is to configure efs parameter as follows:

enable_efs = true
efs = {
  mount_targets = {
    "eu-west-1a" = {
      subnet_id = module.vpc.private_subnets[0]
    }
    ...
  }
  attach_policy = false # <= Here
}

Breaking Changes

N/A

How Has This Been Tested?

[x] I have updated at least one of the examples/* to demonstrate and validate my change(s)
[ ] I have tested and validated these changes using one or more of the provided examples/* projects
[ ] I have executed pre-commit run -a on my pull request

antonbabenko commented 11 months ago

This PR is included in version 4.0.4 :tada:

github-actions[bot] commented 10 months ago

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

terraform-aws-modules / terraform-aws-atlantis