terraform-aws-modules / terraform-aws-efs

Terraform module to create AWS EFS resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/efs/aws
Apache License 2.0

Policy generated when deny_nonsecure_transport = true is incomplete/outdated #20

Closed marqueurs404 closed 7 months ago

marqueurs404 commented 8 months ago

Description

The policy generated when deny_nonsecure_transport = true is incomplete/outdated

Versions

Expected behavior

When enabling via the web console, we see the generated policy to be:

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-01983604-a016-498a-b73c-a6956f8caa13",
    "Statement": [
        {
            "Sid": "efs-statement-ba87d44a-9919-4ded-969e-b42792f6e334",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientMount"
            ],
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        },
        {
            "Sid": "efs-statement-d04fd86d-0ea8-49dc-9d76-b6383171d3a7",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

This policy allowed my ECS containers to properly mount the volume.

Actual behavior

When deny_nonsecure_transport = true (which is the default), this module generates an incomplete policy:

{
    "Sid": "NonSecureTransport",
    "Effect": "Deny",
    "Principal": {
        "AWS": "*"
    },
    "Action": "*",
    "Resource": "arn:aws:elasticfilesystem:us-east-1:12345678912:file-system/fs-0114bc825a22274e46",
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}

This policy is insufficient for ECS containers to mount the volume when transit_encryption is enabled.

(Seems like this issue has been reported before without a response https://github.com/terraform-aws-modules/terraform-aws-efs/issues/11)
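The gap the reporter describes can be checked mechanically. The script below is an added example (not part of this issue or of the module); it parses an EFS file system policy and reports whether it carries both statements the console wizard emits: the Deny on `aws:SecureTransport = false` and the Allow of `ClientMount` conditioned on `AccessedViaMountTarget`. The two sample policies are constructed from the ones quoted above, with Sid values shortened and a placeholder ARN.

```python
import json

# Constructed sample input, modelled on the console-generated policy quoted above.
CONSOLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "allow-via-mount-target", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["elasticfilesystem:ClientRootAccess",
                    "elasticfilesystem:ClientWrite",
                    "elasticfilesystem:ClientMount"],
         "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}}},
        {"Sid": "deny-nonsecure", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
# Constructed sample modelled on the module output quoted above: a single bare
# statement rather than a full document (ARN is a placeholder).
MODULE_POLICY = json.dumps({
    "Sid": "NonSecureTransport", "Effect": "Deny",
    "Principal": {"AWS": "*"}, "Action": "*",
    "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-PLACEHOLDER",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _bool_condition(statement, key):
    """Value of a Bool condition key, normalised to 'true'/'false', or None."""
    value = statement.get("Condition", {}).get("Bool", {}).get(key)
    return None if value is None else str(value).lower()

def audit_efs_policy(policy_json):
    """Report which of the two expected statements an EFS policy contains."""
    doc = json.loads(policy_json)
    # Accept either a full policy document or a bare statement object.
    statements = _as_list(doc["Statement"]) if "Statement" in doc else [doc]
    denies_plaintext = allows_mount = False
    for st in statements:
        actions = _as_list(st.get("Action", []))
        if (st.get("Effect") == "Deny" and "*" in actions
                and _bool_condition(st, "aws:SecureTransport") == "false"):
            denies_plaintext = True
        if (st.get("Effect") == "Allow"
                and ("elasticfilesystem:ClientMount" in actions or "*" in actions)
                and _bool_condition(st, "elasticfilesystem:AccessedViaMountTarget") == "true"):
            allows_mount = True
    return {"denies_nonsecure_transport": denies_plaintext,
            "allows_mount_via_target": allows_mount,
            "complete": denies_plaintext and allows_mount}
```

Run it against the policy returned by `aws efs describe-file-system-policy` to see which of the two statements a deployed file system is missing.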

antonbabenko commented 7 months ago

This issue has been resolved in version 1.4.0 :tada:

github-actions[bot] commented 6 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.