Open davejbax opened 3 months ago
I'd add that, checking EFS docs, the statement in question has nothing to do with nonsecure transport, and so gating it with `deny_nonsecure_transport` is rather misleading. The statement is instead just one approach AWS suggests to consider the file system non-public...
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
Not stale
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
Still not stale
Description
The policy generated by `deny_nonsecure_transport` grants access to all AWS principals. This makes the use of IAM to control access to the filesystem impossible when this boolean is set, and is an extremely significant side-effect of the boolean (in contrast to having it set to `false` and using `policy_statements`) that is not clear in documentation.

The problematic policy was added in https://github.com/terraform-aws-modules/terraform-aws-efs/pull/21, in an attempt to fix #20 and #11. In particular, I think the policy given in #20 is the incorrect policy to fix the ECS issue because it only works because it grants access to all principals -- which is far too broad of a policy, and probably not the intention.

#20 mentions that the web console generated the policy. However, I believe the policies generated by the web console are intended to be used where IAM is not used to control access to the filesystem: all of them generate a similar policy granting access to all principals, with specific denies; this is because the 'default' EFS policy is to allow access to all principals, and use firewall rules to control access.

I think this module should support using IAM to selectively control access to the EFS filesystem, instead of firewall rules alone. At the very least, it should be made more explicit that `deny_nonsecure_transport` precludes the use of IAM. I would suggest creating a new boolean that makes it very explicit as to whether an 'allow all principals' policy will be attached; then, this could be set to false to facilitate the use of IAM to control access.

Versions
Module version [Required]: v1.6.2
Terraform version: v1.6.3
Provider version(s): provider registry.terraform.io/hashicorp/aws v5.40.0
Reproduction Code [Required]
Steps to reproduce the behavior:

1. `deny_nonsecure_transport` set to `true`
2. `policy_statements` to attempt to grant some form of access to a specific IAM principal

Expected behavior

The EFS filesystem should not be able to be mounted by any IAM principal when `deny_nonsecure_transport` is true

Actual behavior

The EFS filesystem is able to be mounted by any IAM principal when `deny_nonsecure_transport` is true, regardless of any allows in `policy_statements`.
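The side-effect the issue describes is easy to miss when reading a rendered file system policy, because the wildcard Allow sits next to perfectly reasonable-looking Deny and role-scoped statements. The following audit script is an added example, not code from the terraform-aws-efs module or from the issue author: it walks an EFS file system policy document (the JSON shape returned by `aws efs describe-file-system-policy`) and reports every Allow statement whose Principal is `*` and whose conditions only constrain *how* the call is made (TLS, mount-target) rather than *who* is calling. The two sample policies, the account id, the role name and the list of principal-scoping condition keys are all constructed for the example; the permissive sample is shaped after the pattern the issue complains about, not copied from the module.

```python
"""Audit an EFS file system policy for Allow statements usable by any principal.

Added example (not the terraform-aws-efs module's code). If any Allow admits
Principal "*" without a principal-scoping condition, narrower Allows added via
`policy_statements` change nothing: IAM can only gate callers when no statement
already admits everyone.
"""
import json

MOUNT_ACTIONS = {
    "elasticfilesystem:ClientMount",
    "elasticfilesystem:ClientWrite",
    "elasticfilesystem:ClientRootAccess",
}

# Condition keys that narrow WHO may call (assumed list, not exhaustive). Keys such
# as aws:SecureTransport or elasticfilesystem:AccessedViaMountTarget only narrow
# HOW the call is made and leave the principal unconstrained, so they do not count.
PRINCIPAL_SCOPING_KEYS = {
    "aws:principalarn",
    "aws:principalaccount",
    "aws:principalorgid",
    "aws:principalorgpaths",
    "aws:sourceidentity",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_scopes_principal(condition):
    for key_values in (condition or {}).values():
        for key in key_values:
            lowered = key.lower()
            if lowered in PRINCIPAL_SCOPING_KEYS or lowered.startswith("aws:principaltag/"):
                return True
    return False


def open_allow_statements(policy):
    """Return the Sids of Allow statements that any principal can use to mount."""
    hits = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(statement.get("Principal")):
            continue
        if _condition_scopes_principal(statement.get("Condition")):
            continue
        actions = set(_as_list(statement.get("Action", [])))
        if actions & ({"*", "elasticfilesystem:*"} | MOUNT_ACTIONS):
            hits.append(statement.get("Sid", "<no sid>"))
    return hits


def audit_policy_json(text):
    """Parse a JSON policy document and return the offending Sids."""
    return open_allow_statements(json.loads(text))


# Constructed sample: a Deny on non-TLS traffic, an Allow to "*" gated only on the
# mount-target condition, and a narrower Allow for one role (placeholder account/role).
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "NonSecureTransport", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "AccessedViaMountTarget", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": sorted(MOUNT_ACTIONS),
         "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}}},
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]},
    ],
})

# Same document without the wildcard Allow: the TLS Deny still applies and only the
# named role is admitted, so IAM is the gate.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [s for s in json.loads(PERMISSIVE_POLICY)["Statement"]
                  if s["Sid"] != "AccessedViaMountTarget"],
})

if __name__ == "__main__":
    print("permissive:", audit_policy_json(PERMISSIVE_POLICY))  # ['AccessedViaMountTarget']
    print("restricted:", audit_policy_json(RESTRICTED_POLICY))  # []
```

Run it against the output of `aws efs describe-file-system-policy --file-system-id <id> --query Policy --output text` to see whether a module-generated policy leaves IAM any say; an empty result means every Allow names or scopes its principals, which is the state the issue asks the module to make reachable.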