[ecs] EFS Volume configuration is not abstracted
There’s kind of a few related points on this bug, but I figured one issue was the way to go instead of multiple. Happy to split it out though if that’s better for the team.
The theme here is that EFS volume configuration is very raw and not abstracted at all in the L2 constructs for task definitions, and some things are just outright incorrect.
- Specifying `transitEncryption` requires the string `ENABLED` or `DISABLED` - this should be true/false
- If you enable an access point it tells you that you must enable `transitEncryption` - if this is a requirement of using an access point then it should be enabled automatically in this case
- `transitEncryption` is disabled by default - I could be wrong on this, but I do not see any downside to enabling this by default, and it is a more secure option which would be more in-line with the CDK’s mission to implement best practices by default
- "If an access point is specified, the root directory value will be relative to the directory set for the access point. If specified, transit encryption must be enabled in the EFSVolumeConfiguration." -> If you try to deploy with both an access point and a root directory specified you get an error `Invalid request provided: Create TaskDefinition: When using an EFS access point, the root directory must either be set to "/" or be omitted.`. So at the very least the documentation is wrong, but we should catch this on the CDK side and error during creation if these are mutually exclusive options. I’d also note that the docs for cloudformation state pretty much the exact error that I get back; which is much clearer.
- Enabling `iam` auth in the `authorizationConfig` block also advises that `transitEncryption` is required - Again, this should make it turn on automatically
- When specifying an EFS filesystem and access point, you must pass in the IDs themselves, instead of the filesystem/access point objects themselves (e.g. `filesystemId: fs.filesystemId` instead of `filesystem: fs` as you’d expect)
Reproduction Steps
What did you expect to happen?
What actually happened?
Environment
- CLI Version : 1.66
- Framework Version: 1.66
- Node.js Version:
- OS :
- Language (Version):
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Reactions:10
- Comments:9 (4 by maintainers)
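
The constraints listed in the issue, checked before deployment and with transit encryption on by default, as an added example (not code from the CDK or from the issue author). The `EfsVolumeConfig` shape is assumed to mirror the ECS volume configuration fields named above; `EfsVolumeOptions`, `validateEfsVolume` and `buildEfsVolume` are hypothetical names, and the IDs in any call are placeholders.

```typescript
// Added example. Field names are assumed to mirror the ECS EFS volume configuration.
type Toggle = 'ENABLED' | 'DISABLED';

interface EfsVolumeConfig {
  fileSystemId: string;
  rootDirectory?: string;
  transitEncryption?: Toggle;
  authorizationConfig?: { accessPointId?: string; iam?: Toggle };
}

// Hypothetical boolean-based input, the shape the issue asks for.
interface EfsVolumeOptions {
  fileSystemId: string;
  rootDirectory?: string;
  accessPointId?: string;
  iamAuth?: boolean;
  transitEncryption?: boolean; // treated as true when omitted
}

// Returns every constraint the raw configuration violates (empty array = valid).
function validateEfsVolume(cfg: EfsVolumeConfig): string[] {
  const errors: string[] = [];
  const encrypted = cfg.transitEncryption === 'ENABLED';
  const hasAccessPoint = cfg.authorizationConfig?.accessPointId !== undefined;
  if (hasAccessPoint && !encrypted) {
    errors.push('an access point requires transitEncryption ENABLED');
  }
  if (cfg.authorizationConfig?.iam === 'ENABLED' && !encrypted) {
    errors.push('IAM authorization requires transitEncryption ENABLED');
  }
  if (hasAccessPoint && cfg.rootDirectory !== undefined && cfg.rootDirectory !== '/') {
    errors.push('with an access point, rootDirectory must be "/" or omitted');
  }
  return errors;
}

// Maps the boolean options to the raw shape and fails early on invalid combinations.
function buildEfsVolume(opts: EfsVolumeOptions): EfsVolumeConfig {
  const cfg: EfsVolumeConfig = {
    fileSystemId: opts.fileSystemId,
    rootDirectory: opts.rootDirectory,
    transitEncryption: (opts.transitEncryption ?? true) ? 'ENABLED' : 'DISABLED',
    authorizationConfig: { accessPointId: opts.accessPointId, iam: opts.iamAuth ? 'ENABLED' : 'DISABLED' },
  };
  const errors = validateEfsVolume(cfg);
  if (errors.length > 0) throw new Error(errors.join('; '));
  return cfg;
}
```

Explicitly passing `transitEncryption: false` together with an access point or IAM auth throws instead of silently overriding the caller's choice.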
Top GitHub Comments
I wholeheartedly agree with all the points in the original (excellent) post. The experience using EFS with ECS has been uncharacteristically difficult, please give it a little love.
Not clear to me how to mount an EFS access point as a volume in ECS