
[ecs] EFS Volume configuration is not abstracted


There’s kind of a few related points on this bug, but I figured one issue was the way to go instead of multiple. Happy to split it out though if that’s better for the team.

The theme here is that EFS volume configuration is very raw and not abstracted at all in the L2 constructs for task definitions, and some things are just outright incorrect.

  1. Specifying transitEncryption requires the string ENABLED or DISABLED - this should be true/false
  2. If you enable an access point it tells you that you must enable transitEncryption - if this is a requirement of using an access point then it should be enabled automatically in this case
  3. transitEncryption is disabled by default - I could be wrong on this, but I do not see any downside to enabling this by default, and it is a more secure option which would be more in-line with the CDK’s mission to implement best practices by default
  4. "If an access point is specified, the root directory value will be relative to the directory set for the access point. If specified, transit encryption must be enabled in the EFSVolumeConfiguration." -> If you try to deploy with both an access point and a root directory specified you get an error: Invalid request provided: Create TaskDefinition: When using an EFS access point, the root directory must either be set to "/" or be omitted. So at the very least the documentation is wrong, but we should catch this on the CDK side and error during creation if these are mutually exclusive options. I’d also note that the docs for CloudFormation state pretty much the exact error that I get back, which is much clearer.
  5. Enabling IAM auth in the authorizationConfig block also advises that transitEncryption is required - again, this should make it turn on automatically
  6. When specifying an EFS filesystem and access point, you must pass in the IDs themselves, instead of the filesystem/access point objects themselves (e.g. filesystemId: fs.filesystemId instead of filesystem: fs as you’d expect)

Reproduction Steps

What did you expect to happen?

What actually happened?

Environment

  • CLI Version : 1.66
  • Framework Version: 1.66
  • Node.js Version:
  • OS :
  • Language (Version):

Other


This is 🐛 Bug Report

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 10
  • Comments: 9 (4 by maintainers)
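
An added example, not code from the issue or from the CDK: a pre-deployment check for the constraints listed in points 1 to 5, with encryption in transit on by default. The types, the function names `auditRawEfsVolume` and `toRawEfsVolume`, and the field spellings are local assumptions that mirror the fields named in the issue; nothing is imported from the CDK.

```typescript
type Toggle = 'ENABLED' | 'DISABLED';
interface AuthConfig { accessPointId?: string; iam?: Toggle }

// Assumed local mirror of the raw, string-based volume fields named in the issue.
interface RawEfsVolumeConfig {
  fileSystemId: string;
  rootDirectory?: string;
  transitEncryption?: Toggle;
  authorizationConfig?: AuthConfig;
}

// Hypothetical friendlier input: booleans instead of ENABLED/DISABLED (point 1).
interface EfsVolumeOptions {
  fileSystemId: string;
  rootDirectory?: string;
  accessPointId?: string;
  iamAuth?: boolean;
  transitEncryption?: boolean;
}

// Report the combinations that the issue says are only rejected at deploy time.
function auditRawEfsVolume(raw: RawEfsVolumeConfig): string[] {
  const findings: string[] = [];
  const accessPoint = raw.authorizationConfig?.accessPointId;
  const iam = raw.authorizationConfig?.iam === 'ENABLED';
  const tls = raw.transitEncryption === 'ENABLED';
  if (accessPoint !== undefined && !tls) findings.push('access point requires transitEncryption');
  if (iam && !tls) findings.push('IAM auth requires transitEncryption');
  if (accessPoint !== undefined && raw.rootDirectory !== undefined && raw.rootDirectory !== '/') {
    findings.push('rootDirectory must be "/" or omitted with an access point');
  }
  return findings;
}

// Build the raw config with encryption in transit on unless explicitly disabled
// (point 3) and fail at construction time, not at deployment (points 2, 4, 5).
function toRawEfsVolume(opts: EfsVolumeOptions): RawEfsVolumeConfig {
  const raw: RawEfsVolumeConfig = {
    fileSystemId: opts.fileSystemId,
    transitEncryption: (opts.transitEncryption ?? true) ? 'ENABLED' : 'DISABLED',
  };
  if (opts.rootDirectory !== undefined) raw.rootDirectory = opts.rootDirectory;
  if (opts.accessPointId !== undefined || opts.iamAuth !== undefined) {
    const auth: AuthConfig = { iam: opts.iamAuth ? 'ENABLED' : 'DISABLED' };
    if (opts.accessPointId !== undefined) auth.accessPointId = opts.accessPointId;
    raw.authorizationConfig = auth;
  }
  const findings = auditRawEfsVolume(raw);
  if (findings.length > 0) throw new Error(`invalid EFS volume: ${findings.join('; ')}`);
  return raw;
}
```

`auditRawEfsVolume` can also be run on its own over volume definitions that already use the raw strings, to find ones that mount an access point or use IAM auth without encryption in transit.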

Top GitHub Comments

4 reactions
slotnick commented, Jun 6, 2021

I wholeheartedly agree with all the points in the original (excellent) post. The experience using EFS with ECS has been uncharacteristically difficult, please give it a little love.

2 reactions
revmischa commented, Mar 6, 2021

Not clear to me how to mount an EFS access point as a volume in ECS
