x-efs ¶

          volumes:
  shared-images:
    x-efs:
      Properties: {}
      MacroParameters: {}
      Settings: {}
      Lookup: {}

         

Synopsis ¶

As described in the volumes documentation, in order to setup an AWS EFS Filesystem, you can either use the ECS Plugin definition, which will let ECS Compose-X import and define default settings, or alternatively, you can define your own settings using x-efs .

Attention

For more details around permissions and access to the filesystem, refer to Filesystem, Access Point and services access

Properties ¶

As usual, the Properties supported as equal to the properties you would define in native CloudFormation. Refer to the AWS CFN EFS syntax reference for more details.

MacroParameters ¶

However, AWS EFS has evolved since and some very tidy and neat features have emerged since, such as the EFS Access Points.

As it is ECS Compose-X objective to abstract that complexity away from developers but retain the security to high standards, we have implemented simple feature(s) to automatically enable using features such as IAM Authentication to further control access.

EnforceIamAuth ¶

Enable IAM Auth restriction ¶

             volumes:
  shared-images:
    x-efs:
      MacroParameters:
        EnforceIamAuth: <True|False>

            

The purpose of IAM Authentication is to allow applications to authenticate against an EFS Access Point which will allow for further security configuration, such as, setting UID/GID to use, among others.

But primarily this will allow connection to the EFS using the Task IAM Role as a way to authenticate a specific application which can then translate into specific files access permissions.

When using IAM Authentication, this also enforces to use TLS between the client and the server, for increased security.

By enabling this feature, an access point will be created specifically for your services in the task definition, along with the filesystem.

Attention

To use that feature, it is highly recommend to use the EFS Mount Helper

Settings ¶

Subnets ¶

As for other services that require to be created in a VPC to be accessed (for EFS, via Mount Targets ), you can override the default behaviour (for EFS, defaults to the StorageSubnets).

Lookup ¶

As usual, the Plug N’ Play aspect of ECS Compose-X to your existing infrastructure is a key concern, therefore, you can also use ECS Compose-X to identify dynamically AWS EFS which already exists.

           volumes:
  abcd:
    x-efs:
      Lookup:
        Tags: []
        RoleArn: <>

          

Examples ¶

A full example using Bitnami Wordpress image (which requires users permissions etc. to be set) can be found in GitHub

Filesystem, Access Point and services access ¶

AWS EFS has a notion of Access Point, which are very well described in the docs and other blog articles on the AWS sites. In a nutshell, they will allow you to control access to the Filesystem and “proxy” your access so that your services can set use specific POSIX users and root folders to the filesystem

This comes in to be very important if you are using a shared EFS among multiple tenants (applications, services etc.) and want to ensure separation for each but not have to spend hours configuring each service clients.

Access point per “container” within the task definition ¶

In ECS Compose-X there is only so much that we can understand from the settings set at the volumes level. Given ECS Compose-X tries to focus as much as possible on security, we have implemented the following:

If your task definition only has 1 container definition, there is one volume created in the task level, used by containers
If there is more than one container definition and you defined a different user property for the service, a new

access point is created specifically for that container, added to the task definition.

Warning

Even with 1 access point per container in the task definition, the access remains at the task level for IAM permissions.

JSON Schema ¶

Model ¶

x-efs ¶

x-efs.spec.json
The common definitions for specifications of x-efs in ComposeX
type	object
properties
Lookup	type	object
	x-resources.common.spec.json#/definitions/Lookup
Properties	type	object
MacroParameters	type	object
	properties
	EnforceIamAuth	type	boolean
	RootDirectoryCreateMode	POSIX root folder creation. Default granting user and group full access.
		type	string
		minLength	4
		pattern	[01234567]{4}
		default	0775
	additionalProperties	False
Settings	type	object
	properties
	Subnets	type	string
	additionalProperties	False

Definition ¶

            {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "x-efs.spec.json",
  "type": "object",
  "title": "x-efs",
  "description": "The common definitions for specifications of x-efs in ComposeX",
  "properties": {
    "Lookup": {
      "type": "object",
      "$ref": "x-resources.common.spec.json#/definitions/Lookup"
    },
    "Properties": {
      "type": "object"
    },
    "MacroParameters": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "EnforceIamAuth": {
          "type": "boolean"
        },
        "RootDirectoryCreateMode": {
          "type": "string",
          "minLength": 4,
          "pattern": "[01234567]{4}",
          "description": "POSIX root folder creation. Default granting user and group full access.",
          "default": "0775"
        }
      }
    },
    "Settings": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "Subnets": {
          "type": "string"
        }
      }
    }
  }
}

           

Test files ¶

You can find the test files here to use as reference for your use-case.