x-efs

volumes:
  shared-images:
    x-efs:
      Properties: {}
      MacroParameters: {}
      Settings: {}
      Lookup: {}

Synopsis

As described in the volumes documentation, in order to setup an AWS EFS Filesystem, you can either use the ECS Plugin definition, which will let ECS Compose-X import and define default settings, or alternatively, you can define your own settings using x-efs .

Attention

For more details around permissions and access to the filesystem, refer to Filesystem, Access Point and services access

Properties

As usual, the Properties supported as equal to the properties you would define in native CloudFormation. Refer to the AWS CFN EFS syntax reference for more details.

MacroParameters

However, AWS EFS has evolved since and some very tidy and neat features have emerged since, such as the EFS Access Points.

As it is ECS Compose-X objective to abstract that complexity away from developers but retain the security to high standards, we have implemented simple feature(s) to automatically enable using features such as IAM Authentication to further control access.

EnforceIamAuth

Enable IAM Auth restriction
volumes:
  shared-images:
    x-efs:
      MacroParameters:
        EnforceIamAuth: <True|False>

The purpose of IAM Authentication is to allow applications to authenticate against an EFS Access Point which will allow for further security configuration, such as, setting UID/GID to use, among others.

But primarily this will allow connection to the EFS using the Task IAM Role as a way to authenticate a specific application which can then translate into specific files access permissions.

When using IAM Authentication, this also enforces to use TLS between the client and the server, for increased security.

By enabling this feature, an access point will be created specifically for your services in the task definition, along with the filesystem.

Attention

To use that feature, it is highly recommend to use the EFS Mount Helper

Settings

Subnets

As for other services that require to be created in a VPC to be accessed (for EFS, via Mount Targets ), you can override the default behaviour (for EFS, defaults to the StorageSubnets).

Lookup

As usual, the Plug N’ Play aspect of ECS Compose-X to your existing infrastructure is a key concern, therefore, you can also use ECS Compose-X to identify dynamically AWS EFS which already exists.

volumes:
  abcd:
    x-efs:
      Lookup:
        Tags: []
        RoleArn: <>

Examples

A full example using Bitnami Wordpress image (which requires users permissions etc. to be set) can be found in GitHub

Filesystem, Access Point and services access

AWS EFS has a notion of Access Point, which are very well described in the docs and other blog articles on the AWS sites. In a nutshell, they will allow you to control access to the Filesystem and “proxy” your access so that your services can set use specific POSIX users and root folders to the filesystem

This comes in to be very important if you are using a shared EFS among multiple tenants (applications, services etc.) and want to ensure separation for each but not have to spend hours configuring each service clients.

Access point per “container” within the task definition

In ECS Compose-X there is only so much that we can understand from the settings set at the volumes level. Given ECS Compose-X tries to focus as much as possible on security, we have implemented the following:

  • If your task definition only has 1 container definition, there is one volume created in the task level, used by containers

  • If there is more than one container definition and you defined a different user property for the service, a new

    access point is created specifically for that container, added to the task definition.

Warning

Even with 1 access point per container in the task definition, the access remains at the task level for IAM permissions.

JSON Schema

Model

x-efs

x-efs.spec.json

The common definitions for specifications of x-efs in ComposeX

type

object

properties

  • Lookup

type

object

x-resources.common.spec.json#/definitions/Lookup

  • Properties

type

object

  • MacroParameters

type

object

properties

  • EnforceIamAuth

type

boolean

  • RootDirectoryCreateMode

POSIX root folder creation. Default granting user and group full access.

type

string

minLength

4

pattern

[01234567]{4}

default

0775

additionalProperties

False

  • Settings

type

object

properties

  • Subnets

type

string

additionalProperties

False

Definition

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "x-efs.spec.json",
  "type": "object",
  "title": "x-efs",
  "description": "The common definitions for specifications of x-efs in ComposeX",
  "properties": {
    "Lookup": {
      "type": "object",
      "$ref": "x-resources.common.spec.json#/definitions/Lookup"
    },
    "Properties": {
      "type": "object"
    },
    "MacroParameters": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "EnforceIamAuth": {
          "type": "boolean"
        },
        "RootDirectoryCreateMode": {
          "type": "string",
          "minLength": 4,
          "pattern": "[01234567]{4}",
          "description": "POSIX root folder creation. Default granting user and group full access.",
          "default": "0775"
        }
      }
    },
    "Settings": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "Subnets": {
          "type": "string"
        }
      }
    }
  }
}

Test files

You can find the test files here to use as reference for your use-case.