Namespace Amazon.CDK.AWS.EFS
Amazon Elastic File System Construct Library
Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. Amazon EFS provides file storage in the AWS Cloud. With Amazon EFS, you can create a file system, mount the file system on an Amazon EC2 instance, and then read and write data to and from your file system.
This module is part of the AWS Cloud Development Kit project.
File Systems
Amazon EFS provides elastic, shared file storage that is POSIX-compliant. The file system you create supports concurrent read and write access from multiple Amazon EC2 instances and is accessible from all of the Availability Zones in the AWS Region where it is created. Learn more about EFS file systems
Create an Amazon EFS file system
A Virtual Private Cloud (VPC) is required to create an Amazon EFS file system.
The following example creates a file system that is encrypted at rest, running in General Purpose
performance mode, and Bursting
throughput mode and does not transition files to the Infrequent
Access (IA) storage class.
var fileSystem = new FileSystem(this, "MyEfsFileSystem", new FileSystemProps {
Vpc = new Vpc(this, "VPC"),
LifecyclePolicy = LifecyclePolicy.AFTER_14_DAYS, // files are not transitioned to infrequent access (IA) storage by default
PerformanceMode = PerformanceMode.GENERAL_PURPOSE, // default
OutOfInfrequentAccessPolicy = OutOfInfrequentAccessPolicy.AFTER_1_ACCESS, // files are not transitioned back from (infrequent access) IA to primary storage by default
TransitionToArchivePolicy = LifecyclePolicy.AFTER_14_DAYS, // files are not transitioned to Archive by default
ReplicationOverwriteProtection = ReplicationOverwriteProtection.ENABLED
});
⚠️ An Amazon EFS file system's performance mode can't be MAX_IO when its throughputMode is ELASTIC.
⚠️ An Amazon EFS file system's performance mode can't be changed after the file system has been created. Updating this property will replace the file system.
Any file system that has been created outside the stack can be imported into your CDK app.
Use the fromFileSystemAttributes()
API to import an existing file system.
Here is an example of giving a role write permissions on a file system.
using Amazon.CDK.AWS.IAM;
var importedFileSystem = FileSystem.FromFileSystemAttributes(this, "existingFS", new FileSystemAttributes {
FileSystemId = "fs-12345678", // You can also use fileSystemArn instead of fileSystemId.
SecurityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-123456789", new SecurityGroupImportOptions {
AllowAllOutbound = false
})
});
One Zone file system
To initialize a One Zone file system use the oneZone
property:
Vpc vpc;
new FileSystem(this, "OneZoneFileSystem", new FileSystemProps {
Vpc = vpc,
OneZone = true
});
⚠️ One Zone file systems are not compatible with the MAX_IO performance mode.
⚠️ When oneZone
is enabled, the file system is automatically placed in the first availability zone of the VPC.
It is not currently possible to specify a different availability zone.
⚠️ When oneZone
is enabled, mount targets will be created only in the specified availability zone.
This is to prevent deployment failures due to cross-AZ configurations.
⚠️ When oneZone
is enabled, vpcSubnets
cannot be specified.
Replicating file systems
You can create a replica of your EFS file system in the AWS Region of your preference.
Vpc vpc;
// auto generate a regional replication destination file system
// auto generate a regional replication destination file system
new FileSystem(this, "RegionalReplicationFileSystem", new FileSystemProps {
Vpc = vpc,
ReplicationConfiguration = ReplicationConfiguration.RegionalFileSystem("us-west-2")
});
// auto generate a one zone replication destination file system
// auto generate a one zone replication destination file system
new FileSystem(this, "OneZoneReplicationFileSystem", new FileSystemProps {
Vpc = vpc,
ReplicationConfiguration = ReplicationConfiguration.OneZoneFileSystem("us-east-1", "us-east-1a")
});
var destinationFileSystem = new FileSystem(this, "DestinationFileSystem", new FileSystemProps {
Vpc = vpc,
// set as the read-only file system for use as a replication destination
ReplicationOverwriteProtection = ReplicationOverwriteProtection.DISABLED
});
// specify the replication destination file system
// specify the replication destination file system
new FileSystem(this, "ReplicationFileSystem", new FileSystemProps {
Vpc = vpc,
ReplicationConfiguration = ReplicationConfiguration.ExistingFileSystem(destinationFileSystem)
});
Note: EFS now supports only one replication destination and thus allows specifying just one replicationConfiguration
for each file system.
Visit <a href="https://docs.aws.amazon.com/efs/latest/ug/efs-replication.html">Replicating file systems</a> for more details.
IAM to control file system data access
You can use both IAM identity policies and resource policies to control client access to Amazon EFS resources in a way that is scalable and optimized for cloud environments. Using IAM, you can permit clients to perform specific actions on a file system, including read-only, write, and root access.
using Amazon.CDK.AWS.IAM;
var myFileSystemPolicy = new PolicyDocument(new PolicyDocumentProps {
Statements = new [] { new PolicyStatement(new PolicyStatementProps {
Actions = new [] { "elasticfilesystem:ClientWrite", "elasticfilesystem:ClientMount" },
Principals = new [] { new AccountRootPrincipal() },
Resources = new [] { "*" },
Conditions = new Dictionary<string, object> {
{ "Bool", new Dictionary<string, string> {
{ "elasticfilesystem:AccessedViaMountTarget", "true" }
} }
}
}) }
});
var fileSystem = new FileSystem(this, "MyEfsFileSystem", new FileSystemProps {
Vpc = new Vpc(this, "VPC"),
FileSystemPolicy = myFileSystemPolicy
});
Alternatively, a resource policy can be added later using addToResourcePolicy(statement)
. Note that this will not work with imported FileSystem.
using Amazon.CDK.AWS.IAM;
PolicyStatement statement;
var fileSystem = new FileSystem(this, "MyEfsFileSystem", new FileSystemProps {
Vpc = new Vpc(this, "VPC")
});
fileSystem.AddToResourcePolicy(statement);
Permissions
If you need to grant file system permissions to another resource, you can use the .grant()
API.
As an example, the following code gives elasticfilesystem:Backup
permissions to an IAM role.
var role = new Role(this, "Role", new RoleProps {
AssumedBy = new AnyPrincipal()
});
fileSystem.Grant(role, "elasticfilesystem:Backup");
APIs for clients also include .grantRead()
, .grantReadWrite()
, and .grantRootAccess()
. Using these APIs grants access to clients.
Also, by default, the file system policy is updated to only allow access to clients using IAM authentication and deny access to anonymous clients.
var role = new Role(this, "ClientRole", new RoleProps {
AssumedBy = new AnyPrincipal()
});
fileSystem.GrantRead(role);
You can control this behavior with allowAnonymousAccess
. The following example continues to allow anonymous client access.
using Amazon.CDK.AWS.IAM;
var role = new Role(this, "ClientRole", new RoleProps {
AssumedBy = new AnyPrincipal()
});
var fileSystem = new FileSystem(this, "MyEfsFileSystem", new FileSystemProps {
Vpc = new Vpc(this, "VPC"),
AllowAnonymousAccess = true
});
fileSystem.GrantRead(role);
Access Point
An access point is an application-specific view into an EFS file system that applies an operating system user and group, and a file system path, to any file system request made through the access point. The operating system user and group override any identity information provided by the NFS client. The file system path is exposed as the access point's root directory. Applications using the access point can only access data in its own directory and below. To learn more, see Mounting a File System Using EFS Access Points.
Use the addAccessPoint
API to create an access point from a fileSystem.
fileSystem.AddAccessPoint("AccessPoint");
By default, when you create an access point, the root(/
) directory is exposed to the client
connecting to the access point. You can specify a custom path with the path
property.
If path
does not exist, it will be created with the settings defined in the creationInfo
.
See Creating Access Points for more details.
Any access point that has been created outside the stack can be imported into your CDK app.
Use the fromAccessPointAttributes()
API to import an existing access point.
AccessPoint.FromAccessPointAttributes(this, "ap", new AccessPointAttributes {
AccessPointId = "fsap-1293c4d9832fo0912",
FileSystem = FileSystem.FromFileSystemAttributes(this, "efs", new FileSystemAttributes {
FileSystemId = "fs-099d3e2f",
SecurityGroup = SecurityGroup.FromSecurityGroupId(this, "sg", "sg-51530134")
})
});
⚠️ Notice: When importing an Access Point using fromAccessPointAttributes()
, you must make sure
the mount targets are deployed and their lifecycle state is available
. Otherwise, you may encounter
the following error when deploying:
EFS file system <ARN of="of" efs="efs" xmlns="http://www.w3.org/1999/xhtml"></ARN> referenced by access point <ARN of access point of EFS> has
mount targets created in all availability zones the function will execute in, but not all
are in the available life cycle state yet. Please wait for them to become available and
try the request again.
Connecting
To control who can access the EFS, use the .connections
attribute. EFS has
a fixed default port, so you don't need to specify the port:
fileSystem.Connections.AllowDefaultPortFrom(instance);
Learn more about managing file system network accessibility
Mounting the file system using User Data
After you create a file system, you can create mount targets. Then you can mount the file system on EC2 instances, containers, and Lambda functions in your virtual private cloud (VPC).
The following example automatically mounts a file system during instance launch.
fileSystem.Connections.AllowDefaultPortFrom(instance);
instance.UserData.AddCommands("yum check-update -y", "yum upgrade -y", "yum install -y amazon-efs-utils", "yum install -y nfs-utils", "file_system_id_1=" + fileSystem.FileSystemId, "efs_mount_point_1=/mnt/efs/fs1", "mkdir -p \"${efs_mount_point_1}\"", "test -f \"/sbin/mount.efs\" && echo \"${file_system_id_1}:/ ${efs_mount_point_1} efs defaults,_netdev\" >> /etc/fstab || " + "echo \"${file_system_id_1}.efs." + Stack.Of(this).Region + ".amazonaws.com:/ ${efs_mount_point_1} nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,_netdev 0 0\" >> /etc/fstab", "mount -a -t efs,nfs4 defaults");
Learn more about mounting EFS file systems
Deleting
Since file systems are stateful resources, by default the file system will not be deleted when your stack is deleted.
You can configure the file system to be destroyed on stack deletion by setting a removalPolicy
var fileSystem = new FileSystem(this, "EfsFileSystem", new FileSystemProps {
Vpc = new Vpc(this, "VPC"),
RemovalPolicy = RemovalPolicy.DESTROY
});
Classes
AccessPoint | Represents the AccessPoint. |
AccessPointAttributes | Attributes that can be specified when importing an AccessPoint. |
AccessPointOptions | Options to create an AccessPoint. |
AccessPointProps | Properties for the AccessPoint. |
Acl | Permissions as POSIX ACL. |
CfnAccessPoint | The |
CfnAccessPoint.AccessPointTagProperty | A tag is a key-value pair attached to a file system. |
CfnAccessPoint.CreationInfoProperty | Required if the |
CfnAccessPoint.PosixUserProperty | The full POSIX identity, including the user ID, group ID, and any secondary group IDs, on the access point that is used for all file system operations performed by NFS clients using the access point. |
CfnAccessPoint.RootDirectoryProperty | Specifies the directory on the Amazon EFS file system that the access point provides access to. |
CfnAccessPointProps | Properties for defining a |
CfnFileSystem | The |
CfnFileSystem.BackupPolicyProperty | The backup policy turns automatic backups for the file system on or off. |
CfnFileSystem.ElasticFileSystemTagProperty | A tag is a key-value pair attached to a file system. |
CfnFileSystem.FileSystemProtectionProperty | Describes the protection on the file system. |
CfnFileSystem.LifecyclePolicyProperty | Describes a policy used by Lifecycle management that specifies when to transition files into and out of the EFS storage classes. |
CfnFileSystem.ReplicationConfigurationProperty | Describes the replication configuration for a specific file system. |
CfnFileSystem.ReplicationDestinationProperty | Describes the destination file system in the replication configuration. |
CfnFileSystemProps | Properties for defining a |
CfnMountTarget | The |
CfnMountTargetProps | Properties for defining a |
ExistingFileSystemProps | Properties for configuring ReplicationConfiguration to replicate to an existing file system. |
FileSystem | The Elastic File System implementation of IFileSystem. |
FileSystemAttributes | Properties that describe an existing EFS file system. |
FileSystemProps | Properties of EFS FileSystem. |
LifecyclePolicy | EFS Lifecycle Policy, if a file is not accessed for given days, it will move to EFS Infrequent Access or Archive storage. |
OneZoneFileSystemProps | Properties for configuring ReplicationConfiguration to replicate to a new One Zone file system. |
OutOfInfrequentAccessPolicy | EFS Out Of Infrequent Access Policy, if a file is accessed given times, it will move back to primary storage class. |
PerformanceMode | EFS Performance mode. |
PosixUser | Represents the PosixUser. |
RegionalFileSystemProps | Properties for configuring ReplicationConfiguration to replicate to a new Regional file system. |
ReplicationConfiguration | EFS Replication Configuration. |
ReplicationConfigurationProps | Properties for the ReplicationConfiguration. |
ReplicationOverwriteProtection | The status of the file system's replication overwrite protection. |
ThroughputMode | EFS Throughput mode. |
Interfaces
CfnAccessPoint.IAccessPointTagProperty | A tag is a key-value pair attached to a file system. |
CfnAccessPoint.ICreationInfoProperty | Required if the |
CfnAccessPoint.IPosixUserProperty | The full POSIX identity, including the user ID, group ID, and any secondary group IDs, on the access point that is used for all file system operations performed by NFS clients using the access point. |
CfnAccessPoint.IRootDirectoryProperty | Specifies the directory on the Amazon EFS file system that the access point provides access to. |
CfnFileSystem.IBackupPolicyProperty | The backup policy turns automatic backups for the file system on or off. |
CfnFileSystem.IElasticFileSystemTagProperty | A tag is a key-value pair attached to a file system. |
CfnFileSystem.IFileSystemProtectionProperty | Describes the protection on the file system. |
CfnFileSystem.ILifecyclePolicyProperty | Describes a policy used by Lifecycle management that specifies when to transition files into and out of the EFS storage classes. |
CfnFileSystem.IReplicationConfigurationProperty | Describes the replication configuration for a specific file system. |
CfnFileSystem.IReplicationDestinationProperty | Describes the destination file system in the replication configuration. |
IAccessPoint | Represents an EFS AccessPoint. |
IAccessPointAttributes | Attributes that can be specified when importing an AccessPoint. |
IAccessPointOptions | Options to create an AccessPoint. |
IAccessPointProps | Properties for the AccessPoint. |
IAcl | Permissions as POSIX ACL. |
ICfnAccessPointProps | Properties for defining a |
ICfnFileSystemProps | Properties for defining a |
ICfnMountTargetProps | Properties for defining a |
IExistingFileSystemProps | Properties for configuring ReplicationConfiguration to replicate to an existing file system. |
IFileSystem | Represents an Amazon EFS file system. |
IFileSystemAttributes | Properties that describe an existing EFS file system. |
IFileSystemProps | Properties of EFS FileSystem. |
IOneZoneFileSystemProps | Properties for configuring ReplicationConfiguration to replicate to a new One Zone file system. |
IPosixUser | Represents the PosixUser. |
IRegionalFileSystemProps | Properties for configuring ReplicationConfiguration to replicate to a new Regional file system. |
IReplicationConfigurationProps | Properties for the ReplicationConfiguration. |