feat(efs): implement IResourceWithPolicy (#24453)

Implement `IResourceWithPolicy` in `FileSystem`.
Currently, `FileSystem` implements `FileSystemPolicy`. However, it does not implement `iam.IResourceWithPolicy`, which means that `iam.Grant.addToPrincipalOrResource` and `iam.Grant.addToPrincipalAndResource` cannot be used and is not compatible with other resources with resource policies. This PR makes it easier to extend `grantXxx`.

Closes #15805. (Already implemented `FileSystemPolicy`)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: WinterYukky

packages/@aws-cdk/aws-efs/README.md

@@ -66,13 +66,15 @@ const importedFileSystem = efs.FileSystem.fromFileSystemAttributes(this, 'existi
 You can use both IAM identity policies and resource policies to control client access to Amazon EFS resources in a way that is scalable and optimized for cloud environments. Using IAM, you can permit clients to perform specific actions on a file system, including read-only, write, and root access.
 
 ```ts
-const myFileSystemPolicy = new PolicyDocument({
-  statements: [new PolicyStatement({
+import * as iam from '@aws-cdk/aws-iam';
+
+const myFileSystemPolicy = new iam.PolicyDocument({
+  statements: [new iam.PolicyStatement({
     actions: [
       'elasticfilesystem:ClientWrite',
       'elasticfilesystem:ClientMount',
     ],
-    principals: [new AccountRootPrincipal()],
+    principals: [new iam.AccountRootPrincipal()],
     resources: ['*'],
     conditions: {
       Bool: {
@@ -88,6 +90,19 @@ const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {
 });
 ```
 
+Alternatively, a resource policy can be added later using `addToResourcePolicy(statement)`. Note that this will not work with imported FileSystem.
+
+```ts
+import * as iam from '@aws-cdk/aws-iam';
+
+declare const statement: iam.PolicyStatement;
+const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {
+  vpc: new ec2.Vpc(this, 'VPC'),
+});
+
+fileSystem.addToResourcePolicy(statement);
+```
+
 ### Permissions
 
 If you need to grant file system permissions to another resource, you can use the `.grant()` API.

packages/@aws-cdk/aws-efs/lib/efs-file-system.ts

@@ -1,7 +1,7 @@
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
-import { ArnFormat, FeatureFlags, IResource, RemovalPolicy, Resource, Size, Stack, Tags } from '@aws-cdk/core';
+import { ArnFormat, FeatureFlags, Lazy, RemovalPolicy, Resource, Size, Stack, Tags } from '@aws-cdk/core';
 import * as cxapi from '@aws-cdk/cx-api';
 import { Construct, DependencyGroup, IDependable } from 'constructs';
 import { AccessPoint, AccessPointOptions } from './access-point';
@@ -106,7 +106,7 @@ export enum ThroughputMode {
 /**
  * Represents an Amazon EFS file system
  */
-export interface IFileSystem extends ec2.IConnectable, IResource {
+export interface IFileSystem extends ec2.IConnectable, iam.IResourceWithPolicy {
   /**
    * The ID of the file system, assigned by Amazon EFS.
    *
@@ -284,6 +284,15 @@ abstract class FileSystemBase extends Resource implements IFileSystem {
    */
   public abstract readonly mountTargetsAvailable: IDependable;
 
+  /**
+   * @internal
+   */
+  protected _resource?: CfnFileSystem;
+  /**
+   * @internal
+   */
+  protected _fileSystemPolicy?: iam.PolicyDocument;
+
   /**
    * Grant the actions defined in actions to the given grantee
    * on this File System resource.
@@ -298,6 +307,28 @@ abstract class FileSystemBase extends Resource implements IFileSystem {
       resourceArns: [this.fileSystemArn],
     });
   }
+
+  /**
+   * Adds a statement to the resource policy associated with this file system.
+   * A resource policy will be automatically created upon the first call to `addToResourcePolicy`.
+   *
+   * Note that this does not work with imported file systems.
+   *
+   * @param statement The policy statement to add
+   */
+  public addToResourcePolicy(
+    statement: iam.PolicyStatement,
+  ): iam.AddToResourcePolicyResult {
+    if (!this._resource) {
+      return { statementAdded: false };
+    }
+    this._fileSystemPolicy = this._fileSystemPolicy ?? new iam.PolicyDocument({ statements: [] });
+    this._fileSystemPolicy.addStatements(statement);
+    return {
+      statementAdded: true,
+      policyDependable: this,
+    };
+  }
 }
 
 /**
@@ -370,20 +401,21 @@ export class FileSystem extends FileSystemBase {
       lifecyclePolicies.push({ transitionToPrimaryStorageClass: props.outOfInfrequentAccessPolicy });
     }
 
-    const filesystem = new CfnFileSystem(this, 'Resource', {
+    this._resource = new CfnFileSystem(this, 'Resource', {
       encrypted: encrypted,
       kmsKeyId: props.kmsKey?.keyArn,
       lifecyclePolicies: lifecyclePolicies.length > 0 ? lifecyclePolicies : undefined,
       performanceMode: props.performanceMode,
       throughputMode: props.throughputMode,
       provisionedThroughputInMibps: props.provisionedThroughputPerSecond?.toMebibytes(),
       backupPolicy: props.enableAutomaticBackups ? { status: 'ENABLED' } : undefined,
-      fileSystemPolicy: props.fileSystemPolicy,
+      fileSystemPolicy: Lazy.any({ produce: () => this._fileSystemPolicy }),
     });
-    filesystem.applyRemovalPolicy(props.removalPolicy);
+    this._resource.applyRemovalPolicy(props.removalPolicy);
 
-    this.fileSystemId = filesystem.ref;
-    this.fileSystemArn = filesystem.attrArn;
+    this.fileSystemId = this._resource.ref;
+    this.fileSystemArn = this._resource.attrArn;
+    this._fileSystemPolicy = props.fileSystemPolicy;
 
     Tags.of(this).add('Name', props.fileSystemName || this.node.path);
 

packages/@aws-cdk/aws-efs/test/efs-file-system.test.ts

@@ -457,4 +457,106 @@ test('can specify file system policy', () => {
       ],
     },
   });
+});
+
+test('can add statements to file system policy', () => {
+  // WHEN
+  const statement1 = new iam.PolicyStatement({
+    actions: [
+      'elasticfilesystem:ClientMount',
+    ],
+    principals: [new iam.ArnPrincipal('arn:aws:iam::111122223333:role/Testing_Role1')],
+    resources: ['arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd'],
+    conditions: {
+      Bool: {
+        'elasticfilesystem:AccessedViaMountTarget': 'true',
+      },
+    },
+  });
+  const statement2 = new iam.PolicyStatement({
+    actions: [
+      'elasticfilesystem:ClientMount',
+      'elasticfilesystem:ClientWrite',
+    ],
+    principals: [new iam.ArnPrincipal('arn:aws:iam::111122223333:role/Testing_Role2')],
+    resources: ['arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd'],
+    conditions: {
+      Bool: {
+        'elasticfilesystem:AccessedViaMountTarget': 'true',
+      },
+    },
+  });
+  const fileSystem = new FileSystem(stack, 'EfsFileSystem', { vpc });
+  fileSystem.addToResourcePolicy(statement1);
+  fileSystem.addToResourcePolicy(statement2);
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::EFS::FileSystem', {
+    FileSystemPolicy: {
+      Statement: [
+        {
+          Effect: 'Allow',
+          Principal: {
+            AWS: 'arn:aws:iam::111122223333:role/Testing_Role1',
+          },
+          Action: 'elasticfilesystem:ClientMount',
+          Resource: 'arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd',
+          Condition: {
+            Bool: {
+              'elasticfilesystem:AccessedViaMountTarget': 'true',
+            },
+          },
+        },
+        {
+          Effect: 'Allow',
+          Principal: {
+            AWS: 'arn:aws:iam::111122223333:role/Testing_Role2',
+          },
+          Action: [
+            'elasticfilesystem:ClientMount',
+            'elasticfilesystem:ClientWrite',
+          ],
+          Resource: 'arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd',
+          Condition: {
+            Bool: {
+              'elasticfilesystem:AccessedViaMountTarget': 'true',
+            },
+          },
+        },
+      ],
+    },
+  });
+});
+
+test('imported file system can not add statements to file system policy', () => {
+  // WHEN
+  const statement = new iam.PolicyStatement({
+    actions: [
+      'elasticfilesystem:ClientMount',
+    ],
+    principals: [new iam.ArnPrincipal('arn:aws:iam::111122223333:role/Testing_Role')],
+    resources: ['arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd'],
+    conditions: {
+      Bool: {
+        'elasticfilesystem:AccessedViaMountTarget': 'true',
+      },
+    },
+  });
+
+  const fileSystem = new FileSystem(stack, 'FileSystem', { vpc });
+  const importedFileSystem = FileSystem.fromFileSystemAttributes(stack, 'ImportedFileSystem', {
+    securityGroup: fileSystem.connections.securityGroups[0],
+    fileSystemArn: fileSystem.fileSystemArn,
+  });
+  const fileSystemResult = fileSystem.addToResourcePolicy(statement);
+  const importedFileSystemResult = importedFileSystem.addToResourcePolicy(statement);
+
+  // THEN
+  expect(fileSystemResult).toStrictEqual({
+    statementAdded: true,
+    policyDependable: fileSystem,
+  });
+  expect(importedFileSystemResult).toStrictEqual({
+    statementAdded: false,
+  });
 });

packages/@aws-cdk/aws-efs/test/integ.efs-filesystem-policy.js.snapshot/manifest.json

@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7d5832d3a930b18cb36abc1ffaed24a2bf408a8130ba7fab108ff6f6fa75dd98.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/80b43aa6ff9bb3df4306a753de53b67b3d2eca66f7851894c1186c46edea991d.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [

packages/@aws-cdk/aws-efs/test/integ.efs-filesystem-policy.js.snapshot/test-efs-integ.assets.json

@@ -1,15 +1,15 @@
 {
   "version": "30.1.0",
   "files": {
-    "7d5832d3a930b18cb36abc1ffaed24a2bf408a8130ba7fab108ff6f6fa75dd98": {
+    "80b43aa6ff9bb3df4306a753de53b67b3d2eca66f7851894c1186c46edea991d": {
       "source": {
         "path": "test-efs-integ.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "7d5832d3a930b18cb36abc1ffaed24a2bf408a8130ba7fab108ff6f6fa75dd98.json",
+          "objectKey": "80b43aa6ff9bb3df4306a753de53b67b3d2eca66f7851894c1186c46edea991d.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-efs/test/integ.efs-filesystem-policy.js.snapshot/test-efs-integ.template.json

@@ -391,6 +391,34 @@
         }
        },
        "Resource": "*"
+      },
+      {
+       "Action": "elasticfilesystem:ClientRootAccess",
+       "Condition": {
+        "Bool": {
+         "elasticfilesystem:AccessedViaMountTarget": "true"
+        }
+       },
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       },
+       "Resource": "*"
       }
      ],
      "Version": "2012-10-17"

packages/@aws-cdk/aws-efs/test/integ.efs-filesystem-policy.js.snapshot/tree.json

@@ -646,6 +646,34 @@
                             }
                           },
                           "Resource": "*"
+                        },
+                        {
+                          "Action": "elasticfilesystem:ClientRootAccess",
+                          "Condition": {
+                            "Bool": {
+                              "elasticfilesystem:AccessedViaMountTarget": "true"
+                            }
+                          },
+                          "Effect": "Allow",
+                          "Principal": {
+                            "AWS": {
+                              "Fn::Join": [
+                                "",
+                                [
+                                  "arn:",
+                                  {
+                                    "Ref": "AWS::Partition"
+                                  },
+                                  ":iam::",
+                                  {
+                                    "Ref": "AWS::AccountId"
+                                  },
+                                  ":root"
+                                ]
+                              ]
+                            }
+                          },
+                          "Resource": "*"
                         }
                       ],
                       "Version": "2012-10-17"

packages/@aws-cdk/aws-efs/test/integ.efs-filesystem-policy.ts

@@ -30,6 +30,18 @@ const fileSystem = new FileSystem(stack, 'FileSystem', {
   vpc,
   fileSystemPolicy: myFileSystemPolicy,
 });
+fileSystem.addToResourcePolicy(new PolicyStatement({
+  actions: [
+    'elasticfilesystem:ClientRootAccess',
+  ],
+  principals: [new AccountRootPrincipal()],
+  resources: ['*'],
+  conditions: {
+    Bool: {
+      'elasticfilesystem:AccessedViaMountTarget': 'true',
+    },
+  },
+}));
 
 const accessPoint = new AccessPoint(stack, 'AccessPoint', {
   fileSystem,