feat(efs): support file system policy

packages/@aws-cdk/aws-efs/README.md

@@ -61,6 +61,33 @@ const importedFileSystem = efs.FileSystem.fromFileSystemAttributes(this, 'existi
 });
 ```
 
+### IAM to control file system data access
+
+You can use both IAM identity policies and resource policies to control client access to Amazon EFS resources in a way that is scalable and optimized for cloud environments. Using IAM, you can permit clients to perform specific actions on a file system, including read-only, write, and root access.
+
+```ts
+const myFileSystemPolicy = new PolicyDocument({
+  statements: [new PolicyStatement({
+    actions: [
+      'elasticfilesystem:ClientWrite',
+      'elasticfilesystem:ClientMount',
+    ],
+    principals: [new AccountRootPrincipal()],
+    resources: ['*'],
+    conditions: {
+      Bool: {
+        'elasticfilesystem:AccessedViaMountTarget': 'true',
+      },
+    },
+  })],
+});
+
+const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {
+  vpc: new ec2.Vpc(this, 'VPC'),
+  fileSystemPolicy: myFileSystemPolicy,
+});
+```
+
 ### Permissions
 
 If you need to grant file system permissions to another resource, you can use the `.grant()` API.

packages/@aws-cdk/aws-efs/lib/efs-file-system.ts

@@ -231,6 +231,13 @@ export interface FileSystemProps {
    * @default false
    */
   readonly enableAutomaticBackups?: boolean;
+
+  /**
+   * File system policy is an IAM resource policy used to control NFS access to an EFS file system.
+   *
+   * @default none
+   */
+  readonly fileSystemPolicy?: iam.PolicyDocument;
 }
 
 /**
@@ -371,6 +378,7 @@ export class FileSystem extends FileSystemBase {
       throughputMode: props.throughputMode,
       provisionedThroughputInMibps: props.provisionedThroughputPerSecond?.toMebibytes(),
       backupPolicy: props.enableAutomaticBackups ? { status: 'ENABLED' } : undefined,
+      fileSystemPolicy: props.fileSystemPolicy,
     });
     filesystem.applyRemovalPolicy(props.removalPolicy);
 

packages/@aws-cdk/aws-efs/test/efs-file-system.test.ts

@@ -414,3 +414,47 @@ test('can create when using a VPC with multiple subnets per availability zone',
   // make sure only one mount target is created.
   Template.fromStack(stack).resourceCountIs('AWS::EFS::MountTarget', 1);
 });
+
+test('can specify file system policy', () => {
+  // WHEN
+  const myFileSystemPolicy = new iam.PolicyDocument({
+    statements: [new iam.PolicyStatement({
+      actions: [
+        'elasticfilesystem:ClientWrite',
+        'elasticfilesystem:ClientMount',
+      ],
+      principals: [new iam.ArnPrincipal('arn:aws:iam::111122223333:role/Testing_Role')],
+      resources: ['arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd'],
+      conditions: {
+        Bool: {
+          'elasticfilesystem:AccessedViaMountTarget': 'true',
+        },
+      },
+    })],
+  });
+  new FileSystem(stack, 'EfsFileSystem', { vpc, fileSystemPolicy: myFileSystemPolicy });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::EFS::FileSystem', {
+    FileSystemPolicy: {
+      Statement: [
+        {
+          Effect: 'Allow',
+          Principal: {
+            AWS: 'arn:aws:iam::111122223333:role/Testing_Role',
+          },
+          Action: [
+            'elasticfilesystem:ClientWrite',
+            'elasticfilesystem:ClientMount',
+          ],
+          Resource: 'arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd',
+          Condition: {
+            Bool: {
+              'elasticfilesystem:AccessedViaMountTarget': 'true',
+            },
+          },
+        },
+      ],
+    },
+  });
+});

packages/@aws-cdk/aws-efs/test/integ.efs-filesystem-policy.js.snapshot/FileSystemPolicyTestDefaultTestDeployAssertD0596FC1.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "30.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "FileSystemPolicyTestDefaultTestDeployAssertD0596FC1.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-efs/test/integ.efs-filesystem-policy.js.snapshot/FileSystemPolicyTestDefaultTestDeployAssertD0596FC1.template.json

@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk/aws-efs/test/integ.efs-filesystem-policy.js.snapshot/cdk.out

@@ -0,0 +1 @@
+{"version":"30.0.0"}

packages/@aws-cdk/aws-efs/test/integ.efs-filesystem-policy.js.snapshot/integ.json

@@ -0,0 +1,12 @@
+{
+  "version": "30.0.0",
+  "testCases": {
+    "FileSystemPolicyTest/DefaultTest": {
+      "stacks": [
+        "test-efs-integ"
+      ],
+      "assertionStack": "FileSystemPolicyTest/DefaultTest/DeployAssert",
+      "assertionStackName": "FileSystemPolicyTestDefaultTestDeployAssertD0596FC1"
+    }
+  }
+}