ECS Task Definition needs additional parameters for EFS Access Points #13286

Closed
aberezin opened this issue May 12, 2020 · 9 comments · Fixed by #13136
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ecs Issues and PRs that pertain to the ecs service. service/efs Issues and PRs that pertain to the efs service.

@aberezin

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS EFS access points are the most recent addition to EFS and are documented [here](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html).

Currently, the aws_ecs_task_definition does not have an authorization_config for the efs_volume_configuration. This means that an ecs_task_definition cannot create an EC2 or Fargate instance connected to an EFS access point. This ticket requests adding authorization_config.

It is unclear if a Terraform-defined ECS Task Definition and efs_volume_configuration work with Fargate. See the references below. It may be a separate issue but I need to use ECS Task Definition with Fargate. This ticket is a necessary pre-condition. To the extent that additional work is needed to make this all work with Fargate, that could be another ticket.

New or Affected Resource(s)

  • aws_ecs_task_definition

Potential Terraform Configuration

# Requires https://github.com/terraform-providers/terraform-provider-aws/pull/11965
resource "aws_efs_access_point" "this" {
  file_system_id = aws_efs_file_system.fs.id
  subnet_id      = aws_subnet.alpha.id
}

resource "aws_ecs_task_definition" "service" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")

  volume {
    name = "service-storage"

    efs_volume_configuration {
      file_system_id     = aws_efs_file_system.fs.id
      root_directory     = "/opt/data"
      transit_encryption = true # Required for Access Points

      # This section is optional. If included, the volume uses an access point.
      authorization_config {
        accessPointId = aws_efs_access_point.this.id
        # Options are "ENABLED" or "DISABLED". Defaults to "DISABLED".
        iam = "DISABLED"
      }
    }
  }
}

References

Requires this PR for aws_efs_access_point resource.

Requires this PR for ECS transit encryption to EFS because to use an access point with ECS (Fargate or EC2), transit encryption is required.

This ticket discusses the transit encryption request and makes some reference to needing authorizationConfig (which is this ticket).

The released TF docs here say the following

efs_volume_configuration - (Optional) Used to configure a EFS volume can be used only with an EC2 type task.

It may be a separate issue but I need to use ECS Task Definition with Fargate.

AWS task definition parameters for volumes are documented here

  • #0000
@aberezin aberezin added the enhancement Requests to existing resources that expand the functionality or scope. label May 12, 2020
@ghost ghost added service/ecs Issues and PRs that pertain to the ecs service. service/efs Issues and PRs that pertain to the efs service. labels May 12, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label May 12, 2020
@rickythefox

Is there a workaround for this?

@aberezin
Author

There was no workaround and my solution was to abandon EFS access points in favor of the older style of EFS direct file mounts. EFS Access Points are poorly supported across the board in TF and this is just one of the problems.

On a somewhat unrelated note, I may abandon Fargate perhaps ECS altogether so the urgency of this ticket may be zero for me now. Even if I stick with Fargate, it is not urgent to use Access Points because direct mounting of the EFS file system works well.

@durist

durist commented May 18, 2020

I thought EFS access points are required to make Fargate work with EFS? From the announcement:

To use EFS with ECS, customers can add one or more volume definitions to an ECS task definition. A volume definition includes an EFS file system ID, Access Point ID, and whether to enable IAM authorization or TLS encryption in transit.

That's from here: https://aws.amazon.com/about-aws/whats-new/2020/04/amazon-ecs-aws-fargate-support-amazon-efs-filesystems-generally-available

I haven't been able to get it to work from terraform without the access point support, so unless I'm mistaken EFS+Fargate is currently not useable.

@alexgoldstone

@durist Just to confirm this isn't just you, I have also not been able to access EFS from Fargate and believe it is because EFS access points are required.

@jukie
Contributor

jukie commented May 21, 2020

Fyi I've updated my PR at #13136 to include the access point changes.

@durist

durist commented May 26, 2020

It looks like access points were added in 2.63.0, but authorization_config still hasn't been added.

I've confirmed that I can now mount an EFS filesystem in Fargate, but only as root, which is not ideal.

@bflad bflad removed the needs-triage Waiting for first response or review from a maintainer. label Jun 24, 2020
@bflad bflad added this to the v2.68.0 milestone Jun 24, 2020
@bflad
Contributor

bflad commented Jun 24, 2020

Support for this functionality has been merged and will release with version 2.68.0 of the Terraform AWS Provider, later this week. Thanks to @jukie and others for the implementation. 👍

@ghost

ghost commented Jun 26, 2020

This has been released in version 2.68.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
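
Added example, not part of the thread and not taken from the provider's documentation: a Fargate task definition using the `authorization_config` block as released in provider 2.68.0, with an access point that forces a non-root POSIX identity instead of the root-only mount described earlier in the thread. Resource names, the UID/GID, paths, the image and the `task_role_arn` variable are placeholders chosen for illustration.

```hcl
variable "task_role_arn" { type = string } # assumed input: role allowed elasticfilesystem:ClientMount/ClientWrite

resource "aws_efs_file_system" "fs" {
  encrypted = true
}

# The access point pins every client to one POSIX identity and one subtree.
resource "aws_efs_access_point" "app" {
  file_system_id = aws_efs_file_system.fs.id
  posix_user {
    uid = 1000 # placeholder non-root identity
    gid = 1000
  }
  root_directory {
    path = "/app-data"
    creation_info {
      owner_uid   = 1000
      owner_gid   = 1000
      permissions = "0750"
    }
  }
}

resource "aws_ecs_task_definition" "service" {
  family                   = "service"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  task_role_arn            = var.task_role_arn
  container_definitions = jsonencode([{
    name        = "app"
    image       = "example/app:latest" # placeholder image
    essential   = true
    mountPoints = [{ sourceVolume = "service-storage", containerPath = "/data" }]
  }])
  volume {
    name = "service-storage"
    efs_volume_configuration {
      file_system_id     = aws_efs_file_system.fs.id
      transit_encryption = "ENABLED" # required when authorization_config is used
      # root_directory is omitted: the access point enforces its own path
      authorization_config {
        access_point_id = aws_efs_access_point.app.id
        iam             = "ENABLED" # the mount is authorized against the task role
      }
    }
  }
}
```

With `iam = "ENABLED"`, a file system policy on the EFS side can restrict mounts to this task role and this access point, so the container never gets a root view of the whole file system.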

@ghost

ghost commented Jul 24, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 24, 2020
6 participants