diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-manifest.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-manifest.yml
index 50a93cd0604..5a05adb2b00 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-manifest.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-manifest.yml
@@ -83,7 +83,12 @@ storage:
 path: '/etc/mount1'
 efs:
 id:
- from_cfn: stack-fs-12345
+ from_cfn: stack-fs-12345
+ externalEFSVolume2:
+ path: '/etc/mount2'
+ efs:
+ id:
+ from_cfn: stack-fs-12345
 
 # Optional fields for more advanced use-cases.
 #
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
index aabd72ce3da..6af621abe6b 100644
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml
@@ -90,7 +90,12 @@ Metadata:
 path: '/etc/mount1'
 efs:
 id:
- from_cfn: stack-fs-12345
+ from_cfn: stack-fs-12345
+ externalEFSVolume2:
+ path: '/etc/mount2'
+ efs:
+ id:
+ from_cfn: stack-fs-12345
 
 # Optional fields for more advanced use-cases.
 #
@@ -190,7 +195,7 @@ Resources:
 yourtopicyourtopicfifoURL: !Ref yourtopicyourtopicfifoEventsQueue
 nonfifotopicnonfifotopicURL: !Ref nonfifotopicnonfifotopicEventsQueue
 - Name: COPILOT_MOUNT_POINTS
- Value: '{"externalEFSVolume":"/etc/mount1"}'
+ Value: '{"externalEFSVolume":"/etc/mount1","externalEFSVolume2":"/etc/mount2"}'
 EnvironmentFiles:
 - !If
 - HasEnvFile
@@ -207,6 +212,9 @@ Resources:
 - ContainerPath: '/etc/mount1'
 ReadOnly: true
 SourceVolume: externalEFSVolume
+ - ContainerPath: '/etc/mount2'
+ ReadOnly: true
+ SourceVolume: externalEFSVolume2
 Volumes:
 - Name: externalEFSVolume
 EFSVolumeConfiguration:
@@ -215,6 +223,13 @@ Resources:
 TransitEncryption: ENABLED
 AuthorizationConfig:
 IAM: DISABLED
+ - Name: externalEFSVolume2
+ EFSVolumeConfiguration:
+ FilesystemId: !ImportValue 'stack-fs-12345'
+ RootDirectory: '/'
+ TransitEncryption: ENABLED
+ AuthorizationConfig:
+ IAM: DISABLED
 ExecutionRole:
 Metadata:
 'aws:copilot:description': 'An IAM Role for the Fargate agent to make AWS API calls on your behalf'
@@ -319,7 +334,16 @@ Resources:
 - Effect: 'Allow'
 Action: ["logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents"]
 Resource: "*"
- - PolicyName: !Join ['', ['GrantEFSAccess', !ImportValue 'stack-fs-12345']]
+ - PolicyName: !Join ['', ['GrantEFSAccess', !ImportValue 'stack-fs-12345', '-0']]
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: 'Allow'
+ Action:
+ - 'elasticfilesystem:ClientMount'
+ Resource:
+ - !Join ['/', [!Sub 'arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system', !ImportValue 'stack-fs-12345']]
+ - PolicyName: !Join ['', ['GrantEFSAccess', !ImportValue 'stack-fs-12345', '-1']]
 PolicyDocument:
 Version: '2012-10-17'
 Statement:
diff --git a/internal/pkg/template/templates/workloads/partials/cf/taskrole.yml b/internal/pkg/template/templates/workloads/partials/cf/taskrole.yml
index 3b2317290b2..9b3f79ae6b2 100644
--- a/internal/pkg/template/templates/workloads/partials/cf/taskrole.yml
+++ b/internal/pkg/template/templates/workloads/partials/cf/taskrole.yml
@@ -46,11 +46,11 @@ TaskRole:
 Resource: "*"
 {{- end }}
 {{- if .Storage}}
- {{- range $EFS := .Storage.EFSPerms}}
+ {{- range $i, $EFS := .Storage.EFSPerms}}
 {{- if not $EFS.FilesystemID.RequiresImport}}
- - PolicyName: 'GrantEFSAccess{{$EFS.FilesystemID.Value}}'
+ - PolicyName: 'GrantEFSAccess{{$EFS.FilesystemID.Value}}-{{$i}}'
 {{- else}}
- - PolicyName: !Join ['',[ 'GrantEFSAccess', !ImportValue {{$EFS.FilesystemID.Value}}]]
+ - PolicyName: !Join ['',[ 'GrantEFSAccess', !ImportValue {{$EFS.FilesystemID.Value}}, '-{{$i}}']]
 {{- end}}
 PolicyDocument:
 Version: '2012-10-17'
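Review bot: Suffixing PolicyName with the range index on both the plain and the `!ImportValue` branch makes the inline policy names depend on the order of `.Storage.EFSPerms`, so reordering or dropping one volume in the manifest renames the policies of the others on the next deploy, and two volumes on the same filesystem now emit two identical ClientMount policies rather than one (the worker-test.stack.yml hunk at @@ -319 shows `-0` and `-1` carrying the same statement and resource). Inline policy names only have to be unique within the role, so this is valid CloudFormation, but deduplicating EFSPerms by filesystem ID before this range, or deriving the suffix from the volume name instead of the position, would give stable names and a single grant per filesystem; whether EFSPerms carries the volume name is not visible here, so that part is a suggestion to check against the Go side. Nothing in the template says why the index is there; a Go-template comment on the line above the range, `{{- /* index suffix keeps PolicyName unique when several volumes reference the same filesystem */ -}}`, would record it for the next reader. The enclosing Policies list of TaskRole starts and ends outside the hunk.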