Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-lambda): Add validation to verify the filesystem configuration mountPath matches the AccessPoint path #17526

Closed
gshpychka opened this issue Nov 16, 2021 · 6 comments · Fixed by #31019
Closed

(aws-lambda): Add validation to verify the filesystem configuration mountPath matches the AccessPoint path #17526

gshpychka opened this issue Nov 16, 2021 · 6 comments · Fixed by #31019
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2

Comments

@gshpychka
Copy link
Contributor

What is the problem?

When attaching an EFS mount point to a lambda, there is only one correct value for the mountPath, and that is /mnt/{access point root path}. Any other value will result in an OS-level access denied exception. Since the root path can be accessed from the access point by CDK, why expose this parameter at all?

Reproduction Steps

Create an EFS Access Point. Attach it to a Lambda with mountPoint set to anything other than /mnt/{access point root path}. Attempt to write anything to the filesystem from the lambda.

What did you expect to happen?

File I/O operations work normally.

What actually happened?

Access denied I/O errors if the mount path differs from the access point's root path.

CDK CLI Version

1.132

Framework Version

No response

Node.js Version

16.11.1

OS

Linux

Language

Typescript, Python, .NET, Java, Go

Language Version

No response

Other information

Either infer the mountPath from the access point, or specify clearly in the documentation that it has to follow this strict pattern and is not customizable.
@gshpychka gshpychka added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 16, 2021
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Nov 16, 2021
@NGL321 NGL321 added the p2 label Nov 22, 2021
@nija-at nija-at removed the p2 label Dec 1, 2021
@nija-at
Copy link
Contributor

nija-at commented Dec 1, 2021

@gshpychka -

By {access point root path}, do you mean the value passed here - https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-efs.AccessPoint.html#path ?

Per the CFN docs, this is configurable - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-filesystemconfig.html#cfn-lambda-function-filesystemconfig-localmountpath.

I've not tested this myself, but if that's not the access the value is always fixed, we can add a validation that these paths are the same. We'll still need the property in order to support imported EFS access points.

@nija-at nija-at added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/small Small work item – less than a day of effort p2 good first issue Related to contributions. See CONTRIBUTING.md and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. needs-triage This issue or PR still needs to be triaged. labels Dec 1, 2021
@gshpychka
Copy link
Contributor Author

Yes, that's the one. From my testing, it has to match the root path or it doesn't work. Very confusing for sure.

@nija-at nija-at removed their assignment Dec 2, 2021
@gshpychka
Copy link
Contributor Author

@nija-at what do you think about potential resolutions? Maybe this is a bug in lambda and should be dealt with upstream?

@github-actions
Copy link

github-actions bot commented Dec 8, 2022

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Dec 8, 2022
@gshpychka
Copy link
Contributor Author

Still relevant, I believe

@github-actions github-actions bot removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Dec 9, 2022
@madeline-k madeline-k changed the title (aws-lambda): filesystem configuration should not expose the mountPath parameter (aws-lambda): Add validation to verify the filesystem configuration mountPath matches the AccessPoint path Jan 27, 2023
@exoego exoego mentioned this issue Jul 5, 2024
Closed
1 task
@exoego exoego mentioned this issue Aug 4, 2024
Merged
1 task
@mergify mergify bot closed this as completed in #31019 Aug 17, 2024
mergify bot pushed a commit that referenced this issue Aug 17, 2024
@exoego
fix(lambda): validate localMountPath format and length (#31019)
c159e77 
### Issue # (if applicable)

Closes #17526

### Reason for this change

Show user-friendly error message faster (before deployment)


### Description of changes

Added format and length validation according to [AWS::Lambda::Function FileSystemConfig document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-filesystemconfig.html#cfn-lambda-function-filesystemconfig-localmountpath)

![image](https://github.com/user-attachments/assets/5296cef5-9b33-4ddc-bfc2-8e6fac00dc66)


### Description of how you validated changes

- Added unit test
- No integration test because I think it is overkill


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 17, 2024
GavinZZ pushed a commit that referenced this issue Aug 20, 2024
@exoego @GavinZZ
fix(lambda): validate localMountPath format and length (#31019)
cf271f5 
### Issue # (if applicable)

Closes #17526

### Reason for this change

Show user-friendly error message faster (before deployment)


### Description of changes

Added format and length validation according to [AWS::Lambda::Function FileSystemConfig document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-filesystemconfig.html#cfn-lambda-function-filesystemconfig-localmountpath)

![image](https://github.com/user-attachments/assets/5296cef5-9b33-4ddc-bfc2-8e6fac00dc66)


### Description of how you validated changes

- Added unit test
- No integration test because I think it is overkill


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2
Projects
None yet
Milestone
No milestone
3 participants
@NGL321 @nija-at @gshpychka