RFC for S3Files L2 CDK Constructs#932
Conversation
309ae3c to
bb52e36
Compare
badmintoncryer
left a comment
There was a problem hiding this comment.
Thank you for creating a rfc.
I've added some comments. And there are two things to say.
-
The proposal automates the IAM role but exposes no grant* surface for client principals (s3files:ClientMount/ClientWrite/ClientRootAccess). Worth adding grant methods (or a grants facade) so consumers can authorize Lambda/ECS/EC2 task roles idiomatically.
-
The CFN resources expose AcceptBucketWarning and ClientToken on FileSystem, and IpAddressType (IPV4_ONLY|IPV6_ONLY|DUAL_STACK) on MountTarget. None appear in the proposed API — AcceptBucketWarning in particular is needed for many buckets, and there’s no way to opt into IPv6/dual-stack mount targets.
| * | ||
| * @default - CDK generated name | ||
| */ | ||
| readonly fileSystemName?: string; |
There was a problem hiding this comment.
AWS::S3Files::FileSystem has no Name property. I think this prop is not needed.
| sizeLessThan: 1073741824, | ||
| trigger: s3files.ImportDataRuleTrigger.ON_FILE_ACCESS, | ||
| }], | ||
| expirationDataRules: [{ |
There was a problem hiding this comment.
sizeLessThan (CFN: Integer bytes) and the expiration value (CFN: DaysAfterLastAccess, Integer days) are raw numbers in the proposal. Per the CDK design guidelines these should be Size / Duration. Note the CFN constraints when converting: DaysAfterLastAccess is an integer 1–365 days, so a Duration must validate whole days; SizeLessThan is in bytes.
| synchronizationConfiguration: { | ||
| importDataRules: [{ | ||
| prefix: '/', | ||
| sizeLessThan: 1073741824, | ||
| trigger: s3files.ImportDataRuleTrigger.ON_FILE_ACCESS, | ||
| }], | ||
| expirationDataRules: [{ |
There was a problem hiding this comment.
nit: CFN requires exactly one ExpirationDataRule (min=max=1) and 1–10 ImportDataRules with exactly one root-prefix rule. The proposed expirationDataRules: ExpirationDataRule[] / importDataRules[] should validate this.
| vpcConfiguration: { | ||
| vpc, | ||
| vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }, | ||
| }, |
There was a problem hiding this comment.
The README shows vpcSubnets but the interface defines subnets: ec2.ISubnet[] (required). Suggest aligning on a single name and using ec2.SubnetSelection (consistent with EFS L2 and other VPC-attached constructs) so users can pass { subnetType } rather than resolving subnets themselves.
…n types, IpAddressType, acceptBucketWarning
leonmk-aws
left a comment
There was a problem hiding this comment.
Similar to grants, we should have metrics helper functions: https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md#metrics
|
|
||
| Each method calls `iam.Grant.addToPrincipalOrResource` with the | ||
| appropriate `s3files:Client*` actions and an | ||
| `s3files:AccessedViaMountTarget` condition. A general-purpose |
There was a problem hiding this comment.
Shouldn't this condition be: s3files:AccessPointArn ?
| actions: ['s3files:ClientMount'], | ||
| principals: [new iam.AnyPrincipal()], | ||
| conditions: { | ||
| Bool: { 's3files:AccessedViaMountTarget': 'true' }, |
There was a problem hiding this comment.
Shouldn't this be: s3files:AccessPointArn
|
|
||
| ## Granting Access | ||
|
|
||
| Use `grant*` methods to authorize principals for NFS client operations. |
There was a problem hiding this comment.
Let's use grants facades for this: https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md#grants (this is a minimal change)
| resource policy support | ||
| * `AccessPoint` L2 with POSIX user and root directory configuration | ||
| * `FileSystem.fromFileSystemAttributes()` and | ||
| `AccessPoint.fromAccessPointAttributes()` import methods |
There was a problem hiding this comment.
Earlier it is mentioned that the methods name is fromAccessPointId not fromAccessPointAttributes
| ```ts | ||
| declare const fileSystem: s3files.FileSystem; | ||
|
|
||
| const accessPoint = fileSystem.addAccessPoint('AccessPoint', { |
There was a problem hiding this comment.
fileSystem.addAccessPoint('AccessPoint', { path, createAcl, posixUser }), but the only interface defined later is AccessPointProps, which requires fileSystem. Are we missing an AccessPointOptions interface ?
| * | ||
| * @default - CDK generated name | ||
| */ | ||
| readonly accessPointName?: string; |
There was a problem hiding this comment.
CloudFormation doesn't have support for the name of an access point https://docs.aws.amazon.com/fr_fr/AWSCloudFormation/latest/TemplateReference/aws-resource-s3files-accesspoint.html, I believe this is only supported in the console ?
leonmk-aws
left a comment
There was a problem hiding this comment.
Added a few more comments after the last changes
| action sets. | ||
| ## Metrics | ||
|
|
||
| Use the metrics facade to create CloudWatch metric objects: |
There was a problem hiding this comment.
Unfortunately the metrics facade is not ready yet so it cannot be used, we need to write the metrics methods by hand for now. I also means that there should not be metrics property on the Filesystem.
See this section of the design guidelines: https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md#metrics, we should have at least a metric() method and additional metric methods for the ones we find relevant (e.g metricDataReadBytes etc)
There was a problem hiding this comment.
I can include one in the doc here as an example but for actual implementation is there a priority list of metrics we want to expose if we are exposing each manually? maybe the top N make it into the first impl and we can add more down the road based on demand?
There was a problem hiding this comment.
Yes, later during the implementation or based on demand, additional methods can be added without any backwards compatibility concern.
| /** | ||
| * Configuration for data import and expiration behavior. | ||
| */ | ||
| export interface SynchronizationConfiguration { |
There was a problem hiding this comment.
Both importDataRules and ImportDataRules are required in CFN: AWS::S3Files::FileSystem SynchronizationConfiguration so they should not be optional in this interface, unless the L2 abstraction provides defaults configuration (@default - service defaults seems to imply that we don't).
| * | ||
| * @default - service defaults | ||
| */ | ||
| readonly expirationDataRule?: ExpirationDataRule; |
There was a problem hiding this comment.
Do we need to have this additional ExpirationDataRule type since it only holds daysAfterLastAccess property ?
There was a problem hiding this comment.
The L1 defines it as an object but we can flatten it for the L2
c53254c to
e6ef122
Compare
| * expires. Must be a whole number of days between 1 | ||
| * and 365. | ||
| */ | ||
| readonly daysAfterLastAccess: Duration; |
There was a problem hiding this comment.
Now that ExpirationDataRule is flattened away, daysAfterLastAccess sitting next to importDataRules reads like a threshold rather than the expiration action. The S3 Files console labels this "Data expiration after last access," so I'd rename it to match — dataExpiration: Duration (with "measured from last access" in the JSDoc).
| action sets. | ||
| ## Metrics | ||
|
|
||
| Use the metrics facade to create CloudWatch metric objects: |
There was a problem hiding this comment.
Yes, later during the implementation or based on demand, additional methods can be added without any backwards compatibility concern.
This is a request for comments about S3Fiels L2 Constructs. See #929 for
additional details.
APIs are signed off by @{BAR_RAISER}.
By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache-2.0 license