Access point requires TLS

mapk-amazon · mapk-amazon · commit 80a35558344d · 2024-08-10T10:25:50.000Z
https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#mount-with-access-point Added unit test
diff --git a/cli/src/pcluster/config/cluster_config.py b/cli/src/pcluster/config/cluster_config.py
@@ -406,6 +406,7 @@ def _register_validators(self, context: ValidatorContext = None):  # noqa: D102
             EfsAccessPointOptionsValidator,
             access_point_id=self.access_point_id,
             file_system_id=self.file_system_id,
+            encryption_in_transit=self.encryption_in_transit
         )
 
 class BaseSharedFsx(Resource):
diff --git a/cli/src/pcluster/validators/efs_validators.py b/cli/src/pcluster/validators/efs_validators.py
@@ -33,11 +33,18 @@ class EfsAccessPointOptionsValidator(Validator):
     IAM Authorization requires Encryption in Transit.
     """
 
-    def _validate(self,  access_point_id: str, file_system_id: str):
+    def _validate(self,  access_point_id: str, file_system_id: str, encryption_in_transit: bool):
 
         if access_point_id and not file_system_id:
             self._add_failure(
                 "An access point can only be specified when using an existing EFS file system. "
                 f"Please either remove the access point id {access_point_id} or provide the file system id for the access point",
                 FailureLevel.ERROR,
             )
+
+        if access_point_id and not encryption_in_transit:
+            self._add_failure(
+                "An access point can only be specified when encryption in transit is enabled. "
+                f"Please either remove the access point id {access_point_id} or enable encryption in transit.",
+                FailureLevel.ERROR,
+            )
diff --git a/cli/tests/pcluster/validators/test_efs_validators.py b/cli/tests/pcluster/validators/test_efs_validators.py
@@ -79,7 +79,35 @@ def test_efs_mount_options_validator(
     ],
 )
 def test_efs_access_point_with_filesystem_validator(access_point_id, file_system_id, expected_message):
-    actual_failures = EfsAccessPointOptionsValidator().execute(access_point_id, file_system_id)
+    actual_failures = EfsAccessPointOptionsValidator().execute(access_point_id, file_system_id, True)
     assert_failure_messages(actual_failures, expected_message)
 
-
+@pytest.mark.parametrize(
+    "access_point_id, encryption_in_transit, expected_message",
+    [
+        (
+            None,
+            False,
+            None,
+        ),
+        (
+            "<access_point_id>",
+            False,
+            "An access point can only be specified when encryption in transit is enabled. "
+            "Please either remove the access point id <access_point_id> or enable encryption in transit.",
+        ),
+        (
+            "<access_point_id>",
+            True,
+            None,
+        ),
+        (
+            None,
+            True,
+            None,
+        ),
+    ],
+)
+def test_efs_access_point_with_filesystem_validator(access_point_id, encryption_in_transit, expected_message):
+    actual_failures = EfsAccessPointOptionsValidator().execute(access_point_id, "<file-system-id>", encryption_in_transit)
+    assert_failure_messages(actual_failures, expected_message)

Original file line number	Diff line number	Diff line change
`@@ -406,6 +406,7 @@ def _register_validators(self, context: ValidatorContext = None): # noqa: D102`
`406`	`406`	`EfsAccessPointOptionsValidator,`
`407`	`407`	`access_point_id=self.access_point_id,`
`408`	`408`	`file_system_id=self.file_system_id,`
	`409`	`+ encryption_in_transit=self.encryption_in_transit`
`409`	`410`	`)`
`410`	`411`
`411`	`412`	`class BaseSharedFsx(Resource):`