aws
diff --git a/‎packages/@aws-cdk-testing/framework-integ/test/aws-s3files/test/integ.s3files-filesystem.ts‎
Lines changed: 31 additions & 0 deletions b/‎packages/@aws-cdk-testing/framework-integ/test/aws-s3files/test/integ.s3files-filesystem.ts‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎packages/aws-cdk-lib/aws-s3files/README.md‎
Lines changed: 177 additions & 17 deletions b/‎packages/aws-cdk-lib/aws-s3files/README.md‎
Lines changed: 177 additions & 17 deletions
diff --git a/‎packages/aws-cdk-lib/aws-s3files/grants.json‎
Lines changed: 36 additions & 0 deletions b/‎packages/aws-cdk-lib/aws-s3files/grants.json‎
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,31 @@
+import * as cdk from 'aws-cdk-lib';
+import { RemovalPolicies } from 'aws-cdk-lib';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import { FileSystem } from 'aws-cdk-lib/aws-s3files';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'test-s3files-filesystem-integ');
+
+const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 2 });
+const bucket = new s3.Bucket(stack, 'Bucket', {
+  autoDeleteObjects: true,
+});
+
+const fileSystem = new FileSystem(stack, 'FileSystem', {
+  bucket,
+  vpc,
+});
+
+fileSystem.addAccessPoint('AccessPoint', {
+  path: '/data',
+  createAcl: { ownerUid: '1000', ownerGid: '1000', permissions: '0755' },
+  posixUser: { uid: '1000', gid: '1000' },
+});
+
+RemovalPolicies.of(app).applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);
+
+new integ.IntegTest(app, 'test-s3files-filesystem-integ-test', {
+  testCases: [stack],
+});
@@ -1,39 +1,199 @@
-# AWS::S3Files Construct Library
+# Amazon S3 Files Construct Library
 <!--BEGIN STABILITY BANNER-->
 
 ---
 
 ![cfn-resources: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
 
-> All classes with the `Cfn` prefix in this module ([CFN Resources]) are always stable and safe to use.
->
-> [CFN Resources]: https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib
+![cdk-constructs: Stable](https://img.shields.io/badge/cdk--constructs-stable-success.svg?style=for-the-badge)
 
 ---
 
 <!--END STABILITY BANNER-->
 
-This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project.
+[Amazon S3 Files](https://aws.amazon.com/s3/) lets you mount an Amazon S3 bucket as
+a POSIX file system on EC2 instances in a VPC. This module provides L2 constructs for the
+`AWS::S3Files::FileSystem`, `AWS::S3Files::AccessPoint`, `AWS::S3Files::MountTarget`, and
+`AWS::S3Files::FileSystemPolicy` CloudFormation resources.
 
-```ts nofixture
-import * as s3files from 'aws-cdk-lib/aws-s3files';
+## Create an S3 Files file system
+
+In its simplest form, an S3 Files file system needs an S3 bucket and a VPC. A mount target
+is created in each Availability Zone of the VPC, and an IAM service role is generated
+automatically with read/write access to the bucket.
+
+```ts
+const vpc = new ec2.Vpc(this, 'Vpc');
+const bucket = new s3.Bucket(this, 'Bucket');
+
+const fileSystem = new s3files.FileSystem(this, 'FileSystem', {
+  bucket,
+  vpc,
+});
+```
+
+By default, the file system has a `RemovalPolicy.RETAIN` removal policy. To allow CDK
+to delete the file system on stack removal, set `removalPolicy` to `DESTROY`.
+
+```ts
+declare const bucket: s3.IBucket;
+declare const vpc: ec2.IVpc;
+
+new s3files.FileSystem(this, 'FileSystem', {
+  bucket,
+  vpc,
+  removalPolicy: RemovalPolicy.DESTROY,
+});
+```
+
+## Limit the file system to a bucket prefix
+
+Use `prefix` to scope the file system to a key prefix within the bucket. Set
+`acceptBucketWarning` if the AWS service emits a warning that the bucket has properties
+that may incur additional cost or latency.
+
+```ts
+declare const bucket: s3.IBucket;
+declare const vpc: ec2.IVpc;
+
+new s3files.FileSystem(this, 'FileSystem', {
+  bucket,
+  vpc,
+  prefix: 'projects/team-a',
+  acceptBucketWarning: true,
+});
+```
+
+## Synchronization configuration
+
+Synchronization rules describe which objects to import into the file system and when to
+expire them. Sizes are expressed with `Size`, durations with `Duration`.
+
+```ts
+declare const bucket: s3.IBucket;
+declare const vpc: ec2.IVpc;
+
+new s3files.FileSystem(this, 'FileSystem', {
+  bucket,
+  vpc,
+  synchronizationConfiguration: {
+    importDataRules: [{
+      prefix: 'incoming',
+      sizeLessThan: Size.gibibytes(10),
+      trigger: s3files.ImportDataTrigger.CONTINUOUS,
+    }],
+    expirationDataRules: [{
+      afterLastAccess: Duration.days(30),
+    }],
+  },
+});
 ```
 
-<!--BEGIN CFNONLY DISCLAIMER-->
+## Custom IAM role
 
-There are no official hand-written ([L2](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib)) constructs for this service yet. Here are some suggestions on how to proceed:
+By default, a service role is created with permissions scoped to the bucket (and
+`prefix` when set). To use an existing role, pass it via `role`.
+
+```ts
+declare const bucket: s3.IBucket;
+declare const vpc: ec2.IVpc;
+declare const role: iam.IRole;
+
+new s3files.FileSystem(this, 'FileSystem', {
+  bucket,
+  vpc,
+  role,
+});
+```
 
-- Search [Construct Hub for S3Files construct libraries](https://constructs.dev/search?q=s3files)
-- Use the automatically generated [L1](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_l1_using) constructs, in the same way you would use [the CloudFormation AWS::S3Files resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_S3Files.html) directly.
+## Encryption with a customer managed KMS key
 
+Provide a KMS key when the bucket is encrypted with SSE-KMS. The service role is granted
+`kms:Decrypt` and `kms:GenerateDataKey` scoped via the `kms:ViaService` condition.
 
-<!--BEGIN CFNONLY DISCLAIMER-->
+```ts
+declare const bucket: s3.IBucket;
+declare const vpc: ec2.IVpc;
+declare const key: kms.IKey;
 
-There are no hand-written ([L2](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib)) constructs for this service yet. 
-However, you can still use the automatically generated [L1](https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_l1_using) constructs, and use this service exactly as you would using CloudFormation directly.
+new s3files.FileSystem(this, 'FileSystem', {
+  bucket,
+  vpc,
+  kmsKey: key,
+});
+```
+
+## Resource (file system) policy
+
+A file system can have an attached resource policy. You can pass an initial document
+through `resourcePolicy`, and add statements later with `addToResourcePolicy()`.
+
+```ts fixture=with-filesystem
+fileSystem.addToResourcePolicy(new iam.PolicyStatement({
+  actions: ['s3files:ClientMount'],
+  principals: [new iam.AccountPrincipal('123456789012')],
+  resources: ['*'],
+}));
+```
 
-For more information on the resources and properties available for this service, see the [CloudFormation documentation for AWS::S3Files](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_S3Files.html).
+## Granting permissions
 
-(Read the [CDK Contributing Guide](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and submit an RFC if you are interested in contributing to this construct library.)
+Grants are exposed as a Facade on the file system: `fileSystem.grants`. Each method
+returns an `iam.Grant`.
 
-<!--END CFNONLY DISCLAIMER-->
+```ts fixture=with-filesystem
+declare const taskRole: iam.IRole;
+
+fileSystem.grants.mount(taskRole);
+fileSystem.grants.write(taskRole);
+fileSystem.grants.rootAccess(taskRole);
+```
+
+For custom action sets, use `actions()`:
+
+```ts fixture=with-filesystem
+declare const taskRole: iam.IRole;
+
+fileSystem.grants.actions(taskRole, ['s3files:DescribeFileSystem']);
+```
+
+## Access points
+
+An access point exposes a sub-tree of the file system with a fixed POSIX identity. Use
+`addAccessPoint()` to create one against an existing file system.
+
+```ts fixture=with-filesystem
+fileSystem.addAccessPoint('AccessPoint', {
+  path: '/projects/team-a',
+  createAcl: { ownerUid: '1000', ownerGid: '1000', permissions: '0755' },
+  posixUser: { uid: '1000', gid: '1000' },
+});
+```
+
+You can also import an existing access point.
+
+```ts
+const ap = s3files.AccessPoint.fromAccessPointId(this, 'ImportedAP', 'fsap-1234567890abcdef0');
+```
+
+## Connecting from EC2
+
+The file system is `IConnectable` and exposes a security group through `connections`.
+Allow traffic from your instances on the default port (NFS/2049):
+
+```ts fixture=with-filesystem
+declare const instance: ec2.Instance;
+fileSystem.connections.allowDefaultPortFrom(instance);
+```
+
+## Importing an existing file system
+
+```ts
+declare const vpc: ec2.IVpc;
+const sg = new ec2.SecurityGroup(this, 'SG', { vpc });
+
+const imported = s3files.FileSystem.fromFileSystemAttributes(this, 'Imported', {
+  fileSystemId: 'fs-1234567890abcdef0',
+  securityGroup: sg,
+});
+```
@@ -0,0 +1,36 @@
+{
+  "resources": {
+    "FileSystem": {
+      "hasResourcePolicy": true,
+      "grants": {
+        "mount": {
+          "actions": [
+            "s3files:ClientMount"
+          ],
+          "docSummary": "Grant the ability to mount this file system"
+        },
+        "read": {
+          "actions": [
+            "s3files:ClientMount"
+          ],
+          "docSummary": "Grant read (mount) access to this file system"
+        },
+        "write": {
+          "actions": [
+            "s3files:ClientMount",
+            "s3files:ClientWrite"
+          ],
+          "docSummary": "Grant read/write access to this file system"
+        },
+        "rootAccess": {
+          "actions": [
+            "s3files:ClientMount",
+            "s3files:ClientWrite",
+            "s3files:ClientRootAccess"
+          ],
+          "docSummary": "Grant root-level access to this file system"
+        }
+      }
+    }
+  }
+}