From fd90aa2fa4a0d67e2aa2172d8833ae569ce5adce Mon Sep 17 00:00:00 2001
From: maz
Date: Sun, 2 Mar 2025 20:41:38 +0900
Subject: [PATCH] unit test
---
 .../aws-efs/test/efs-file-system.test.ts | 81 ++++++++++++++++++-
 1 file changed, 80 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-efs/test/efs-file-system.test.ts b/packages/aws-cdk-lib/aws-efs/test/efs-file-system.test.ts
index 58df6c997f62b..ee949fdd810a9 100644
--- a/packages/aws-cdk-lib/aws-efs/test/efs-file-system.test.ts
+++ b/packages/aws-cdk-lib/aws-efs/test/efs-file-system.test.ts
@@ -1005,7 +1005,7 @@ test('one zone file system with vpcSubnets.availabilityZones empty.', () => {
 test.each([
 ReplicationOverwriteProtection.ENABLED,
 ReplicationOverwriteProtection.DISABLED,
-])('create read-only file system for replication destination', ( replicationOverwriteProtection ) => {
+])('create read-only file system for replication destination', (replicationOverwriteProtection) => {
 // WHEN
 new FileSystem(stack, 'EfsFileSystem', {
 vpc,
@@ -1106,3 +1106,82 @@ describe('replication configuration', () => {
 }).toThrow('Cannot configure \'replicationConfiguration\' when \'replicationOverwriteProtection\' is set to \'DISABLED\'');
 });
 });
+
+describe('test EFS_DEFAULT_ALLOW_CLIENT_MOUNT feature flag', () => {
+ test.each([false, undefined])('FileSystem Policy should not include ClientMount action when flag is %s', (value) => {
+ // WHEN
+ const app = new App({
+ context: {
+ [cxapi.EFS_DEFAULT_ALLOW_CLIENT_MOUNT]: value,
+ },
+ });
+ const customStack = new Stack(app);
+ const customVpc = new ec2.Vpc(customStack, 'VPC');
+ new FileSystem(customStack, 'EfsFileSystem', {
+ vpc: customVpc,
+ allowAnonymousAccess: false,
+ });
+
+ // THEN
+ Template.fromStack(customStack).hasResourceProperties('AWS::EFS::FileSystem', {
+ FileSystemPolicy: {
+ Statement: [
+ {
+ Effect: 'Allow',
+ Principal: {
+ AWS: '*',
+ },
+ Action: [
+ 'elasticfilesystem:ClientWrite',
+ 'elasticfilesystem:ClientRootAccess',
+ ],
+ Condition: {
+ Bool: {
+ 'elasticfilesystem:AccessedViaMountTarget': 'true',
+ },
+ },
+ },
+ ],
+ },
+ });
+ });
+
+ test('FileSystem Policy should include ClientMount action when flag is true', () => {
+ // WHEN
+ const app = new App({
+ context: {
+ [cxapi.EFS_DEFAULT_ALLOW_CLIENT_MOUNT]: true,
+ },
+ });
+ const customStack = new Stack(app);
+ const customVpc = new ec2.Vpc(customStack, 'VPC');
+ new FileSystem(customStack, 'EfsFileSystem', {
+ vpc: customVpc,
+ allowAnonymousAccess: false,
+ });
+
+ // THEN
+ Template.fromStack(customStack).hasResourceProperties('AWS::EFS::FileSystem', {
+ FileSystemPolicy: {
+ Statement: [
+ {
+ Effect: 'Allow',
+ Principal: {
+ AWS: '*',
+ },
+ Action: [
+ 'elasticfilesystem:ClientMount',
+ 'elasticfilesystem:ClientWrite',
+ 'elasticfilesystem:ClientRootAccess',
+ ],
+ Condition: {
+ Bool: {
+ 'elasticfilesystem:AccessedViaMountTarget': 'true',
+ },
+ },
+ },
+ ],
+ },
+ });
+ });
+});
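Review bot: Both new tests construct the file system with `allowAnonymousAccess: false`, so the suite pins what the flag does to the default statement for `Principal: { AWS: '*' }` but not that the flag leaves other configurations untouched. Because the flag changes the actions granted to a wildcard principal, I would add a case with the flag set to `true` together with `allowAnonymousAccess: true` (or a caller-supplied policy) and assert the intended policy there; the implementation is not part of this patch, so the expected value has to be confirmed against it. The two tests also differ only in the flag value and one `Action` entry and would read better as one table, e.g. `test.each([[false, withoutMount], [undefined, withoutMount], [true, withMount]])`. Passing `undefined` as the context value presumably behaves like leaving the key unset, but a plain `new App()` case would pin the default directly.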