feat(efs): graduate to stable 🚀

packages/@aws-cdk/aws-efs/README.md

@@ -5,17 +5,7 @@
 
 ![cfn-resources: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
 
-> All classes with the `Cfn` prefix in this module ([CFN Resources]) are always stable and safe to use.
->
-> [CFN Resources]: https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib
-
-![cdk-constructs: Experimental](https://img.shields.io/badge/cdk--constructs-experimental-important.svg?style=for-the-badge)
-
-> The APIs of higher level constructs in this module are experimental and under active development.
-> They are subject to non-backward compatible changes or removal in any future version. These are
-> not subject to the [Semantic Versioning](https://semver.org/) model and breaking changes will be
-> announced in the release notes. This means that while you may use them, you may need to update
-> your source code when upgrading to a newer version of this package.
+![cdk-constructs: Stable](https://img.shields.io/badge/cdk--constructs-stable-success.svg?style=for-the-badge)
 
 ---
 
@@ -44,15 +34,19 @@ Access (IA) storage class.
 ```ts
 const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {
   vpc: new ec2.Vpc(this, 'VPC'),
-  encrypted: true, // file system is not encrypted by default
+  encrypted: true,
   lifecyclePolicy: efs.LifecyclePolicy.AFTER_14_DAYS, // files are not transitioned to infrequent access (IA) storage by default
   performanceMode: efs.PerformanceMode.GENERAL_PURPOSE, // default
 });
 ```
-
 ⚠️ An Amazon EFS file system's performance mode can't be changed after the file system has been created.
 Updating this property will replace the file system.
 
+#### Encryption
+
+Encryption behavior is controlled via the `@aws-cdk/aws-efs:defaultEncryptionAtRest` context key. When set to `true`, encryption is enabled by default and the `encrypted` property can be omitted.
+Otherwise, explicitly set `encryption: true` to enable encryption.
+
 ### Access Point
 
 An access point is an application-specific view into an EFS file system that applies an operating

packages/@aws-cdk/aws-efs/lib/efs-file-system.ts

@@ -1,6 +1,7 @@
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as kms from '@aws-cdk/aws-kms';
-import { ConcreteDependable, IDependable, IResource, RemovalPolicy, Resource, Size, Tags } from '@aws-cdk/core';
+import { FeatureFlags, ConcreteDependable, IDependable, IResource, RemovalPolicy, Resource, Size, Tags } from '@aws-cdk/core';
+import * as cxapi from '@aws-cdk/cx-api';
 import { Construct } from 'constructs';
 import { AccessPoint, AccessPointOptions } from './access-point';
 import { CfnFileSystem, CfnMountTarget } from './efs.generated';
@@ -122,7 +123,7 @@ export interface FileSystemProps {
   /**
    * Defines if the data at rest in the file system is encrypted or not.
    *
-   * @default false
+   * @default - if '@aws-cdk/aws-efs:defaultEncryptionAtRest' is enabled, the default is true. Otherwise, the default is false.
    */
   readonly encrypted?: boolean;
 
@@ -249,8 +250,10 @@ export class FileSystem extends Resource implements IFileSystem {
       throw new Error('Property provisionedThroughputPerSecond is required when throughputMode is PROVISIONED');
     }
 
+    const encrypted = props.encrypted ?? FeatureFlags.of(this).isEnabled(cxapi.EFS_DEFAULT_ENCRYPTION_AT_REST);
+
     const filesystem = new CfnFileSystem(this, 'Resource', {
-      encrypted: props.encrypted,
+      encrypted: encrypted,
       kmsKeyId: props.kmsKey?.keyArn,
       lifecyclePolicies: (props.lifecyclePolicy ? [{ transitionToIa: props.lifecyclePolicy }] : undefined),
       performanceMode: props.performanceMode,

packages/@aws-cdk/aws-efs/package.json

@@ -103,8 +103,8 @@
       "resource-attribute:@aws-cdk/aws-efs.FileSystem.fileSystemArn"
     ]
   },
-  "stability": "experimental",
-  "maturity": "experimental",
+  "stability": "stable",
+  "maturity": "stable",
   "awscdkio": {
     "announce": false
   },

packages/@aws-cdk/aws-efs/test/efs-file-system.test.ts

@@ -2,6 +2,7 @@ import { expect as expectCDK, haveResource, ResourcePart, countResources } from
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as kms from '@aws-cdk/aws-kms';
 import { RemovalPolicy, Size, Stack, Tags } from '@aws-cdk/core';
+import * as cxapi from '@aws-cdk/cx-api';
 import { FileSystem, LifecyclePolicy, PerformanceMode, ThroughputMode } from '../lib';
 
 let stack = new Stack();
@@ -12,6 +13,53 @@ beforeEach(() => {
   vpc = new ec2.Vpc(stack, 'VPC');
 });
 
+test(`when ${cxapi.EFS_DEFAULT_ENCRYPTION_AT_REST} is enabled, encryption is enabled by default`, () => {
+
+  const customStack = new Stack();
+  customStack.node.setContext(cxapi.EFS_DEFAULT_ENCRYPTION_AT_REST, true);
+
+  const customVpc = new ec2.Vpc(customStack, 'VPC');
+  new FileSystem(customVpc, 'EfsFileSystem', {
+    vpc: customVpc,
+  });
+
+  expectCDK(customStack).to(haveResource('AWS::EFS::FileSystem', {
+    Encrypted: true,
+  }));
+
+});
+
+test(`when ${cxapi.EFS_DEFAULT_ENCRYPTION_AT_REST} is disabled, encryption is disabled by default`, () => {
+
+  const customStack = new Stack();
+  customStack.node.setContext(cxapi.EFS_DEFAULT_ENCRYPTION_AT_REST, false);
+
+  const customVpc = new ec2.Vpc(customStack, 'VPC');
+  new FileSystem(customVpc, 'EfsFileSystem', {
+    vpc: customVpc,
+  });
+
+  expectCDK(customStack).to(haveResource('AWS::EFS::FileSystem', {
+    Encrypted: false,
+  }));
+
+});
+
+test(`when ${cxapi.EFS_DEFAULT_ENCRYPTION_AT_REST} is missing, encryption is disabled by default`, () => {
+
+  const customStack = new Stack();
+
+  const customVpc = new ec2.Vpc(customStack, 'VPC');
+  new FileSystem(customVpc, 'EfsFileSystem', {
+    vpc: customVpc,
+  });
+
+  expectCDK(customStack).to(haveResource('AWS::EFS::FileSystem', {
+    Encrypted: false,
+  }));
+
+});
+
 test('default file system is created correctly', () => {
   // WHEN
   new FileSystem(stack, 'EfsFileSystem', {

packages/@aws-cdk/aws-efs/test/integ.efs.expected.json

@@ -453,6 +453,7 @@
     "FileSystem8A8E25C0": {
       "Type": "AWS::EFS::FileSystem",
       "Properties": {
+        "Encrypted": true,
         "FileSystemTags": [
           {
             "Key": "Name",

packages/@aws-cdk/cx-api/lib/features.ts

@@ -135,6 +135,12 @@ export const RDS_LOWERCASE_DB_IDENTIFIER = '@aws-cdk/aws-rds:lowercaseDbIdentifi
  */
 export const APIGATEWAY_USAGEPLANKEY_ORDERINSENSITIVE_ID = '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId';
 
+/**
+ * Enable this feature flag to have elastic file systems encrypted at rest by default.
+ *
+ * Encryption can also be configured explicitly using the `encrypted` property.
+ */
+export const EFS_DEFAULT_ENCRYPTION_AT_REST = '@aws-cdk/aws-efs:defaultEncryptionAtRest';
 /**
  * This map includes context keys and values for feature flags that enable
  * capabilities "from the future", which we could not introduce as the default
@@ -159,6 +165,7 @@ export const FUTURE_FLAGS: { [key: string]: any } = {
   [S3_GRANT_WRITE_WITHOUT_ACL]: true,
   [ECS_REMOVE_DEFAULT_DESIRED_COUNT]: true,
   [RDS_LOWERCASE_DB_IDENTIFIER]: true,
+  [EFS_DEFAULT_ENCRYPTION_AT_REST]: true,
 
   // We will advertise this flag when the feature is complete
   // [NEW_STYLE_STACK_SYNTHESIS_CONTEXT]: 'true',
@@ -187,6 +194,7 @@ const FUTURE_FLAGS_DEFAULTS: { [key: string]: boolean } = {
   [S3_GRANT_WRITE_WITHOUT_ACL]: false,
   [ECS_REMOVE_DEFAULT_DESIRED_COUNT]: false,
   [RDS_LOWERCASE_DB_IDENTIFIER]: false,
+  [EFS_DEFAULT_ENCRYPTION_AT_REST]: false,
 };
 
 export function futureFlagDefault(flag: string): boolean {