feat(efs): allow AccessPoint to set client token

packages/@aws-cdk-testing/framework-integ/test/aws-efs/test/integ.efs.js.snapshot/test-efs-integ.template.json

@@ -458,6 +458,7 @@
       "Value": "test-efs-integ/FileSystem/AccessPoint"
      }
     ],
+    "ClientToken": "client-token",
     "FileSystemId": {
      "Ref": "FileSystem8A8E25C0"
     },

packages/@aws-cdk-testing/framework-integ/test/aws-efs/test/integ.efs.ts

@@ -24,6 +24,7 @@ fileSystem.addAccessPoint('AccessPoint', {
     gid: '1000',
     uid: '1000',
   },
+  clientToken: 'client-token',
 });
 
 new integ.IntegTest(app, 'test-efs-integ-test', {

packages/aws-cdk-lib/aws-efs/README.md

@@ -217,7 +217,10 @@ the access point can only access data in its own directory and below. To learn m
 Use the `addAccessPoint` API to create an access point from a fileSystem.
 
 ```ts fixture=with-filesystem-instance
-fileSystem.addAccessPoint('AccessPoint');
+fileSystem.addAccessPoint('MyAccessPoint', {
+  // create a unique access point via an optional client token
+  clientToken: 'client-token',
+});
 ```
 
 By default, when you create an access point, the root(`/`) directory is exposed to the client

packages/aws-cdk-lib/aws-efs/lib/access-point.ts

@@ -1,7 +1,7 @@
 import { Construct } from 'constructs';
 import { IFileSystem } from './efs-file-system';
 import { CfnAccessPoint } from './efs.generated';
-import { ArnFormat, IResource, Resource, Stack, Tags } from '../../core';
+import { ArnFormat, IResource, Resource, Stack, Tags, Token } from '../../core';
 
 /**
  * Represents an EFS AccessPoint
@@ -102,6 +102,15 @@ export interface AccessPointOptions {
    * @default - user identity not enforced
    */
   readonly posixUser?: PosixUser;
+
+  /**
+   * The opaque string specified in the request to ensure idempotent creation.
+   *
+   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-accesspoint.html#cfn-efs-accesspoint-clienttoken
+   *
+   * @default - No client token
+   */
+  readonly clientToken?: string;
 }
 
 /**
@@ -201,6 +210,11 @@ export class AccessPoint extends AccessPointBase {
   constructor(scope: Construct, id: string, props: AccessPointProps) {
     super(scope, id);
 
+    const clientToken = props.clientToken;
+    if ((clientToken?.length === 0 || (clientToken && clientToken.length > 64)) && !Token.isUnresolved(clientToken)) {
+      throw new Error(`The length of \'clientToken\' must range from 1 to 64 characters, got: ${clientToken.length} characters`);
+    }
+
     const resource = new CfnAccessPoint(this, 'Resource', {
       fileSystemId: props.fileSystem.fileSystemId,
       rootDirectory: {
@@ -216,6 +230,7 @@ export class AccessPoint extends AccessPointBase {
         gid: props.posixUser.gid,
         secondaryGids: props.posixUser.secondaryGids,
       } : undefined,
+      clientToken,
     });
 
     Tags.of(this).add('Name', this.node.path);

packages/aws-cdk-lib/aws-efs/test/access-point.test.ts

@@ -50,6 +50,35 @@ test('support tags for AccessPoint', () => {
   });
 });
 
+test('allow client token to be set for AccessPoint', () => {
+  // WHEN
+  new AccessPoint(stack, 'MyAccessPoint', {
+    fileSystem,
+    clientToken: 'client-token',
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::EFS::AccessPoint', {
+    ClientToken: 'client-token',
+  });
+});
+
+test('throw when client token has a length that is less than 1', () => {
+  expect(() => new AccessPoint(stack, 'MyAccessPoint', {
+    fileSystem,
+    clientToken: '',
+  },
+  )).toThrow(/The length of \'clientToken\' must range from 1 to 64 characters, got: 0 characters/);
+});
+
+test('throw when client token has a length that is greater than 64', () => {
+  expect(() => new AccessPoint(stack, 'MyAccessPoint', {
+    fileSystem,
+    clientToken: 'a'.repeat(65),
+  },
+  )).toThrow(/The length of \'clientToken\' must range from 1 to 64 characters, got: 65 characters/);
+});
+
 test('import an AccessPoint using fromAccessPointId', () => {
   // WHEN
   const ap = new AccessPoint(stack, 'MyAccessPoint', {