Awesome

AWS EFS Terraform module

Terraform module which creates AWS EFS (elastic file system) resources.

Usage

See examples directory for working examples to reference:

module "efs" {
  source = "terraform-aws-modules/efs/aws"

  # File system
  name           = "example"
  creation_token = "example-token"
  encrypted      = true
  kms_key_arn    = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

  # performance_mode                = "maxIO"
  # NB! PROVISIONED TROUGHPUT MODE WITH 256 MIBPS IS EXPENSIVE ~$1500/month
  # throughput_mode                 = "provisioned"
  # provisioned_throughput_in_mibps = 256

  lifecycle_policy = {
    transition_to_ia = "AFTER_30_DAYS"
  }

  # File system policy
  attach_policy                      = true
  bypass_policy_lockout_safety_check = false
  policy_statements = [
    {
      sid     = "Example"
      actions = ["elasticfilesystem:ClientMount"]
      principals = [
        {
          type        = "AWS"
          identifiers = ["arn:aws:iam::111122223333:role/EfsReadOnly"]
        }
      ]
    }
  ]

  # Mount targets / security group
  mount_targets = {
    "eu-west-1a" = {
      subnet_id = "subnet-abcde012"
    }
    "eu-west-1b" = {
      subnet_id = "subnet-bcde012a"
    }
    "eu-west-1c" = {
      subnet_id = "subnet-fghi345a"
    }
  }
  security_group_description = "Example EFS security group"
  security_group_vpc_id      = "vpc-1234556abcdef"
  security_group_rules = {
    vpc = {
      # relying on the defaults provdied for EFS/NFS (2049/TCP + ingress)
      description = "NFS ingress from VPC private subnets"
      cidr_blocks = ["10.99.3.0/24", "10.99.4.0/24", "10.99.5.0/24"]
    }
  }

  # Access point(s)
  access_points = {
    posix_example = {
      name = "posix-example"
      posix_user = {
        gid            = 1001
        uid            = 1001
        secondary_gids = [1002]
      }

      tags = {
        Additionl = "yes"
      }
    }
    root_example = {
      root_directory = {
        path = "/example"
        creation_info = {
          owner_gid   = 1001
          owner_uid   = 1001
          permissions = "755"
        }
      }
    }
  }

  # Backup policy
  enable_backup_policy = true

  # Replication configuration
  create_replication_configuration = true
  replication_configuration_destination = {
    region = "eu-west-2"
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Complete

Requirements

Name	Version
<a name="requirement_terraform"></a> terraform	>= 1.0
<a name="requirement_aws"></a> aws	>= 5.35

Providers

Name	Version
<a name="provider_aws"></a> aws	>= 5.35

Modules

No modules.

Resources

Name	Type
aws_efs_access_point.this	resource
aws_efs_backup_policy.this	resource
aws_efs_file_system.this	resource
aws_efs_file_system_policy.this	resource
aws_efs_mount_target.this	resource
aws_efs_replication_configuration.this	resource
aws_security_group.this	resource
aws_security_group_rule.this	resource
aws_iam_policy_document.policy	data source

Inputs

Name	Description	Type	Default	Required
<a name="input_access_points"></a> access_points	A map of access point definitions to create	`any`	`{}`	no
<a name="input_attach_policy"></a> attach_policy	Determines whether a policy is attached to the file system	`bool`	`true`	no
<a name="input_availability_zone_name"></a> availability_zone_name	The AWS Availability Zone in which to create the file system. Used to create a file system that uses One Zone storage classes	`string`	`null`	no
<a name="input_bypass_policy_lockout_safety_check"></a> bypass_policy_lockout_safety_check	A flag to indicate whether to bypass the `aws_efs_file_system_policy` lockout safety check. Defaults to `false`	`bool`	`null`	no
<a name="input_create"></a> create	Determines whether resources will be created (affects all resources)	`bool`	`true`	no
<a name="input_create_backup_policy"></a> create_backup_policy	Determines whether a backup policy is created	`bool`	`true`	no
<a name="input_create_replication_configuration"></a> create_replication_configuration	Determines whether a replication configuration is created	`bool`	`false`	no
<a name="input_create_security_group"></a> create_security_group	Determines whether a security group is created	`bool`	`true`	no
<a name="input_creation_token"></a> creation_token	A unique name (a maximum of 64 characters are allowed) used as reference when creating the Elastic File System to ensure idempotent file system creation. By default generated by Terraform	`string`	`null`	no
<a name="input_deny_nonsecure_transport"></a> deny_nonsecure_transport	Determines whether `aws:SecureTransport` is required when connecting to elastic file system	`bool`	`true`	no
<a name="input_enable_backup_policy"></a> enable_backup_policy	Determines whether a backup policy is `ENABLED` or `DISABLED`	`bool`	`true`	no
<a name="input_encrypted"></a> encrypted	If `true`, the disk will be encrypted	`bool`	`true`	no
<a name="input_kms_key_arn"></a> kms_key_arn	The ARN for the KMS encryption key. When specifying `kms_key_arn`, encrypted needs to be set to `true`	`string`	`null`	no
<a name="input_lifecycle_policy"></a> lifecycle_policy	A file system lifecycle policy object	`any`	`{}`	no
<a name="input_mount_targets"></a> mount_targets	A map of mount target definitions to create	`any`	`{}`	no
<a name="input_name"></a> name	The name of the file system	`string`	`""`	no
<a name="input_override_policy_documents"></a> override_policy_documents	List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`	`list(string)`	`[]`	no
<a name="input_performance_mode"></a> performance_mode	The file system performance mode. Can be either `generalPurpose` or `maxIO`. Default is `generalPurpose`	`string`	`null`	no
<a name="input_policy_statements"></a> policy_statements	A list of IAM policy statements for custom permission usage	`any`	`[]`	no
<a name="input_provisioned_throughput_in_mibps"></a> provisioned_throughput_in_mibps	The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with `throughput_mode` set to `provisioned`	`number`	`null`	no
<a name="input_replication_configuration_destination"></a> replication_configuration_destination	A destination configuration block	`any`	`{}`	no
<a name="input_security_group_description"></a> security_group_description	Security group description. Defaults to Managed by Terraform	`string`	`null`	no
<a name="input_security_group_name"></a> security_group_name	Name to assign to the security group. If omitted, Terraform will assign a random, unique name	`string`	`null`	no
<a name="input_security_group_rules"></a> security_group_rules	Map of security group rule definitions to create	`any`	`{}`	no
<a name="input_security_group_use_name_prefix"></a> security_group_use_name_prefix	Determines whether to use a name prefix for the security group. If `true`, the `security_group_name` value will be used as a prefix	`bool`	`false`	no
<a name="input_security_group_vpc_id"></a> security_group_vpc_id	The VPC ID where the security group will be created	`string`	`null`	no
<a name="input_source_policy_documents"></a> source_policy_documents	List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s	`list(string)`	`[]`	no
<a name="input_tags"></a> tags	A map of tags to add to all resources	`map(string)`	`{}`	no
<a name="input_throughput_mode"></a> throughput_mode	Throughput mode for the file system. Defaults to `bursting`. Valid values: `bursting`, `elastic`, and `provisioned`. When using `provisioned`, also set `provisioned_throughput_in_mibps`	`string`	`null`	no

Outputs

Name	Description
<a name="output_access_points"></a> access_points	Map of access points created and their attributes
<a name="output_arn"></a> arn	Amazon Resource Name of the file system
<a name="output_dns_name"></a> dns_name	The DNS name for the filesystem per documented convention
<a name="output_id"></a> id	The ID that identifies the file system (e.g., `fs-ccfc0d65`)
<a name="output_mount_targets"></a> mount_targets	Map of mount targets created and their attributes
<a name="output_replication_configuration_destination_file_system_id"></a> replication_configuration_destination_file_system_id	The file system ID of the replica
<a name="output_security_group_arn"></a> security_group_arn	ARN of the security group
<a name="output_security_group_id"></a> security_group_id	ID of the security group
<a name="output_size_in_bytes"></a> size_in_bytes	The latest known metered size (in bytes) of data stored in the file system, the value is not the exact size that the file system was at any point in time

License

Apache-2.0 Licensed. See LICENSE.