This Terraform module facilitates the creation of an AWS Elastic File System, complete with the capability to incorporate additional configurations.
- Ensures adherence to AWS security standards through the integration of checkov for code compliance scanning.
- The following features are included in the module:
  - Module-based security group with dynamic rule configuration capabilities
  - EFS file system policy feature, which can be customized further depending on the required permissions
  - EFS backup policy
  - Encryption
- Provides ease of setup and utilization through clear instructions and examples.
Examples available here
Note on Security Group Usage
- To create a security group for EFS using this module, set the `create_security_group` argument to `true`.
- To provide custom security group rules for the security group created by the module, use the `security_group_ingress` block (see complete example).
- To provide an external security group that is already configured for EFS, use the `external_security_groups` block and provide the security group IDs. This allows you to use one or more security groups.
NOTE: These examples use the latest version of this module
```hcl
module "complete_efs" {
  source  = "boldlink/efs/aws"
  version = "<provide_module_version_here>"

  creation_token = "minimum-efs-example"
  tags = {
    Environment        = "examples"
    "user::CostCenter" = "terraform-registry"
  }
}
```
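As an added example (not from the module's own README or examples), the stack below combines the inputs documented here into a hardened configuration: an externally managed security group that only admits NFS from the application's security group, encryption at rest with a customer-managed key, and a file system policy that refuses unencrypted sessions and withholds root access. `var.vpc_id`, `var.subnet_ids`, `var.client_sg_id` and `var.kms_key_arn` are placeholders for your environment; the policy uses the standard AWS condition keys `aws:SecureTransport` and `elasticfilesystem:AccessedViaMountTarget`.

```hcl
# Network side: only the application's security group may reach NFS on TCP 2049.
# var.vpc_id, var.subnet_ids, var.client_sg_id and var.kms_key_arn are placeholders.
resource "aws_security_group" "efs" {
  name_prefix = "efs-nfs-"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "nfs_from_app" {
  security_group_id            = aws_security_group.efs.id
  referenced_security_group_id = var.client_sg_id # no CIDR-wide exposure of 2049
  ip_protocol                  = "tcp"
  from_port                    = 2049
  to_port                      = 2049
}

module "hardened_efs" {
  source  = "boldlink/efs/aws"
  version = "<provide_module_version_here>"

  creation_token          = "hardened-efs-example"
  vpc_id                  = var.vpc_id
  mount_target_subnet_ids = var.subnet_ids
  # Use the security group above instead of a module-created one.
  create_security_group    = false
  external_security_groups = [aws_security_group.efs.id]
  # Encryption at rest with a customer-managed KMS key rather than the AWS-managed default.
  encrypted  = true
  kms_key_id = var.kms_key_arn
  # Refuse unencrypted NFS sessions; allow mount/write (not root) only via a mount target.
  # No Resource is given: the policy is attached at creation and applies to this file system.
  file_system_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Deny"
        Principal = { AWS = "*" }
        Action    = "*"
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
      {
        Effect    = "Allow"
        Principal = { AWS = "*" }
        Action    = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]
        Condition = { Bool = { "elasticfilesystem:AccessedViaMountTarget" = "true" } }
      }
    ]
  })
  backup_policy_status = "ENABLED"
}
```

Clients must then mount with the `tls` option (for example via amazon-efs-utils), since the Deny statement rejects plaintext NFS sessions; the Allow statement deliberately omits `elasticfilesystem:ClientRootAccess`, so root on a client does not become root on the file system.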
Terraform module documentation
Name | Version |
---|---|
terraform | >= 0.14.11 |
aws | >= 4.45.0 |

Name | Version |
---|---|
aws | 5.40.0 |
No modules.
Name | Type |
---|---|
aws_efs_backup_policy.main | resource |
aws_efs_file_system.main | resource |
aws_efs_file_system_policy.main | resource |
aws_efs_mount_target.main | resource |
aws_security_group.main | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
availability_zone_name | (Optional) The AWS Availability Zone in which to create the file system. Used to create a file system that uses One Zone storage classes. See the user guide for more information. | string | null | no |
backup_policy_status | (Required) A status of the backup policy. Valid values: `ENABLED`, `DISABLED`. | string | "ENABLED" | no |
bypass_policy_lockout_safety_check | (Optional) A flag to indicate whether to bypass the aws_efs_file_system_policy lockout safety check. The policy lockout safety check determines whether the policy in the request will lock the principal making the request out of making future PutFileSystemPolicy requests on the file system. Set bypass_policy_lockout_safety_check to true only when you intend to prevent the principal that is making the request from making a subsequent PutFileSystemPolicy request on the file system. The default value is false. | string | false | no |
create_security_group | Whether to create the security group using the module. | bool | true | no |
creation_token | (Optional) A unique name (a maximum of 64 characters are allowed) used as reference when creating the Elastic File System to ensure idempotent file system creation. By default generated by Terraform. See the Elastic File System user guide for more information. | string | null | no |
egress_rules | (Optional) Egress rules to add to the security group. | any | {} | no |
encrypted | (Optional) If true, the disk will be encrypted. | bool | true | no |
external_security_groups | IDs of other security groups. NOTE: All these security groups must be in the same VPC as the subnets where the EFS is mounted. A maximum of 5 security group IDs is allowed. | list(string) | [] | no |
file_system_policy | (Required) The JSON formatted file system policy for the EFS file system. | string | "" | no |
kms_key_id | (Optional) The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to `true`. | string | null | no |
mount_target_ip_addresses | The addresses (within the address range of the specified subnet) at which the file system may be mounted via the mount target. | list(string) | [] | no |
mount_target_subnet_ids | (Required) The IDs of subnets to add the mount target in. | list(string) | [] | no |
performance_mode | (Optional) The file system performance mode. Can be either `generalPurpose` or `maxIO` (Default: `generalPurpose`). | string | "generalPurpose" | no |
provisioned_throughput_in_mibps | (Optional) The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with throughput_mode set to `provisioned`. | string | null | no |
security_group_ingress | Specify the ingress rules for the security group. | any | {} | no |
tags | (Optional) A map of tags to assign to the file system. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level. | map(string) | {} | no |
throughput_mode | (Optional) Throughput mode for the file system. Defaults to `bursting`. Valid values: `bursting`, `provisioned`. When using `provisioned`, also set provisioned_throughput_in_mibps. | string | "bursting" | no |
transition_to_ia | (Optional) Indicates how long it takes to transition files to the IA storage class. Valid values: `AFTER_7_DAYS`, `AFTER_14_DAYS`, `AFTER_30_DAYS`, `AFTER_60_DAYS`, or `AFTER_90_DAYS`. | list(string) | [] | no |
transition_to_primary_storage_class | (Optional) Describes the policy used to transition a file from infrequent access storage to primary storage. Valid values: `AFTER_1_ACCESS`. | list(string) | [] | no |
vpc_id | (Optional, Forces new resource) VPC ID. | string | null | no |
Name | Description |
---|---|
efs_file_system_arn | Amazon Resource Name of the file system. |
file_system_availability_zone_id | The identifier of the Availability Zone in which the file system's One Zone storage classes exist. |
file_system_dns_name | The DNS name for the filesystem |
file_system_id | The ID that identifies the file system (e.g., fs-ccfc0d65). |
file_system_owner_id | The AWS account that created the file system. If the file system was created by an IAM user, the parent account to which the user belongs is the owner. |
file_system_size_in_bytes | The latest known metered size (in bytes) of data stored in the file system, the value is not the exact size that the file system was at any point in time. |
mount_target_availability_zone_id | The unique and consistent identifier of the Availability Zone (AZ) that the mount target resides in. |
mount_target_availability_zone_name | The name of the Availability Zone (AZ) that the mount target resides in. |
mount_target_dns_name | The DNS name for the given subnet/AZ |
mount_target_id | The ID of the mount target. |
mount_target_network_interface_id | The ID of the network interface that Amazon EFS created when it created the mount target. |
security_group_arn | ARN of the security group. |
security_group_id | ID of the security group. |
security_group_owner_id | Owner ID of the security group. |
tags_all | A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
This repository uses third party software:
- pre-commit - Used to help ensure code and documentation consistency
  - Install with `brew install pre-commit`
  - Manually use with `pre-commit run`
- terraform 0.14.11 - For backwards compatibility we are using version 0.14.11 for testing, making this the minimum version tested and without issues with terraform-docs.
- terraform-docs - Used to generate the Inputs and Outputs sections
  - Install with `brew install terraform-docs`
  - Manually use via pre-commit
- tflint - Used to lint the Terraform code
  - Install with `brew install tflint`
  - Manually use via pre-commit
The example stacks are used by BOLDLink developers to validate the modules by building an actual stack on AWS.
Some of the modules have dependencies on other modules (e.g. the EC2 instance module depends on the VPC module), so we create those first and use data sources in the examples to consume the stacks.
Any supporting resources will be available under `tests/supportingResources`, and their lifecycle is managed by the Makefile targets.
Resources in the `tests/supportingResources` folder are not intended for demo or actual implementation purposes, but can be used for reference.
The Makefile contained in this repo is optimized for Linux paths, and its main purpose for now is to execute testing.
- Create all test stacks including any supporting resources: `make tests`
- Clean all tests except existing supporting resources: `make clean`
- Clean supporting resources - this is done separately so you can test your module build/modify/destroy independently: `make cleansupporting`
- !!!DANGER!!! Clean the state files from examples and test/supportingResources - use with CAUTION!!!: `make cleanstatefiles`