/terraform-aws-efs

Terraform module to create AWS EFS resources 🇺🇦

Primary LanguageHCLApache License 2.0Apache-2.0

AWS EFS Terraform module

Terraform module which creates AWS EFS (elastic file system) resources.

SWUbanner

Usage

See examples directory for working examples to reference:

module "efs" {
  source = "terraform-aws-modules/efs/aws"

  # File system
  name           = "example"
  creation_token = "example-token"
  encrypted      = true
  kms_key_arn    = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

  # performance_mode                = "maxIO"
  # NB! PROVISIONED TROUGHPUT MODE WITH 256 MIBPS IS EXPENSIVE ~$1500/month
  # throughput_mode                 = "provisioned"
  # provisioned_throughput_in_mibps = 256

  lifecycle_policy = {
    transition_to_ia = "AFTER_30_DAYS"
  }

  # File system policy
  attach_policy                      = true
  bypass_policy_lockout_safety_check = false
  policy_statements = [
    {
      sid     = "Example"
      actions = ["elasticfilesystem:ClientMount"]
      principals = [
        {
          type        = "AWS"
          identifiers = ["arn:aws:iam::111122223333:role/EfsReadOnly"]
        }
      ]
    }
  ]

  # Mount targets / security group
  mount_targets = {
    "eu-west-1a" = {
      subnet_id = "subnet-abcde012"
    }
    "eu-west-1b" = {
      subnet_id = "subnet-bcde012a"
    }
    "eu-west-1c" = {
      subnet_id = "subnet-fghi345a"
    }
  }
  security_group_description = "Example EFS security group"
  security_group_vpc_id      = "vpc-1234556abcdef"
  security_group_rules = {
    vpc = {
      # relying on the defaults provdied for EFS/NFS (2049/TCP + ingress)
      description = "NFS ingress from VPC private subnets"
      cidr_blocks = ["10.99.3.0/24", "10.99.4.0/24", "10.99.5.0/24"]
    }
  }

  # Access point(s)
  access_points = {
    posix_example = {
      name = "posix-example"
      posix_user = {
        gid            = 1001
        uid            = 1001
        secondary_gids = [1002]
      }

      tags = {
        Additionl = "yes"
      }
    }
    root_example = {
      root_directory = {
        path = "/example"
        creation_info = {
          owner_gid   = 1001
          owner_uid   = 1001
          permissions = "755"
        }
      }
    }
  }

  # Backup policy
  enable_backup_policy = true

  # Replication configuration
  create_replication_configuration = true
  replication_configuration_destination = {
    region = "eu-west-2"
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Requirements

Name Version
terraform >= 1.0
aws >= 5.35

Providers

Name Version
aws >= 5.35

Modules

No modules.

Resources

Name Type
aws_efs_access_point.this resource
aws_efs_backup_policy.this resource
aws_efs_file_system.this resource
aws_efs_file_system_policy.this resource
aws_efs_mount_target.this resource
aws_efs_replication_configuration.this resource
aws_security_group.this resource
aws_security_group_rule.this resource
aws_iam_policy_document.policy data source

Inputs

Name Description Type Default Required
access_points A map of access point definitions to create any {} no
attach_policy Determines whether a policy is attached to the file system bool true no
availability_zone_name The AWS Availability Zone in which to create the file system. Used to create a file system that uses One Zone storage classes string null no
bypass_policy_lockout_safety_check A flag to indicate whether to bypass the aws_efs_file_system_policy lockout safety check. Defaults to false bool null no
create Determines whether resources will be created (affects all resources) bool true no
create_backup_policy Determines whether a backup policy is created bool true no
create_replication_configuration Determines whether a replication configuration is created bool false no
create_security_group Determines whether a security group is created bool true no
creation_token A unique name (a maximum of 64 characters are allowed) used as reference when creating the Elastic File System to ensure idempotent file system creation. By default generated by Terraform string null no
deny_nonsecure_transport Determines whether aws:SecureTransport is required when connecting to elastic file system bool true no
enable_backup_policy Determines whether a backup policy is ENABLED or DISABLED bool true no
encrypted If true, the disk will be encrypted bool true no
kms_key_arn The ARN for the KMS encryption key. When specifying kms_key_arn, encrypted needs to be set to true string null no
lifecycle_policy A file system lifecycle policy object any {} no
mount_targets A map of mount target definitions to create any {} no
name The name of the file system string "" no
override_policy_documents List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid list(string) [] no
performance_mode The file system performance mode. Can be either generalPurpose or maxIO. Default is generalPurpose string null no
policy_statements A list of IAM policy statements for custom permission usage any [] no
provisioned_throughput_in_mibps The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with throughput_mode set to provisioned number null no
replication_configuration_destination A destination configuration block any {} no
security_group_description Security group description. Defaults to Managed by Terraform string null no
security_group_name Name to assign to the security group. If omitted, Terraform will assign a random, unique name string null no
security_group_rules Map of security group rule definitions to create any {} no
security_group_use_name_prefix Determines whether to use a name prefix for the security group. If true, the security_group_name value will be used as a prefix bool false no
security_group_vpc_id The VPC ID where the security group will be created string null no
source_policy_documents List of IAM policy documents that are merged together into the exported document. Statements must have unique sids list(string) [] no
tags A map of tags to add to all resources map(string) {} no
throughput_mode Throughput mode for the file system. Defaults to bursting. Valid values: bursting, elastic, and provisioned. When using provisioned, also set provisioned_throughput_in_mibps string null no

Outputs

Name Description
access_points Map of access points created and their attributes
arn Amazon Resource Name of the file system
dns_name The DNS name for the filesystem per documented convention
id The ID that identifies the file system (e.g., fs-ccfc0d65)
mount_targets Map of mount targets created and their attributes
replication_configuration_destination_file_system_id The file system ID of the replica
security_group_arn ARN of the security group
security_group_id ID of the security group
size_in_bytes The latest known metered size (in bytes) of data stored in the file system, the value is not the exact size that the file system was at any point in time

License

Apache-2.0 Licensed. See LICENSE.