stanislavzabarylo/terraform-aws-elastic-file-system

AWS Elastic File System Module

Usage

Here is an example HCL snippet that demonstrates how to use the AWS EFS Terraform module:

module "efs" {
  source = "../.."

  # Basic EFS configuration
  name                            = "example-elastic-file-system"
  creation_token                  = "example-creation-token"
  encrypted                       = true
  enable_automatic_backups        = true
  kms_key_id                      = "example-kms-key-id"
  performance_mode                = "generalPurpose"
  throughput_mode                 = "provisioned"
  provisioned_throughput_in_mibps = 100

  # Lifecycle management
  lifecycle_policy = {
    transition_to_ia                    = "AFTER_7_DAYS"
    transition_to_primary_storage_class = "AFTER_1_ACCESS"
  }

  # Access points
  access_points = {
    example_posix_user = {
      name = "example-posix-user"
      posix_user = {
        gid            = 1001
        uid            = 1001
        secondary_gids = [1002, 1003, 1004]
      }
      root_directory = {
        path = "/example-posix-user"
        creation_info = {
          owner_gid   = 1001
          owner_uid   = 1001
          permissions = "755"
        }
      }
    }
  }

  # Security Group Configuration for EFS Mount Targets
  security_group_configuration = {
    description = "Security group for EFS mount targets"
    name_prefix = "efs-"
    vpc_id      = "vpc-1234567890"

    # Ingress rules are automatically configured for EFS port 2049
    ingress_rules = {
      allow_vpc = {
        description = "Allow NFS access from VPC"
        cidr_blocks = ["10.0.0.0/16"]
      }
      allow_specific_sg = {
        description              = "Allow NFS from specific security group"
        source_security_group_id = "example-sg-0"
      }
    }

    # Configurable egress rules
    egress_rules = {
      allow_all = {
        description = "Allow all outbound traffic"
        protocol    = "-1"
        from_port   = "0"
        to_port     = "0"
        cidr_blocks = ["0.0.0.0/0"]
      }
    }
  }
  
  # Mount targets in multiple AZs
  mount_targets = [
    {
      subnet_id       = "example-subnet-id-1"
      security_groups = ["example-sg-id-1", "example-sg-id-2"]
      timeouts = {
        create = "50m"
        delete = "40m"
      }
    },
    {
      subnet_id       = "example-subnet-id-2"
      security_groups = ["example-sg-id-3", "example-sg-id-4"]
      timeouts = {
        create = "40m"
        delete = "30m"
      }
    }
  ]

  # Cross-region replication
  replication_configuration = {
    region                 = "us-east-1"
    availability_zone_name = "us-east-1a"
    timeouts = {
      create = "1h"
      delete = "30m"
    }
  }

  # File System IAM policy
  policy_configuration = {
    version   = "2012-10-17"
    policy_id = "example-policy-id"
    statements = [
      {
        sid = "example-sid"
        actions = [
          "elasticfilesystem:ClientMount",
          "elasticfilesystem:ClientWrite"
        ]
        principals = [
          {
            type        = "AWS"
            identifiers = ["arn:aws:iam::111122223333:role/ExampleEFSRole"]
          }
        ]
      }
    ]
    bypass_policy_lockout_safety_check = false
  }

  tags = {
    CreatedBy = "Terraform"
  }
}
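
The snippet above opens NFS to an entire VPC CIDR, adds an allow-all egress rule, and grants a role access with no transport or path condition. The following is an added example, not code from this module's README or repository, showing how the same inputs can be combined into a least-privilege deployment. It assumes these resources exist elsewhere in the root module: aws_kms_key.efs and aws_kms_key.efs_replica (the latter in the replica region), aws_vpc.main, aws_subnet.private (created with count or for_each), aws_security_group.efs_clients (attached to the NFS clients) and aws_iam_role.app (assumed by those clients). It also assumes the source file system is not deployed in us-west-2, and that the module attaches the security group it creates to each mount target, since the outputs list exports no security group ID to pass back in.

```hcl
# Added example (not part of the module's README or source).
# Assumed to exist elsewhere in the root module: aws_kms_key.efs,
# aws_kms_key.efs_replica (in the replica region), aws_vpc.main,
# aws_subnet.private (count or for_each), aws_security_group.efs_clients
# (attached to the NFS clients) and aws_iam_role.app (assumed by them).
# The module is assumed to attach the security group it creates to every
# mount target.

module "efs_hardened" {
  source = "../.."

  name                     = "app-data"
  encrypted                = true
  kms_key_id               = aws_kms_key.efs.arn # customer-managed key, not the AWS-managed default
  enable_automatic_backups = true
  performance_mode         = "generalPurpose"
  throughput_mode          = "elastic"

  # One access point per workload. The POSIX identity and root directory are
  # fixed server-side, so an NFS client cannot present a different uid/gid
  # or walk outside /app.
  access_points = {
    app = {
      name       = "app"
      posix_user = { uid = 1500, gid = 1500 }
      root_directory = {
        path = "/app"
        creation_info = { owner_uid = 1500, owner_gid = 1500, permissions = "0750" }
      }
    }
  }

  # Ingress only from the clients' own security group (the module fixes the
  # rule to NFS, 2049/tcp); no CIDR rules. No egress rules are defined:
  # security groups are stateful, so replies to inbound NFS need none.
  security_group_configuration = {
    name_prefix = "efs-app-"
    description = "EFS mount targets for app-data"
    vpc_id      = aws_vpc.main.id
    ingress_rules = {
      from_clients = {
        description              = "NFS from app instances only"
        source_security_group_id = aws_security_group.efs_clients.id
      }
    }
  }

  # One mount target per private subnet; mount targets never go in public subnets.
  mount_targets = [for s in aws_subnet.private : { subnet_id = s.id }]

  # File system policy: named principal only, reachable only through a mount
  # target, and every request must use TLS. ClientRootAccess is deliberately
  # not granted. The schema allows one condition per statement, so each test
  # lives in its own statement.
  policy_configuration = {
    version = "2012-10-17"
    statements = [
      {
        sid        = "AppRoleReadWrite"
        effect     = "Allow"
        actions    = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]
        principals = [{ type = "AWS", identifiers = [aws_iam_role.app.arn] }]
        condition = {
          test     = "Bool"
          variable = "elasticfilesystem:AccessedViaMountTarget"
          values   = ["true"]
        }
      },
      {
        sid        = "DenyUnencryptedTransport"
        effect     = "Deny"
        actions    = ["*"]
        principals = [{ type = "AWS", identifiers = ["*"] }]
        condition = {
          test     = "Bool"
          variable = "aws:SecureTransport"
          values   = ["false"]
        }
      }
    ]
    bypass_policy_lockout_safety_check = false
  }

  # Cross-region replica encrypted with a customer-managed key that lives in
  # the destination region (the key must be in the same region as the replica).
  replication_configuration = {
    region     = "us-west-2"
    kms_key_id = aws_kms_key.efs_replica.arn
  }

  tags = { CreatedBy = "Terraform" }
}
```

With this policy in place a client must mount with the amazon-efs-utils helper using the `tls` and `iam` options (for example `mount -t efs -o tls,iam,accesspoint=<access-point-id> <file-system-id>:/ /mnt/app`); a mount without `iam` is treated as anonymous and matches no Allow statement, and a mount without `tls` is caught by the aws:SecureTransport deny. Because the module's `condition` attribute is a single object rather than a list, a statement that needs two different condition tests has to be written as two statements, as above.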

Examples

Examples demonstrate use-cases and configurations of the module. They serve both as a reference for users implementing the module and as integration tests for validating module functionality.

Requirements

Name Version
terraform >= 1.3
aws >= 5.40

Providers

Name Version
aws >= 5.40

Modules

No modules.

Resources

Name Type
aws_efs_access_point.this resource
aws_efs_backup_policy.this resource
aws_efs_file_system.this resource
aws_efs_file_system_policy.this resource
aws_efs_mount_target.this resource
aws_efs_replication_configuration.this resource
aws_security_group.this resource
aws_security_group_rule.egress resource
aws_security_group_rule.ingress resource
aws_iam_policy_document.this data source

Inputs

Each input is listed with its description, Terraform type, default value and whether it is required.

access_points
  Description: A map of access points to create for the file system. Each access point supports the following settings:
    • name: (Optional) A descriptive name for the access point
    • posix_user: (Optional) The operating system user and group applied to all file system requests made using the access point
      • gid: (Required) The POSIX group ID used for all file system operations using this access point
      • secondary_gids: (Optional) Secondary POSIX group IDs used for all file system operations using this access point
      • uid: (Required) The POSIX user ID used for all file system operations using this access point
    • root_directory: (Optional) Configures the access point's root directory
      • path: (Optional) The path on the EFS file system to expose as the root directory to NFS clients using the access point
      • creation_info: (Optional) Specifies the POSIX IDs and permissions to apply to the access point's root directory
        • owner_gid: (Required) The POSIX group ID to apply to the root directory
        • owner_uid: (Required) The POSIX user ID to apply to the root directory
        • permissions: (Required) The POSIX permissions to apply to the root directory, in numeric notation (e.g. "0755")
  Type:
    map(object({
      name = optional(string)
      posix_user = optional(object({
        gid            = number
        secondary_gids = optional(set(number))
        uid            = number
      }))
      root_directory = optional(object({
        path = optional(string)
        creation_info = optional(object({
          owner_gid   = number
          owner_uid   = number
          permissions = string
        }))
      }))
    }))
  Default: null
  Required: no

availability_zone_name
  Description: The AWS Availability Zone in which to create the file system. Used to create a file system that uses One Zone storage classes
  Type: string
  Default: null
  Required: no

creation_token
  Description: A unique name used to ensure idempotent file system creation. If not specified, defaults to an auto-generated string combining timestamp and UUID in the format "terraform-<YYYYMMDDhhmmss>-<random_uuid>" (defined as a local value in main.tf)
  Type: string
  Default: null
  Required: no

enable_automatic_backups
  Description: If true, automatic backups will be enabled for the file system. Defaults to false
  Type: bool
  Default: false
  Required: no

encrypted
  Description: If true, the disk will be encrypted. Defaults to true
  Type: bool
  Default: true
  Required: no

kms_key_id
  Description: The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true
  Type: string
  Default: null
  Required: no

lifecycle_policy
  Description: Configuration for EFS lifecycle policy transitions. Supports the following settings:
    • "transition_to_archive": (Optional) Indicates how long it takes to transition files to the Archive storage class. Requires "transition_to_ia" to be specified, with "performance_mode" set to "generalPurpose" and "throughput_mode" set to "elastic". Valid values: "AFTER_1_DAY", "AFTER_7_DAYS", "AFTER_14_DAYS", "AFTER_30_DAYS", "AFTER_60_DAYS", "AFTER_90_DAYS", "AFTER_180_DAYS", "AFTER_270_DAYS", "AFTER_365_DAYS"
    • "transition_to_ia": (Optional) Indicates how long it takes to transition files to the IA storage class. Valid values: "AFTER_1_DAY", "AFTER_7_DAYS", "AFTER_14_DAYS", "AFTER_30_DAYS", "AFTER_60_DAYS", "AFTER_90_DAYS", "AFTER_180_DAYS", "AFTER_270_DAYS", "AFTER_365_DAYS"
    • "transition_to_primary_storage_class": (Optional) Indicates how long it takes to transition files back to the primary storage class. The only valid value is "AFTER_1_ACCESS"
  Type: map(string)
  Default: null
  Required: no

mount_targets
  Description: Configuration block for EFS mount targets. Accepts a list of objects with the following settings:
    • subnet_id: (Required) The ID of the subnet to add the mount target in
    • ip_address: (Optional) The IPv4 address within the subnet's CIDR range where the mount target will be created
    • security_groups: (Optional) A list of security group IDs (up to 5 items) to associate with the mount target
    • timeouts: (Optional) Configuration block for operation timeouts
      • create: (Optional) Time to wait for mount target(s) to be created. Must be a string specifying hours (h), minutes (m) or seconds (s)
      • delete: (Optional) Time to wait for mount target(s) to be deleted. Must be a string specifying hours (h), minutes (m) or seconds (s)
  Type:
    list(object({
      subnet_id       = string
      ip_address      = optional(string)
      security_groups = optional(set(string))
      timeouts = optional(object({
        create = optional(string)
        delete = optional(string)
      }))
    }))
  Default: null
  Required: no

name
  Description: A unique name for the Elastic File System (EFS)
  Type: string
  Default: null
  Required: no

performance_mode
  Description: The file system performance mode. Can be either "generalPurpose" or "maxIO". Defaults to "generalPurpose"
  Type: string
  Default: "generalPurpose"
  Required: no

policy_configuration
  Description: Configuration block for the EFS file system policy. Supports the following settings:
    • version: (Optional) The version of the IAM policy document. Valid values are "2008-10-17" or "2012-10-17"
    • override_policy_documents: (Optional) List of IAM policy documents that are merged together into the exported document. Statements defined in the statements block will be added to the document after merging override_policy_documents
    • policy_id: (Optional) ID for the policy. For example, "MYFILESYSTEMPOLICY"
    • source_policy_documents: (Optional) List of IAM policy documents that are merged together into the exported document. Statements defined in the statements block will be added to the document after merging source_policy_documents
    • statements: (Optional) List of policy statement blocks. Each statement supports:
      • sid: (Optional) Statement ID, a unique identifier for the statement
      • effect: (Optional) Whether the statement allows or denies access. Valid values: "Allow" or "Deny"
      • actions: (Optional) List of actions that the policy allows or denies
      • condition: (Optional) A single condition for when the statement is in effect (a statement needing more than one condition test must be split into several statements)
        • test: (Required) Condition operator, e.g. "StringEquals"
        • variable: (Required) Context variable to apply the condition to
        • values: (Required) List of values to compare against
      • not_actions: (Optional) List of actions that the statement does not apply to
      • not_principals: (Optional) List of principals that the statement does not apply to
        • identifiers: (Required) List of principal identifiers
        • type: (Required) Type of principal (e.g. "AWS", "Service")
      • not_resources: (Optional) List of resources that the statement does not apply to
      • principals: (Optional) List of principals that the statement applies to
        • identifiers: (Required) List of principal identifiers
        • type: (Required) Type of principal (e.g. "AWS", "Service")
      • resources: (Optional) List of resources that the statement applies to
    • bypass_policy_lockout_safety_check: (Optional) A flag to indicate whether to bypass the "aws:PrincipalArn" condition key policy lockout safety check. Setting this value to true increases the risk that the file system becomes locked
  Type:
    object({
      version                   = optional(string)
      override_policy_documents = optional(set(any))
      policy_id                 = optional(string)
      source_policy_documents   = optional(set(string))
      statements = optional(list(object({
        sid     = optional(string)
        effect  = optional(string)
        actions = optional(set(string))
        condition = optional(object({
          test     = string
          variable = string
          values   = set(string)
        }))
        not_actions = optional(set(any))
        not_principals = optional(set(object({
          identifiers = set(string)
          type        = string
        })))
        not_resources = optional(set(string))
        principals = optional(set(object({
          identifiers = set(string)
          type        = string
        })))
        resources = optional(set(string))
      })))
      bypass_policy_lockout_safety_check = optional(bool)
    })
  Default: null
  Required: no

protection
  Description: Configuration block for EFS file system protection settings. Supports the following settings:
    • replication_overwrite: (Optional) Replication overwrite protection for this file system. Valid values:
      • "ENABLED": The file system cannot be used as the destination of a replication configuration, so a replica cannot overwrite it
      • "DISABLED": The file system may be used as a replication destination and its contents overwritten by replication
  Type:
    object({
      replication_overwrite = optional(string)
    })
  Default: null
  Required: no

provisioned_throughput_in_mibps
  Description: The throughput, measured in MiB/s, to provision for the file system. Only applicable with throughput_mode set to "provisioned"
  Type: number
  Default: null
  Required: no

replication_configuration
  Description: Configuration block for EFS replication configuration. Supports the following settings:
    • region: (Optional) The AWS Region to replicate the file system to. Must be different from the source file system's region
    • availability_zone_name: (Optional) The availability zone in which the replica should be created. If specified, the replica will be created with One Zone storage. If omitted, regional storage will be used
    • file_system_id: (Optional) The ID of an existing file system to use as the destination for replication. If not specified, a new file system will be created with default settings
    • kms_key_id: (Optional) The ARN, ID, alias, or alias ARN of the AWS KMS key used to encrypt the destination file system. If omitted, the AWS managed key for EFS (alias "aws/elasticfilesystem") is used
    • timeouts: (Optional) Configuration block for operation timeouts
      • create: (Optional) Time to wait for replication to be created. Must be a string specifying hours (h), minutes (m) or seconds (s)
      • delete: (Optional) Time to wait for replication to be deleted. Must be a string specifying hours (h), minutes (m) or seconds (s)
  Type:
    object({
      region                 = optional(string)
      availability_zone_name = optional(string)
      file_system_id         = optional(string)
      kms_key_id             = optional(string)
      timeouts = optional(object({
        create = optional(string)
        delete = optional(string)
      }))
    })
  Default: null
  Required: no

security_group_configuration
  Description: Configuration for the AWS security group attached to the mount targets, with flexible rule management:
    • description: (Optional) The description of the security group
    • name_prefix: (Optional) The prefix for generating a unique security group name
    • name: (Optional) The exact name for the security group
    • vpc_id: (Optional) The VPC ID where the security group will be created
    • ingress_rules: (Optional) The map of security group ingress rules. Protocol and port are fixed by the module to NFS (port 2049); each rule only selects the sources
      • description: (Optional) The description for the individual rule
      • cidr_blocks: (Optional) The IPv4 CIDR ranges for the rule
      • ipv6_cidr_blocks: (Optional) The IPv6 CIDR ranges for the rule
      • prefix_list_ids: (Optional) The referenced prefix lists
      • self: (Optional) Whether the rule references the security group itself
      • source_security_group_id: (Optional) The source security group for the rule
    • egress_rules: (Optional) The map of security group egress rules with granular configuration
      • description: (Optional) The description for the individual rule
      • protocol: (Required) The protocol for the rule (e.g. "tcp")
      • from_port: (Required) The start port for the rule (e.g. "80")
      • to_port: (Required) The end port for the rule (e.g. "80")
      • cidr_blocks: (Optional) The IPv4 CIDR ranges for the rule
      • ipv6_cidr_blocks: (Optional) The IPv6 CIDR ranges for the rule
      • prefix_list_ids: (Optional) The referenced prefix lists
      • self: (Optional) Whether the rule references the security group itself
      • source_security_group_id: (Optional) The destination security group for the rule
  Type:
    object({
      description = optional(string)
      name_prefix = optional(string)
      name        = optional(string)
      vpc_id      = optional(string)
      ingress_rules = optional(map(object({
        description              = optional(string)
        cidr_blocks              = optional(set(string))
        ipv6_cidr_blocks         = optional(set(string))
        prefix_list_ids          = optional(set(string))
        self                     = optional(bool)
        source_security_group_id = optional(string)
      })))
      egress_rules = optional(map(object({
        description              = optional(string)
        protocol                 = string
        from_port                = string
        to_port                  = string
        cidr_blocks              = optional(set(string))
        ipv6_cidr_blocks         = optional(set(string))
        prefix_list_ids          = optional(set(string))
        self                     = optional(bool)
        source_security_group_id = optional(string)
      })))
    })
  Default: null
  Required: no

tags
  Description: A map of tags to add to all resources
  Type: map(string)
  Default: {}
  Required: no

throughput_mode
  Description: Throughput mode for the file system. Valid values: "bursting", "provisioned", or "elastic". When using "provisioned", also set provisioned_throughput_in_mibps. Defaults to "bursting"
  Type: string
  Default: "bursting"
  Required: no

Outputs

Name Description
access_points_arns The ARN(s) of the access point(s)
access_points_file_system_arn The Amazon Resource Name (ARN) of the EFS file system associated with the access point(s)
access_points_file_system_ids The ID(s) of the access point(s)
backup_policy_id The ID of the backup policy
file_system_arn The Amazon Resource Name (ARN) of the file system
file_system_availability_zone_id The identifier of the Availability Zone in which the file system's One Zone storage classes exist
file_system_dns_name The DNS name for the filesystem per documented convention
file_system_id The ID that identifies the file system
file_system_name The value of the file system's Name tag
file_system_number_of_mount_targets The current number of mount targets that the file system has
file_system_owner_id The AWS account that created the file system. If the file system was created by an IAM user, the parent account to which the user belongs is the owner
file_system_policy_id The ID that identifies the file system policy
file_system_size_in_bytes The latest known metered size (in bytes) of data stored in the file system; the value is not the exact size that the file system was at any point in time
mount_targets_availability_zone_ids The unique and consistent identifier of the Availability Zone(s) that the mount target(s) reside in
mount_targets_availability_zone_names The name(s) of the Availability Zone(s) that the mount target(s) reside in
mount_targets_dns_names The DNS name(s) for the mount target(s) in each subnet/AZ, following the format [az].[filesystem-id].efs.[region].amazonaws.com
mount_targets_file_system_arn The Amazon Resource Name (ARN) of the EFS file system associated with the mount target(s). This will be the same ARN for all mount targets in a file system
mount_targets_file_system_dns_name The DNS name for the EFS file system, which can be used to mount the file system using the NFS protocol. This is the same for all mount targets in a file system
mount_targets_ids The ID(s) of the mount target(s)
mount_targets_network_interface_ids The ID(s) of the ENI(s) that AWS EFS automatically created and attached when provisioning the mount target(s). This ENI enables network connectivity to the EFS file system
mount_targets_owner_id The AWS account ID that owns the mount target(s)
replication_configuration_creation_time The timestamp indicating when the replication configuration was initially created (expressed in Unix timestamp format)
replication_configuration_destination_file_system_id The file system ID of the destination EFS replica created by the replication configuration
replication_configuration_destination_status The current status of the EFS replication configuration destination
replication_configuration_original_source_file_system_arn The Amazon Resource Name (ARN) of the original source Amazon EFS file system in the replication configuration
replication_configuration_source_file_system_arn The Amazon Resource Name (ARN) of the current source file system in the replication configuration
replication_configuration_source_file_system_region The AWS Region in which the source Amazon EFS file system is located
tags_all A map of tags assigned to the resource

About

A type-safe Terraform module for provisioning and managing AWS Elastic File System (EFS) resources with robust configuration validation.
