https://github.com/stanislavzabarylo/terraform-aws-elastic-file-system

A type-safe Terraform module for provisioning and managing AWS Elastic File System (EFS) resources with robust configuration validation.

aws aws-efs elasticfilesystem iac terraform terraform-module terraform-modules

README

# AWS Elastic File System Module

## Usage

Here is an example HCL snippet that demonstrates how to use the AWS EFS Terraform module. Note that the access point object uses the `name` attribute (the module's object type has no `ac_name` attribute, and Terraform rejects unexpected attributes on typed object inputs):

```hcl
module "efs" {
  source = "../.."

  # Basic EFS configuration
  name                            = "example-elastic-file-system"
  creation_token                  = "example-creation-token"
  encrypted                       = true
  enable_automatic_backups        = true
  kms_key_id                      = "example-kms-key-id"
  performance_mode                = "generalPurpose"
  throughput_mode                 = "provisioned"
  provisioned_throughput_in_mibps = 100

  # Lifecycle management
  lifecycle_policy = {
    transition_to_ia                    = "AFTER_7_DAYS"
    transition_to_primary_storage_class = "AFTER_1_ACCESS"
  }

  # Access points
  access_points = {
    example_posix_user = {
      name = "example-posix-user"
      posix_user = {
        gid            = 1001
        uid            = 1001
        secondary_gids = [1002, 1003, 1004]
      }
      root_directory = {
        path = "/example-posix-user"
        creation_info = {
          owner_gid   = 1001
          owner_uid   = 1001
          permissions = "755"
        }
      }
    }
  }

  # Security Group Configuration for EFS Mount Targets
  security_group_configuration = {
    description = "Security group for EFS mount targets"
    name_prefix = "efs-"
    vpc_id      = "vpc-1234567890"

    # Ingress rules are automatically configured for EFS port 2049
    ingress_rules = {
      allow_vpc = {
        description = "Allow NFS access from VPC"
        cidr_blocks = ["10.0.0.0/16"]
      }
      allow_specific_sg = {
        description              = "Allow NFS from specific security group"
        source_security_group_id = "example-sg-0"
      }
    }

    # Configurable egress rules
    egress_rules = {
      allow_all = {
        description = "Allow all outbound traffic"
        protocol    = "-1"
        from_port   = "0"
        to_port     = "0"
        cidr_blocks = ["0.0.0.0/0"]
      }
    }
  }

  # Mount targets in multiple AZs
  mount_targets = [
    {
      subnet_id       = "example-subnet-id-1"
      security_groups = ["example-sg-id-1", "example-sg-id-2"]
      timeouts = {
        create = "50m"
        delete = "40m"
      }
    },
    {
      subnet_id       = "example-subnet-id-2"
      security_groups = ["example-sg-id-3", "example-sg-id-4"]
      timeouts = {
        create = "40m"
        delete = "30m"
      }
    }
  ]

  # Cross-region replication
  replication_configuration = {
    region                 = "us-east-1"
    availability_zone_name = "us-east-1a"
    timeouts = {
      create = "1h"
      delete = "30m"
    }
  }

  # File System IAM policy
  policy_configuration = {
    version   = "2012-10-17"
    policy_id = "example-policy-id"
    statements = [
      {
        sid = "example-sid"
        actions = [
          "elasticfilesystem:ClientMount",
          "elasticfilesystem:ClientWrite"
        ]
        principals = [
          {
            type        = "AWS"
            identifiers = ["arn:aws:iam::111122223333:role/ExampleEFSRole"]
          }
        ]
      }
    ]
    bypass_policy_lockout_safety_check = false
  }

  tags = {
    CreatedBy = "Terraform"
  }
}
```

## Examples

[`Examples`](https://github.com/stasyk003/terraform-aws-efs-module/tree/main/examples) demonstrate use-cases and configurations of the module. They serve both as a reference for users implementing the module and as integration tests for validating module functionality.

- [Complete](https://github.com/stasyk003/terraform-aws-efs-module/tree/main/examples/complete)
- [Default](https://github.com/stasyk003/terraform-aws-efs-module/tree/main/examples/default)

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3 |
| [aws](#requirement\_aws) | >= 5.40 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 5.40 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_efs_access_point.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_access_point) | resource |
| [aws_efs_backup_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_backup_policy) | resource |
| [aws_efs_file_system.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource |
| [aws_efs_file_system_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system_policy) | resource |
| [aws_efs_mount_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource |
| [aws_efs_replication_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_replication_configuration) | resource |
| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [access\_points](#input\_access\_points) | A map of access points to create for the file system. Each access point supports the following settings:<br><br>  • `name`: (Optional) A descriptive name for the access point<br><br>  • `posix_user`: (Optional) The operating system user and group applied to all file system requests made using the access point<br>    • `gid`: (Required) The POSIX group ID used for all file system operations using this access point<br>    • `secondary_gids`: (Optional) Secondary POSIX group IDs used for all file system operations using this access point<br>    • `uid`: (Required) The POSIX user ID used for all file system operations using this access point<br><br>  • `root_directory`: (Optional) Configures the access point's root directory<br>    • `path`: (Optional) The path on the EFS file system to expose as the root directory to NFS clients using the access point<br>    • `creation_info`: (Optional) Specifies the POSIX IDs and permissions to apply to the access point's root directory<br>      • `owner_gid`: (Required) The POSIX group ID to apply to the root directory<br>      • `owner_uid`: (Required) The POSIX user ID to apply to the root directory<br>      • `permissions`: (Required) The POSIX permissions to apply to the root directory, in numeric notation (e.g. `"0755"`) | <pre>map(object({<br>  name = optional(string)<br>  posix_user = optional(object({<br>    gid            = number<br>    secondary_gids = optional(set(number))<br>    uid            = number<br>  }))<br>  root_directory = optional(object({<br>    path = optional(string)<br>    creation_info = optional(object({<br>      owner_gid   = number<br>      owner_uid   = number<br>      permissions = string<br>    }))<br>  }))<br>}))</pre> | `null` | no |
| [availability\_zone\_name](#input\_availability\_zone\_name) | The AWS Availability Zone in which to create the file system. Used to create a file system that uses One Zone storage classes | `string` | `null` | no |
| [creation\_token](#input\_creation\_token) | A unique name used to ensure idempotent file system creation. If not specified, defaults to an auto-generated string combining timestamp and UUID in the format `"terraform--"` (defined as a local value in the `main.tf` file) | `string` | `null` | no |
| [enable\_automatic\_backups](#input\_enable\_automatic\_backups) | If `true`, automatic backups will be enabled for the file system. Defaults to `false` | `bool` | `false` | no |
| [encrypted](#input\_encrypted) | If `true`, the file system is encrypted at rest. Defaults to `true` | `bool` | `true` | no |
| [kms\_key\_id](#input\_kms\_key\_id) | The ARN for the KMS encryption key. When specifying `kms_key_id`, `encrypted` needs to be set to `true` | `string` | `null` | no |
| [lifecycle\_policy](#input\_lifecycle\_policy) | Configuration for EFS lifecycle policy transitions. Supports the following settings:<br><br>  • `transition_to_archive`: (Optional) Indicates how long it takes to transition files to the Archive storage class. Requires `transition_to_ia` to be specified, with `performance_mode` set to `"generalPurpose"` and `throughput_mode` set to `"elastic"`. Valid values: `"AFTER_1_DAY"`, `"AFTER_7_DAYS"`, `"AFTER_14_DAYS"`, `"AFTER_30_DAYS"`, `"AFTER_60_DAYS"`, `"AFTER_90_DAYS"`, `"AFTER_180_DAYS"`, `"AFTER_270_DAYS"`, `"AFTER_365_DAYS"`<br><br>  • `transition_to_ia`: (Optional) Indicates how long it takes to transition files to the IA storage class. Valid values: `"AFTER_1_DAY"`, `"AFTER_7_DAYS"`, `"AFTER_14_DAYS"`, `"AFTER_30_DAYS"`, `"AFTER_60_DAYS"`, `"AFTER_90_DAYS"`, `"AFTER_180_DAYS"`, `"AFTER_270_DAYS"`, `"AFTER_365_DAYS"`<br><br>  • `transition_to_primary_storage_class`: (Optional) Indicates how long it takes to transition files back to the primary storage class. The only valid value is `"AFTER_1_ACCESS"` | `map(string)` | `null` | no |
| [mount\_targets](#input\_mount\_targets) | Configuration block for EFS mount targets. Accepts a list of objects with the following settings:<br><br>  • `subnet_id`: (Required) The ID of the subnet to add the mount target in<br>  • `ip_address`: (Optional) The IPv4 address within the subnet's CIDR range where the mount target will be created<br>  • `security_groups`: (Optional) A list of security group IDs (up to 5 items) to associate with the mount target<br>  • `timeouts`: (Optional) Configuration block for operation timeouts<br>    • `create`: (Optional) Time to wait for mount target(s) to be created. Must be a string specifying hours (h), minutes (m) or seconds (s)<br>    • `delete`: (Optional) Time to wait for mount target(s) to be deleted. Must be a string specifying hours (h), minutes (m) or seconds (s) | <pre>list(object({<br>  subnet_id       = string<br>  ip_address      = optional(string)<br>  security_groups = optional(set(string))<br>  timeouts = optional(object({<br>    create = optional(string)<br>    delete = optional(string)<br>  }))<br>}))</pre> | `null` | no |
| [name](#input\_name) | A unique name for the Elastic File System (EFS) | `string` | `null` | no |
| [performance\_mode](#input\_performance\_mode) | The file system performance mode. Can be either `"generalPurpose"` or `"maxIO"`. Defaults to `"generalPurpose"` | `string` | `"generalPurpose"` | no |
| [policy\_configuration](#input\_policy\_configuration) | Configuration block for the EFS file system policy. Supports the following settings:<br><br>  • `version`: (Optional) The version of the IAM policy document. Valid values are `"2008-10-17"` or `"2012-10-17"`<br>  • `override_policy_documents`: (Optional) List of IAM policy documents that are merged together into the exported document. Statements defined in the `statements` block are added to the document after merging `override_policy_documents`<br>  • `policy_id`: (Optional) ID for the policy. For example, `"MYFILESYSTEMPOLICY"`<br>  • `source_policy_documents`: (Optional) List of IAM policy documents that are merged together into the exported document. Statements defined in the `statements` block are added to the document after merging `source_policy_documents`<br>  • `statements`: (Optional) List of policy statement blocks. Each statement supports:<br>    • `sid`: (Optional) Statement ID, unique identifier for the statement<br>    • `effect`: (Optional) Whether the statement allows or denies access. Valid values: `"Allow"` or `"Deny"`<br>    • `actions`: (Optional) List of actions that the policy allows or denies<br>    • `condition`: (Optional) Condition for when the statement is in effect<br>      • `test`: (Required) Condition operator, e.g. `"StringEquals"`<br>      • `variable`: (Required) Context variable to apply the condition to<br>      • `values`: (Required) List of values to compare against<br>    • `not_actions`: (Optional) List of actions that the statement does not apply to<br>    • `not_principals`: (Optional) List of principals that the statement does not apply to<br>      • `identifiers`: (Required) List of principal identifiers<br>      • `type`: (Required) Type of principal (e.g. `"AWS"`, `"Service"`)<br>    • `not_resources`: (Optional) List of resources that the statement does not apply to<br>    • `principals`: (Optional) List of principals that the statement applies to<br>      • `identifiers`: (Required) List of principal identifiers<br>      • `type`: (Required) Type of principal (e.g. `"AWS"`, `"Service"`)<br>    • `resources`: (Optional) List of resources that the statement applies to<br>  • `bypass_policy_lockout_safety_check`: (Optional) A flag to indicate whether to bypass the `aws:PrincipalArn` condition key policy lockout safety check. Setting this value to `true` increases the risk that the file system becomes locked | <pre>object({<br>  version                   = optional(string)<br>  override_policy_documents = optional(set(any))<br>  policy_id                 = optional(string)<br>  source_policy_documents   = optional(set(string))<br>  statements = optional(list(object({<br>    sid     = optional(string)<br>    effect  = optional(string)<br>    actions = optional(set(string))<br>    condition = optional(object({<br>      test     = string<br>      variable = string<br>      values   = set(string)<br>    }))<br>    not_actions = optional(set(any))<br>    not_principals = optional(set(object({<br>      identifiers = set(string)<br>      type        = string<br>    })))<br>    not_resources = optional(set(string))<br>    principals = optional(set(object({<br>      identifiers = set(string)<br>      type        = string<br>    })))<br>    resources = optional(set(string))<br>  })))<br>  bypass_policy_lockout_safety_check = optional(bool)<br>})</pre> | `null` | no |
| [protection](#input\_protection) | Configuration block for EFS file system protection settings. Supports the following settings:<br><br>  • `replication_overwrite`: (Optional) Indicates whether the destination file system can overwrite the source file system. Valid values:<br>    • `"ENABLED"`: Allows the destination file system to overwrite the source file system<br>    • `"DISABLED"`: Prevents the destination file system from overwriting the source file system | <pre>object({<br>  replication_overwrite = optional(string)<br>})</pre> | `null` | no |
| [provisioned\_throughput\_in\_mibps](#input\_provisioned\_throughput\_in\_mibps) | The throughput, measured in MiB/s, to provision for the file system. Only applicable with `throughput_mode` set to `"provisioned"` | `number` | `null` | no |
| [replication\_configuration](#input\_replication\_configuration) | Configuration block for EFS replication configuration. Supports the following settings:<br><br>  • `region`: (Optional) The AWS Region to replicate the file system to. Must be different from the source file system's region<br>  • `availability_zone_name`: (Optional) The availability zone in which the replica should be created. If specified, the replica will be created with One Zone storage. If omitted, regional storage will be used<br>  • `file_system_id`: (Optional) The ID of an existing file system to use as the destination for replication. If not specified, a new file system will be created with default settings<br>  • `kms_key_id`: (Optional) The ARN, ID, alias, or alias ARN of the AWS KMS key used to encrypt the destination file system. If not specified, the AWS managed key for EFS (`aws/elasticfilesystem`) is used<br>  • `timeouts`: (Optional) Configuration block for operation timeouts<br>    • `create`: (Optional) Time to wait for replication to be created. Must be a string specifying hours (h), minutes (m) or seconds (s)<br>    • `delete`: (Optional) Time to wait for replication to be deleted. Must be a string specifying hours (h), minutes (m) or seconds (s) | <pre>object({<br>  region                 = optional(string)<br>  availability_zone_name = optional(string)<br>  file_system_id         = optional(string)<br>  kms_key_id             = optional(string)<br>  timeouts = optional(object({<br>    create = optional(string)<br>    delete = optional(string)<br>  }))<br>})</pre> | `null` | no |
| [security\_group\_configuration](#input\_security\_group\_configuration) | Configuration for the AWS security group attached to the mount targets, with flexible rule management:<br><br>  • `description`: (Optional) The description of the security group<br>  • `name_prefix`: (Optional) The prefix for generating a unique security group name<br>  • `name`: (Optional) The exact name for the security group<br>  • `vpc_id`: (Optional) The VPC ID where the security group will be created<br>  • `ingress_rules`: (Optional) The map of security group ingress rules (protocol and port are fixed to NFS, TCP 2049, by the module)<br>    • `description`: (Optional) The description for the individual rule<br>    • `cidr_blocks`: (Optional) The IPv4 CIDR ranges for the rule<br>    • `ipv6_cidr_blocks`: (Optional) The IPv6 CIDR ranges for the rule<br>    • `prefix_list_ids`: (Optional) The referenced prefix lists<br>    • `self`: (Optional) Whether the rule references the security group itself<br>    • `source_security_group_id`: (Optional) The source security group for the rule<br>  • `egress_rules`: (Optional) The map of security group egress rules with granular configuration<br>    • `description`: (Optional) The description for the individual rule<br>    • `protocol`: (Required) The protocol for the rule (e.g. `"tcp"`)<br>    • `from_port`: (Required) The start port for the rule (e.g. `"80"`)<br>    • `to_port`: (Required) The end port for the rule (e.g. `"80"`)<br>    • `cidr_blocks`: (Optional) The IPv4 CIDR ranges for the rule<br>    • `ipv6_cidr_blocks`: (Optional) The IPv6 CIDR ranges for the rule<br>    • `prefix_list_ids`: (Optional) The referenced prefix lists<br>    • `self`: (Optional) Whether the rule references the security group itself<br>    • `source_security_group_id`: (Optional) The destination security group for the rule | <pre>object({<br>  description = optional(string)<br>  name_prefix = optional(string)<br>  name        = optional(string)<br>  vpc_id      = optional(string)<br>  ingress_rules = optional(map(object({<br>    description              = optional(string)<br>    cidr_blocks              = optional(set(string))<br>    ipv6_cidr_blocks         = optional(set(string))<br>    prefix_list_ids          = optional(set(string))<br>    self                     = optional(bool)<br>    source_security_group_id = optional(string)<br>  })))<br>  egress_rules = optional(map(object({<br>    description              = optional(string)<br>    protocol                 = string<br>    from_port                = string<br>    to_port                  = string<br>    cidr_blocks              = optional(set(string))<br>    ipv6_cidr_blocks         = optional(set(string))<br>    prefix_list_ids          = optional(set(string))<br>    self                     = optional(bool)<br>    source_security_group_id = optional(string)<br>  })))<br>})</pre> | `null` | no |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| [throughput\_mode](#input\_throughput\_mode) | Throughput mode for the file system. Valid values: `"bursting"`, `"provisioned"`, or `"elastic"`. When using `"provisioned"`, also set `provisioned_throughput_in_mibps`. Defaults to `"bursting"` | `string` | `"bursting"` | no |
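The `policy_configuration` and `security_group_configuration` inputs are where the file system's security boundary is actually set: the file system policy decides which IAM principals may mount and whether unencrypted NFS is tolerated, and the mount-target security group decides which hosts can reach TCP 2049 at all. The following is an added example, not code from this module's README or its `examples` directory, showing a hardened invocation of the module that uses only the inputs documented above. The module source path, VPC, security group and IAM role identifiers are placeholders, and the comment about the mount-target security group's egress relies on the AWS provider's documented behaviour of removing the default allow-all egress rule from security groups it creates, which this README does not itself state.

```hcl
# Added example (not part of the module's README or examples): a hardened
# invocation of the module. VPC, security group and role IDs are placeholders.
module "efs_hardened" {
  source = "../.."

  name                     = "hardened-elastic-file-system"
  encrypted                = true # no kms_key_id: the AWS managed EFS key is used
  enable_automatic_backups = true

  # One access point per workload. The POSIX identity set here replaces the
  # UID/GID the NFS client claims, so a client cannot pick another owner.
  access_points = {
    app = {
      name = "app"
      posix_user = {
        uid = 1001
        gid = 1001
      }
      root_directory = {
        path = "/app"
        creation_info = {
          owner_uid   = 1001
          owner_gid   = 1001
          permissions = "0750"
        }
      }
    }
  }

  # File system policy: allow one role to mount and write, and deny any
  # request that is not encrypted in transit. As in the README's own usage
  # example, the statements carry no explicit `resources` list.
  policy_configuration = {
    version = "2012-10-17"
    statements = [
      {
        sid    = "AllowAppRoleViaMountTarget"
        effect = "Allow"
        actions = [
          "elasticfilesystem:ClientMount",
          "elasticfilesystem:ClientWrite",
        ]
        principals = [
          {
            type        = "AWS"
            identifiers = ["arn:aws:iam::111122223333:role/ExampleEFSRole"]
          }
        ]
        # Honour the role only when it arrives through a mount target in the
        # VPC, not through any other EFS data path.
        condition = {
          test     = "Bool"
          variable = "elasticfilesystem:AccessedViaMountTarget"
          values   = ["true"]
        }
      },
      {
        sid     = "DenyUnencryptedTransport"
        effect  = "Deny"
        actions = ["*"]
        principals = [
          {
            type        = "AWS"
            identifiers = ["*"]
          }
        ]
        # Explicit Deny beats the Allow above: a client that mounts without
        # TLS (no `-o tls` via efs-utils) is refused even with the right role.
        condition = {
          test     = "Bool"
          variable = "aws:SecureTransport"
          values   = ["false"]
        }
      }
    ]
    # Keep the lockout check on; `true` lets a policy be applied that locks
    # the deploying principal out of further PutFileSystemPolicy calls.
    bypass_policy_lockout_safety_check = false
  }

  # Mount-target security group: the module fixes ingress to TCP 2049, so the
  # only choice left is the source. Reference the application's security
  # group rather than a CIDR so that any host in the subnet cannot mount.
  # No egress rules are declared: security groups are stateful, so replies
  # to accepted NFS sessions need no allow-all 0.0.0.0/0 egress rule.
  security_group_configuration = {
    name_prefix = "efs-hardened-"
    description = "NFS from the application security group only"
    vpc_id      = "vpc-1234567890"
    ingress_rules = {
      from_app = {
        description              = "Allow NFS from application instances"
        source_security_group_id = "sg-0123456789abcdef0" # placeholder app SG
      }
    }
  }

  tags = {
    CreatedBy = "Terraform"
  }
}
```

Clients must then mount with IAM authorization and TLS (`mount -t efs -o tls,iam ...` with efs-utils) using credentials for `ExampleEFSRole`; an anonymous or plaintext mount matches neither the Allow statement nor survives the Deny. `terraform validate` catches type errors against the object constraints above before any `apply`, and `aws efs describe-file-system-policy --file-system-id <id>` shows the policy document the module actually attached.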

## Outputs

| Name | Description |
|------|-------------|
| [access\_points\_arns](#output\_access\_points\_arns) | The ARN(s) of the access point(s) |
| [access\_points\_file\_system\_arn](#output\_access\_points\_file\_system\_arn) | The Amazon Resource Name (ARN) of the EFS file system associated with the access point(s) |
| [access\_points\_file\_system\_ids](#output\_access\_points\_file\_system\_ids) | The ID(s) of the access point(s) |
| [backup\_policy\_id](#output\_backup\_policy\_id) | The ID of the backup policy |
| [file\_system\_arn](#output\_file\_system\_arn) | The Amazon Resource Name (ARN) of the file system |
| [file\_system\_availability\_zone\_id](#output\_file\_system\_availability\_zone\_id) | The identifier of the Availability Zone in which the file system's One Zone storage classes exist |
| [file\_system\_dns\_name](#output\_file\_system\_dns\_name) | The DNS name for the filesystem per documented convention |
| [file\_system\_id](#output\_file\_system\_id) | The ID that identifies the file system |
| [file\_system\_name](#output\_file\_system\_name) | The value of the file system's `Name` tag |
| [file\_system\_number\_of\_mount\_targets](#output\_file\_system\_number\_of\_mount\_targets) | The current number of mount targets that the file system has |
| [file\_system\_owner\_id](#output\_file\_system\_owner\_id) | The AWS account that created the file system. If the file system was created by an IAM user, the parent account to which the user belongs is the owner |
| [file\_system\_policy\_id](#output\_file\_system\_policy\_id) | The ID that identifies the file system policy |
| [file\_system\_size\_in\_bytes](#output\_file\_system\_size\_in\_bytes) | The latest known metered size (in bytes) of data stored in the file system, the value is not the exact size that the file system was at any point in time |
| [mount\_targets\_availability\_zone\_ids](#output\_mount\_targets\_availability\_zone\_ids) | The unique and consistent identifier of the Availability Zone(s) that the mount target(s) reside in |
| [mount\_targets\_availability\_zone\_names](#output\_mount\_targets\_availability\_zone\_names) | The name(s) of the Availability Zone(s) that the mount target(s) reside in |
| [mount\_targets\_dns\_names](#output\_mount\_targets\_dns\_names) | The DNS name(s) for the mount target(s) in each subnet/AZ, following the format `[az].[filesystem-id].efs.[region].amazonaws.com` |
| [mount\_targets\_file\_system\_arn](#output\_mount\_targets\_file\_system\_arn) | The Amazon Resource Name (ARN) of the EFS file system associated with the mount target(s). This will be the same ARN for all mount targets in a file system |
| [mount\_targets\_file\_system\_dns\_name](#output\_mount\_targets\_file\_system\_dns\_name) | The DNS name for the EFS file system, which can be used to mount the file system using the NFS protocol. This is the same for all mount targets in a file system |
| [mount\_targets\_ids](#output\_mount\_targets\_ids) | The ID(s) of the mount target(s) |
| [mount\_targets\_network\_interface\_ids](#output\_mount\_targets\_network\_interface\_ids) | The ID(s) of the ENI(s) that AWS EFS automatically created and attached when provisioning the mount target(s). This ENI enables network connectivity to the EFS file system |
| [mount\_targets\_owner\_id](#output\_mount\_targets\_owner\_id) | The AWS account ID that owns the mount target(s) |
| [replication\_configuration\_creation\_time](#output\_replication\_configuration\_creation\_time) | The timestamp indicating when the replication configuration was initially created (expressed in Unix timestamp format) |
| [replication\_configuration\_destination\_file\_system\_id](#output\_replication\_configuration\_destination\_file\_system\_id) | The file system ID of the destination EFS replica created by the replication configuration |
| [replication\_configuration\_destination\_status](#output\_replication\_configuration\_destination\_status) | The current status of the EFS replication configuration destination |
| [replication\_configuration\_original\_source\_file\_system\_arn](#output\_replication\_configuration\_original\_source\_file\_system\_arn) | The Amazon Resource Name (ARN) of the original source Amazon EFS file system in the replication configuration |
| [replication\_configuration\_source\_file\_system\_arn](#output\_replication\_configuration\_source\_file\_system\_arn) | The Amazon Resource Name (ARN) of the current source file system in the replication configuration |
| [replication\_configuration\_source\_file\_system\_region](#output\_replication\_configuration\_source\_file\_system\_region) | The AWS Region in which the source Amazon EFS file system is located |
| [tags\_all](#output\_tags\_all) | A map of tags assigned to the resource |