Terraform module which creates AWS EFS (elastic file system) resources.
See examples
directory for working examples to reference:
module "efs" {
source = "terraform-aws-modules/efs/aws"
# File system
name = "example"
creation_token = "example-token"
encrypted = true
kms_key_arn = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
# performance_mode = "maxIO"
# NB! PROVISIONED TROUGHPUT MODE WITH 256 MIBPS IS EXPENSIVE ~$1500/month
# throughput_mode = "provisioned"
# provisioned_throughput_in_mibps = 256
lifecycle_policy = {
transition_to_ia = "AFTER_30_DAYS"
}
# File system policy
attach_policy = true
bypass_policy_lockout_safety_check = false
policy_statements = [
{
sid = "Example"
actions = ["elasticfilesystem:ClientMount"]
principals = [
{
type = "AWS"
identifiers = ["arn:aws:iam::111122223333:role/EfsReadOnly"]
}
]
}
]
# Mount targets / security group
mount_targets = {
"eu-west-1a" = {
subnet_id = "subnet-abcde012"
}
"eu-west-1b" = {
subnet_id = "subnet-bcde012a"
}
"eu-west-1c" = {
subnet_id = "subnet-fghi345a"
}
}
security_group_description = "Example EFS security group"
security_group_vpc_id = "vpc-1234556abcdef"
security_group_rules = {
vpc = {
# relying on the defaults provdied for EFS/NFS (2049/TCP + ingress)
description = "NFS ingress from VPC private subnets"
cidr_blocks = ["10.99.3.0/24", "10.99.4.0/24", "10.99.5.0/24"]
}
}
# Access point(s)
access_points = {
posix_example = {
name = "posix-example"
posix_user = {
gid = 1001
uid = 1001
secondary_gids = [1002]
}
tags = {
Additionl = "yes"
}
}
root_example = {
root_directory = {
path = "/example"
creation_info = {
owner_gid = 1001
owner_uid = 1001
permissions = "755"
}
}
}
}
# Backup policy
enable_backup_policy = true
# Replication configuration
create_replication_configuration = true
replication_configuration_destination = {
region = "eu-west-2"
}
tags = {
Terraform = "true"
Environment = "dev"
}
}
Examples codified under the examples
are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 5.35 |
Name | Version |
---|---|
aws | >= 5.35 |
No modules.
Name | Type |
---|---|
aws_efs_access_point.this | resource |
aws_efs_backup_policy.this | resource |
aws_efs_file_system.this | resource |
aws_efs_file_system_policy.this | resource |
aws_efs_mount_target.this | resource |
aws_efs_replication_configuration.this | resource |
aws_security_group.this | resource |
aws_security_group_rule.this | resource |
aws_iam_policy_document.policy | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_points | A map of access point definitions to create | any |
{} |
no |
attach_policy | Determines whether a policy is attached to the file system | bool |
true |
no |
availability_zone_name | The AWS Availability Zone in which to create the file system. Used to create a file system that uses One Zone storage classes | string |
null |
no |
bypass_policy_lockout_safety_check | A flag to indicate whether to bypass the aws_efs_file_system_policy lockout safety check. Defaults to false |
bool |
null |
no |
create | Determines whether resources will be created (affects all resources) | bool |
true |
no |
create_backup_policy | Determines whether a backup policy is created | bool |
true |
no |
create_replication_configuration | Determines whether a replication configuration is created | bool |
false |
no |
create_security_group | Determines whether a security group is created | bool |
true |
no |
creation_token | A unique name (a maximum of 64 characters are allowed) used as reference when creating the Elastic File System to ensure idempotent file system creation. By default generated by Terraform | string |
null |
no |
deny_nonsecure_transport | Determines whether aws:SecureTransport is required when connecting to elastic file system |
bool |
true |
no |
deny_nonsecure_transport_via_mount_target | Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target | bool |
true |
no |
enable_backup_policy | Determines whether a backup policy is ENABLED or DISABLED |
bool |
true |
no |
encrypted | If true , the disk will be encrypted |
bool |
true |
no |
kms_key_arn | The ARN for the KMS encryption key. When specifying kms_key_arn , encrypted needs to be set to true |
string |
null |
no |
lifecycle_policy | A file system lifecycle policy object | any |
{} |
no |
mount_targets | A map of mount target definitions to create | any |
{} |
no |
name | The name of the file system | string |
"" |
no |
override_policy_documents | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sid s will override statements with the same sid |
list(string) |
[] |
no |
performance_mode | The file system performance mode. Can be either generalPurpose or maxIO . Default is generalPurpose |
string |
null |
no |
policy_statements | A list of IAM policy statements for custom permission usage | any |
[] |
no |
provisioned_throughput_in_mibps | The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with throughput_mode set to provisioned |
number |
null |
no |
replication_configuration_destination | A destination configuration block | any |
{} |
no |
security_group_description | Security group description. Defaults to Managed by Terraform | string |
null |
no |
security_group_name | Name to assign to the security group. If omitted, Terraform will assign a random, unique name | string |
null |
no |
security_group_rules | Map of security group rule definitions to create | any |
{} |
no |
security_group_use_name_prefix | Determines whether to use a name prefix for the security group. If true , the security_group_name value will be used as a prefix |
bool |
false |
no |
security_group_vpc_id | The VPC ID where the security group will be created | string |
null |
no |
source_policy_documents | List of IAM policy documents that are merged together into the exported document. Statements must have unique sid s |
list(string) |
[] |
no |
tags | A map of tags to add to all resources | map(string) |
{} |
no |
throughput_mode | Throughput mode for the file system. Defaults to bursting . Valid values: bursting , elastic , and provisioned . When using provisioned , also set provisioned_throughput_in_mibps |
string |
null |
no |
Name | Description |
---|---|
access_points | Map of access points created and their attributes |
arn | Amazon Resource Name of the file system |
dns_name | The DNS name for the filesystem per documented convention |
id | The ID that identifies the file system (e.g., fs-ccfc0d65 ) |
mount_targets | Map of mount targets created and their attributes |
replication_configuration_destination_file_system_id | The file system ID of the replica |
security_group_arn | ARN of the security group |
security_group_id | ID of the security group |
size_in_bytes | The latest known metered size (in bytes) of data stored in the file system, the value is not the exact size that the file system was at any point in time |
Apache-2.0 Licensed. See LICENSE.