EFS Module
This module creates an Amazon Elastic File System (EFS) file system that provides NFSv4-compatible storage that can be used with other AWS services, such as EC2 instances.
EFS is also supported in Kubernetes via the EFS CSI driver. Among other features, it supports ReadWriteMany
and ReadOnlyMany
access modes in Kubernetes, allowing a volume to be attached to multiple pods (even across AZs) for failover/redundancy purposes. It also supports encryption-in-transit for an additional layer of security.
Features
-
Create a managed NFSv4-compliant file system
-
Supports encryption-at-rest and encryption-in-transit
-
Automatic failover to another availability zone
Learn
Note
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
Core concepts
- EFS documentation: Amazon’s docs for EFS that cover core concepts such as performance modes, throughput modes, mounting file systems, etc.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this repo out for experimenting and learning, check out the following resources:
- examples folder: The
examples
folder contains sample code optimized for learning, experimenting, and testing (but not production usage).
Production deployment
If you want to deploy this repo in production, check out the following resources:
- efs module variables: Configuration variables available for the EFS module. At minimum, you should configure the
allow_connections_from_cidr_blocks
andallow_connections_from_security_groups
values to only allow access from your private VPC(s). You may also want to enablestorage_encrypted
to encrypt data at-rest.
Manage
Day-to-day operations
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EFS MODULE
# ------------------------------------------------------------------------------------------------------
module "efs" {
source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/efs?ref=v0.40.1"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The name used to namespace all resources created by these templates,
# including the EFS file system. Must be unique for this region. May contain
# only lowercase alphanumeric characters, hyphens, underscores, periods, and
# spaces.
name = <string>
# A list of subnet ids where the file system should be deployed. In the
# standard Gruntwork VPC setup, these should be the private persistence subnet
# ids.
subnet_ids = <list(string)>
# The id of the VPC in which this file system should be deployed.
vpc_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# (Optional) Allow access to the EFS file system via mount targets. If set to
# true, any clients connecting to a mount target (i.e. from within the private
# app subnet) will be allowed access.
allow_access_via_mount_target = false
# A list of CIDR-formatted IP address ranges that can connect to this file
# system. Should typically be the CIDR blocks of the private app subnet in
# this VPC plus the private subnet in the mgmt VPC.
allow_connections_from_cidr_blocks = []
# A list of Security Groups that can connect to this file system.
allow_connections_from_security_groups = []
# The description of the aws_efs_security_group that is created. Defaults to
# 'Security group for the var.name file system' if not specified.
aws_efs_security_group_description = null
# The name of the aws_efs_security_group that is created. Defaults to var.name
# if not specified.
aws_efs_security_group_name = null
# A map of custom tags to apply to the EFS file system and the Security Group
# created for it. The key is the tag name and the value is the tag value.
custom_tags = {}
# (Optional) A list of EFS access points to be created and their settings.
# This is a map where the keys are the access point names and the values are
# objects that should have the fields described in
# https://www.terraform.io/docs/providers/aws/r/efs_access_point.html.
efs_access_points = {}
# Enforce in-transit encryption for all clients connecting to this EFS file
# system. If set to true, any clients connecting without in-transit encryption
# will be denied via an IAM policy.
enforce_in_transit_encryption = true
# The ARN of a KMS key that should be used to encrypt data on disk. Only used
# if var.storage_encrypted is true. If you leave this blank, the default EFS
# KMS key for the account will be used.
kms_key_arn = null
# The file system performance mode. Can be either "generalPurpose" or "maxIO".
# For more details:
# https://docs.aws.amazon.com/efs/latest/ug/performance.html#performancemodes
performance_mode = "generalPurpose"
# Indicates whether replication overwrite protection is enabled
protection_replication_overwrite = false
# The throughput, measured in MiB/s, that you want to provision for the file
# system. Only applicable with "throughput_mode" set to "provisioned".
provisioned_throughput_in_mibps = null
# Specifies whether the EFS file system is encrypted.
storage_encrypted = true
# Throughput mode for the file system. Valid values: "bursting",
# "provisioned". When using "provisioned", also set
# "provisioned_throughput_in_mibps".
throughput_mode = "bursting"
# If specified, files will be transitioned to the archive storage class after
# the designated time. Requires `var.transition_to_ia`, `elastic` in
# `var.throughput_mode` and `generalPurpose` in `performance_mode`. Valid
# values: AFTER_1_DAY, AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS,
# AFTER_60_DAYS, AFTER_90_DAYS, AFTER_180_DAYS, AFTER_270_DAYS, or
# AFTER_365_DAYS.
transition_to_archive = null
# If specified, files will be transitioned to the IA storage class after the
# designated time. Valid values: AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS,
# AFTER_60_DAYS, or AFTER_90_DAYS.
transition_to_ia = null
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EFS MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/efs?ref=v0.40.1"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The name used to namespace all resources created by these templates,
# including the EFS file system. Must be unique for this region. May contain
# only lowercase alphanumeric characters, hyphens, underscores, periods, and
# spaces.
name = <string>
# A list of subnet ids where the file system should be deployed. In the
# standard Gruntwork VPC setup, these should be the private persistence subnet
# ids.
subnet_ids = <list(string)>
# The id of the VPC in which this file system should be deployed.
vpc_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# (Optional) Allow access to the EFS file system via mount targets. If set to
# true, any clients connecting to a mount target (i.e. from within the private
# app subnet) will be allowed access.
allow_access_via_mount_target = false
# A list of CIDR-formatted IP address ranges that can connect to this file
# system. Should typically be the CIDR blocks of the private app subnet in
# this VPC plus the private subnet in the mgmt VPC.
allow_connections_from_cidr_blocks = []
# A list of Security Groups that can connect to this file system.
allow_connections_from_security_groups = []
# The description of the aws_efs_security_group that is created. Defaults to
# 'Security group for the var.name file system' if not specified.
aws_efs_security_group_description = null
# The name of the aws_efs_security_group that is created. Defaults to var.name
# if not specified.
aws_efs_security_group_name = null
# A map of custom tags to apply to the EFS file system and the Security Group
# created for it. The key is the tag name and the value is the tag value.
custom_tags = {}
# (Optional) A list of EFS access points to be created and their settings.
# This is a map where the keys are the access point names and the values are
# objects that should have the fields described in
# https://www.terraform.io/docs/providers/aws/r/efs_access_point.html.
efs_access_points = {}
# Enforce in-transit encryption for all clients connecting to this EFS file
# system. If set to true, any clients connecting without in-transit encryption
# will be denied via an IAM policy.
enforce_in_transit_encryption = true
# The ARN of a KMS key that should be used to encrypt data on disk. Only used
# if var.storage_encrypted is true. If you leave this blank, the default EFS
# KMS key for the account will be used.
kms_key_arn = null
# The file system performance mode. Can be either "generalPurpose" or "maxIO".
# For more details:
# https://docs.aws.amazon.com/efs/latest/ug/performance.html#performancemodes
performance_mode = "generalPurpose"
# Indicates whether replication overwrite protection is enabled
protection_replication_overwrite = false
# The throughput, measured in MiB/s, that you want to provision for the file
# system. Only applicable with "throughput_mode" set to "provisioned".
provisioned_throughput_in_mibps = null
# Specifies whether the EFS file system is encrypted.
storage_encrypted = true
# Throughput mode for the file system. Valid values: "bursting",
# "provisioned". When using "provisioned", also set
# "provisioned_throughput_in_mibps".
throughput_mode = "bursting"
# If specified, files will be transitioned to the archive storage class after
# the designated time. Requires `var.transition_to_ia`, `elastic` in
# `var.throughput_mode` and `generalPurpose` in `performance_mode`. Valid
# values: AFTER_1_DAY, AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS,
# AFTER_60_DAYS, AFTER_90_DAYS, AFTER_180_DAYS, AFTER_270_DAYS, or
# AFTER_365_DAYS.
transition_to_archive = null
# If specified, files will be transitioned to the IA storage class after the
# designated time. Valid values: AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS,
# AFTER_60_DAYS, or AFTER_90_DAYS.
transition_to_ia = null
}
Reference
- Inputs
- Outputs
Required
name
stringThe name used to namespace all resources created by these templates, including the EFS file system. Must be unique for this region. May contain only lowercase alphanumeric characters, hyphens, underscores, periods, and spaces.
subnet_ids
list(string)A list of subnet ids where the file system should be deployed. In the standard Gruntwork VPC setup, these should be the private persistence subnet ids.
vpc_id
stringThe id of the VPC in which this file system should be deployed.
Optional
(Optional) Allow access to the EFS file system via mount targets. If set to true, any clients connecting to a mount target (i.e. from within the private app subnet) will be allowed access.
false
allow_connections_from_cidr_blocks
list(string)A list of CIDR-formatted IP address ranges that can connect to this file system. Should typically be the CIDR blocks of the private app subnet in this VPC plus the private subnet in the mgmt VPC.
[]
allow_connections_from_security_groups
list(string)A list of Security Groups that can connect to this file system.
[]
The description of the aws_efs_security_group that is created. Defaults to 'Security group for the name
file system' if not specified.
null
The name of the aws_efs_security_group that is created. Defaults to name
if not specified.
null
custom_tags
map(string)A map of custom tags to apply to the EFS file system and the Security Group created for it. The key is the tag name and the value is the tag value.
{}
efs_access_points
map(object(…))(Optional) A list of EFS access points to be created and their settings. This is a map where the keys are the access point names and the values are objects that should have the fields described in https://www.terraform.io/docs/providers/aws/r/efs_access_point.html.
map(object({
root_access_arns = list(string)
read_write_access_arns = list(string)
read_only_access_arns = list(string)
posix_user = object({
uid = number
gid = number
secondary_gids = list(number)
})
root_directory = object({
path = string
owner_uid = number
owner_gid = number
permissions = number
})
}))
{}
Example
efs_access_points = {
jenkins = {
root_access_arns = []
read_write_access_arns = [
"arn:aws:iam::123456789101:role/jenkins-iam-role",
]
read_only_access_arns = []
posix_user = {
uid = 1000
gid = 1000
secondary_gids = []
},
root_directory = {
path = "/jenkins"
owner_uid = 1000
owner_gid = 1000
permissions = 755
}
}
}
Enforce in-transit encryption for all clients connecting to this EFS file system. If set to true, any clients connecting without in-transit encryption will be denied via an IAM policy.
true
kms_key_arn
stringThe ARN of a KMS key that should be used to encrypt data on disk. Only used if storage_encrypted
is true. If you leave this blank, the default EFS KMS key for the account will be used.
null
performance_mode
stringThe file system performance mode. Can be either 'generalPurpose' or 'maxIO'. For more details: https://docs.aws.amazon.com/efs/latest/ug/performance.html#performancemodes
"generalPurpose"
Indicates whether replication overwrite protection is enabled
false
The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with 'throughput_mode' set to 'provisioned'.
null
Specifies whether the EFS file system is encrypted.
true
throughput_mode
stringThroughput mode for the file system. Valid values: 'bursting', 'provisioned'. When using 'provisioned', also set 'provisioned_throughput_in_mibps'.
"bursting"
transition_to_archive
stringIf specified, files will be transitioned to the archive storage class after the designated time. Requires <a href="#transition_to_ia"><code>transition_to_ia</code></a>
, elastic
in <a href="#throughput_mode"><code>throughput_mode</code></a>
and generalPurpose
in performance_mode
. Valid values: AFTER_1_DAY, AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS, AFTER_60_DAYS, AFTER_90_DAYS, AFTER_180_DAYS, AFTER_270_DAYS, or AFTER_365_DAYS.
null
transition_to_ia
stringIf specified, files will be transitioned to the IA storage class after the designated time. Valid values: AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS, AFTER_60_DAYS, or AFTER_90_DAYS.
null
A map of EFS access point names to the IDs of the access point (e.g. fsap-52a643fb) for that name.
Amazon Resource Name of the file system.
The DNS name for the filesystem per documented convention: http://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html
The ID that identifies the file system (e.g. fs-ccfc0d65).
The IDs of the mount targets (e.g. fsmt-f9a14450).
The IDs of the security groups created for the file system.