Skip to main content
Data Storage Modules 0.42.0Last updated in version 0.40.5

EFS Module

View Source Release Notes

This module creates an Amazon Elastic File System (EFS) with mount targets across multiple availability zones for NFSv4-compatible shared storage.

What This Module Creates

  • EFS file system
  • Mount targets in specified subnets
  • Security group for access control
  • Optional KMS encryption
  • Optional lifecycle policies
  • Optional backup policies

Usage

module "efs" {
  source = "../modules/efs"

  name       = "my-efs"
  vpc_id     = var.vpc_id
  subnet_ids = var.private_subnet_ids

  # Security
  allow_connections_from_security_groups = [var.app_security_group_id]
  allow_connections_from_cidr_blocks     = ["10.0.0.0/16"]

  # Encryption
  storage_encrypted = true
  kms_key_arn      = var.kms_key_arn

  # Performance
  performance_mode = "generalPurpose"
  throughput_mode  = "bursting"
}

Key Variables

Required

  • name - EFS file system name
  • vpc_id - VPC for deployment
  • subnet_ids - Subnets for mount targets (one per AZ)

Security

  • allow_connections_from_security_groups - Security groups that can mount
  • allow_connections_from_cidr_blocks - CIDR blocks that can mount
  • storage_encrypted - Enable encryption at rest
  • kms_key_arn - Custom KMS key for encryption

Performance

  • performance_mode - generalPurpose or maxIO
  • throughput_mode - bursting, provisioned, or elastic
  • provisioned_throughput_in_mibps - For provisioned mode

Outputs

  • file_system_id - EFS file system ID
  • file_system_dns_name - DNS name for mounting
  • file_system_arn - EFS ARN
  • security_group_id - Security group ID
  • mount_target_ids - List of mount target IDs

Mounting

# Mount using DNS name
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-12345678.efs.us-east-1.amazonaws.com:/ /mnt/efs

Common Issues

  • Mount hangs: Check security group rules allow NFS (port 2049)
  • Performance: Use maxIO mode for workloads with >7000 ops/sec
  • Cross-AZ costs: Data transfer between AZs incurs charges
  • Kubernetes: Use EFS CSI driver for EKS integration

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EFS MODULE
# ------------------------------------------------------------------------------------------------------

module "efs" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/efs?ref=v0.42.0"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The name used to namespace all resources created by these templates,
  # including the EFS file system. Must be unique for this region. May contain
  # only lowercase alphanumeric characters, hyphens, underscores, periods, and
  # spaces.
  name = <string>

  # A list of subnet ids where the file system should be deployed. In the
  # standard Gruntwork VPC setup, these should be the private persistence subnet
  # ids.
  subnet_ids = <list(string)>

  # The id of the VPC in which this file system should be deployed.
  vpc_id = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # (Optional) Allow access to the EFS file system via mount targets. If set to
  # true, any clients connecting to a mount target (i.e. from within the private
  # app subnet) will be allowed access.
  allow_access_via_mount_target = false

  # A list of CIDR-formatted IP address ranges that can connect to this file
  # system. Should typically be the CIDR blocks of the private app subnet in
  # this VPC plus the private subnet in the mgmt VPC.
  allow_connections_from_cidr_blocks = []

  # A list of Security Groups that can connect to this file system.
  allow_connections_from_security_groups = []

  # The description of the aws_efs_security_group that is created. Defaults to
  # 'Security group for the var.name file system' if not specified.
  aws_efs_security_group_description = null

  # The name of the aws_efs_security_group that is created. Defaults to var.name
  # if not specified.
  aws_efs_security_group_name = null

  # A map of custom tags to apply to the EFS file system and the Security Group
  # created for it. The key is the tag name and the value is the tag value.
  custom_tags = {}

  # (Optional) A list of EFS access points to be created and their settings.
  # This is a map where the keys are the access point names and the values are
  # objects that should have the fields described in
  # https://www.terraform.io/docs/providers/aws/r/efs_access_point.html.
  efs_access_points = {}

  # Enforce in-transit encryption for all clients connecting to this EFS file
  # system. If set to true, any clients connecting without in-transit encryption
  # will be denied via an IAM policy.
  enforce_in_transit_encryption = true

  # The ARN of a KMS key that should be used to encrypt data on disk. Only used
  # if var.storage_encrypted is true. If you leave this blank, the default EFS
  # KMS key for the account will be used.
  kms_key_arn = null

  # The file system performance mode. Can be either "generalPurpose" or "maxIO".
  # For more details:
  # https://docs.aws.amazon.com/efs/latest/ug/performance.html#performancemodes
  performance_mode = "generalPurpose"

  # Indicates whether replication overwrite protection is enabled
  protection_replication_overwrite = false

  # The throughput, measured in MiB/s, that you want to provision for the file
  # system. Only applicable with "throughput_mode" set to "provisioned".
  provisioned_throughput_in_mibps = null

  # Specifies whether the EFS file system is encrypted.
  storage_encrypted = true

  # Throughput mode for the file system. Valid values: "bursting",
  # "provisioned". When using "provisioned", also set
  # "provisioned_throughput_in_mibps".
  throughput_mode = "bursting"

  # If specified, files will be transitioned to the archive storage class after
  # the designated time. Requires `var.transition_to_ia`, `elastic` in
  # `var.throughput_mode` and `generalPurpose` in  `performance_mode`. Valid
  # values: AFTER_1_DAY, AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS,
  # AFTER_60_DAYS, AFTER_90_DAYS, AFTER_180_DAYS, AFTER_270_DAYS, or
  # AFTER_365_DAYS.
  transition_to_archive = null

  # If specified, files will be transitioned to the IA storage class after the
  # designated time. Valid values: AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS,
  # AFTER_60_DAYS, or AFTER_90_DAYS.
  transition_to_ia = null

}


Reference

Required

namestringrequired

The name used to namespace all resources created by these templates, including the EFS file system. Must be unique for this region. May contain only lowercase alphanumeric characters, hyphens, underscores, periods, and spaces.

subnet_idslist(string)required

A list of subnet ids where the file system should be deployed. In the standard Gruntwork VPC setup, these should be the private persistence subnet ids.

vpc_idstringrequired

The id of the VPC in which this file system should be deployed.

Optional

(Optional) Allow access to the EFS file system via mount targets. If set to true, any clients connecting to a mount target (i.e. from within the private app subnet) will be allowed access.

false

A list of CIDR-formatted IP address ranges that can connect to this file system. Should typically be the CIDR blocks of the private app subnet in this VPC plus the private subnet in the mgmt VPC.

[]

A list of Security Groups that can connect to this file system.

[]

The description of the aws_efs_security_group that is created. Defaults to 'Security group for the name file system' if not specified.

null

The name of the aws_efs_security_group that is created. Defaults to name if not specified.

null
custom_tagsmap(string)optional

A map of custom tags to apply to the EFS file system and the Security Group created for it. The key is the tag name and the value is the tag value.

{}
efs_access_pointsmap(object(…))optional

(Optional) A list of EFS access points to be created and their settings. This is a map where the keys are the access point names and the values are objects that should have the fields described in https://www.terraform.io/docs/providers/aws/r/efs_access_point.html.

map(object({
    root_access_arns       = list(string)
    read_write_access_arns = list(string)
    read_only_access_arns  = list(string)
    posix_user = object({
      uid            = number
      gid            = number
      secondary_gids = list(number)
    })
    root_directory = object({
      path        = string
      owner_uid   = number
      owner_gid   = number
      permissions = number
    })
  }))
{}
Example
   efs_access_points = {
     jenkins = {
       root_access_arns = []
       read_write_access_arns = [
         "arn:aws:iam::123456789101:role/jenkins-iam-role",
       ]
       read_only_access_arns = []
       posix_user = {
         uid            = 1000
         gid            = 1000
         secondary_gids = []
       },
       root_directory = {
         path = "/jenkins"
         owner_uid   = 1000
         owner_gid   = 1000
         permissions = 755
       }
     }
   }

Enforce in-transit encryption for all clients connecting to this EFS file system. If set to true, any clients connecting without in-transit encryption will be denied via an IAM policy.

true
kms_key_arnstringoptional

The ARN of a KMS key that should be used to encrypt data on disk. Only used if storage_encrypted is true. If you leave this blank, the default EFS KMS key for the account will be used.

null
performance_modestringoptional

The file system performance mode. Can be either 'generalPurpose' or 'maxIO'. For more details: https://docs.aws.amazon.com/efs/latest/ug/performance.html#performancemodes

"generalPurpose"

Indicates whether replication overwrite protection is enabled

false

The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with 'throughput_mode' set to 'provisioned'.

null
storage_encryptedbooloptional

Specifies whether the EFS file system is encrypted.

true
throughput_modestringoptional

Throughput mode for the file system. Valid values: 'bursting', 'provisioned'. When using 'provisioned', also set 'provisioned_throughput_in_mibps'.

"bursting"
transition_to_archivestringoptional

If specified, files will be transitioned to the archive storage class after the designated time. Requires <a href="#transition_to_ia"><code>transition_to_ia</code></a>, elastic in <a href="#throughput_mode"><code>throughput_mode</code></a> and generalPurpose in performance_mode. Valid values: AFTER_1_DAY, AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS, AFTER_60_DAYS, AFTER_90_DAYS, AFTER_180_DAYS, AFTER_270_DAYS, or AFTER_365_DAYS.

null
transition_to_iastringoptional

If specified, files will be transitioned to the IA storage class after the designated time. Valid values: AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS, AFTER_60_DAYS, or AFTER_90_DAYS.

null