Skip to main content
Data Storage Modules 0.40.1Last updated in version 0.36.0

EFS Module

View Source Release Notes

This module creates an Amazon Elastic File System (EFS) file system that provides NFSv4-compatible storage that can be used with other AWS services, such as EC2 instances.

EFS is also supported in Kubernetes via the EFS CSI driver. Among other features, it supports ReadWriteMany and ReadOnlyMany access modes in Kubernetes, allowing a volume to be attached to multiple pods (even across AZs) for failover/redundancy purposes. It also supports encryption-in-transit for an additional layer of security.

Features

  • Create a managed NFSv4-compliant file system

  • Supports encryption-at-rest and encryption-in-transit

  • Automatic failover to another availability zone

Learn

Note

This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

  • EFS documentation: Amazon’s docs for EFS that cover core concepts such as performance modes, throughput modes, mounting file systems, etc.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this repo out for experimenting and learning, check out the following resources:

  • examples folder: The examples folder contains sample code optimized for learning, experimenting, and testing (but not production usage).

Production deployment

If you want to deploy this repo in production, check out the following resources:

  • efs module variables: Configuration variables available for the EFS module. At minimum, you should configure the allow_connections_from_cidr_blocks and allow_connections_from_security_groups values to only allow access from your private VPC(s). You may also want to enable storage_encrypted to encrypt data at-rest.

Manage

Day-to-day operations

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EFS MODULE
# ------------------------------------------------------------------------------------------------------

module "efs" {

source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/efs?ref=v0.40.1"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# The name used to namespace all resources created by these templates,
# including the EFS file system. Must be unique for this region. May contain
# only lowercase alphanumeric characters, hyphens, underscores, periods, and
# spaces.
name = <string>

# A list of subnet ids where the file system should be deployed. In the
# standard Gruntwork VPC setup, these should be the private persistence subnet
# ids.
subnet_ids = <list(string)>

# The id of the VPC in which this file system should be deployed.
vpc_id = <string>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# (Optional) Allow access to the EFS file system via mount targets. If set to
# true, any clients connecting to a mount target (i.e. from within the private
# app subnet) will be allowed access.
allow_access_via_mount_target = false

# A list of CIDR-formatted IP address ranges that can connect to this file
# system. Should typically be the CIDR blocks of the private app subnet in
# this VPC plus the private subnet in the mgmt VPC.
allow_connections_from_cidr_blocks = []

# A list of Security Groups that can connect to this file system.
allow_connections_from_security_groups = []

# The description of the aws_efs_security_group that is created. Defaults to
# 'Security group for the var.name file system' if not specified.
aws_efs_security_group_description = null

# The name of the aws_efs_security_group that is created. Defaults to var.name
# if not specified.
aws_efs_security_group_name = null

# A map of custom tags to apply to the EFS file system and the Security Group
# created for it. The key is the tag name and the value is the tag value.
custom_tags = {}

# (Optional) A list of EFS access points to be created and their settings.
# This is a map where the keys are the access point names and the values are
# objects that should have the fields described in
# https://www.terraform.io/docs/providers/aws/r/efs_access_point.html.
efs_access_points = {}

# Enforce in-transit encryption for all clients connecting to this EFS file
# system. If set to true, any clients connecting without in-transit encryption
# will be denied via an IAM policy.
enforce_in_transit_encryption = true

# The ARN of a KMS key that should be used to encrypt data on disk. Only used
# if var.storage_encrypted is true. If you leave this blank, the default EFS
# KMS key for the account will be used.
kms_key_arn = null

# The file system performance mode. Can be either "generalPurpose" or "maxIO".
# For more details:
# https://docs.aws.amazon.com/efs/latest/ug/performance.html#performancemodes
performance_mode = "generalPurpose"

# Indicates whether replication overwrite protection is enabled
protection_replication_overwrite = false

# The throughput, measured in MiB/s, that you want to provision for the file
# system. Only applicable with "throughput_mode" set to "provisioned".
provisioned_throughput_in_mibps = null

# Specifies whether the EFS file system is encrypted.
storage_encrypted = true

# Throughput mode for the file system. Valid values: "bursting",
# "provisioned". When using "provisioned", also set
# "provisioned_throughput_in_mibps".
throughput_mode = "bursting"

# If specified, files will be transitioned to the archive storage class after
# the designated time. Requires `var.transition_to_ia`, `elastic` in
# `var.throughput_mode` and `generalPurpose` in `performance_mode`. Valid
# values: AFTER_1_DAY, AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS,
# AFTER_60_DAYS, AFTER_90_DAYS, AFTER_180_DAYS, AFTER_270_DAYS, or
# AFTER_365_DAYS.
transition_to_archive = null

# If specified, files will be transitioned to the IA storage class after the
# designated time. Valid values: AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS,
# AFTER_60_DAYS, or AFTER_90_DAYS.
transition_to_ia = null

}


Reference

Required

namestringrequired

The name used to namespace all resources created by these templates, including the EFS file system. Must be unique for this region. May contain only lowercase alphanumeric characters, hyphens, underscores, periods, and spaces.

subnet_idslist(string)required

A list of subnet ids where the file system should be deployed. In the standard Gruntwork VPC setup, these should be the private persistence subnet ids.

vpc_idstringrequired

The id of the VPC in which this file system should be deployed.

Optional

(Optional) Allow access to the EFS file system via mount targets. If set to true, any clients connecting to a mount target (i.e. from within the private app subnet) will be allowed access.

false

A list of CIDR-formatted IP address ranges that can connect to this file system. Should typically be the CIDR blocks of the private app subnet in this VPC plus the private subnet in the mgmt VPC.

[]

A list of Security Groups that can connect to this file system.

[]

The description of the aws_efs_security_group that is created. Defaults to 'Security group for the name file system' if not specified.

null

The name of the aws_efs_security_group that is created. Defaults to name if not specified.

null
custom_tagsmap(string)optional

A map of custom tags to apply to the EFS file system and the Security Group created for it. The key is the tag name and the value is the tag value.

{}
efs_access_pointsmap(object(…))optional

(Optional) A list of EFS access points to be created and their settings. This is a map where the keys are the access point names and the values are objects that should have the fields described in https://www.terraform.io/docs/providers/aws/r/efs_access_point.html.

map(object({
root_access_arns = list(string)
read_write_access_arns = list(string)
read_only_access_arns = list(string)
posix_user = object({
uid = number
gid = number
secondary_gids = list(number)
})
root_directory = object({
path = string
owner_uid = number
owner_gid = number
permissions = number
})
}))
{}
Example
   efs_access_points = {
jenkins = {
root_access_arns = []
read_write_access_arns = [
"arn:aws:iam::123456789101:role/jenkins-iam-role",
]
read_only_access_arns = []
posix_user = {
uid = 1000
gid = 1000
secondary_gids = []
},
root_directory = {
path = "/jenkins"
owner_uid = 1000
owner_gid = 1000
permissions = 755
}
}
}

Enforce in-transit encryption for all clients connecting to this EFS file system. If set to true, any clients connecting without in-transit encryption will be denied via an IAM policy.

true
kms_key_arnstringoptional

The ARN of a KMS key that should be used to encrypt data on disk. Only used if storage_encrypted is true. If you leave this blank, the default EFS KMS key for the account will be used.

null
performance_modestringoptional

The file system performance mode. Can be either 'generalPurpose' or 'maxIO'. For more details: https://docs.aws.amazon.com/efs/latest/ug/performance.html#performancemodes

"generalPurpose"

Indicates whether replication overwrite protection is enabled

false

The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with 'throughput_mode' set to 'provisioned'.

null
storage_encryptedbooloptional

Specifies whether the EFS file system is encrypted.

true
throughput_modestringoptional

Throughput mode for the file system. Valid values: 'bursting', 'provisioned'. When using 'provisioned', also set 'provisioned_throughput_in_mibps'.

"bursting"
transition_to_archivestringoptional

If specified, files will be transitioned to the archive storage class after the designated time. Requires <a href="#transition_to_ia"><code>transition_to_ia</code></a>, elastic in <a href="#throughput_mode"><code>throughput_mode</code></a> and generalPurpose in performance_mode. Valid values: AFTER_1_DAY, AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS, AFTER_60_DAYS, AFTER_90_DAYS, AFTER_180_DAYS, AFTER_270_DAYS, or AFTER_365_DAYS.

null
transition_to_iastringoptional

If specified, files will be transitioned to the IA storage class after the designated time. Valid values: AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS, AFTER_60_DAYS, or AFTER_90_DAYS.

null