terraform-aws-arc-efs

Overview

SourceFuse AWS Reference Architecture (ARC) Terraform module for managing AWS Elastic File System.

Usage

Basic Example

module "efs" {
  source = "sourcefuse/arc-efs/aws"

  namespace   = "arc"
  environment = "dev"
  name        = "my-efs"

  # Mount targets
  mount_targets = {
    "us-east-1a" = {
      subnet_id = "subnet-12345678"
    }
    "us-east-1b" = {
      subnet_id = "subnet-87654321"
    }
  }

  # Security configuration
  mount_target_security_group_vpc_id = "vpc-12345678"
  allowed_cidr_blocks               = ["10.0.0.0/16"]

  tags = {
    Project = "MyProject"
  }
}

Advanced Example with Access Points

module "efs" {
  source = "sourcefuse/arc-efs/aws"

  namespace   = "arc"
  environment = "prod"
  name        = "app-storage"

  # High-performance configuration
  performance_mode                = "maxIO"
  throughput_mode                 = "provisioned"
  provisioned_throughput_in_mibps = 500

  # Encryption
  encrypted  = true
  kms_key_id = aws_kms_key.efs.arn

  # Mount targets
  mount_targets = {
    "us-east-1a" = { subnet_id = "subnet-12345678" }
    "us-east-1b" = { subnet_id = "subnet-87654321" }
  }

  # Security configuration
  mount_target_security_group_vpc_id = "vpc-12345678"
  allowed_cidr_blocks               = ["10.0.0.0/8"]

  # Access points
  access_points = {
    web_app = {
      path = "/web"
      creation_info = {
        owner_gid   = 1001
        owner_uid   = 1001
        permissions = "755"
      }
      posix_user = {
        gid = 1001
        uid = 1001
      }
    }
    database = {
      path = "/db"
      creation_info = {
        owner_gid   = 999
        owner_uid   = 999
        permissions = "750"
      }
    }
  }

  # Lifecycle policy for cost optimization
  lifecycle_policy = {
    transition_to_ia = "AFTER_30_DAYS"
    transition_to_primary_storage_class = "AFTER_1_ACCESS"
  }

  # Cross-region replication
  replication_configuration = {
    destination = {
      region = "us-west-2"
    }
  }

  tags = {
    Environment = "Production"
    Compliance  = "Required"
  }
}

Examples

This module includes several comprehensive examples:

  • Basic - Simple EFS setup with mount targets
  • With Access Points - Multiple access points for different applications
  • With Replication - Cross-region replication for disaster recovery
  • Complete - All features including encryption, lifecycle policies, and access points

Important Notes

EFS Replication Cleanup Behavior

Important: When using cross-region EFS replication (replication_configuration), AWS creates a destination EFS file system in the target region. By AWS design, when replication is deleted (e.g., during terraform destroy), the destination EFS is preserved as a standalone, writeable file system rather than being automatically deleted.

This is an AWS safety feature to prevent accidental data loss, but it means the destination EFS will continue to incur charges unless manually cleaned up.

To avoid ongoing charges:

  1. After running terraform destroy, manually check the destination region (e.g., us-east-2)
  2. Delete any remaining EFS file systems that were created by replication if you no longer need them
  3. You can identify these by their creation time matching when you deployed your Terraform configuration

Example cleanup commands:

# List EFS file systems in the replication region
aws efs describe-file-systems --region us-east-2

# Delete the destination EFS if no longer needed (replace with actual file system ID)
aws efs delete-file-system --region us-east-2 --file-system-id fs-xxxxxxxxx

Why this happens: According to AWS documentation: "Deleting a replication configuration ends the replication process. After a replication configuration is deleted, the destination file system becomes Writeable and its replication overwrite protection is re-enabled."

This behavior ensures that valuable data in the destination EFS is not accidentally lost when replication is stopped.
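The two usage examples above open NFS to a CIDR range and leave the file system policy unset. The configuration below is an added example, not one of the module's own examples: it uses the documented policy, allowed_security_group_ids, access_points and replication_configuration inputs to enforce TLS for every client, restrict mount access to a specific security group, pin the POSIX identity of each client through an access point, and, because of the replication cleanup behaviour described above, expose the replica's file system ID as an output so it can be recorded before terraform destroy instead of being hunted down by creation time. The subnet, VPC and security group IDs, the KMS key ARNs and the aws_security_group.app / aws_kms_key.efs references are placeholders for your own resources.

```hcl
# Added example. All resource IDs, ARNs and the referenced aws_security_group.app
# and aws_kms_key.efs resources are placeholders for resources you define yourself.

locals {
  # File system policy: refuse any NFS client that has not enabled TLS.
  # A file system policy applies to the file system it is attached to, so no
  # Resource element is needed (this also avoids a cycle on the module's own ARN).
  efs_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyUnencryptedTransport"
        Effect    = "Deny"
        Principal = { AWS = "*" }
        Action    = "*"
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      }
    ]
  })
}

module "efs" {
  source = "sourcefuse/arc-efs/aws"

  name = "app-storage-hardened"

  # Encryption at rest with a customer-managed key. encrypted must be true
  # whenever kms_key_id is set (see the kms_key_id input).
  encrypted  = true
  kms_key_id = aws_kms_key.efs.arn # placeholder: your CMK

  # Encryption in transit, enforced by the file system policy above.
  policy = local.efs_policy

  mount_targets = {
    "us-east-1a" = { subnet_id = "subnet-aaaa1111" } # placeholder
    "us-east-1b" = { subnet_id = "subnet-bbbb2222" } # placeholder
  }

  # Network access: allow NFS only from the application's security group rather
  # than from a CIDR range. allowed_cidr_blocks keeps its empty default.
  mount_target_security_group_vpc_id = "vpc-0000aaaa"              # placeholder
  allowed_security_group_ids         = [aws_security_group.app.id] # placeholder

  # Access points pin the root directory and POSIX identity for each client,
  # so a client cannot choose its own UID/GID or browse outside its path.
  access_points = {
    web_app = {
      path          = "/web"
      creation_info = { owner_gid = 1001, owner_uid = 1001, permissions = "750" }
      posix_user    = { gid = 1001, uid = 1001 }
    }
  }

  enable_backup_policy = true

  # Replica in a second region, encrypted with a key that lives in that region.
  replication_configuration = {
    destination = {
      region     = "us-west-2"
      kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/REPLACE_ME" # placeholder
    }
  }

  tags = {
    Environment = "Production"
    DataClass   = "Confidential"
  }
}

# Record the replica's identity while the state still exists. Run
# `terraform output replica_cleanup` before `terraform destroy`: AWS retains the
# destination file system as a writeable copy of your data, and it must be
# reviewed and deleted by hand if it is no longer wanted.
output "replica_cleanup" {
  description = "Destination file system that replication leaves behind on destroy"
  value = {
    region         = "us-west-2"
    file_system_id = module.efs.replication_configuration_destination_file_system_id
  }
}
```

The security group used in allowed_security_group_ids should be the one attached to the instances or tasks that mount the file system; the module's nfs_ingress_sg rule then admits port 2049 traffic only from members of that group. Keeping the replica's ID in an output (or in a change ticket) matters beyond cost: the retained copy holds the same data as the source, so it should be tracked as an asset until it is deleted.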

Requirements

Name Version
terraform >= 1.3
aws >= 5.0, < 7.0

Providers

Name Version
aws 6.25.0

Modules

No modules.

Resources

Name Type
aws_efs_access_point.this resource
aws_efs_backup_policy.this resource
aws_efs_file_system.this resource
aws_efs_file_system_policy.this resource
aws_efs_mount_target.this resource
aws_efs_replication_configuration.this resource
aws_security_group.mount_target resource
aws_security_group_rule.additional resource
aws_security_group_rule.nfs_ingress_cidr resource
aws_security_group_rule.nfs_ingress_sg resource

Inputs

Each input is listed as name (type, default, required) followed by its description.

access_points (type below, default {}, required no)
  A map of EFS access points to create
  map(object({
    path = optional(string, "/")
    creation_info = optional(object({
      owner_gid = number
      owner_uid = number
      permissions = string
    }))
    posix_user = optional(object({
      gid = number
      uid = number
      secondary_gids = optional(list(number))
    }))
    tags = optional(map(string), {})
  }))

additional_security_group_rules (type below, default {}, required no)
  A map of additional security group rules to add to the mount target security group
  map(object({
    type = string
    from_port = number
    to_port = number
    protocol = string
    cidr_blocks = optional(list(string))
    ipv6_cidr_blocks = optional(list(string))
    prefix_list_ids = optional(list(string))
    security_groups = optional(list(string))
    self = optional(bool)
    description = optional(string)
  }))

allowed_cidr_blocks (list(string), default [], required no)
  List of CIDR blocks allowed to access EFS

allowed_security_group_ids (list(string), default [], required no)
  List of security group IDs allowed to access EFS

availability_zone_name (string, default null, required no)
  AWS Availability Zone in which to create the file system. Used to create a file system that uses One Zone storage classes

bypass_policy_lockout_safety_check (bool, default false, required no)
  A flag to indicate whether to bypass the aws_efs_file_system_policy lockout safety check

create_mount_target_security_group (bool, default true, required no)
  Create a security group for mount targets

creation_token (string, default null, required no)
  A unique name (a maximum of 64 characters are allowed) used as reference when creating the EFS

enable_backup_policy (bool, default true, required no)
  A boolean that indicates whether or not to apply Backup Policy to the file system

encrypted (bool, default true, required no)
  If true, the disk will be encrypted

kms_key_id (string, default null, required no)
  The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true

lifecycle_policy (type below, default {}, required no)
  A file system lifecycle policy object
  object({
    transition_to_ia = optional(string)
    transition_to_primary_storage_class = optional(string)
  })

mount_target_security_group_description (string, default "EFS mount target security group", required no)
  Description of the mount target security group

mount_target_security_group_name (string, default null, required no)
  Name of the mount target security group

mount_target_security_group_vpc_id (string, default null, required no)
  ID of the VPC where mount target security group will be created

mount_targets (type below, default {}, required no)
  A map of mount target configurations where key is the AZ name
  map(object({
    subnet_id = string
    security_groups = optional(list(string), [])
  }))

name (string, default n/a, required yes)
  Name of the EFS file system

performance_mode (string, default "generalPurpose", required no)
  The file system performance mode. Can be either generalPurpose or maxIO

policy (string, default null, required no)
  A valid JSON formatted policy for the EFS file system

provisioned_throughput_in_mibps (number, default null, required no)
  The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with throughput_mode set to provisioned

replication_configuration (type below, default null, required no)
  A map of replication configuration
  object({
    destination = object({
      region = optional(string)
      availability_zone_name = optional(string)
      kms_key_id = optional(string)
    })
  })

tags (map(string), default {}, required no)
  Additional tags (e.g. {'BusinessUnit': 'XYZ'})

throughput_mode (string, default "bursting", required no)
  Throughput mode for the file system. Defaults to bursting. Valid values: bursting, elastic, provisioned

Outputs

Name Description
access_point_arns List of access point ARNs
access_point_ids List of access point IDs
access_points Map of access points created
backup_policy_id ID of the backup policy
complete_efs_config Complete EFS configuration for reference
efs_arn ARN of the EFS file system
efs_creation_token Creation token of the EFS file system
efs_dns_name DNS name of the EFS file system
efs_encrypted Whether the EFS file system is encrypted
efs_id ID of the EFS file system
efs_kms_key_id The ARN for the KMS encryption key used to encrypt the EFS file system
efs_owner_id AWS account ID that created the file system
efs_performance_mode Performance mode of the EFS file system
efs_size_in_bytes Current byte count used by the file system
efs_throughput_mode Throughput mode of the EFS file system
mount_target_dns_names List of mount target DNS names
mount_target_ids List of mount target IDs
mount_target_network_interface_ids List of mount target network interface IDs
mount_targets Map of mount targets created
replication_configuration_destination_file_system_id The file system ID of the replica
replication_configuration_id ID of the replication configuration
security_group_arn ARN of the mount target security group
security_group_id ID of the mount target security group
security_group_name Name of the mount target security group

Versioning

This project uses a .version file at the root of the repo; the pipeline reads it and creates a git tag from it.

When you intend to commit to main, you will need to increment this version. Once the project is merged, the pipeline will kick off and tag the latest git commit.

Development

Prerequisites

Configurations

  • Configure pre-commit hooks
    pre-commit install
    

Versioning

When contributing or making a git commit, state the kind of change in your commit message: major, minor or patch.

For example:

    git commit -m "your commit message #major"

Specifying this bumps the version accordingly; if you omit it from your commit message, the change is treated as a patch and the patch version is bumped.

Tests

  • Tests are available in test directory
  • Configure the dependencies
    cd test/
    go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name>
    go get github.com/gruntwork-io/terratest/modules/terraform
    
  • Now execute the test
    go test -timeout 30m
    

Authors

This project is authored by:

  • SourceFuse ARC Team