AWS EFS Terraform module

January 8, 2026 · View on GitHub

Terraform module which creates AWS EFS (elastic file system) resources.

Usage

See examples directory for working examples to reference:

module "efs" {
  source = "terraform-aws-modules/efs/aws"

  # File system
  name           = "example"
  creation_token = "example-token"
  encrypted      = true
  kms_key_arn    = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

  # performance_mode                = "maxIO"
  # NB! PROVISIONED TROUGHPUT MODE WITH 256 MIBPS IS EXPENSIVE ~\$1500/month
  # throughput_mode                 = "provisioned"
  # provisioned_throughput_in_mibps = 256

  lifecycle_policy = {
    transition_to_ia = "AFTER_30_DAYS"
  }

  # File system policy
  attach_policy                      = true
  bypass_policy_lockout_safety_check = false
  policy_statements = [
    {
      sid     = "Example"
      actions = ["elasticfilesystem:ClientMount"]
      principals = [
        {
          type        = "AWS"
          identifiers = ["arn:aws:iam::111122223333:role/EfsReadOnly"]
        }
      ]
    }
  ]

  # Mount targets / security group
  mount_targets = {
    "eu-west-1a" = {
      subnet_id = "subnet-abcde012"
    }
    "eu-west-1b" = {
      subnet_id = "subnet-bcde012a"
    }
    "eu-west-1c" = {
      subnet_id = "subnet-fghi345a"
    }
  }
  security_group_description = "Example EFS security group"
  security_group_vpc_id      = "vpc-1234556abcdef"
  security_group_ingress_rules = {
    vpc_1 = {
      # relying on the defaults provided for EFS/NFS (2049/TCP + ingress)
      description = "NFS ingress from VPC private subnets"
      cidr_ipv4   = "10.99.3.0/24"
    }
    vpc_2 = {
      # relying on the defaults provided for EFS/NFS (2049/TCP + ingress)
      description = "NFS ingress from VPC private subnets"
      cidr_ipv4   = "10.99.4.0/24"
    }
    vpc_3 = {
      # relying on the defaults provided for EFS/NFS (2049/TCP + ingress)
      description = "NFS ingress from VPC private subnets"
      cidr_ipv4   = "10.99.5.0/24"
    }
  }

  # Access point(s)
  access_points = {
    posix_example = {
      name = "posix-example"
      posix_user = {
        gid            = 1001
        uid            = 1001
        secondary_gids = [1002]
      }

      tags = {
        Additionl = "yes"
      }
    }
    root_example = {
      root_directory = {
        path = "/example"
        creation_info = {
          owner_gid   = 1001
          owner_uid   = 1001
          permissions = "755"
        }
      }
    }
  }

  # Backup policy
  enable_backup_policy = true

  # Replication configuration
  create_replication_configuration = true
  replication_configuration_destination = {
    region = "eu-west-2"
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Complete

Requirements

Name	Version
terraform	>= 1.5.7
aws	>= 6.28

Providers

Name	Version
aws	>= 6.28

Modules

No modules.

Resources

Name	Type
aws_efs_access_point.this	resource
aws_efs_backup_policy.this	resource
aws_efs_file_system.this	resource
aws_efs_file_system_policy.this	resource
aws_efs_mount_target.this	resource
aws_efs_replication_configuration.this	resource
aws_security_group.this	resource
aws_vpc_security_group_egress_rule.this	resource
aws_vpc_security_group_ingress_rule.this	resource
aws_iam_policy_document.policy	data source

Inputs

Name	Description	Type	Default	Required
access_points	A map of access point definitions to create	map(object({ name = optional(string) tags = optional(map(string), {}) posix_user = optional(object({ gid = number uid = number secondary_gids = optional(list(number)) })) root_directory = optional(object({ path = optional(string) creation_info = optional(object({ owner_gid = number owner_uid = number permissions = string })) })) }))	`{}`	no
attach_policy	Determines whether a policy is attached to the file system	`bool`	`true`	no
availability_zone_name	The AWS Availability Zone in which to create the file system. Used to create a file system that uses One Zone storage classes	`string`	`null`	no
bypass_policy_lockout_safety_check	A flag to indicate whether to bypass the `aws_efs_file_system_policy` lockout safety check. Defaults to `false`	`bool`	`null`	no
create	Determines whether resources will be created (affects all resources)	`bool`	`true`	no
create_backup_policy	Determines whether a backup policy is created	`bool`	`true`	no
create_replication_configuration	Determines whether a replication configuration is created	`bool`	`false`	no
create_security_group	Determines whether a security group is created	`bool`	`true`	no
creation_token	A unique name (a maximum of 64 characters are allowed) used as reference when creating the Elastic File System to ensure idempotent file system creation. By default generated by Terraform	`string`	`null`	no
deny_nonsecure_transport	Determines whether `aws:SecureTransport` is required when connecting to elastic file system	`bool`	`true`	no
deny_nonsecure_transport_via_mount_target	Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target	`bool`	`true`	no
enable_backup_policy	Determines whether a backup policy is `ENABLED` or `DISABLED`	`bool`	`true`	no
encrypted	If `true`, the disk will be encrypted	`bool`	`true`	no
kms_key_arn	The ARN for the KMS encryption key. When specifying `kms_key_arn`, encrypted needs to be set to `true`	`string`	`null`	no
lifecycle_policy	A file system lifecycle policy object	object({ transition_to_ia = optional(string) transition_to_archive = optional(string) transition_to_primary_storage_class = optional(string) })	`{}`	no
mount_targets	A map of mount target definitions to create	map(object({ ip_address = optional(string) ip_address_type = optional(string) ipv6_address = optional(string) region = optional(string) security_groups = optional(list(string), []) subnet_id = string }))	`{}`	no
name	The name of the file system	`string`	`""`	no
override_policy_documents	List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`	`list(string)`	`[]`	no
performance_mode	The file system performance mode. Can be either `generalPurpose` or `maxIO`. Default is `generalPurpose`	`string`	`null`	no
policy_statements	A list of IAM policy statements for custom permission usage	map(object({ sid = optional(string) actions = optional(list(string)) not_actions = optional(list(string)) effect = optional(string) resources = optional(list(string)) not_resources = optional(list(string)) principals = optional(list(object({ type = string identifiers = list(string) }))) not_principals = optional(list(object({ type = string identifiers = list(string) }))) conditions = optional(list(object({ test = string values = list(string) variable = string }))) condition = optional(list(object({ test = string values = list(string) variable = string }))) }))	`null`	no
protection	A map of file protection configurations	object({ replication_overwrite = optional(string) })	`null`	no
provisioned_throughput_in_mibps	The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with `throughput_mode` set to `provisioned`	`number`	`null`	no
region	Region where this resource will be managed. Defaults to the Region set in the provider configuration	`string`	`null`	no
replication_configuration_destination	A destination configuration block	object({ availability_zone_name = optional(string) file_system_id = optional(string) kms_key_id = optional(string) region = optional(string) })	`null`	no
security_group_description	Security group description. Defaults to Managed by Terraform	`string`	`null`	no
security_group_egress_rules	Map of security group egress rules to add to the security group created	map(object({ name = optional(string) cidr_ipv4 = optional(string) cidr_ipv6 = optional(string) description = optional(string) from_port = optional(number, 2049) ip_protocol = optional(string, "tcp") prefix_list_id = optional(string) referenced_security_group_id = optional(string) region = optional(string) tags = optional(map(string), {}) to_port = optional(number, 2049) }))	`{}`	no
security_group_ingress_rules	Map of security group ingress rules to add to the security group created	map(object({ name = optional(string) cidr_ipv4 = optional(string) cidr_ipv6 = optional(string) description = optional(string) from_port = optional(number, 2049) ip_protocol = optional(string, "tcp") prefix_list_id = optional(string) referenced_security_group_id = optional(string) region = optional(string) tags = optional(map(string), {}) to_port = optional(number, 2049) }))	`{}`	no
security_group_name	Name to assign to the security group. If omitted, Terraform will assign a random, unique name	`string`	`null`	no
security_group_use_name_prefix	Determines whether to use a name prefix for the security group. If `true`, the `security_group_name` value will be used as a prefix	`bool`	`false`	no
security_group_vpc_id	The VPC ID where the security group will be created	`string`	`null`	no
source_policy_documents	List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s	`list(string)`	`[]`	no
tags	A map of tags to add to all resources	`map(string)`	`{}`	no
throughput_mode	Throughput mode for the file system. Defaults to `bursting`. Valid values: `bursting`, `elastic`, and `provisioned`. When using `provisioned`, also set `provisioned_throughput_in_mibps`	`string`	`null`	no

Outputs

Name	Description
access_points	Map of access points created and their attributes
arn	Amazon Resource Name of the file system
dns_name	The DNS name for the filesystem per documented convention
id	The ID that identifies the file system (e.g., `fs-ccfc0d65`)
mount_targets	Map of mount targets created and their attributes
replication_configuration_destination_file_system_id	The file system ID of the replica
security_group_arn	ARN of the security group
security_group_id	ID of the security group
size_in_bytes	The latest known metered size (in bytes) of data stored in the file system, the value is not the exact size that the file system was at any point in time

License

Apache-2.0 Licensed. See LICENSE.