Skip to main content
Type: rvn-efs · Latest version: 0.1.0

Dependencies and consumers

Every dependency input can be specified manually to reference existing external infrastructure rather than a Ravion module.

Readme

Amazon EFS file system with mount targets, security groups, automatic backups, and an optional access point.

Overview

Use this module to create an encrypted Amazon EFS file system inside a VPC. Select a VPC network and Ravion provisions the file system, one mount target per private subnet, a mount-target security group, a client security group for consumers, an automatic backup policy, and optionally an access point with fixed POSIX ownership. ECS services can reference this module directly: the service mounts the file system into the app container and attaches the client security group automatically. Terraform source: flightcontrolhq/modules/storage/efs

Use cases

Security model

The module creates two security groups:
  • A mount-target security group attached to every mount target. It allows NFS (TCP 2049) only from the client security group, plus any additional security groups or CIDR blocks you allow.
  • A client security group with no ingress rules of its own. Workloads that mount the file system attach this group. ECS services that reference this file system attach it automatically.
This keeps NFS access closed by default and means no security group changes are needed when consumers are added or removed.

File system settings

Encryption at rest is enabled by default and cannot be changed after creation. Leave KMS key ARN blank to use the AWS managed key.

Lifecycle and backups

Lifecycle policies reduce storage cost for files that are not accessed frequently. Transition to Infrequent Access moves idle files to cheaper storage; Transition to Archive requires an Infrequent Access period and suits rarely-read data; Transition back to Standard returns a file to primary storage on first access. Automatic backups through AWS Backup are enabled by default.

Access point

Enable the access point when clients should be scoped to one directory with fixed POSIX ownership instead of the file system root. EFS creates the root directory path with the configured user ID, group ID, and permissions on first use. All requests through the access point act as that POSIX user. ECS services that reference this file system mount through the access point automatically when it is enabled.

Configuration

*Conditionally required based on the selected throughput mode or access point setting.

Design decisions

  • Mount targets are created in the private subnets of the selected VPC network. EFS is internal storage; it is never exposed publicly.
  • The client security group pattern keeps the mount-target security group static. Consumers gain access by attaching the client group, not by editing ingress rules.
  • Encryption at rest defaults to on because it cannot be enabled later without recreating the file system.
  • A single optional access point covers the common case of scoping an application to one directory. Additional access points can be managed outside this module.

Learn more

Inputs reference

All inputs for rvn-efs version 0.1.0. Use the name shown for each field as the input key in module config.
network
$ref:rvn-aws-network
required
VPC network.
  • Immutable after creation

File system

name
string
required
Name slug. Name prefix for all EFS resources.
  • Default: <<project.given_id>>-<<environment.given_id>>-<<module.given_id>>
  • Immutable after creation
  • Pattern: ^[a-zA-Z0-9]([a-zA-Z0-9_-]{0,62}[a-zA-Z0-9])?$ — Use 1-64 letters, numbers, hyphens, and underscores, starting and ending with a letter or number.
encrypted
boolean
Encryption at rest. Encrypt file system data at rest. Cannot be changed after creation.
  • Default: true
  • Immutable after creation
kms_key_id
string
KMS key ARN. KMS key for encryption at rest. Leave blank to use the AWS managed key for EFS.
  • Shown when: {"encrypted":true}
performance_mode
string
Performance mode. General purpose fits most workloads. Max I/O trades higher latency for higher aggregate throughput and cannot be changed after creation.
  • Default: generalPurpose
  • Allowed values: generalPurpose (General purpose), maxIO (Max I/O)
  • Immutable after creation
throughput_mode
string
Throughput mode. How the file system scales throughput.
  • Default: bursting
  • Allowed values: bursting (Bursting), elastic (Elastic), provisioned (Provisioned)
provisioned_throughput_in_mibps
number
required
Provisioned throughput (MiB/s). Throughput to provision for the file system.
  • Default: 128
  • Min: 1
  • Shown when: {"throughput_mode":"provisioned"}

Lifecycle & backups

transition_to_ia
string
Transition to Infrequent Access. Move files not accessed for this period to the lower-cost Infrequent Access storage class. Leave blank to keep files in Standard storage.
  • Allowed values: AFTER_1_DAY (After 1 day), AFTER_7_DAYS (After 7 days), AFTER_14_DAYS (After 14 days), AFTER_30_DAYS (After 30 days), AFTER_60_DAYS (After 60 days), AFTER_90_DAYS (After 90 days), AFTER_180_DAYS (After 180 days), AFTER_270_DAYS (After 270 days), AFTER_365_DAYS (After 365 days)
transition_to_archive
string
Transition to Archive. Move files not accessed for this period to the Archive storage class. Requires a Transition to Infrequent Access period.
  • Allowed values: AFTER_1_DAY (After 1 day), AFTER_7_DAYS (After 7 days), AFTER_14_DAYS (After 14 days), AFTER_30_DAYS (After 30 days), AFTER_60_DAYS (After 60 days), AFTER_90_DAYS (After 90 days), AFTER_180_DAYS (After 180 days), AFTER_270_DAYS (After 270 days), AFTER_365_DAYS (After 365 days)
transition_to_primary_storage_class
string
Transition back to Standard. Move files back to Standard storage on first access, avoiding repeated Infrequent Access retrieval charges for files that become hot again.
  • Allowed values: AFTER_1_ACCESS (After 1 access)
backup_enabled
boolean
Automatic backups. Back up the file system automatically through AWS Backup.
  • Default: true

Access point

access_point_enabled
boolean
Access point. Create an EFS access point that scopes clients to a directory with fixed POSIX ownership. Recommended when containers should not access the whole file system as root.
  • Default: false
access_point_root_directory_path
string
required
Root directory path. Directory exposed through the access point. EFS creates it with the ownership below on first use when the path is not /.
  • Default: /data
  • Pattern: ^/ — Use an absolute path.
  • Shown when: {"access_point_enabled":true}
access_point_posix_uid
number
required
POSIX user ID. User ID applied to all requests through the access point and owner of the created directory.
  • Default: 1000
  • Min: 0
  • Shown when: {"access_point_enabled":true}
access_point_posix_gid
number
required
POSIX group ID. Group ID applied to all requests through the access point and owner of the created directory.
  • Default: 1000
  • Min: 0
  • Shown when: {"access_point_enabled":true}
access_point_permissions
string
required
Directory permissions. Octal permissions for the created root directory.
  • Default: 755
  • Pattern: ^[0-7]{3,4}$ — Use a 3- or 4-digit octal string such as 755.
  • Shown when: {"access_point_enabled":true}

Security

allowed_security_group_ids
string_array
Additional allowed security groups. Extra security groups allowed to reach the mount targets over NFS, beyond the managed client security group.
  • Pattern: ^sg-.+ — Security group ID must start with sg-.
allowed_cidr_blocks
string_array
Allowed IPv4 CIDR blocks. IPv4 CIDR blocks allowed to reach the mount targets over NFS.
allowed_ipv6_cidr_blocks
string_array
Allowed IPv6 CIDR blocks. IPv6 CIDR blocks allowed to reach the mount targets over NFS.

Misc

tags
keyvalue
Tags. A map of tags to assign to all resources. Default tags are Owner, ProjectGivenId, EnvironmentGivenId, ModuleGivenId, ModuleId

Terraform settings

opentofu_version
string
OpenTofu version override. Override the environment’s default version for this module
ravion_state_backend_workspace
string
Ravion Terraform workspace name. Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
  • Immutable after creation
advanced_terraform_variables
object
Advanced Terraform variables. Optional raw Terraform variable overrides for advanced module inputs or one-off overrides. Values here override the generated variables above.
  • Default: {}