terraform-aws-efs
Adding missing EFS Terraform resources
Have a question? Please check out our Slack Community or visit our Slack Archive.
Describe the Feature
Adding missing EFS Terraform resources:
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system_policy
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_replication_configuration
Goals
- An EFS file system policy can enforce TLS-only connections to EFS, which guarantees encryption in transit
- EFS replication will help greatly with disaster-recovery (DR) scenarios
Use Case
# EFS file system that the policy and replication examples below attach to.
# NOTE(review): this example does not set `encrypted`; confirm whether
# encryption at rest is wanted for the intended use before copying it.
resource "aws_efs_file_system" "fs" {
creation_token = "my-product"
}
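# File system policy that enforces encryption in transit: every request that
# does not use TLS (aws:SecureTransport = "false") is denied for every
# principal. A Deny-only statement grants nothing by itself, so who may mount
# or write is still decided by IAM and the mount targets, which is safer than
# an Allow to "Principal": "*" that only carries a TLS condition.
resource "aws_efs_file_system_policy" "policy" {
  file_system_id = aws_efs_file_system.fs.id

  # Keep the lockout safety check enabled (its default). Bypassing it is only
  # needed when a policy is known to lock out the principal applying it.
  bypass_policy_lockout_safety_check = false

  # The resource ARN references the "fs" file system declared above (the
  # previous example pointed at a non-existent "test" resource).
  policy = <<-POLICY
  {
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
      {
        "Sid": "DenyNonTLSAccess",
        "Effect": "Deny",
        "Principal": {
          "AWS": "*"
        },
        "Action": "*",
        "Resource": "${aws_efs_file_system.fs.arn}",
        "Condition": {
          "Bool": {
            "aws:SecureTransport": "false"
          }
        }
      }
    ]
  }
  POLICY
}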
# Cross-region replica of the "fs" file system for DR.
# NOTE(review): the default provider in this snippet is configured for
# us-west-2 (see the provider blocks below), which is also the replication
# destination; confirm the source file system is meant to live in a
# different region.
resource "aws_efs_replication_configuration" "example" {
source_file_system_id = aws_efs_file_system.fs.id
destination {
region = "us-west-2"
# "xxx" is a placeholder. NOTE(review): the multi-region replica key
# declared below (aws_kms_replica_key.replica) is created in us-west-2 and
# could presumably be referenced here instead of a literal — confirm.
kms_key_id = "xxx"
}
}
Also, for the KMS key, using aws_kms_replica_key allows the same key to be used in DR regions:
# Aliased provider for the primary region; the multi-region primary key is
# created through it.
provider "aws" {
alias = "primary"
region = "us-east-1"
}
# Default (un-aliased) provider, pointed at the DR region. Every resource
# without an explicit `provider` argument, including the replica key, is
# created here.
provider "aws" {
region = "us-west-2"
}
# Multi-region primary KMS key, created in the aliased primary region so
# that replica keys in other regions can be derived from it.
# NOTE(review): automatic key rotation (`enable_key_rotation`) is not
# configured in this example; confirm whether it is wanted.
resource "aws_kms_key" "primary" {
  multi_region = true

  # Longest allowed waiting period before the key is actually deleted.
  deletion_window_in_days = 30

  description = "Multi-Region primary key"
  provider    = aws.primary
}
# Replica of the multi-region primary key, created through the default
# provider (the DR region). It shares key material with the primary, so data
# encrypted in one region can be decrypted in the other.
# NOTE(review): the replica uses a 7-day deletion window while the primary
# uses 30; confirm the mismatch is intentional.
resource "aws_kms_replica_key" "replica" {
  primary_key_arn = aws_kms_key.primary.arn

  deletion_window_in_days = 7
  description             = "Multi-Region replica key"
}