AWS Amazon EFS Access Point
This page shows how to write Terraform and CloudFormation configurations for an Amazon EFS access point, and how to write them securely.
aws_efs_access_point (Terraform)
The access point in Amazon EFS can be configured in Terraform with the resource name aws_efs_access_point. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
  resource "aws_efs_access_point" "neo4j_data" {
    file_system_id = aws_efs_file_system.amundsen.id
    posix_user {
      gid = 1000 # for amundsen, important that the same gid/uid is used across each access point
      uid = 1000
    }
  }

  resource "aws_efs_access_point" "hyperglance" {
    file_system_id = aws_efs_file_system.hyperglance.id
    root_directory {
      path = "/hyperglance"
      creation_info {
        # The source excerpt ends here; creation_info also requires
        # owner_gid, owner_uid and permissions (see Parameters below).
      }
    }
  }

  resource "aws_efs_access_point" "signer" {
    file_system_id = aws_efs_file_system.this.id
    posix_user {
      gid = 999
      uid = 999
    }
  }
Parameters
- arn (optional, computed): string
- file_system_arn (optional, computed): string
- file_system_id (required): string
- id (optional, computed): string
- owner_id (optional, computed): string
- tags (optional): map from string to string
- posix_user (list block)
  - gid (required): number
  - secondary_gids (optional): set of number
  - uid (required): number
- root_directory (list block)
  - path (optional, computed): string
  - creation_info (list block)
    - owner_gid (required): number
    - owner_uid (required): number
    - permissions (required): string
Explanation in Terraform Registry
Provides an Elastic File System (EFS) access point.
Tips: Best Practices for the Other AWS Amazon EFS Resources
In addition to the resource described on this page, Amazon EFS has other resources that should be configured with security in mind. Some examples of those resources and their precautions follow.
aws_efs_file_system
Enable encryption at rest for EFS
Enable encryption at rest on the EFS file system to reduce the risk of data leakage.
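The following is an added example, not code from this page or from the repositories it cites, that combines the aws_efs_access_point parameters listed above with the encryption tip: an encrypted file system, an access point that pins the POSIX identity and confines clients to one directory, and a file system policy that only permits mounting through that access point over TLS. The resource names, the /app path and uid/gid 1000 are assumptions.

```hcl
# Added example (not code from this page or the projects it cites); names, /app and uid/gid 1000 are assumed.
resource "aws_efs_file_system" "example" {
  encrypted = true # encryption at rest, per the tip above
}
resource "aws_efs_access_point" "app" {
  file_system_id = aws_efs_file_system.example.id
  # This uid/gid is applied to every request through the access point, overriding the NFS client's identity.
  posix_user {
    uid = 1000
    gid = 1000
  }
  # Clients see /app as their root and cannot reach the rest of the volume;
  # creation_info tells EFS how to create /app if it does not exist yet.
  root_directory {
    path = "/app"
    creation_info {
      owner_uid   = 1000
      owner_gid   = 1000
      permissions = "0750"
    }
  }
}
# File system policy: permit mount/write only via the access point above, and only over TLS.
data "aws_iam_policy_document" "efs" {
  statement {
    sid       = "MountOnlyViaAccessPointOverTls"
    actions   = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]
    resources = [aws_efs_file_system.example.arn]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "elasticfilesystem:AccessPointArn"
      values   = [aws_efs_access_point.app.arn]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["true"]
    }
  }
}
resource "aws_efs_file_system_policy" "efs" {
  file_system_id = aws_efs_file_system.example.id
  policy         = data.aws_iam_policy_document.efs.json
}
```

Verify the policy with a test mount from a client that bypasses the access point or TLS and confirm it is refused; a file system policy only governs what its statements cover.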
AWS::EFS::AccessPoint (CloudFormation)
The AccessPoint in EFS can be configured in CloudFormation with the resource name AWS::EFS::AccessPoint. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
  Type: AWS::EFS::AccessPoint
  Properties:
    ClientToken: !Sub ${AppName}-${EnvName}-${WorkloadName}
    FileSystemId: !GetAtt EnvControllerAction.ManagedFileSystemID
    PosixUser:
      Uid: {{.Storage.ManagedVolumeInfo.UID}}  # template placeholder, expanded before deployment
      # The source excerpt ends here; PosixUser also requires Gid.
  Type: AWS::EFS::AccessPoint
  Properties:
    FileSystemId: !Ref FileSystem
    PosixUser:
      Uid: '1000'
      Gid: '1000'

  Type: 'AWS::EFS::AccessPoint'
  Properties:
    FileSystemId: !Ref MyEFSFileSystemResource
    PosixUser:
      Uid: "1000"
      Gid: "1000"

  Type: "AWS::EFS::AccessPoint"
  Properties:
    FileSystemId: !Ref MyEFS
    PosixUser:
      Uid: 1000
      Gid: 1000
CDK metadata for a synthesized access point (the rootDirectory value is cut off in the source excerpt):

  "aws:cdk:cloudformation:type": "AWS::EFS::AccessPoint",
  "aws:cdk:cloudformation:props": {
    "fileSystemId": { "Ref": "comvaultefs32A048FC" },
    "rootDirectory": {

The same resource as rendered CloudFormation JSON (again cut off at RootDirectory in the source excerpt):

  "Type": "AWS::EFS::AccessPoint",
  "Properties": {
    "FileSystemId": { "Ref": "comvaultefs32A048FC" },
    "RootDirectory": {

Resource listing from a stack that pairs an access point with a Lambda function (logical IDs and types only, not a template):

  [
    { "LogicalResourceId": "AccessPoint", "ResourceType": "AWS::EFS::AccessPoint" },
    { "LogicalResourceId": "LambdaFunctionWithEfs", "ResourceType": "AWS::Lambda::Function" },
    { "LogicalResourceId": "MyVpc", "ResourceType": "AWS::EC2::VPC" },
    { "LogicalResourceId": "MySecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup" },
    { "LogicalResourceId": "MySubnet", "ResourceType": "AWS::EC2::Subnet" },
    { "LogicalResourceId": "LambdaFunctionWithEfsRole", "ResourceType": "AWS::IAM::Role" }
  ]
JSON template fragment (cut off inside PosixUser in the source excerpt; Uid is also required there):

  "Type": "AWS::EFS::AccessPoint",
  "Properties": {
    "AccessPointTags": [ { "Key": "Name", "Value": "ECS access point" } ],
    "FileSystemId": { "Ref": "StaticEfsFileSystem" },
    "PosixUser": {
      "Gid": "123454",
Parameters
- ClientToken (optional): String
- AccessPointTags (optional): List of AccessPointTag
- FileSystemId (required): String
- PosixUser (optional): PosixUser
- RootDirectory (optional): RootDirectory
Explanation in CloudFormation Registry
The AWS::EFS::AccessPoint resource creates an EFS access point. An access point is an application-specific view into an EFS file system that applies an operating system user and group, and a file system path, to any file system request made through the access point. The operating system user and group override any identity information provided by the NFS client. The file system path is exposed as the access point's root directory. Applications using the access point can only access data in its own directory and below. To learn more, see Mounting a file system using EFS access points. This operation requires permissions for the elasticfilesystem:CreateAccessPoint action.
Frequently asked questions
What is AWS Amazon EFS Access Point?
AWS Amazon EFS Access Point is a resource for Amazon EFS on Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EFS Access Point?
For Terraform, the iblaine/amundsen-terraform, hyperglance/deploy and planetway/xroad-securityserver-docker source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the bot-arate/B2, aws/copilot-cli and franjimenezj/aws-lambda-api-vpc-efs source code examples are useful. See the CloudFormation Example section for further details.