AWS Amazon EFS Access Point
This page shows how to write Terraform and CloudFormation for Amazon EFS Access Point and write them securely.
aws_efs_access_point (Terraform)
The Access Point in Amazon EFS can be configured in Terraform with the resource name aws_efs_access_point. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_efs_access_point" "neo4j_data" {
  file_system_id = aws_efs_file_system.amundsen.id
  posix_user {
    gid = 1000 # for amundsen, important that the same gid/uid is used across each access point
    uid = 1000
  }
}

resource "aws_efs_access_point" "hyperglance" {
  file_system_id = aws_efs_file_system.hyperglance.id
  root_directory {
    path = "/hyperglance"
    creation_info {
      # The excerpt ends here. creation_info requires owner_uid, owner_gid and
      # permissions; the values below are placeholders, not from the original source.
      owner_uid   = 1000
      owner_gid   = 1000
      permissions = "0755"
    }
  }
}

resource "aws_efs_access_point" "signer" {
  file_system_id = aws_efs_file_system.this.id
  posix_user {
    gid = 999
    uid = 999
  }
}
Parameters
- arn (optional, computed) - string
- file_system_arn (optional, computed) - string
- file_system_id (required) - string
- id (optional, computed) - string
- owner_id (optional, computed) - string
- tags (optional) - map from string to string
- posix_user (list block)
  - gid (required) - number
  - secondary_gids (optional) - set of number
  - uid (required) - number
- root_directory (list block)
  - path (optional, computed) - string
  - creation_info (list block)
    - owner_gid (required) - number
    - owner_uid (required) - number
    - permissions (required) - string
Explanation in Terraform Registry
Provides an Elastic File System (EFS) access point.
Tips: Best Practices for Other AWS Amazon EFS Resources
In addition to aws_efs_access_point, AWS Amazon EFS has other resources that should be configured with security in mind. The following examples show those resources and the precautions to take.
aws_efs_file_system
Enable encryption at rest for EFS
Enable encryption at rest on the EFS file system to reduce the risk of data leakage if the underlying storage is exposed.
AWS::EFS::AccessPoint (CloudFormation)
The AccessPoint in EFS can be configured in CloudFormation with the resource name AWS::EFS::AccessPoint. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::EFS::AccessPoint
Properties:
  ClientToken: !Sub ${AppName}-${EnvName}-${WorkloadName}
  FileSystemId: !GetAtt EnvControllerAction.ManagedFileSystemID
  PosixUser:
    Uid: {{.Storage.ManagedVolumeInfo.UID}}
Type: AWS::EFS::AccessPoint
Properties:
  FileSystemId: !Ref FileSystem
  PosixUser:
    Uid: '1000'
    Gid: '1000'

Type: 'AWS::EFS::AccessPoint'
Properties:
  FileSystemId: !Ref MyEFSFileSystemResource
  PosixUser:
    Uid: "1000"
    Gid: "1000"

Type: "AWS::EFS::AccessPoint"
Properties:
  FileSystemId: !Ref MyEFS
  PosixUser:
    Uid: 1000
    Gid: 1000
"aws:cdk:cloudformation:type": "AWS::EFS::AccessPoint",
"aws:cdk:cloudformation:props": {
  "fileSystemId": {
    "Ref": "comvaultefs32A048FC"
  },
  "rootDirectory": {
    ...
  }
}

"Type": "AWS::EFS::AccessPoint",
"Properties": {
  "FileSystemId": {
    "Ref": "comvaultefs32A048FC"
  },
  "RootDirectory": {
    ...
  }
}
  { "LogicalResourceId": "AccessPoint", "ResourceType": "AWS::EFS::AccessPoint" },
  { "LogicalResourceId": "LambdaFunctionWithEfs", "ResourceType": "AWS::Lambda::Function" },
  { "LogicalResourceId": "MyVpc", "ResourceType": "AWS::EC2::VPC" },
  { "LogicalResourceId": "MySecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup" },
  { "LogicalResourceId": "MySubnet", "ResourceType": "AWS::EC2::Subnet" },
  { "LogicalResourceId": "LambdaFunctionWithEfsRole", "ResourceType": "AWS::IAM::Role" }
"Type" : "AWS::EFS::AccessPoint",
"Properties" : {
  "AccessPointTags" : [ {"Key": "Name", "Value": "ECS access point"} ],
  "FileSystemId" : {"Ref": "StaticEfsFileSystem"},
  "PosixUser" : {
    "Gid": "123454",
    ...
  }
}
Parameters
- ClientToken (optional) - String
- AccessPointTags (optional) - List of AccessPointTag
- FileSystemId (required) - String
- PosixUser (optional) - PosixUser
- RootDirectory (optional) - RootDirectory
Explanation in CloudFormation Registry
The AWS::EFS::AccessPoint resource creates an EFS access point. An access point is an application-specific view into an EFS file system that applies an operating system user and group, and a file system path, to any file system request made through the access point. The operating system user and group override any identity information provided by the NFS client. The file system path is exposed as the access point's root directory. Applications using the access point can only access data in their own directory and below. To learn more, see Mounting a file system using EFS access points. This operation requires permissions for the elasticfilesystem:CreateAccessPoint action.
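The behaviour described in the Terraform and CloudFormation explanations above (an access point that forces one POSIX identity and confines clients to one directory, on an encrypted file system), as an added Terraform example that is not taken from any of the repositories cited on this page; the resource names app_data, app and app_only are assumed, and the file system policy uses the elasticfilesystem:AccessPointArn condition key to refuse data access that bypasses the access point:

```hcl
# Added example, not from the repositories cited on this page.
# Assumed names: app_data, app, app_only.
resource "aws_efs_file_system" "app_data" {
  encrypted = true # at-rest encryption, per the tip above
}

resource "aws_efs_access_point" "app" {
  file_system_id = aws_efs_file_system.app_data.id

  # Requests through this access point run as 1000:1000, whatever uid/gid
  # the NFS client claims.
  posix_user {
    uid = 1000
    gid = 1000
  }

  # Clients see /app as "/" and cannot reach other paths on the file system.
  root_directory {
    path = "/app"
    creation_info {
      owner_uid   = 1000
      owner_gid   = 1000
      permissions = "0750"
    }
  }
}

# File system policy: explicit Deny for any data access (mount/write/root)
# whose request context does not carry this access point's ARN. A plain NFS
# mount without an access point has no AccessPointArn key, so the negated
# StringNotEquals test evaluates true and the request is denied.
data "aws_iam_policy_document" "app_only" {
  statement {
    effect    = "Deny"
    actions   = ["*"]
    resources = [aws_efs_file_system.app_data.arn]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "elasticfilesystem:AccessPointArn"
      values   = [aws_efs_access_point.app.arn]
    }
  }
}

resource "aws_efs_file_system_policy" "app_only" {
  file_system_id = aws_efs_file_system.app_data.id
  policy         = data.aws_iam_policy_document.app_only.json
}
```

A second Deny statement with the condition `Bool aws:SecureTransport = "false"` is the usual companion to this policy, enforcing TLS for data in transit.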
Frequently asked questions
What is AWS Amazon EFS Access Point?
AWS Amazon EFS Access Point is a resource for Amazon EFS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EFS Access Point?
For Terraform, the iblaine/amundsen-terraform, hyperglance/deploy and planetway/xroad-securityserver-docker source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the bot-arate/B2, aws/copilot-cli and franjimenezj/aws-lambda-api-vpc-efs source code examples are useful. See the CloudFormation Example section for further details.