# EFS Filesystem Encrypted
## Overview

This Terraform module provisions an encrypted Amazon EFS file system with data-at-rest encryption enabled by default using AWS-managed KMS keys.

It's intended for secure, shared storage in compliance-driven or regulated workloads that span multiple EC2 instances.
## Key Features
- Enables encryption-at-rest using AWS-managed KMS keys
- Creates mount targets in specified subnets
- Attaches custom security groups for access control
- Supports multi-AZ, scalable file storage
- Adds environment tags for visibility and cost tracking
## Use Cases
- Encrypted storage for regulated workloads (HIPAA, PCI, FedRAMP)
- File sharing between EC2 instances across Availability Zones
- Secure NFS volumes in shared service environments
- Enterprise workloads requiring default encryption policies
## Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region to deploy the EFS filesystem |
| environment | string | Tag to specify the deployment environment (e.g., dev, staging, prod) |
| subnet_ids | list | List of subnet IDs for mount target placement |
| security_groups | list | List of security group IDs to associate with mount targets |
## Outputs
| Name | Description |
|---|---|
| efs_filesystem_id | The ID of the encrypted EFS filesystem |
| mount_target_ids | A list of mount target IDs created |
| efs_arn | The ARN of the EFS resource |
## Deployment Readiness

- Compatible with Terraform 1.0+
- Tested with AWS provider 5.x
- Requires an existing VPC, subnets, and security groups
## Example Usage

```hcl
module "efs_filesystem_encrypted" {
  source          = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//storage/efs-filesystem-encrypted?ref=v1.0.0"
  region          = "us-east-1"
  environment     = "prod"
  subnet_ids      = ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]
  security_groups = ["sg-zzzzzzzz"]
}
```

```shell
terraform init
terraform plan
terraform apply
```

or

```shell
tofu init
tofu plan
tofu apply
```
## Cleanup Options

Terraform destroy (for test environments):

```shell
terraform destroy
```

or

```shell
tofu destroy
```

Manual cleanup (recommended for production):

- Unmount the EFS filesystem from all clients
- Delete the EFS filesystem manually via the AWS Console or CLI
- Clean up mount targets and unused security groups as needed
## Notes

This is a Level 1 baseline module with encryption enabled. Use it as a secure foundation for any workload requiring encrypted, shared file storage.
## Deployment Package Notice

This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.