feat: add pass-through file_system_config variable for EFS support (#181)

BrandonLWhite · Copilot · moritzzimmer · web-flow · commit fdf1d90e67a4 · 2026-03-10T08:28:34.000+01:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
Co-authored-by: Moritz Zimmer &lt;moritzzimmer@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -347,6 +347,7 @@ see [examples](examples/deployment) for details.
 - [deployment](examples/deployment)
 - [cloudwatch-logs](examples/cloudwatch-logs)
 - [with-cloudwatch-event-rules](examples/with-cloudwatch-event-rules)
+- [with-efs](examples/with-efs)
 - [with-event-source-mappings](examples/with-event-source-mappings)
 - [with-sns-subscriptions](examples/with-sns-subscriptions)
 - [with-vpc](examples/with-vpc)
@@ -443,6 +444,7 @@ No modules.
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment (e.g. env variables) configuration for the Lambda function enable you to dynamically pass settings to your function code and libraries | <pre>object({<br/>    variables = map(string)<br/>  })</pre> | `null` | no |
 | <a name="input_ephemeral_storage_size"></a> [ephemeral\_storage\_size](#input\_ephemeral\_storage\_size) | The size of your Lambda functions ephemeral storage (/tmp) represented in MB. Valid value between 512 MB to 10240 MB. | `number` | `512` | no |
 | <a name="input_event_source_mappings"></a> [event\_source\_mappings](#input\_event\_source\_mappings) | Creates event source mappings to allow the Lambda function to get events from Kinesis, DynamoDB and SQS. The IAM role of this Lambda function will be enhanced with necessary minimum permissions to get those events. | `any` | `{}` | no |
+| <a name="input_file_system_config"></a> [file\_system\_config](#input\_file\_system\_config) | Configuration block for EFS file system, `local_mount_path` must start with `/mnt/` | <pre>object({<br/>    arn              = string<br/>    local_mount_path = string<br/>  })</pre> | `null` | no |
 | <a name="input_filename"></a> [filename](#input\_filename) | The path to the function's deployment package within the local filesystem. If defined, The s3\_-prefixed options and image\_uri cannot be used. | `string` | `null` | no |
 | <a name="input_function_name"></a> [function\_name](#input\_function\_name) | A unique name for your Lambda Function. | `string` | n/a | yes |
 | <a name="input_handler"></a> [handler](#input\_handler) | The function entrypoint in your code. | `string` | `""` | no |
diff --git a/examples/with-efs/README.md b/examples/with-efs/README.md
@@ -0,0 +1,55 @@
+# Example with EFS
+
+Creates an AWS Lambda function connected to an EFS file system via an access point.
+
+## usage
+
+```
+terraform init
+terraform plan
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` to destroy those resources.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_fixtures"></a> [fixtures](#module\_fixtures) | ../fixtures | n/a |
+| <a name="module_lambda"></a> [lambda](#module\_lambda) | ../../ | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_efs_access_point.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_access_point) | resource |
+| [aws_efs_file_system.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource |
+| [aws_efs_mount_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource |
+| [aws_security_group.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_region"></a> [region](#input\_region) | n/a | `string` | `"eu-west-1"` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/examples/with-efs/main.tf b/examples/with-efs/main.tf
@@ -0,0 +1,104 @@
+data "aws_availability_zones" "available" {}
+
+locals {
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+}
+
+module "fixtures" {
+  source = "../fixtures"
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  azs             = local.azs
+  cidr            = local.vpc_cidr
+  name            = module.fixtures.output_function_name
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+}
+
+resource "aws_security_group" "efs" {
+  name   = "${module.fixtures.output_function_name}-efs"
+  vpc_id = module.vpc.vpc_id
+
+  ingress {
+    from_port = 2049
+    to_port   = 2049
+    protocol  = "tcp"
+    self      = true
+  }
+
+  egress {
+    from_port = 2049
+    to_port   = 2049
+    protocol  = "tcp"
+    self      = true
+  }
+}
+
+resource "aws_efs_file_system" "this" {
+  creation_token = module.fixtures.output_function_name
+  encrypted      = true
+
+  tags = {
+    Name = module.fixtures.output_function_name
+  }
+}
+
+resource "aws_efs_mount_target" "this" {
+  count = length(module.vpc.private_subnets)
+
+  file_system_id  = aws_efs_file_system.this.id
+  subnet_id       = module.vpc.private_subnets[count.index]
+  security_groups = [aws_security_group.efs.id]
+}
+
+resource "aws_efs_access_point" "this" {
+  file_system_id = aws_efs_file_system.this.id
+
+  posix_user {
+    gid = 1000
+    uid = 1000
+  }
+
+  root_directory {
+    path = "/lambda"
+
+    creation_info {
+      owner_gid   = 1000
+      owner_uid   = 1000
+      permissions = "755"
+    }
+  }
+}
+
+module "lambda" {
+  source = "../../"
+
+  architectures    = ["arm64"]
+  description      = "Example AWS Lambda function with EFS file system."
+  filename         = module.fixtures.output_path
+  function_name    = module.fixtures.output_function_name
+  handler          = "index.handler"
+  memory_size      = 128
+  runtime          = "nodejs22.x"
+  publish          = false
+  snap_start       = false
+  source_code_hash = module.fixtures.output_base64sha256
+  timeout          = 30
+
+  file_system_config = {
+    arn              = aws_efs_access_point.this.arn
+    local_mount_path = "/mnt/efs"
+  }
+
+  vpc_config = {
+    security_group_ids = [aws_security_group.efs.id]
+    subnet_ids         = module.vpc.private_subnets
+  }
+
+  // EFS mount targets must be in available state before Lambda can use them
+  depends_on = [aws_efs_mount_target.this]
+}
diff --git a/examples/with-efs/provider.tf b/examples/with-efs/provider.tf
@@ -0,0 +1,8 @@
+provider "aws" {
+  region = var.region
+
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+
+}
diff --git a/examples/with-efs/variables.tf b/examples/with-efs/variables.tf
@@ -0,0 +1,4 @@
+variable "region" {
+  default = "eu-west-1"
+  type    = string
+}
diff --git a/examples/with-efs/versions.tf b/examples/with-efs/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -45,6 +45,14 @@ resource "aws_lambda_function" "lambda" {
     }
   }
 
+  dynamic "file_system_config" {
+    for_each = var.file_system_config == null ? [] : [var.file_system_config]
+    content {
+      arn              = file_system_config.value.arn
+      local_mount_path = file_system_config.value.local_mount_path
+    }
+  }
+
   dynamic "image_config" {
     for_each = length(var.image_config) > 0 ? [true] : []
     content {
@@ -135,6 +143,14 @@ resource "aws_lambda_function" "lambda_external_lifecycle" {
     }
   }
 
+  dynamic "file_system_config" {
+    for_each = var.file_system_config == null ? [] : [var.file_system_config]
+    content {
+      arn              = file_system_config.value.arn
+      local_mount_path = file_system_config.value.local_mount_path
+    }
+  }
+
   dynamic "image_config" {
     for_each = length(var.image_config) > 0 ? [true] : []
     content {
diff --git a/variables.tf b/variables.tf
@@ -101,6 +101,15 @@ variable "event_source_mappings" {
   type        = any
 }
 
+variable "file_system_config" {
+  description = "Configuration block for EFS file system, `local_mount_path` must start with `/mnt/`"
+  default     = null
+  type = object({
+    arn              = string
+    local_mount_path = string
+  })
+}
+
 variable "filename" {
   description = "The path to the function's deployment package within the local filesystem. If defined, The s3_-prefixed options and image_uri cannot be used."
   default     = null
