feat: add pass-through file_system_config variable for EFS support#181
BrandonLWhite wants to merge 4 commits into moritzzimmer:main
Pull request overview
This pull request adds support for AWS Lambda functions to mount Amazon EFS (Elastic File System) by introducing a new file_system_config variable. This allows users to configure Lambda functions with EFS access points for persistent file storage, expanding the module's capabilities to support stateful Lambda workloads.
Changes:
- Added a new optional `file_system_config` variable for configuring EFS Access Point connections
- Updated both Lambda function resources (`lambda` and `lambda_external_lifecycle`) to support the EFS configuration using dynamic blocks
- Added documentation for the new variable in the README
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| variables.tf | Defines the new file_system_config variable with arn and local_mount_path fields, following the nullable object pattern used for other optional Lambda configurations |
| main.tf | Adds dynamic file_system_config blocks to both Lambda function resources, consistently placed after environment configuration and using the standard null-check pattern |
| README.md | Documents the new input variable in the inputs table with type information and usage guidance |
| variable "file_system_config" { | ||
| description = "Connection settings for an EFS file system. Before creating or updating Lambda functions with `file_system_config`, EFS mount targets must be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. See [Amazon EFS for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html) for more details." | ||
| default = null | ||
| type = object({ | ||
| arn = string | ||
| local_mount_path = string | ||
| }) | ||
| } |
Consider adding automatic IAM permissions for EFS access to maintain consistency with the module's pattern. The module automatically adds IAM policies for other features like VPC (AWSLambdaENIManagementAccess at iam.tf:25-30) and tracing (AWSXRayDaemonWriteAccess at iam.tf:32-37).
For EFS, the Lambda function needs elasticfilesystem:ClientMount and elasticfilesystem:ClientWrite permissions. While users can configure these separately, adding them automatically would align with the module's convention and improve user experience. You could create a custom IAM policy scoped to the EFS access point ARN provided in the variable, or document in the variable description that users must manually configure these IAM permissions.
variables.tf
Outdated
| } | ||
| variable "file_system_config" { | ||
| description = "Connection settings for an EFS file system. Before creating or updating Lambda functions with `file_system_config`, EFS mount targets must be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. See [Amazon EFS for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html) for more details." |
The variable description should mention that local_mount_path must start with /mnt/ as per AWS Lambda requirements. This is a constraint enforced by AWS Lambda and documenting it here would help users avoid configuration errors. Consider adding this detail to the description, for example: "The local_mount_path must start with /mnt/."
| description = "Connection settings for an EFS file system. Before creating or updating Lambda functions with `file_system_config`, EFS mount targets must be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. See [Amazon EFS for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html) for more details." | |
| description = "Connection settings for an EFS file system. Before creating or updating Lambda functions with `file_system_config`, EFS mount targets must be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. See [Amazon EFS for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html) for more details. The `local_mount_path` must start with `/mnt/`." |
variables.tf
Outdated
| } | ||
| variable "file_system_config" { | ||
| description = "Connection settings for an EFS file system. Before creating or updating Lambda functions with `file_system_config`, EFS mount targets must be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. See [Amazon EFS for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html) for more details." |
The documentation should mention that VPC configuration is required when using EFS. AWS Lambda functions must be configured with VPC access to connect to EFS file systems. Consider adding a note to the description such as: "Note: Lambda functions using EFS must be configured with vpc_config to access the file system within your VPC."
| description = "Connection settings for an EFS file system. Before creating or updating Lambda functions with `file_system_config`, EFS mount targets must be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. See [Amazon EFS for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html) for more details." | |
| description = "Connection settings for an EFS file system. Before creating or updating Lambda functions with `file_system_config`, EFS mount targets must be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. Note: Lambda functions using EFS must be configured with `vpc_config` to access the file system within your VPC. See [Amazon EFS for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html) for more details." |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
README.md
Outdated
| | <a name="input_description"></a> [description](#input\_description) | Description of what your Lambda Function does. | `string` | `"Instruction set architecture for your Lambda function. Valid values are [\"x86_64\"] and [\"arm64\"]."` | no | | ||
| | <a name="input_environment"></a> [environment](#input\_environment) | Environment (e.g. env variables) configuration for the Lambda function enable you to dynamically pass settings to your function code and libraries | <pre>object({<br> variables = map(string)<br> })</pre> | `null` | no | | ||
| | <a name="input_event_source_mappings"></a> [event\_source\_mappings](#input\_event\_source\_mappings) | Creates event source mappings to allow the Lambda function to get events from Kinesis, DynamoDB and SQS. The IAM role of this Lambda function will be enhanced with necessary minimum permissions to get those events. | `any` | `{}` | no | | ||
| | <a name="input_file_system_config"></a> [file\_system\_config](#input\_file\_system\_config) | Connection settings for an EFS file system. Before creating or updating Lambda functions with `file_system_config`, EFS mount targets must be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. See [Amazon EFS for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html) for more details. | <pre>object({<br> arn = string<br> local_mount_path = string<br> })</pre> | `null` | no | |
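Review bot: the `description` row directly above the new entry has a default column that reads like another variable's help text (`"Instruction set architecture for your Lambda function. Valid values are ..."`) rather than a default for `description`; since this README table is the generated inputs table, the fix belongs in the variable's `default` in variables.tf, and it is worth correcting in the same regeneration that adds the `file_system_config` row so the two rows next to each other are both accurate.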
There's a discrepancy between the documentation in variables.tf and README.md. The variable description in variables.tf (line 79) states "Connection settings for an EFS Access Point" and specifies the ARN format must be an access point ARN, but the README.md description (line 390) more generically says "Connection settings for an EFS file system". These should be consistent. The variables.tf description is more accurate since the arn field must specifically be an EFS Access Point ARN, not just any EFS ARN.
| variable "file_system_config" { | ||
| description = "Connection settings for an EFS Access Point. The `arn` must be an EFS Access Point ARN (format: `arn:aws:elasticfilesystem:region:account-id:access-point/fsap-xxxxxxxxx`). Before creating or updating Lambda functions with `file_system_config`, EFS mount targets must be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. See [Amazon EFS for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html) for more details." | ||
| default = null | ||
| type = object({ | ||
| arn = string | ||
| local_mount_path = string | ||
| }) |
Lambda functions using EFS file systems must be configured with VPC settings. Consider adding validation or documentation that explicitly states file_system_config requires vpc_config to be set. Currently, the variable description mentions the dependency on EFS mount targets but doesn't mention the VPC requirement, which could lead to runtime errors.
| dynamic "file_system_config" { | ||
| for_each = var.file_system_config == null ? [] : [var.file_system_config] | ||
| content { | ||
| arn = file_system_config.value.arn | ||
| local_mount_path = file_system_config.value.local_mount_path | ||
| } | ||
| } |
Following the pattern established in iam.tf where vpc_config automatically adds necessary IAM permissions (lines 25-30), the file_system_config feature should also automatically grant required EFS permissions. Lambda functions need elasticfilesystem:ClientMount and potentially elasticfilesystem:ClientWrite permissions on the EFS access point ARN. Consider adding an aws_iam_role_policy_attachment resource in iam.tf that conditionally attaches when file_system_config is not null, similar to how vpc_attachment works.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| type = object({ | ||
| arn = string | ||
| local_mount_path = string | ||
| }) |
When file_system_config is set, Lambda/EFS has hard prerequisites (VPC config and a /mnt/... mount path). Consider adding validation blocks here to fail fast: require var.vpc_config to be non-null (and ideally have non-empty subnet_ids/security_group_ids), require local_mount_path to start with /mnt/, and optionally validate that arn looks like an EFS access point ARN (contains :access-point/).
| }) | |
| }) | |
| validation { | |
| condition = ( | |
| var.file_system_config == null || | |
| can(regex("^/mnt(/.*)?$", var.file_system_config.local_mount_path)) | |
| ) | |
| error_message = "When set, file_system_config.local_mount_path must be under /mnt (for example, /mnt/efs)." | |
| } | |
| validation { | |
| condition = ( | |
| var.file_system_config == null || | |
| can(contains(var.file_system_config.arn, ":access-point/")) | |
| ) | |
| error_message = "When set, file_system_config.arn must be an EFS access point ARN (it should contain ':access-point/')." | |
| } |
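Review bot: the second `validation` block's condition can never be true for a non-null value. `contains()` takes a list, set or tuple as its first argument, so `contains(var.file_system_config.arn, ":access-point/")` errors on a string, `can()` turns that error into `false`, and every non-null `file_system_config` is rejected no matter what ARN it carries. Use `can(regex(":access-point/", var.file_system_config.arn))` (or `strcontains(var.file_system_config.arn, ":access-point/")` on Terraform 1.5+) instead. The first block's regex `^/mnt(/.*)?$` also accepts a bare `/mnt`, which does not meet the `/mnt/` prefix that the error message and the AWS requirement describe; `^/mnt/` is the tighter check.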
| dynamic "file_system_config" { | ||
| for_each = var.file_system_config == null ? [] : [var.file_system_config] | ||
| content { | ||
| arn = file_system_config.value.arn | ||
| local_mount_path = file_system_config.value.local_mount_path | ||
| } |
Adding the file_system_config block alone isn’t sufficient for working EFS mounts: the Lambda execution role also needs EFS client permissions (e.g., elasticfilesystem:ClientMount/ClientWrite/ClientRootAccess on the access point), and EFS requires the function to be attached to a VPC. Since this module already manages IAM permissions for other optional features, consider extending it to add the required EFS permissions (gated on var.file_system_config != null) and/or enforcing the VPC prerequisite via variable validation.
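An added example, not the module's own code and not proposed by the reviewers here, of what the earlier IAM comment and this one ask for: EFS client permissions scoped to the single access point named in `var.file_system_config`, created only when the variable is set, plus a precondition that fails the plan when `vpc_config` is missing. It assumes the execution role is `aws_iam_role.lambda` and that `var.vpc_config` is a nullable object; both names are assumptions.

```hcl
# Added example, not the module's own code. Assumed names: aws_iam_role.lambda
# (the execution role) and var.vpc_config (nullable object, as in the module).

locals {
  efs_enabled = var.file_system_config != null
}

# Resolve the access point so the policy can be scoped to its file system.
# The data source exists only when EFS is configured, and its precondition
# enforces the VPC prerequisite before anything is applied.
data "aws_efs_access_point" "lambda" {
  count           = local.efs_enabled ? 1 : 0
  access_point_id = regex("access-point/(fsap-[0-9a-f]+)$", var.file_system_config.arn)[0]

  lifecycle {
    precondition {
      condition     = var.vpc_config != null
      error_message = "file_system_config requires vpc_config: Lambda can only reach EFS mount targets from inside a VPC."
    }
  }
}

# Least privilege: ClientMount/ClientWrite on this one file system, and only
# through this one access point. ClientRootAccess is deliberately omitted;
# grant it separately only if the function genuinely needs root on the file system.
data "aws_iam_policy_document" "efs" {
  count = local.efs_enabled ? 1 : 0

  statement {
    sid       = "LambdaEfsAccessPointClient"
    actions   = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]
    resources = [data.aws_efs_access_point.lambda[0].file_system_arn]

    condition {
      test     = "StringEquals"
      variable = "elasticfilesystem:AccessPointArn"
      values   = [var.file_system_config.arn]
    }
  }
}

# Attached only when file_system_config is set, mirroring the vpc_config gate.
resource "aws_iam_role_policy" "efs" {
  count  = local.efs_enabled ? 1 : 0
  name   = "efs-access-point-client"
  role   = aws_iam_role.lambda.id
  policy = data.aws_iam_policy_document.efs[0].json
}
```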
| | <a name="input_environment"></a> [environment](#input\_environment) | Environment (e.g. env variables) configuration for the Lambda function enable you to dynamically pass settings to your function code and libraries | <pre>object({<br/> variables = map(string)<br/> })</pre> | `null` | no | | ||
| | <a name="input_ephemeral_storage_size"></a> [ephemeral\_storage\_size](#input\_ephemeral\_storage\_size) | The size of your Lambda functions ephemeral storage (/tmp) represented in MB. Valid value between 512 MB to 10240 MB. | `number` | `512` | no | | ||
| | <a name="input_event_source_mappings"></a> [event\_source\_mappings](#input\_event\_source\_mappings) | Creates event source mappings to allow the Lambda function to get events from Kinesis, DynamoDB and SQS. The IAM role of this Lambda function will be enhanced with necessary minimum permissions to get those events. | `any` | `{}` | no | | ||
| | <a name="input_file_system_config"></a> [file\_system\_config](#input\_file\_system\_config) | Connection settings for an EFS Access Point. The `arn` must be an EFS Access Point ARN (format: `arn:aws:elasticfilesystem:region:account-id:access-point/fsap-xxxxxxxxx`). Before creating or updating Lambda functions with `file_system_config`, EFS mount targets must be in available lifecycle state. Use `depends_on` to explicitly declare this dependency. See [Amazon EFS for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html) for more details. | <pre>object({<br/> arn = string<br/> local_mount_path = string<br/> })</pre> | `null` | no | |
The docs for file_system_config should call out the key prerequisites to avoid confusing apply/runtime failures: Lambda must be configured with vpc_config, the role needs EFS client permissions for the access point, and local_mount_path must start with /mnt/. Right now the row implies configuration-only support without mentioning these required additional inputs/permissions.
moritzzimmer left a comment
Thx for the PR @BrandonLWhite. Could you please also add a new example (like with-efs) to test this functionality?
This pull request adds support for configuring AWS Lambda functions with an Amazon EFS (Elastic File System) file system. The changes introduce a new variable for file system configuration and update the Lambda resource definitions to utilize this configuration if provided.
Support for EFS file system configuration:
- `file_system_config` variable in `variables.tf` to allow specifying EFS connection settings, including the EFS ARN and local mount path.
- `README.md` to describe the new `file_system_config` input and its requirements.

Resource updates to support EFS:
- `aws_lambda_function.lambda` resource in `main.tf` to dynamically include the `file_system_config` block if the variable is set.
- `aws_lambda_function.lambda_external_lifecycle` resource in `main.tf` to also support the dynamic inclusion of the `file_system_config` block.