tessl/golang-github-com-pulumi-pulumi-aws-sdk-v7
A Pulumi provider SDK for creating and managing Amazon Web Services (AWS) cloud resources in Go, providing strongly-typed resource classes and data sources for all major AWS services.
ebs-efs.mddocs/reference/storage/
EBS and EFS Packages
This document covers the ebs (Elastic Block Store) and efs (Elastic File System) packages.
EBS Package
Import path: github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ebs
The ebs package provides resources for managing Amazon Elastic Block Store (EBS) volumes, snapshots, and account-level settings. EBS provides persistent block storage volumes for use with EC2 instances.
EBS Resources
Volume
Manages a single EBS volume. At least one of Size or SnapshotId is required.
func NewVolume(ctx *pulumi.Context, name string, args *VolumeArgs, opts ...pulumi.ResourceOption) (*Volume, error)func GetVolume(ctx *pulumi.Context, name string, id pulumi.IDInput, state *VolumeState, opts ...pulumi.ResourceOption) (*Volume, error)VolumeArgs fields:
| Field | Type | Description |
|---|---|---|
AvailabilityZone | pulumi.StringInput | Required. AZ where the volume will exist (e.g., us-west-2a). |
Size | pulumi.IntPtrInput | Size of the volume in GiB. Required if SnapshotId is not set. |
Type | pulumi.StringPtrInput | Volume type: standard, gp2, gp3, io1, io2, sc1, st1. Default: gp2. |
Iops | pulumi.IntPtrInput | Provisioned IOPS. Only valid for io1, io2, or gp3. |
Throughput | pulumi.IntPtrInput | Throughput in MiB/s. Only valid for gp3. |
Encrypted | pulumi.BoolPtrInput | Encrypt the volume. Default: false. |
KmsKeyId | pulumi.StringPtrInput | KMS key ARN for encryption. Requires Encrypted: true. |
SnapshotId | pulumi.StringPtrInput | Snapshot to base the volume on. |
MultiAttachEnabled | pulumi.BoolPtrInput | Enable Multi-Attach (supported on io1 and io2). |
OutpostArn | pulumi.StringPtrInput | Outpost ARN for Outposts-based volumes. |
FinalSnapshot | pulumi.BoolPtrInput | Create a snapshot before deletion. Default: false. |
VolumeInitializationRate | pulumi.IntPtrInput | Download rate in MiB/s for snapshot-based volume initialization. Only with SnapshotId. |
Tags | pulumi.StringMapInput | Resource tags. |
Region | pulumi.StringPtrInput | AWS region. Defaults to provider region. |
Volume output attributes:
| Attribute | Type | Description |
|---|---|---|
Arn | pulumi.StringOutput | Volume ARN (e.g., arn:aws:ec2:us-east-1:123456789012:volume/vol-...) |
SnapshotId | pulumi.StringOutput | Snapshot ID (if created from snapshot) |
Iops | pulumi.IntOutput | Actual IOPS provisioned |
Throughput | pulumi.IntOutput | Actual throughput in MiB/s |
KmsKeyId | pulumi.StringOutput | KMS key used for encryption |
CreateTime | pulumi.StringOutput | Timestamp when volume creation was initiated |
Example: High-Performance io2 Volume
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ebs"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ebs.NewVolume(ctx, "dataVolume", &ebs.VolumeArgs{
AvailabilityZone: pulumi.String("us-west-2a"),
Type: pulumi.String("io2"),
Size: pulumi.Int(500),
Iops: pulumi.Int(10000),
Encrypted: pulumi.Bool(true),
Tags: pulumi.StringMap{
"Name": pulumi.String("app-data"),
"Environment": pulumi.String("production"),
},
})
if err != nil {
return err
}
return nil
})
}Example: gp3 Volume with Custom Throughput
_, err := ebs.NewVolume(ctx, "gp3Volume", &ebs.VolumeArgs{
AvailabilityZone: pulumi.String("us-east-1a"),
Type: pulumi.String("gp3"),
Size: pulumi.Int(100),
Iops: pulumi.Int(4000),
Throughput: pulumi.Int(250),
Encrypted: pulumi.Bool(true),
})Import:
pulumi import aws:ebs/volume:Volume example vol-049df61146c4d7901Snapshot
Creates a snapshot of an EBS volume.
func NewSnapshot(ctx *pulumi.Context, name string, args *SnapshotArgs, opts ...pulumi.ResourceOption) (*Snapshot, error)func GetSnapshot(ctx *pulumi.Context, name string, id pulumi.IDInput, state *SnapshotState, opts ...pulumi.ResourceOption) (*Snapshot, error)SnapshotArgs fields:
| Field | Type | Description |
|---|---|---|
VolumeId | pulumi.StringInput | Required. ID of the EBS volume to snapshot. |
Description | pulumi.StringPtrInput | Description of the snapshot. |
OutpostArn | pulumi.StringPtrInput | Outpost ARN for local snapshot creation. |
StorageTier | pulumi.StringPtrInput | archive or standard. Default: standard. |
PermanentRestore | pulumi.BoolPtrInput | Permanently restore an archived snapshot. |
TemporaryRestoreDays | pulumi.IntPtrInput | Days to temporarily restore an archived snapshot. |
Tags | pulumi.StringMapInput | Resource tags. |
Snapshot output attributes:
| Attribute | Type | Description |
|---|---|---|
Arn | pulumi.StringOutput | Snapshot ARN |
VolumeSize | pulumi.IntOutput | Size of the source volume in GiB |
Encrypted | pulumi.BoolOutput | Whether the snapshot is encrypted |
KmsKeyId | pulumi.StringOutput | KMS key ARN if encrypted |
OwnerId | pulumi.StringOutput | AWS account ID of snapshot owner |
OwnerAlias | pulumi.StringOutput | Owner alias (e.g., amazon) |
DataEncryptionKeyId | pulumi.StringOutput | Data encryption key identifier |
Example: Snapshot with Auto-Tags
volume, err := ebs.NewVolume(ctx, "appVolume", &ebs.VolumeArgs{
AvailabilityZone: pulumi.String("us-west-2a"),
Size: pulumi.Int(40),
Tags: pulumi.StringMap{
"Name": pulumi.String("app-volume"),
},
})
_, err = ebs.NewSnapshot(ctx, "appSnapshot", &ebs.SnapshotArgs{
VolumeId: volume.ID(),
Description: pulumi.String("Nightly backup of app volume"),
Tags: pulumi.StringMap{
"Name": pulumi.String("app-volume-snapshot"),
},
})Import:
pulumi import aws:ebs/snapshot:Snapshot example snap-049df61146c4d7901SnapshotCopy
Copies an EBS snapshot within or between AWS regions, optionally re-encrypting.
func NewSnapshotCopy(ctx *pulumi.Context, name string, args *SnapshotCopyArgs, opts ...pulumi.ResourceOption) (*SnapshotCopy, error)func GetSnapshotCopy(ctx *pulumi.Context, name string, id pulumi.IDInput, state *SnapshotCopyState, opts ...pulumi.ResourceOption) (*SnapshotCopy, error)SnapshotCopyArgs fields:
| Field | Type | Description |
|---|---|---|
SourceSnapshotId | pulumi.StringInput | Required. ARN of the snapshot to copy. |
SourceRegion | pulumi.StringInput | Required. Region of the source snapshot. |
Description | pulumi.StringPtrInput | Description for the copied snapshot. |
Encrypted | pulumi.BoolPtrInput | Encrypt the copy. |
KmsKeyId | pulumi.StringPtrInput | KMS key ARN for encryption of the copy. |
StorageTier | pulumi.StringPtrInput | archive or standard. Default: standard. |
PermanentRestore | pulumi.BoolPtrInput | Permanently restore archived snapshot. |
TemporaryRestoreDays | pulumi.IntPtrInput | Days for temporary restore of archived snapshot. |
CompletionDurationMinutes | pulumi.IntPtrInput | Time-based copy completion duration (15-2880 minutes, in 15-minute increments). |
Tags | pulumi.StringMapInput | Resource tags. |
SnapshotImport
Imports a disk image from S3 as an EBS snapshot (VM Import/Export).
func NewSnapshotImport(ctx *pulumi.Context, name string, args *SnapshotImportArgs, opts ...pulumi.ResourceOption) (*SnapshotImport, error)func GetSnapshotImport(ctx *pulumi.Context, name string, id pulumi.IDInput, state *SnapshotImportState, opts ...pulumi.ResourceOption) (*SnapshotImport, error)SnapshotImportArgs fields:
| Field | Type | Description |
|---|---|---|
DiskContainer | SnapshotImportDiskContainerInput | Required. Disk container info with Format (VHD, VMDK, RAW) and UserBucket (S3 location). |
Description | pulumi.StringPtrInput | Description of the import task. |
Encrypted | pulumi.BoolPtrInput | Encrypt the imported snapshot. |
KmsKeyId | pulumi.StringPtrInput | KMS key ARN for encryption. |
RoleName | pulumi.StringPtrInput | IAM role name for VM Import. Default: vmimport. |
ClientData | SnapshotImportClientDataPtrInput | Client-specific data including upload start/end times and comment. |
StorageTier | pulumi.StringPtrInput | archive or standard. Default: standard. |
Tags | pulumi.StringMapInput | Resource tags. |
EncryptionByDefault
Manages whether default EBS encryption is enabled for the AWS account in the current region.
func NewEncryptionByDefault(ctx *pulumi.Context, name string, args *EncryptionByDefaultArgs, opts ...pulumi.ResourceOption) (*EncryptionByDefault, error)func GetEncryptionByDefault(ctx *pulumi.Context, name string, id pulumi.IDInput, state *EncryptionByDefaultState, opts ...pulumi.ResourceOption) (*EncryptionByDefault, error)EncryptionByDefaultArgs fields:
| Field | Type | Description |
|---|---|---|
Enabled | pulumi.BoolPtrInput | Enable default encryption. Default: true. |
Region | pulumi.StringPtrInput | AWS region. |
Note: Removing this resource disables default EBS encryption. Use together with
DefaultKmsKeyto specify a CMK.
Example:
_, err := ebs.NewEncryptionByDefault(ctx, "encryptionDefault", &ebs.EncryptionByDefaultArgs{
Enabled: pulumi.Bool(true),
})Import:
pulumi import aws:ebs/encryptionByDefault:EncryptionByDefault example defaultDefaultKmsKey
Sets the default KMS customer master key (CMK) used for EBS encryption in the current region.
func NewDefaultKmsKey(ctx *pulumi.Context, name string, args *DefaultKmsKeyArgs, opts ...pulumi.ResourceOption) (*DefaultKmsKey, error)func GetDefaultKmsKey(ctx *pulumi.Context, name string, id pulumi.IDInput, state *DefaultKmsKeyState, opts ...pulumi.ResourceOption) (*DefaultKmsKey, error)DefaultKmsKeyArgs fields:
| Field | Type | Description |
|---|---|---|
KeyArn | pulumi.StringInput | Required. ARN of the KMS customer master key. |
Region | pulumi.StringPtrInput | AWS region. |
Note: Does not enable default encryption on its own. Use
EncryptionByDefaultto enable default encryption. Destroying resets the CMK to the AWS-managed default.
Example: Enable Default Encryption with Custom CMK
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ebs"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cmk, err := kms.NewKey(ctx, "ebsCmk", &kms.KeyArgs{
Description: pulumi.String("EBS default encryption key"),
DeletionWindowInDays: pulumi.Int(10),
})
if err != nil {
return err
}
_, err = ebs.NewDefaultKmsKey(ctx, "ebsDefaultKms", &ebs.DefaultKmsKeyArgs{
KeyArn: cmk.Arn,
})
if err != nil {
return err
}
_, err = ebs.NewEncryptionByDefault(ctx, "encryptDefault", &ebs.EncryptionByDefaultArgs{
Enabled: pulumi.Bool(true),
})
return err
})
}SnapshotBlockPublicAccess
Controls whether EBS snapshots in the current region can be shared publicly.
func NewSnapshotBlockPublicAccess(ctx *pulumi.Context, name string, args *SnapshotBlockPublicAccessArgs, opts ...pulumi.ResourceOption) (*SnapshotBlockPublicAccess, error)func GetSnapshotBlockPublicAccess(ctx *pulumi.Context, name string, id pulumi.IDInput, state *SnapshotBlockPublicAccessState, opts ...pulumi.ResourceOption) (*SnapshotBlockPublicAccess, error)SnapshotBlockPublicAccessArgs fields:
| Field | Type | Description |
|---|---|---|
State | pulumi.StringInput | Required. block-all-sharing, block-new-sharing, or unblocked. |
Region | pulumi.StringPtrInput | AWS region. |
Import:
pulumi import aws:ebs/snapshotBlockPublicAccess:SnapshotBlockPublicAccess example defaultFastSnapshotRestore
Enables fast snapshot restore for a specific EBS snapshot in a given availability zone.
func NewFastSnapshotRestore(ctx *pulumi.Context, name string, args *FastSnapshotRestoreArgs, opts ...pulumi.ResourceOption) (*FastSnapshotRestore, error)func GetFastSnapshotRestore(ctx *pulumi.Context, name string, id pulumi.IDInput, state *FastSnapshotRestoreState, opts ...pulumi.ResourceOption) (*FastSnapshotRestore, error)FastSnapshotRestoreArgs fields:
| Field | Type | Description |
|---|---|---|
SnapshotId | pulumi.StringInput | Required. ID of the snapshot to enable fast restore on. |
AvailabilityZone | pulumi.StringInput | Required. AZ in which to enable fast restore. |
FastSnapshotRestore output attributes:
| Attribute | Type | Description |
|---|---|---|
State | pulumi.StringOutput | One of: enabling, optimizing, enabled, disabling, disabled |
Import:
pulumi import aws:ebs/fastSnapshotRestore:FastSnapshotRestore example us-west-2a,snap-0123456789abcdef0EBS Data Sources
GetEbsVolumes
Returns IDs of EBS volumes matching specified criteria.
func GetEbsVolumes(ctx *pulumi.Context, args *GetEbsVolumesArgs, opts ...pulumi.InvokeOption) (*GetEbsVolumesResult, error)func GetEbsVolumesOutput(ctx *pulumi.Context, args *GetEbsVolumesOutputArgs, opts ...pulumi.InvokeOption) GetEbsVolumesResultOutputGetEbsVolumesArgs fields:
| Field | Type | Description |
|---|---|---|
Filters | []GetEbsVolumesFilter | Filter by name/value pairs. See EC2 describe-volumes filters. |
Tags | map[string]string | Filter by tags. |
Example:
volumes, err := ebs.GetEbsVolumes(ctx, &ebs.GetEbsVolumesArgs{
Tags: map[string]string{
"Environment": "production",
},
}, nil)GetSnapshot (Data Source)
Retrieves a specific EBS snapshot matching given criteria.
func GetSnapshot(ctx *pulumi.Context, args *GetSnapshotArgs, opts ...pulumi.InvokeOption) (*GetSnapshotResult, error)GetSnapshotArgs fields:
| Field | Type | Description |
|---|---|---|
SnapshotIds | []string | List of snapshot IDs to filter. |
Owners | []string | AWS account IDs or amazon/aws-marketplace/self. |
Filters | []GetSnapshotFilter | Filter by name/value pairs (e.g., tag:Name, status). |
MostRecent | *bool | Return the most recent snapshot when multiple match. |
RestorableByUserIds | []string | AWS account IDs that can restore the snapshot. |
Example:
latestSnapshot, err := ebs.GetSnapshot(ctx, &ebs.GetSnapshotArgs{
MostRecent: pulumi.BoolRef(true),
Owners: []string{"self"},
Filters: []ebs.GetSnapshotFilter{
{
Name: "tag:Name",
Values: []string{"app-volume-snapshot"},
},
},
}, nil)GetSnapshotIds
Returns a list of EBS snapshot IDs matching given criteria.
func GetSnapshotIds(ctx *pulumi.Context, args *GetSnapshotIdsArgs, opts ...pulumi.InvokeOption) (*GetSnapshotIdsResult, error)func GetSnapshotIdsOutput(ctx *pulumi.Context, args *GetSnapshotIdsOutputArgs, opts ...pulumi.InvokeOption) GetSnapshotIdsResultOutputGetSnapshotIdsArgs fields:
| Field | Type | Description |
|---|---|---|
Filters | []GetSnapshotIdsFilter | Filter by name/value pairs. |
Owners | []string | Snapshot owner account IDs. |
RestorableByUserIds | []string | Account IDs that can restore. |
Region | *string | AWS region. |
GetEncryptionByDefault
Returns the current default EBS encryption state for the account/region.
func GetEncryptionByDefault(ctx *pulumi.Context, args *GetEncryptionByDefaultArgs, opts ...pulumi.InvokeOption) (*GetEncryptionByDefaultResult, error)GetDefaultKmsKey
Returns the default EBS encryption KMS key for the current region.
func GetDefaultKmsKey(ctx *pulumi.Context, args *GetDefaultKmsKeyArgs, opts ...pulumi.InvokeOption) (*GetDefaultKmsKeyResult, error)EBS Complete Usage Example
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ebs"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Custom CMK for EBS
ebsKey, err := kms.NewKey(ctx, "ebsKey", &kms.KeyArgs{
Description: pulumi.String("EBS encryption key"),
DeletionWindowInDays: pulumi.Int(10),
})
if err != nil {
return err
}
// Set as default regional CMK
_, err = ebs.NewDefaultKmsKey(ctx, "defaultKey", &ebs.DefaultKmsKeyArgs{
KeyArn: ebsKey.Arn,
})
if err != nil {
return err
}
// Enable encryption by default
_, err = ebs.NewEncryptionByDefault(ctx, "encryptDefault", &ebs.EncryptionByDefaultArgs{
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
// Block public sharing of snapshots
_, err = ebs.NewSnapshotBlockPublicAccess(ctx, "blockPublic", &ebs.SnapshotBlockPublicAccessArgs{
State: pulumi.String("block-all-sharing"),
})
if err != nil {
return err
}
// Create an encrypted gp3 volume
dataVol, err := ebs.NewVolume(ctx, "dataVolume", &ebs.VolumeArgs{
AvailabilityZone: pulumi.String("us-west-2a"),
Type: pulumi.String("gp3"),
Size: pulumi.Int(200),
Iops: pulumi.Int(3000),
Throughput: pulumi.Int(125),
Encrypted: pulumi.Bool(true),
KmsKeyId: ebsKey.Arn,
Tags: pulumi.StringMap{
"Name": pulumi.String("application-data"),
},
})
if err != nil {
return err
}
// Snapshot the volume
_, err = ebs.NewSnapshot(ctx, "dataSnapshot", &ebs.SnapshotArgs{
VolumeId: dataVol.ID(),
Description: pulumi.String("Backup snapshot of application data volume"),
Tags: pulumi.StringMap{
"Name": pulumi.String("application-data-backup"),
},
})
if err != nil {
return err
}
ctx.Export("volumeId", dataVol.ID())
ctx.Export("volumeArn", dataVol.Arn)
return nil
})
}EFS Package
Import path: github.com/pulumi/pulumi-aws/sdk/v7/go/aws/efs
The efs package provides resources for managing Amazon Elastic File System (EFS). EFS provides scalable, elastic, cloud-native NFS file storage for use with AWS services and on-premises resources.
EFS Resources
FileSystem
Creates an EFS file system. Supports regional (multi-AZ) and One Zone (single-AZ) storage.
func NewFileSystem(ctx *pulumi.Context, name string, args *FileSystemArgs, opts ...pulumi.ResourceOption) (*FileSystem, error)func GetFileSystem(ctx *pulumi.Context, name string, id pulumi.IDInput, state *FileSystemState, opts ...pulumi.ResourceOption) (*FileSystem, error)FileSystemArgs fields:
| Field | Type | Description |
|---|---|---|
CreationToken | pulumi.StringPtrInput | Idempotency token (max 64 chars). Auto-generated if omitted. |
PerformanceMode | pulumi.StringPtrInput | generalPurpose (default) or maxIO. maxIO is not supported for One Zone storage. |
ThroughputMode | pulumi.StringPtrInput | bursting (default), provisioned, or elastic. |
ProvisionedThroughputInMibps | pulumi.Float64PtrInput | Provisioned throughput in MiB/s. Required when ThroughputMode is provisioned. |
Encrypted | pulumi.BoolPtrInput | Enable encryption at rest. |
KmsKeyId | pulumi.StringPtrInput | KMS key ARN for encryption. Requires Encrypted: true. |
AvailabilityZoneName | pulumi.StringPtrInput | AZ for One Zone storage (e.g., us-east-1a). |
LifecyclePolicies | FileSystemLifecyclePolicyArrayInput | Lifecycle policies for automatic tiering. |
Protection | FileSystemProtectionPtrInput | File system protection settings. |
Tags | pulumi.StringMapInput | Resource tags. |
Region | pulumi.StringPtrInput | AWS region. |
FileSystem output attributes:
| Attribute | Type | Description |
|---|---|---|
Arn | pulumi.StringOutput | File system ARN |
DnsName | pulumi.StringOutput | DNS name (fs-xxxxxxxx.efs.region.amazonaws.com) |
Name | pulumi.StringOutput | Value of the Name tag |
OwnerId | pulumi.StringOutput | AWS account that created the file system |
NumberOfMountTargets | pulumi.IntOutput | Current number of mount targets |
SizeInBytes | FileSystemSizeInByteArrayOutput | Latest known metered size |
AvailabilityZoneId | pulumi.StringOutput | AZ ID (for One Zone file systems) |
Lifecycle Policy fields:
| Field | Description |
|---|---|
TransitionToIa | When to move to Infrequent Access tier. Values: AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS, AFTER_60_DAYS, AFTER_90_DAYS, AFTER_180_DAYS, AFTER_270_DAYS, AFTER_365_DAYS. |
TransitionToPrimaryStorageClass | Set to AFTER_1_ACCESS to move back from IA on access. |
TransitionToArchive | When to move to Archive tier. |
Example: Regional EFS with Lifecycle Policy
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/efs"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
fs, err := efs.NewFileSystem(ctx, "appFileSystem", &efs.FileSystemArgs{
CreationToken: pulumi.String("app-shared-storage"),
PerformanceMode: pulumi.String("generalPurpose"),
ThroughputMode: pulumi.String("elastic"),
Encrypted: pulumi.Bool(true),
LifecyclePolicies: efs.FileSystemLifecyclePolicyArray{
&efs.FileSystemLifecyclePolicyArgs{
TransitionToIa: pulumi.String("AFTER_30_DAYS"),
},
&efs.FileSystemLifecyclePolicyArgs{
TransitionToPrimaryStorageClass: pulumi.String("AFTER_1_ACCESS"),
},
},
Tags: pulumi.StringMap{
"Name": pulumi.String("app-shared-storage"),
"Environment": pulumi.String("production"),
},
})
if err != nil {
return err
}
ctx.Export("fsId", fs.ID())
ctx.Export("fsDnsName", fs.DnsName)
return nil
})
}Example: One Zone File System
_, err := efs.NewFileSystem(ctx, "oneZoneFs", &efs.FileSystemArgs{
CreationToken: pulumi.String("one-zone-fs"),
AvailabilityZoneName: pulumi.String("us-east-1a"),
Tags: pulumi.StringMap{
"Name": pulumi.String("one-zone-storage"),
},
})Import:
pulumi import aws:efs/fileSystem:FileSystem example fs-6fa144c6MountTarget
Creates an EFS mount target in a specific subnet, making the file system accessible from that AZ.
func NewMountTarget(ctx *pulumi.Context, name string, args *MountTargetArgs, opts ...pulumi.ResourceOption) (*MountTarget, error)func GetMountTarget(ctx *pulumi.Context, name string, id pulumi.IDInput, state *MountTargetState, opts ...pulumi.ResourceOption) (*MountTarget, error)MountTargetArgs fields:
| Field | Type | Description |
|---|---|---|
FileSystemId | pulumi.StringInput | Required. ID of the EFS file system. |
SubnetId | pulumi.StringInput | Required. Subnet ID in which to create the mount target. |
SecurityGroups | pulumi.StringArrayInput | Up to 5 VPC security group IDs. |
IpAddress | pulumi.StringPtrInput | IPv4 address within the subnet's range. Auto-assigned if omitted. |
IpAddressType | pulumi.StringPtrInput | IPV4_ONLY (default), IPV6_ONLY, or DUAL_STACK. |
Ipv6Address | pulumi.StringPtrInput | IPv6 address. Only when IpAddressType is IPV6_ONLY or DUAL_STACK. |
Region | pulumi.StringPtrInput | AWS region. |
MountTarget output attributes:
| Attribute | Type | Description |
|---|---|---|
DnsName | pulumi.StringOutput | DNS name of the EFS file system |
MountTargetDnsName | pulumi.StringOutput | AZ-specific DNS name |
IpAddress | pulumi.StringOutput | Assigned IP address |
NetworkInterfaceId | pulumi.StringOutput | Network interface ID created by EFS |
AvailabilityZoneId | pulumi.StringOutput | AZ ID |
AvailabilityZoneName | pulumi.StringOutput | AZ name |
OwnerId | pulumi.StringOutput | AWS account ID that owns the resource |
FileSystemArn | pulumi.StringOutput | File system ARN |
Example: Mount Targets in Multiple AZs
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/efs"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// Create mount targets in two subnets (different AZs)
for i, subnetId := range []pulumi.StringInput{subnetA.ID(), subnetB.ID()} {
_, err = efs.NewMountTarget(ctx, fmt.Sprintf("mt-%d", i), &efs.MountTargetArgs{
FileSystemId: fileSystem.ID(),
SubnetId: subnetId,
SecurityGroups: pulumi.StringArray{efsSg.ID()},
})
if err != nil {
return err
}
}Import:
pulumi import aws:efs/mountTarget:MountTarget example fsmt-52a643fbAccessPoint
Creates an EFS access point providing application-specific entry points to a file system.
func NewAccessPoint(ctx *pulumi.Context, name string, args *AccessPointArgs, opts ...pulumi.ResourceOption) (*AccessPoint, error)func GetAccessPoint(ctx *pulumi.Context, name string, id pulumi.IDInput, state *AccessPointState, opts ...pulumi.ResourceOption) (*AccessPoint, error)AccessPointArgs fields:
| Field | Type | Description |
|---|---|---|
FileSystemId | pulumi.StringInput | Required. ID of the EFS file system. |
PosixUser | AccessPointPosixUserPtrInput | POSIX user and group for all file system requests. Contains Uid, Gid, optional SecondaryGids. |
RootDirectory | AccessPointRootDirectoryPtrInput | Root directory on the EFS file system exposed via this access point. Contains Path and optional CreationInfo (with OwnerUid, OwnerGid, Permissions). |
Tags | pulumi.StringMapInput | Resource tags. |
AccessPoint output attributes:
| Attribute | Type | Description |
|---|---|---|
Arn | pulumi.StringOutput | Access point ARN |
FileSystemArn | pulumi.StringOutput | File system ARN |
OwnerId | pulumi.StringOutput | Owner AWS account ID |
Example: Containerized App Access Point
_, err = efs.NewAccessPoint(ctx, "appAccessPoint", &efs.AccessPointArgs{
FileSystemId: fileSystem.ID(),
PosixUser: &efs.AccessPointPosixUserArgs{
Uid: pulumi.Int(1001),
Gid: pulumi.Int(1001),
},
RootDirectory: &efs.AccessPointRootDirectoryArgs{
Path: pulumi.String("/app-data"),
CreationInfo: &efs.AccessPointRootDirectoryCreationInfoArgs{
OwnerUid: pulumi.Int(1001),
OwnerGid: pulumi.Int(1001),
Permissions: pulumi.String("755"),
},
},
Tags: pulumi.StringMap{
"Name": pulumi.String("app-access-point"),
},
})Import:
pulumi import aws:efs/accessPoint:AccessPoint example fsap-52a643fbFileSystemPolicy
Manages a resource-based IAM policy for an EFS file system.
func NewFileSystemPolicy(ctx *pulumi.Context, name string, args *FileSystemPolicyArgs, opts ...pulumi.ResourceOption) (*FileSystemPolicy, error)func GetFileSystemPolicy(ctx *pulumi.Context, name string, id pulumi.IDInput, state *FileSystemPolicyState, opts ...pulumi.ResourceOption) (*FileSystemPolicy, error)FileSystemPolicyArgs fields:
| Field | Type | Description |
|---|---|---|
FileSystemId | pulumi.StringInput | Required. EFS file system ID. |
Policy | pulumi.StringInput | Required. JSON IAM policy document. Use iam.GetPolicyDocument. |
BypassPolicyLockoutSafetyCheck | pulumi.BoolPtrInput | Bypass the lockout safety check. Default: false. Only set to true when deliberately locking yourself out. |
Example: Enforce TLS-Only Access
policy := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Effect: pulumi.String("Allow"),
Principals: iam.GetPolicyDocumentStatementPrincipalArray{
&iam.GetPolicyDocumentStatementPrincipalArgs{
Type: pulumi.String("AWS"),
Identifiers: pulumi.StringArray{pulumi.String("*")},
},
},
Actions: pulumi.StringArray{
pulumi.String("elasticfilesystem:ClientMount"),
pulumi.String("elasticfilesystem:ClientWrite"),
},
Resources: pulumi.StringArray{fileSystem.Arn},
Conditions: iam.GetPolicyDocumentStatementConditionArray{
&iam.GetPolicyDocumentStatementConditionArgs{
Test: pulumi.String("Bool"),
Variable: pulumi.String("aws:SecureTransport"),
Values: pulumi.StringArray{pulumi.String("true")},
},
},
},
},
}, nil)
_, err = efs.NewFileSystemPolicy(ctx, "fsPolicy", &efs.FileSystemPolicyArgs{
FileSystemId: fileSystem.ID(),
Policy: policy.Json(),
})BackupPolicy
Enables or disables automatic AWS Backup for an EFS file system.
func NewBackupPolicy(ctx *pulumi.Context, name string, args *BackupPolicyArgs, opts ...pulumi.ResourceOption) (*BackupPolicy, error)func GetBackupPolicy(ctx *pulumi.Context, name string, id pulumi.IDInput, state *BackupPolicyState, opts ...pulumi.ResourceOption) (*BackupPolicy, error)BackupPolicyArgs fields:
| Field | Type | Description |
|---|---|---|
FileSystemId | pulumi.StringInput | Required. EFS file system ID. |
BackupPolicy | BackupPolicyBackupPolicyInput | Required. Nested block with Status: ENABLED or DISABLED. |
Example:
_, err = efs.NewBackupPolicy(ctx, "backup", &efs.BackupPolicyArgs{
FileSystemId: fileSystem.ID(),
BackupPolicy: &efs.BackupPolicyBackupPolicyArgs{
Status: pulumi.String("ENABLED"),
},
})Import:
pulumi import aws:efs/backupPolicy:BackupPolicy example fs-6fa144c6ReplicationConfiguration
Creates a replica of an EFS file system in the same or a different region. The replica is read-only.
func NewReplicationConfiguration(ctx *pulumi.Context, name string, args *ReplicationConfigurationArgs, opts ...pulumi.ResourceOption) (*ReplicationConfiguration, error)func GetReplicationConfiguration(ctx *pulumi.Context, name string, id pulumi.IDInput, state *ReplicationConfigurationState, opts ...pulumi.ResourceOption) (*ReplicationConfiguration, error)ReplicationConfigurationArgs fields:
| Field | Type | Description |
|---|---|---|
SourceFileSystemId | pulumi.StringInput | Required. ID of the source file system to replicate. |
Destination | ReplicationConfigurationDestinationInput | Required. Destination configuration with Region, optional AvailabilityZoneName, KmsKeyId, and FileSystemId (to replicate into an existing file system). |
ReplicationConfiguration output attributes:
| Attribute | Type | Description |
|---|---|---|
CreationTime | pulumi.StringOutput | When the replication was created |
OriginalSourceFileSystemArn | pulumi.StringOutput | ARN of the original source file system |
SourceFileSystemArn | pulumi.StringOutput | ARN of the current source file system |
SourceFileSystemRegion | pulumi.StringOutput | AWS region of the source |
Note: Deleting this resource stops replication but does NOT delete the destination file system.
Example: Cross-Region Replication
_, err = efs.NewReplicationConfiguration(ctx, "drReplica", &efs.ReplicationConfigurationArgs{
SourceFileSystemId: fileSystem.ID(),
Destination: &efs.ReplicationConfigurationDestinationArgs{
Region: pulumi.String("us-west-2"),
},
})EFS Data Sources
GetFileSystem
Looks up an existing EFS file system by ID, creation token, or tags.
func GetFileSystem(ctx *pulumi.Context, args *GetFileSystemArgs, opts ...pulumi.InvokeOption) (*GetFileSystemResult, error)GetMountTarget
Retrieves details of an existing EFS mount target.
func GetMountTarget(ctx *pulumi.Context, args *GetMountTargetArgs, opts ...pulumi.InvokeOption) (*GetMountTarget, error)GetAccessPoint
Looks up an EFS access point by ID.
func GetAccessPoint(ctx *pulumi.Context, args *GetAccessPointArgs, opts ...pulumi.InvokeOption) (*GetAccessPointResult, error)GetAccessPoints
Lists all EFS access points for a given file system.
func GetAccessPoints(ctx *pulumi.Context, args *GetAccessPointsArgs, opts ...pulumi.InvokeOption) (*GetAccessPointsResult, error)func GetAccessPointsOutput(ctx *pulumi.Context, args *GetAccessPointsOutputArgs, opts ...pulumi.InvokeOption) GetAccessPointsResultOutputGetBackupPolicy
func GetBackupPolicy(ctx *pulumi.Context, args *GetBackupPolicyArgs, opts ...pulumi.InvokeOption) (*GetBackupPolicyResult, error)GetFileSystemPolicy
func GetFileSystemPolicy(ctx *pulumi.Context, args *GetFileSystemPolicyArgs, opts ...pulumi.InvokeOption) (*GetFileSystemPolicyResult, error)GetReplicationConfiguration
func GetReplicationConfiguration(ctx *pulumi.Context, args *GetReplicationConfigurationArgs, opts ...pulumi.InvokeOption) (*GetReplicationConfigurationResult, error)EFS Complete Usage Example
This example creates a fully configured EFS file system with mount targets in two availability zones, an IAM resource policy, automatic backups, and an application-specific access point:
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/efs"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Create VPC and subnets
vpc, err := ec2.NewVpc(ctx, "appVpc", &ec2.VpcArgs{
CidrBlock: pulumi.String("10.0.0.0/16"),
})
if err != nil {
return err
}
subnetA, err := ec2.NewSubnet(ctx, "subnetA", &ec2.SubnetArgs{
VpcId: vpc.ID(),
CidrBlock: pulumi.String("10.0.1.0/24"),
AvailabilityZone: pulumi.String("us-east-1a"),
})
if err != nil {
return err
}
subnetB, err := ec2.NewSubnet(ctx, "subnetB", &ec2.SubnetArgs{
VpcId: vpc.ID(),
CidrBlock: pulumi.String("10.0.2.0/24"),
AvailabilityZone: pulumi.String("us-east-1b"),
})
if err != nil {
return err
}
// Security group for EFS mount targets
efsSg, err := ec2.NewSecurityGroup(ctx, "efsSg", &ec2.SecurityGroupArgs{
VpcId: vpc.ID(),
Description: pulumi.String("EFS mount target security group"),
Ingress: ec2.SecurityGroupIngressArray{
&ec2.SecurityGroupIngressArgs{
FromPort: pulumi.Int(2049),
ToPort: pulumi.Int(2049),
Protocol: pulumi.String("tcp"),
CidrBlocks: pulumi.StringArray{pulumi.String("10.0.0.0/16")},
},
},
})
if err != nil {
return err
}
// Create EFS file system
fileSystem, err := efs.NewFileSystem(ctx, "appFs", &efs.FileSystemArgs{
CreationToken: pulumi.String("app-shared-storage"),
PerformanceMode: pulumi.String("generalPurpose"),
ThroughputMode: pulumi.String("elastic"),
Encrypted: pulumi.Bool(true),
LifecyclePolicies: efs.FileSystemLifecyclePolicyArray{
&efs.FileSystemLifecyclePolicyArgs{
TransitionToIa: pulumi.String("AFTER_30_DAYS"),
},
&efs.FileSystemLifecyclePolicyArgs{
TransitionToPrimaryStorageClass: pulumi.String("AFTER_1_ACCESS"),
},
},
Tags: pulumi.StringMap{
"Name": pulumi.String("app-shared-storage"),
"Environment": pulumi.String("production"),
},
})
if err != nil {
return err
}
// Mount target in AZ1
_, err = efs.NewMountTarget(ctx, "mtA", &efs.MountTargetArgs{
FileSystemId: fileSystem.ID(),
SubnetId: subnetA.ID(),
SecurityGroups: pulumi.StringArray{efsSg.ID()},
})
if err != nil {
return err
}
// Mount target in AZ2
_, err = efs.NewMountTarget(ctx, "mtB", &efs.MountTargetArgs{
FileSystemId: fileSystem.ID(),
SubnetId: subnetB.ID(),
SecurityGroups: pulumi.StringArray{efsSg.ID()},
})
if err != nil {
return err
}
// Enable automatic backups
_, err = efs.NewBackupPolicy(ctx, "backup", &efs.BackupPolicyArgs{
FileSystemId: fileSystem.ID(),
BackupPolicy: &efs.BackupPolicyBackupPolicyArgs{
Status: pulumi.String("ENABLED"),
},
})
if err != nil {
return err
}
// Enforce TLS policy
tlsPolicy := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Effect: pulumi.String("Allow"),
Principals: iam.GetPolicyDocumentStatementPrincipalArray{
&iam.GetPolicyDocumentStatementPrincipalArgs{
Type: pulumi.String("AWS"),
Identifiers: pulumi.StringArray{pulumi.String("*")},
},
},
Actions: pulumi.StringArray{
pulumi.String("elasticfilesystem:ClientMount"),
pulumi.String("elasticfilesystem:ClientWrite"),
},
Resources: pulumi.StringArray{fileSystem.Arn},
Conditions: iam.GetPolicyDocumentStatementConditionArray{
&iam.GetPolicyDocumentStatementConditionArgs{
Test: pulumi.String("Bool"),
Variable: pulumi.String("aws:SecureTransport"),
Values: pulumi.StringArray{pulumi.String("true")},
},
},
},
},
}, nil)
_, err = efs.NewFileSystemPolicy(ctx, "fsPolicy", &efs.FileSystemPolicyArgs{
FileSystemId: fileSystem.ID(),
Policy: tlsPolicy.Json(),
})
if err != nil {
return err
}
// Application-specific access point
_, err = efs.NewAccessPoint(ctx, "appAccessPoint", &efs.AccessPointArgs{
FileSystemId: fileSystem.ID(),
PosixUser: &efs.AccessPointPosixUserArgs{
Uid: pulumi.Int(1001),
Gid: pulumi.Int(1001),
},
RootDirectory: &efs.AccessPointRootDirectoryArgs{
Path: pulumi.String("/application"),
CreationInfo: &efs.AccessPointRootDirectoryCreationInfoArgs{
OwnerUid: pulumi.Int(1001),
OwnerGid: pulumi.Int(1001),
Permissions: pulumi.String("750"),
},
},
Tags: pulumi.StringMap{
"Name": pulumi.String("app-data-access-point"),
},
})
if err != nil {
return err
}
ctx.Export("fileSystemId", fileSystem.ID())
ctx.Export("fileSystemArn", fileSystem.Arn)
ctx.Export("fileSystemDnsName", fileSystem.DnsName)
return nil
})
}Mounting EFS on EC2
After creating an EFS file system and mount target, mount using the NFS client:
# Install NFS client
sudo yum install -y amazon-efs-utils
# Mount using EFS mount helper (recommended - supports TLS and IAM)
sudo mount -t efs -o tls fs-12345678:/ /mnt/efs
# Mount using standard NFS client
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport \
fs-12345678.efs.us-east-1.amazonaws.com:/ /mnt/efsIn Pulumi, use the DNS name output:
// The mount DNS name to pass to EC2 user data
ctx.Export("efsMountDns", fileSystem.DnsName)Install with Tessl CLI
npx tessl i tessl/golang-github-com-pulumi-pulumi-aws-sdk-v7@7.16.1docs