From 8854ccdce4641d07a48ba6b1e70f898476b6bc2a Mon Sep 17 00:00:00 2001
From: Dmitry Kireev
Date: Wed, 16 Oct 2024 17:33:43 +0000
Subject: [PATCH] - Add external EFS example to worker (with authorization config) - Fix efs_authorization_config variable type, provide defaults
---
 examples/complete-worker/efs.tf | 47 ++++++++++++++++++++++++++++++++
 examples/complete-worker/main.tf | 10 +++++++
 variables.tf | 10 +++++-
 3 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100644 examples/complete-worker/efs.tf
diff --git a/examples/complete-worker/efs.tf b/examples/complete-worker/efs.tf
new file mode 100644
index 0000000..e2b3dd5
--- /dev/null
+++ b/examples/complete-worker/efs.tf
@@ -0,0 +1,47 @@
+# Standard EFS Example from https://github.com/terraform-aws-modules/terraform-aws-efs/blob/v1.6.4/examples/complete/main.tf
+module "efs_data" {
+ source = "registry.terraform.io/terraform-aws-modules/efs/aws"
+ version = "~> 1.6.0"
+
+ # File system
+ name = "${var.env}-${var.namespace}-data"
+ creation_token = "${var.env}-${var.namespace}-data"
+ encrypted = false # disabled for simplicity. Prod must be enabled.
+
+ lifecycle_policy = {
+ transition_to_ia = "AFTER_30_DAYS"
+ transition_to_primary_storage_class = "AFTER_1_ACCESS"
+ }
+
+ # File system policy
+ attach_policy = false
+ bypass_policy_lockout_safety_check = false
+
+ # Mount targets / security group
+ mount_targets = { for k, v in zipmap(["${var.aws_region}"], module.vpc.private_subnets) : k => { subnet_id = v } }
+ security_group_description = "Example EFS security group"
+ security_group_vpc_id = module.vpc.vpc_id
+ security_group_rules = {
+ vpc = {
+ # relying on the defaults provdied for EFS/NFS (2049/TCP + ingress)
+ description = "NFS ingress from VPC private subnets"
+ cidr_blocks = module.vpc.private_subnets_cidr_blocks
+ }
+ }
+
+ # Access point(s)
+ access_points = {
+ posix_example = {
+ name = "posix-example"
+ posix_user = {
+ gid = 1001
+ uid = 1001
+ secondary_gids = [1002]
+ }
+
+ tags = {
+ Additionl = "yes"
+ }
+ }
+ }
+}
diff --git a/examples/complete-worker/main.tf b/examples/complete-worker/main.tf
index a6ca0f6..daafb89 100644
--- a/examples/complete-worker/main.tf
+++ b/examples/complete-worker/main.tf
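Review bot: `mount_targets` zips a one-element key list, `["${var.aws_region}"]`, with `module.vpc.private_subnets`; zipmap requires both lists to have the same length, so the plan only succeeds when that VPC exposes exactly one private subnet, and the file system then has a mount target in a single AZ. The upstream example this is copied from keys the map by availability zone, e.g. `mount_targets = { for k, v in zipmap(<az list>, module.vpc.private_subnets) : k => { subnet_id = v } }`, with the AZ list taken from whatever the example's VPC module exposes (not visible in this patch). `encrypted = false` together with `attach_policy = false` also ships an unencrypted file system with no resource policy in a file readers will copy verbatim; I believe the module input defaults to encrypted, so dropping the override or writing `encrypted = true` keeps the example safe by default at no cost. Two typos: `provdied` in the security-group comment and `Additionl` in the access point tags.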
@@ -73,6 +73,16 @@ module "worker_complete" {
 docker_container_command = ["echo", "command-output"]
 deployment_minimum_healthy_percent = 0
+ # EFS settings (external)
+ efs_enabled = true
+ efs_file_system_id = module.efs_data.id
+ efs_mount_point = "/mnt/efs"
+ efs_root_directory = "/"
+ efs_authorization_config = {
+ access_point_id = module.efs_data.access_points.posix_example.id
+ iam = "ENABLED"
+ }
+ + # Network
 vpc_id = module.vpc.vpc_id
 private_subnets = module.vpc.private_subnets
diff --git a/variables.tf b/variables.tf
index a0d081d..eae0345 100644
--- a/variables.tf
+++ b/variables.tf
@@ -610,9 +610,15 @@ variable "efs_root_directory" {
 }
 variable "efs_authorization_config" {
- type = object({})
+ type = object({
+ access_point_id = string
+ iam = string
+ })
 description = "EFS authorization config"
- default = {}
+ default = {
+ access_point_id = null
+ iam = "ENABLED"
+ }
 }
 variable "efs_access_points" {
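Review bot: `iam = "ENABLED"` in `efs_authorization_config` makes the task authenticate to EFS with its task role, which ECS only accepts when transit encryption is enabled on the volume and the role is allowed `elasticfilesystem:ClientMount` (plus `ClientWrite` for read-write access); neither is visible in this hunk, and `efs.tf` sets `attach_policy = false`, so there is no file system policy granting it either. A comment on the block would save readers a failed deployment, e.g. `# IAM auth requires transit encryption on the EFS volume and ClientMount/ClientWrite on the task role`, and the module's task-definition volume block (outside this patch) should be checked to enable transit encryption whenever `iam` is ENABLED. `efs_root_directory = "/"` is the right value here, since with an access point the root directory must be `/` or omitted. The `module "worker_complete"` block starts before and ends after this hunk.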
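Review bot: Changing `type` from `object({})` to an object with two required attributes breaks every caller that passed `efs_authorization_config = {}` or only `access_point_id`, because Terraform rejects objects missing declared attributes; marking them optional keeps those inputs valid: `type = object({ access_point_id = optional(string), iam = optional(string, "ENABLED") })` (`optional()` with a default needs Terraform 1.3+, check the `required_version` constraint, which is not in this patch). The new default `iam = "ENABLED"` may also change behavior for users who never set the variable, if the module forwards the default to the task definition, since IAM authorization requires transit encryption and EFS permissions on the task role; `"DISABLED"` is the non-breaking default unless the module already guards that path. The description should state the contract rather than repeat the name, e.g. `ECS EFS authorization config: access_point_id (null to mount the file system root) and iam (ENABLED or DISABLED: whether the task role is used to authenticate to EFS)`.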