Network problems when configuring AWS Lambda with EFS

This is all new to me so I’m not 100% sure what I’m doing.

EFS requires a VPC and I was using the default VPC. I suspect there’s some more network configurations I need to add but I don’t yet know enough to know what to change.

What I have written deploys successfully, but when I try to test the lambda I get:

Calling the invoke API action failed with this message: The function couldn’t connect to the Amazon EFS file system with access point arn:aws:elasticfilesystem:us-west-2:REDACTED:access-point/REDACTED. Check your network configuration and try again

Thanks a lot to anyone who takes the time to read this and help me out.

This is what I have:


resource "aws_lambda_function" "downloader" {
  function_name = "downloader"
  role          = aws_iam_role.downloader.arn
  package_type  = "Image"
  image_uri     = REDACTED
  #  timeout = 600
  file_system_config {
    arn = aws_efs_access_point.downloader_lambda.arn
    # Must start with '/mnt/'
    local_mount_path = "/mnt/efs"
  }
  # Explicitly declare dependency on EFS mount target.
  # When creating or updating Lambda functions, mount target must be in
  # 'available' lifecycle state.
  depends_on = [aws_efs_mount_target.alpha]
  vpc_config {
    # Every subnet should be able to reach an EFS mount target in the same
    # Availability Zone. Cross-AZ mounts are not permitted.
    subnet_ids         = data.aws_subnet_ids.default.ids
    security_group_ids = [aws_default_security_group.default.id]
  }
}

resource "aws_iam_role" "downloader" {
  name = "downloader"
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
    "arn:aws:iam::aws:policy/AmazonElasticFileSystemClientFullAccess"
  ]
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_default_vpc" "default" {}

data "aws_subnet_ids" "default" {
  vpc_id = aws_default_vpc.default.id
}

data "aws_subnet" "default" {
  for_each = data.aws_subnet_ids.default.ids
  id       = each.value
}

resource "aws_default_security_group" "default" {
  vpc_id = aws_default_vpc.default.id
}

resource "aws_efs_file_system" "downloads" {
  # FIXME: Consider using just one availability zone for cost savings
  tags = {
    Name = "downloads"
  }
}

resource "aws_efs_mount_target" "alpha" {
  for_each        = data.aws_subnet.default
  file_system_id  = aws_efs_file_system.downloads.id
  subnet_id       = each.value.id
  security_groups = [aws_default_security_group.default.id]
}

resource "aws_efs_access_point" "downloader_lambda" {
  file_system_id = aws_efs_file_system.downloads.id
  root_directory {
    path = "/lambda"
    creation_info {
      owner_gid   = 1000
      owner_uid   = 1000
      permissions = "777"
    }
  }
  posix_user {
    gid = 1000
    uid = 1000
  }
}

I highly discourage use of the default VPC due to security concerns. Therefore I recommend learning the basics of VPCs and Security Groups so that resources get deployed from scratch.

A good start might be an already existing GitHub project or different Terraform modules.

This could be a starting point.
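The network cause of the error in the question is that declaring aws_default_security_group with no ingress or egress blocks makes Terraform strip every rule from the default group, so the Lambda ENIs can no longer reach the EFS mount targets on NFS (TCP 2049). The following is an added example, not code from the thread, of the dedicated security groups the answer recommends; the resource names are assumed and it keeps the default VPC reference from the question only so it can be dropped into the same configuration.

```hcl
# Added example: two least-privilege security groups replacing
# aws_default_security_group. Names are assumed; the VPC reference
# is the one from the question.

# Group attached to the Lambda function's ENIs.
resource "aws_security_group" "lambda" {
  name   = "downloader-lambda"
  vpc_id = aws_default_vpc.default.id
}

# Group attached to the EFS mount targets.
resource "aws_security_group" "efs" {
  name   = "downloader-efs"
  vpc_id = aws_default_vpc.default.id
}

# Outbound from Lambda: only NFS, and only to the EFS group.
# For an egress rule, source_security_group_id is the destination group.
resource "aws_security_group_rule" "lambda_to_efs" {
  type                     = "egress"
  security_group_id        = aws_security_group.lambda.id
  from_port                = 2049
  to_port                  = 2049
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.efs.id
}

# Inbound on the mount targets: only NFS, and only from the Lambda group.
# Security groups are VPC-wide, so this one rule covers every AZ's target.
resource "aws_security_group_rule" "efs_from_lambda" {
  type                     = "ingress"
  security_group_id        = aws_security_group.efs.id
  from_port                = 2049
  to_port                  = 2049
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lambda.id
}

# Attributes that change in the question's resources:
#   aws_efs_mount_target.alpha:
#     security_groups    = [aws_security_group.efs.id]
#   aws_lambda_function.downloader (vpc_config):
#     security_group_ids = [aws_security_group.lambda.id]
```

Because aws_security_group also removes the AWS allow-all egress rule when no egress is declared, the Lambda group ends up with nothing but the single NFS egress rule above; add further egress rules only for what the function actually needs.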

Thanks, I’ll check that out.