feat: add support for IPv6 and dual-stack EFS mount targets (#163)

ngoyal16 · web-flow · commit a10c447e05ed · 2025-11-26T11:07:55.000-05:00
* feat: add support for IPv6 and dual-stack EFS mount targets

* formatingissue fixed

* ipv6 cidr rule added for security group
diff --git a/README.md b/README.md
@@ -126,6 +126,7 @@ module "efs" {
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br/>This is for some rare cases where resources want additional configuration of tags<br/>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
 | <a name="input_allow_all_egress"></a> [allow\_all\_egress](#input\_allow\_all\_egress) | Passed to the security group module (if one is created). | `bool` | `true` | no |
 | <a name="input_allowed_cidr_blocks"></a> [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | The CIDR blocks from which to allow `ingress` traffic to the EFS | `list(string)` | `[]` | no |
+| <a name="input_allowed_ipv6_cidr_blocks"></a> [allowed\_ipv6\_cidr\_blocks](#input\_allowed\_ipv6\_cidr\_blocks) | List of IPv6 CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no |
 | <a name="input_allowed_security_group_ids"></a> [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the security group created by this module. | `list(string)` | `[]` | no |
 | <a name="input_associated_security_group_ids"></a> [associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the EFS Mount Targets with, in addition to the created security group.<br/>These security groups will not be modified and, if `create_security_group` is `false`, must have rules providing the desired access. | `list(string)` | `[]` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br/>in the order they appear in the list. New attributes are appended to the<br/>end of the list. The elements of the list are joined by the `delimiter`<br/>and treated as a single ID element. | `list(string)` | `[]` | no |
@@ -148,6 +149,8 @@ module "efs" {
 | <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br/>set as tag values, and output by this module individually.<br/>Does not affect values of tags passed in via the `tags` input.<br/>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br/>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br/>Default value: `lower`. | `string` | `null` | no |
 | <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br/>Default is to include all labels.<br/>Tags with empty values will not be included in the `tags` output.<br/>Set to `[]` to suppress all generated tags.<br/>**Notes:**<br/>  The value of the `name` tag, if included, will be the `id`, not the `name`.<br/>  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br/>  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br/>  "default"<br/>]</pre> | no |
 | <a name="input_mount_target_ip_address"></a> [mount\_target\_ip\_address](#input\_mount\_target\_ip\_address) | The address (within the address range of the specified subnet) at which the file system may be mounted via the mount target | `string` | `null` | no |
+| <a name="input_mount_target_ip_address_type"></a> [mount\_target\_ip\_address\_type](#input\_mount\_target\_ip\_address\_type) | IP address type for the mount target. Valid values are IPV4\_ONLY (only IPv4 addresses), IPV6\_ONLY (only IPv6 addresses), and DUAL\_STACK (dual-stack, both IPv4 and IPv6 addresses). Defaults to IPV4\_ONLY. | `string` | `"IPV4_ONLY"` | no |
+| <a name="input_mount_target_ipv6_address"></a> [mount\_target\_ipv6\_address](#input\_mount\_target\_ipv6\_address) | IPv6 address to use. Valid only when mount\_target\_ip\_address\_type is set to IPV6\_ONLY or DUAL\_STACK. | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br/>This is the only ID element not also included as a `tag`.<br/>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_performance_mode"></a> [performance\_mode](#input\_performance\_mode) | The file system performance mode. Can be either `generalPurpose` or `maxIO` | `string` | `"generalPurpose"` | no |
@@ -185,6 +188,7 @@ module "efs" {
 | <a name="output_mount_target_dns_names"></a> [mount\_target\_dns\_names](#output\_mount\_target\_dns\_names) | List of EFS mount target DNS names |
 | <a name="output_mount_target_ids"></a> [mount\_target\_ids](#output\_mount\_target\_ids) | List of EFS mount target IDs (one per Availability Zone) |
 | <a name="output_mount_target_ips"></a> [mount\_target\_ips](#output\_mount\_target\_ips) | List of EFS mount target IPs (one per Availability Zone) |
+| <a name="output_mount_target_ipv6_addresses"></a> [mount\_target\_ipv6\_addresses](#output\_mount\_target\_ipv6\_addresses) | List of EFS mount target IPv6 addresses (one per Availability Zone) |
 | <a name="output_network_interface_ids"></a> [network\_interface\_ids](#output\_network\_interface\_ids) | List of mount target network interface IDs |
 | <a name="output_security_group_arn"></a> [security\_group\_arn](#output\_security\_group\_arn) | EFS Security Group ARN |
 | <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | EFS Security Group ID |
diff --git a/main.tf b/main.tf
@@ -49,10 +49,12 @@ resource "aws_efs_file_system" "default" {
 }
 
 resource "aws_efs_mount_target" "default" {
-  count          = local.enabled && length(var.subnets) > 0 ? length(var.subnets) : 0
-  file_system_id = join("", aws_efs_file_system.default[*].id)
-  ip_address     = var.mount_target_ip_address
-  subnet_id      = var.subnets[count.index]
+  count           = local.enabled && length(var.subnets) > 0 ? length(var.subnets) : 0
+  file_system_id  = join("", aws_efs_file_system.default[*].id)
+  ip_address      = var.mount_target_ip_address_type == "IPV4_ONLY" || var.mount_target_ip_address_type == "DUAL_STACK" ? var.mount_target_ip_address : null
+  ip_address_type = var.mount_target_ip_address_type
+  ipv6_address    = var.mount_target_ip_address_type == "IPV6_ONLY" || var.mount_target_ip_address_type == "DUAL_STACK" ? var.mount_target_ipv6_address : null
+  subnet_id       = var.subnets[count.index]
   security_groups = compact(
     (concat(
       [module.security_group.id],
@@ -111,6 +113,7 @@ module "security_group" {
     {
       source_security_group_ids = local.allowed_security_group_ids
       cidr_blocks               = var.allowed_cidr_blocks
+      ipv6_cidr_blocks          = var.allowed_ipv6_cidr_blocks
       rules = [
         {
           key         = "in"
diff --git a/outputs.tf b/outputs.tf
@@ -43,6 +43,11 @@ output "mount_target_ips" {
   description = "List of EFS mount target IPs (one per Availability Zone)"
 }
 
+output "mount_target_ipv6_addresses" {
+  value       = local.enabled ? coalescelist(aws_efs_mount_target.default[*].ipv6_address, [""]) : null
+  description = "List of EFS mount target IPv6 addresses (one per Availability Zone)"
+}
+
 output "network_interface_ids" {
   value       = local.enabled ? coalescelist(aws_efs_mount_target.default[*].network_interface_id, [""]) : null
   description = "List of mount target network interface IDs"
diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,12 @@ variable "allowed_cidr_blocks" {
   description = "The CIDR blocks from which to allow `ingress` traffic to the EFS"
 }
 
+variable "allowed_ipv6_cidr_blocks" {
+  type        = list(string)
+  default     = []
+  description = "List of IPv6 CIDR blocks allowed to access the cluster"
+}
+
 variable "access_points" {
   type        = map(map(map(any)))
   default     = {}
@@ -79,6 +85,22 @@ variable "mount_target_ip_address" {
   default     = null
 }
 
+variable "mount_target_ip_address_type" {
+  type        = string
+  description = "IP address type for the mount target. Valid values are IPV4_ONLY (only IPv4 addresses), IPV6_ONLY (only IPv6 addresses), and DUAL_STACK (dual-stack, both IPv4 and IPv6 addresses). Defaults to IPV4_ONLY."
+  default     = "IPV4_ONLY"
+  validation {
+    condition     = contains(["IPV4_ONLY", "IPV6_ONLY", "DUAL_STACK"], var.mount_target_ip_address_type)
+    error_message = "Valid values for mount_target_ip_address_type are IPV4_ONLY, IPV6_ONLY, and DUAL_STACK."
+  }
+}
+
+variable "mount_target_ipv6_address" {
+  type        = string
+  description = "IPv6 address to use. Valid only when mount_target_ip_address_type is set to IPV6_ONLY or DUAL_STACK."
+  default     = null
+}
+
 variable "dns_name" {
   type        = string
   description = "Name of the CNAME record to create"
