Add efs volume to ecs fargate

Question

I want use EFS with fargate but I have this error when the task start:

ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: Failed to resolve "fs-xxxxx.efs.eu-west-1.amazonaws.com" - check that your file system ID is correct

I have checked the file system ID, it is corrects...how can I have more info about this error? Could it be related to the security groups?

This is the code that I use with terraform, I use two mount points for the two availability zones:

resource "aws_efs_file_system" "efs_apache" {
}

resource "aws_efs_mount_target" "efs-mount" {
  count                     = 2

  file_system_id            = aws_efs_file_system.efs_apache.id
  subnet_id                 = sort(var.subnet_ids)[count.index]
  security_groups           = [aws_security_group.efs.id]
}

resource "aws_efs_access_point" "efs-access-point" {
  file_system_id = aws_efs_file_system.efs_apache.id
}

resource "aws_security_group" "efs" {
  name        = "${var.name}-efs-sg"
  description = "Allow traffic from self"
  vpc_id      = var.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port = 2049
    to_port   = 2049
    protocol  = "tcp"
    security_groups = [aws_security_group.fargate_sg.id]
  }
}

this is the fargate service:

resource "aws_ecs_task_definition" "task_definition" {
  family                    = var.name
  requires_compatibilities  = ["FARGATE"]
  network_mode              = "awsvpc"
  execution_role_arn        = aws_iam_role.task_execution_role.arn
  task_role_arn             = aws_iam_role.task_role.arn
  cpu                       = var.cpu
  memory                    = var.memoryHardLimit
  volume {
    name      = "efs-apache"

    efs_volume_configuration {
      file_system_id = aws_efs_file_system.efs_apache.id
      root_directory = "/"
      transit_encryption      = "ENABLED"

      authorization_config {
        access_point_id = aws_efs_access_point.efs-access-point.id
        iam             = "ENABLED"
      }
    }
  }

  depends_on                = [aws_efs_file_system.efs_apache]

  container_definitions     = <<EOF
    [
      {
        "name": "${var.name}",
        "image": "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${lower(var.project_name)}_app:latest",
        "memory": ${var.memoryHardLimit},
        "memoryReservation":  ${var.memorySoftLimit},
        "cpu": ${var.cpu},
        "essential": true,
        "command": [
          "/bin/sh -c \"/app/start.sh"
        ],
        "entryPoint": [
          "sh",
          "-c"
        ],
        "mountPoints": [
          {
            "containerPath": "/var/www/sites_json",
            "sourceVolume": "efs-apache",
            "readOnly": false
          }
        ],
        "portMappings": [
          {
            "containerPort": ${var.docker_container_port},
            "hostPort": ${var.docker_container_port}
          }
        ],
        "logConfiguration": {
            "logDriver": "awslogs",
            "options": {
                "awslogs-group": "${var.name}-Task-LogGroup",
                "awslogs-region": "${data.aws_region.current.name}",
                "awslogs-stream-prefix": "ecs"
            }
        }
      }
    ]
EOF
}

How can I solve?

have you checked whether your fargate service runs in the same subnet as the efs? What also helped me (and some aws consultants told me) is to spin up some free tier linux instance and try to mount the file system there - if it doesn't work you can enable verbose logging etc.. — Matthias Herrmann, Oct 19 '20 at 19:51

sephr_ · Accepted Answer · 2020-12-07T23:09:55.137

Make sure you have enabled DNS Resolution and DNS hostnames in your VPC. EFS needs both these options enabled to work since it relies on the DNS hostname to resolve the connection. This had me stuck for a while since most documentation on the internet focuses on the security groups for this error.

The terraform AWS provider resource aws_vpc sets enable_dns_hostnames = false by default, so you'll need to explicitly set it to true. Your terraform VPC config should look something like this:

resource "aws_vpc" "main" {
cidr_block             = "10.255.248.0/22"
enable_dns_hostnames   = true
}

score 2 · Answer 2 · answered Aug 11 '21 at 11:31

2

I've spent a few hours investigating the saùe issue and the problem was that EFS was not mounted on subnets (aws_efs_mount_target missing in Terraform script)

answered Aug 11 '21 at 11:31

Harold

455
4
10

Add efs volume to ecs fargate

2 Answers2

Linked