FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment¶

This control checks whether an Amazon FSx for NetApp ONTAP file system is configured to use a multiple Availability Zones (Multi-AZ) deployment type. The control fails if the file system isn't configured to use a Multi-AZ deployment type. You can optionally specify a list of deployment types to include in the evaluation.

How to fix¶

Attribute deployment_type of aws_fsx_ontap_file_system must be one of: "MULTI_AZ_1", "MULTI_AZ_2".

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Open source module (terraform-aws-modules)¶

If you use terraform-aws-modules/fsx/aws//modules/ontap, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "fsx" {
  source  = "terraform-aws-modules/fsx/aws//modules/ontap"
  version = "~>1.3"

  name                = "abc123"
  preferred_subnet_id = "subnet-abc123"
  storage_capacity    = 1024
  subnet_ids          = ["subnet-abc123", "subnet-def456"]
  throughput_capacity = 512

  deployment_type = "MULTI_AZ_1"
}

Option 2: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_fsx_ontap_file_system.

resource "aws_fsx_ontap_file_system" "this" {
  preferred_subnet_id = element(["subnet-abc123", "subnet-def456"], 0)
  storage_capacity    = 1024
  subnet_ids          = ["subnet-abc123", "subnet-def456"]
  throughput_capacity = 128

  deployment_type = "MULTI_AZ_1"
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: fsx_netapp_ontap_file_system_multi_az_deployment_enabled

• Powerpipe Control: aws_compliance.control.fsx_netapp_ontap_file_system_multi_az_deployment_enabled