Amazon Web Services (AWS) - Create Elastic File System (EFS) Access Points using Terraform


This assumes you have set up Terraform as described in Amazon Web Services (AWS) - Getting Started with Terraform.

An Elastic File System (EFS) is comparable to an NFS export, a CIFS share or a Linux Samba share: it is Network Attached Storage (NAS) that multiple hosts can mount at the same time.

An Elastic File System (EFS) Access Point can be used to:

  • Control the Identity and Access Management (IAM) users/groups that are allowed to mount the Elastic File System. 
  • Set the root directory such as /data

 

For example, let's say you want to create 2 access points, the default / (root) access point and the /vault access point.

 

Then, when using the mount command to mount the Elastic File System, the accesspoint option selects which access point is mounted. For example, the / (root) access point:

mount --types efs --options tls,iam,accesspoint=fsap-05046c078d7543b8d fs-0d1500aa4f4b50839 /mountpoint

 

Or the /vault access point. It is important to recognize that, according to https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html, "if you do not specify the ownership and permissions for an access point root directory, Amazon EFS will not create the root directory. All attempts to mount the access point will fail". This is why the /vault access point below has a POSIX user and Creation Info.

mount --types efs --options tls,iam,accesspoint=fsap-04164a446398febd3 fs-0d1500aa4f4b50839 /mountpoint

 

Let's say you have the following files on your Terraform server.

├── required_providers.tf
├── elastic_file_systems (directory)
│   ├── elastic_file_systems.tf
│   ├── provider.tf

 

required_providers.tf will almost always have this.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
    }
  }
}

 

Let's say provider.tf has the following. In this example, the "default" profile in /home/username/.aws/config and /home/username/.aws/credentials is being used, as set up in Amazon Web Services (AWS) - Getting Started with Terraform.

provider "aws" {
  alias   = "default"
  profile = "default"
  region  = "default"
}

 

And elastic_file_systems.tf could have something like this to create an Elastic File System (EFS) and an access point that exposes the default root (/) path.

resource "aws_efs_file_system" "my-efs" {
  creation_token = "my-efs"
  encrypted      = true
}

resource "aws_efs_access_point" "my-ap" {
  file_system_id = aws_efs_file_system.my-efs.id

  # no root_directory block, so this access point exposes / of the file system

  # optional, not required
  tags = {
    Name = "EFS Access Point"
    Role = "EFS Access Point"
  }

}

 

I had a situation where I was able to mount the access point with the default root (/) path, but I was getting access denied by server while mounting 127.0.0.1:/ when attempting to mount my /vault access point.

~]$ sudo mount --types efs --options tls,accesspoint=fsap-0123456789abdefgs fs-9876543210plmokn:/ /mnt
b'mount.nfs4: access denied by server while mounting 127.0.0.1:/'

 

According to https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html, "if you do not specify the ownership and permissions for an access point root directory, Amazon EFS will not create the root directory. All attempts to mount the access point will fail". Once I set the POSIX user and Creation Info, I was then able to mount the /vault access point.

resource "aws_efs_file_system" "my-efs" {
  creation_token = "my-efs"
  encrypted      = true
}

resource "aws_efs_access_point" "foo_access_point" {
  file_system_id = aws_efs_file_system.my-efs.id

  # directory on the file system that clients of this access point see as /
  root_directory {
    path = "/foo"

    # owner and mode EFS uses to create /foo the first time the access point
    # is mounted; without this block the directory is never created and
    # every mount attempt is refused
    creation_info {
      owner_uid   = "1000"
      owner_gid   = "1000"
      permissions = "0775"
    }
  }

  # every NFS client that uses this access point is mapped to this uid/gid,
  # whatever uid the client process is actually running as
  posix_user {
    uid = "1234"
    gid = "1234"
  }

  tags = {
    Name = "foo Access Point"
    Role = "foo Access Point"
  }

}
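As an added example (not the article's own code), here is the /vault access point with the creation_info the article says it needs, plus an aws_efs_file_system_policy that does what the first bullet near the top describes: only the assumed IAM role vault-app may mount, only through this access point, and only over TLS. It assumes the article's aws_efs_file_system.my-efs resource; the role name and the account id 111122223333 are placeholders.

```hcl
# Added example, not the article's code. Assumes the article's
# aws_efs_file_system.my-efs resource; role "vault-app" and account id
# 111122223333 are placeholders.
resource "aws_efs_access_point" "vault_ap" {
  file_system_id = aws_efs_file_system.my-efs.id

  # creation_info makes EFS create /vault on first use; without it every
  # mount of this access point fails with "access denied by server".
  root_directory {
    path = "/vault"
    creation_info {
      owner_uid   = 1000
      owner_gid   = 1000
      permissions = "0750"
    }
  }

  # Every client of this access point is mapped to uid/gid 1000.
  posix_user {
    uid = 1000
    gid = 1000
  }
}

# Deny plaintext NFS; allow only the vault-app role, and only through the
# /vault access point (clients mount with tls,iam,accesspoint=...).
resource "aws_efs_file_system_policy" "my-efs" {
  file_system_id = aws_efs_file_system.my-efs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyUnencryptedTransport"
        Effect    = "Deny"
        Principal = { AWS = "*" }
        Action    = "*"
        Resource  = aws_efs_file_system.my-efs.arn
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
      {
        Sid       = "VaultRoleOnlyViaAccessPoint"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::111122223333:role/vault-app" }
        Action    = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]
        Resource  = aws_efs_file_system.my-efs.arn
        Condition = { StringEquals = { "elasticfilesystem:AccessPointArn" = aws_efs_access_point.vault_ap.arn } }
      }
    ]
  })
}
```

Once any file system policy is attached, anonymous (non-IAM) mounts are no longer allowed by default, so clients must pass the iam mount option as in the mount commands above.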

 

You may need to reissue the terraform init command.

~]# terraform init
Initializing the backend...
Initializing modules...
Initializing provider plugins...
Terraform has been successfully initialized!

 

The terraform plan command can be used to see what Terraform will try to do.

terraform plan

 

The terraform apply command can be used to create or update the EFS Access Point.

~]# terraform apply -auto-approve
module.elastic_file_systems.aws_efs_file_system.my-efs: Creating...
module.elastic_file_systems.aws_efs_file_system.my-efs: Creation complete after 5s [id=fs-07dfd0ca8d293e06b]
module.elastic_file_systems.aws_efs_access_point.my-ap: Creating...
module.elastic_file_systems.aws_efs_access_point.my-ap: Creation complete after 2s [id=fsap-00187cac9f063f917 ]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
