
aws-sftp-server's Introduction

Create a managed public or internal facing SFTP server using AWS Transfer service


This terraform module will deploy the following services:

  • IAM
    • Role
    • Role Policy
  • Route53
    • DNS Record
  • Transfer
    • Server
    • User
    • SSH Key

Usage Instructions

Example

module "sftp" {
  source = "github.com/terrablocks/aws-sftp-server.git" # Always use `ref` to point module to a specific version or hash
}

Requirements

Name Version
terraform >= 1.3.0
aws >= 5.10.0
random >= 3.1.0

Inputs

Name Description Type Default Required
api_gw_url URL of the service endpoint to authenticate users when identity_provider_type is of type API_GATEWAY string null no
as2_transports Transport method to use for AS2 messages. Valid values: HTTP set(string) null no
certificate_arn ARN of ACM certificate. Required only in case of FTPS protocol string null no
cloudwatch_log_group_arns Set of ARNs of the CloudWatch log groups to which the SFTP server will write JSON logs. Required if enable_json_logging is set to true set(string) [] no
directory_id ID of the directory service to authenticate users when identity_provider_type is of type AWS_DIRECTORY_SERVICE string null no
endpoint_details A block required to set up the SFTP server if sftp_type is set to VPC or VPC_ENDPOINT. Attributes:
  vpc_id = (Optional) ID of the VPC in which the SFTP server endpoint will be hosted. Required if endpoint type is set to VPC
  vpc_endpoint_id = (Optional) ID of the VPC endpoint to use for hosting an internal SFTP server. Required if endpoint type is set to VPC_ENDPOINT
  subnet_ids = (Optional) List of subnet IDs within the VPC for hosting the SFTP server endpoint. Required if endpoint type is set to VPC
  security_group_ids = (Optional) List of security groups to attach to the SFTP endpoint. Supported only if endpoint type is VPC. If left blank for VPC, a security group with port 22 open to the world will be created and attached
  address_allocation_ids = (Optional) List of address allocation IDs to attach Elastic IP addresses to your SFTP server endpoint. Supported only if endpoint type is set to VPC. If left blank for VPC, an EIP will be automatically created per subnet and attached
  Type: object({ vpc_id = optional(string) vpc_endpoint_id = optional(string) subnet_ids = optional(list(string)) security_group_ids = optional(list(string)) address_allocation_ids = optional(list(string)) }) Default: {} Required: no
force_destroy Whether to delete all the users associated with the server so that the server can be deleted successfully. Note: Supported only if identity_provider_type is set to SERVICE_MANAGED bool true no
function_arn ARN of the lambda function to authenticate users when identity_provider_type is of type AWS_LAMBDA string null no
host_key RSA private key that will be used to identify your server when clients connect to it over SFTP string null no
hosted_zone Hosted zone name to create DNS entry for SFTP server string null no
identity_provider_type Mode of authentication to use for accessing the service. Valid Values: SERVICE_MANAGED, API_GATEWAY, AWS_DIRECTORY_SERVICE or AWS_LAMBDA string "SERVICE_MANAGED" no
invocation_role ARN of the IAM role to authenticate the user when identity_provider_type is set to API_GATEWAY string null no
logging_role ARN of an IAM role that allows writing SFTP user activity to Amazon CloudWatch Logs string null no
name Name of the SFTP server. Omit it to generate a random name for the server string null no
passive_ip Use passive IP (PASV) capability to attach the IP address of the firewall or the load balancer to your FTPS/FTP server string null no
post_authentication_login_banner Message to display to user when trying to connect to the server after authentication string null no
pre_authentication_login_banner Message to display to user when trying to connect to the server before authentication string null no
protocols List of file transfer protocol(s) over which your FTP client can connect to your server endpoint. Possible Values: FTP, FTPS and SFTP list(string) [ "SFTP" ] no
security_policy_name Specifies the name of the security policy to associate with the server string "TransferSecurityPolicy-2023-05" no
set_stat_option Whether the server should ignore SETSTAT command. Valid values: DEFAULT, ENABLE_NO_OP string null no
sftp_sub_domain DNS name for SFTP server. NOTE: Only sub-domain name required. DO NOT provide entire URL string "sftp" no
sftp_type Type of SFTP server. Valid values: PUBLIC, VPC or VPC_ENDPOINT string "PUBLIC" no
sftp_users Map of users with key as username and value as their home directory. Home directory is the S3 bucket path which user should have access to { user = home_dir_path } map(string) {} no
sftp_users_ssh_key Map of users with key as username and value as their public SSH key { user = ssh_public_key_content } map(string) {} no
storage_type Where to store the files. Valid values: S3 or EFS string "S3" no
tags A map of key value pair to assign to resources map(string) {} no
tls_session_resumption_mode TLS session resumption mode provides a mechanism to resume recently negotiated encrypted TLS sessions between the client and the FTPS server. Using one of the TLS session resumption modes, you can customize how you want your FTPS server to process TLS session resumption requests string null no
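A fuller invocation than the one-line example under Usage Instructions, added here as an illustration and not taken from the module's README. The VPC, subnet, EIP and security group identifiers, the bucket name, the partner CIDR and the hosted zone are constructed placeholders, and the ref tag stands in for a real release:

```hcl
# Added example (not the module's own code). IDs, bucket name, CIDR and zone
# are constructed placeholders; replace them with real values.
module "sftp" {
  # Pin the module to a release tag instead of tracking the default branch.
  source = "github.com/terrablocks/aws-sftp-server.git?ref=vX.Y.Z" # placeholder tag

  name                   = "partner-sftp"
  sftp_type              = "VPC"    # internet-facing via EIP, hosted in our VPC
  protocols              = ["SFTP"] # no FTP/FTPS, so certificate_arn is not needed
  storage_type           = "S3"
  identity_provider_type = "SERVICE_MANAGED"
  security_policy_name   = "TransferSecurityPolicy-2023-05"

  # Passing security_group_ids avoids the module's fallback group, which opens
  # port 22 to the world; the group below admits only the partner's CIDR.
  endpoint_details = {
    vpc_id                 = "vpc-0123456789abcdef0"        # placeholder
    subnet_ids             = ["subnet-0123456789abcdef0"]   # placeholder
    security_group_ids     = [aws_security_group.sftp_restricted.id]
    address_allocation_ids = ["eipalloc-0123456789abcdef0"] # placeholder
  }

  # Service-managed users: username -> S3 home path, username -> public key.
  # Each user is confined to its own prefix inside the bucket.
  sftp_users = {
    "partner-a" = "partner-sftp-bucket/partner-a"
  }
  sftp_users_ssh_key = {
    "partner-a" = file("${path.module}/keys/partner-a.pub")
  }

  # The module default (true) lets a destroy delete every user along with the
  # server; make that choice explicit for production.
  force_destroy = false

  hosted_zone     = "example.com" # placeholder; record becomes sftp.example.com
  sftp_sub_domain = "sftp"

  tags = { Environment = "prod" }
}

# Restricted ingress group referenced above (constructed for this example).
resource "aws_security_group" "sftp_restricted" {
  name   = "partner-sftp"
  vpc_id = "vpc-0123456789abcdef0" # placeholder, same VPC as endpoint_details

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # placeholder partner CIDR
  }
}
```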

Outputs

Name Description
arn ARN of transfer server
domain_name Custom DNS name mapped in Route53 for transfer server
endpoint Endpoint of transfer server
id ID of transfer server
sftp_eip Elastic IP attached to the SFTP server. Available only if SFTP type is VPC and allocation id is not provided by you
sftp_sg_id ID of security group created for SFTP server. Available only if SFTP type is VPC and security group is not provided by you

aws-sftp-server's People

Contributors

paliwalvimal


aws-sftp-server's Issues

Error when no Endpoint details are specified

I seem to be getting an error when defining a SELF MANAGED, PUBLIC facing SFTP Server.

The error I'm getting is:

│ Error: Invalid function argument

│ on .terraform/modules/sftp/main.tf line 100, in resource "aws_security_group" "sftp_vpc":
│ 100: count = var.sftp_type == "VPC" && length(lookup(var.endpoint_details, "security_group_ids", [])) == 0 ? 1 : 0
│ ├────────────────
│ │ var.endpoint_details is null

│ Invalid value for "inputMap" parameter: argument must not be null.

It shouldn't be throwing this error as it is not a required field if we aren't using VPC_ENDPOINT? Or am I missing something?

I am using SFTP Server

Thanks

[Bug] reason for module_variable_optional_attrs?

Prerequisites

  • I am running the latest version
  • I read the documentation properly and found no answer
  • I have checked to make sure that this issue has not already been filed

Expected Behavior

expect no warning when applying terraform

Current Behavior

Is there a reason to have this? I want to use the module in production, but this warning is preventing me, as we don't want any warnings for prod. Thanks.

╷
│ Warning: Experimental feature "module_variable_optional_attrs" is active
│
│   on .terraform/modules/sftp_server.sftp/requirements.tf line 14, in terraform:
│   14:   experiments = [module_variable_optional_attrs]
│
│ Experimental features are subject to breaking changes in future minor or patch releases, based on feedback.
│
│ If you have feedback on the design of this feature, please open a GitHub issue to discuss it.
╵

Steps To Reproduce

No response

Environment

- Operating System:
- Terraform Version: v1.2.9
- Provider version:
- Module Version: main

Anything else?

No response

[Bug] Subnet_ids invalid

Prerequisites

  • I am running the latest version
  • I read the documentation properly and found no answer
  • I have checked to make sure that this issue has not already been filed

Expected Behavior

Take the subnet_ids as expected

Current Behavior

│ Error: Invalid function argument

│ on transfer.tf line 89, in resource "aws_eip" "sftp_vpc":
│ 89: count = var.sftp_type == "VPC" && lookup(var.endpoint_details, "address_allocation_ids", null) == null ? length(lookup(var.endpoint_details, var.subnet_ids[0])) : 0
│ ├────────────────
│ │ var.endpoint_details is object with 4 attributes

│ Invalid value for "inputMap" parameter: the given object has no attribute "subnet-XXXXXXXXXXXX".

Steps To Reproduce

with this config:
resource "aws_eip" "sftp_vpc" {
  count = var.sftp_type == "VPC" && lookup(var.endpoint_details, "address_allocation_ids", null) == null ? length(lookup(var.endpoint_details, var.subnet_ids[0])) : 0
  vpc   = true
  tags  = var.tags
}

resource "aws_transfer_server" "vpc" {
  count         = var.sftp_type != "PUBLIC" ? 1 : 0
  endpoint_type = var.sftp_type
  protocols     = var.protocols
  certificate   = var.certificate_arn

  endpoint_details {
    vpc_id = lookup(var.endpoint_details, var.vpc_id, null)
    # vpc_endpoint_id = lookup(var.endpoint_details, "vpc_endpoint_id", null)
    subnet_ids             = lookup(var.endpoint_details, var.subnet_ids[0], null)
    security_group_ids     = lookup(var.endpoint_details, "security_group_ids", aws_security_group.sftp_vpc.*.id)
    address_allocation_ids = lookup(var.endpoint_details, "address_allocation_ids", aws_eip.sftp_vpc.*.allocation_id)
  }

  identity_provider_type = var.identity_provider_type
  url                    = var.api_gw_url
  invocation_role        = var.invocation_role
  directory_id           = var.directory_id
  function               = var.function_arn

  logging_role         = var.logging_role == null ? join(",", aws_iam_role.logging.*.arn) : var.logging_role
  force_destroy        = var.force_destroy
  security_policy_name = var.security_policy_name
  host_key             = var.host_key

  tags = merge({
    Name = local.name
  }, var.tags)
}

Note:
Had to also comment out endpoint_details, because it was giving me null errors. Trying to create SFTP server VPC and internet facing.

Environment

- Operating System: WSL Ubuntu
- Terraform Version: Terraform v1.0.10
- Provider version:
- Module Version:

Anything else?

No response

Error when trying to use sftp_type PUBLIC

Hello, I am having some issues when trying to create a PUBLIC SFTP server. I have already tried the VPC option, but I would like to have it exposed so anyone with the credentials can access it.

My code is:

module "sftp" {
  source                 = "github.com/terrablocks/aws-sftp-server.git"
  name                   = local.main_name
  sftp_type              = "PUBLIC"
  protocols              = ["SFTP"]
  identity_provider_type = "API_GATEWAY"
  api_gw_url             = module.sftp-idp.invoke_url
  invocation_role        = aws_iam_role.sftp_iam_role.arn
  security_policy_name   = "TransferSecurityPolicy-2020-06"
  endpoint_details = {
    vpc_id                 = module.vpc.vpc_id
    subnet_ids             = [module.vpc.public_subnets[0]]
    address_allocation_ids = ["eipalloc-044623429a1d3265c"]
    security_group_ids     = null
  }
  hosted_zone     = data.terraform_remote_state.bootstrap.outputs.route53_zone_name
  sftp_sub_domain = var.sftp_conf.dns_subdomain_hostname
  sftp_users      = var.sftp_conf.sftp_users
  tags            = { Name = local.main_name }
}

If I set endpoint_details like that, I receive the following error message (it allows me to run terraform apply):

Error: error creating Transfer Server: InvalidRequestException: EndpointDetails invalid for PUBLIC endpoints
│ 
│   with module.sftp.aws_transfer_server.this,
│   on .terraform/modules/sftp/main.tf line 97, in resource "aws_transfer_server" "this":
│   97: resource "aws_transfer_server" "this" {
│ 
╵

And if I comment it out, the message I get is (it does not allow me to run 'terraform apply'):

│ Error: Invalid function argument
│ 
│   on .terraform/modules/sftp/main.tf line 104, in resource "aws_transfer_server" "this":
│  104:     for_each = length(var.endpoint_details) == 0 ? [] : [var.endpoint_details]
│     ├────────────────
│     │ var.endpoint_details is null
│ 
│ Invalid value for "value" parameter: argument must not be null.

I have tried other options, changing values and debugging with other resources, but I have no clue what I am missing, so maybe I can find some help here. Thanks a lot.

Terraform v1.0.5
aws-cli/2.4.9
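The first issue ("Error when no Endpoint details are specified") and this one hit the same failure: lookup() and length() abort with "argument must not be null" as soon as endpoint_details is omitted, which is exactly the case for a PUBLIC server. The following is an added illustration, not the module's own code, of the null-tolerant shape the Inputs table now documents: an object type with optional attributes, a {} default and try() fallbacks in the count expressions. It assumes Terraform 1.3 or later and AWS provider 5.x:

```hcl
# Added example, not the module's code. Shows why the quoted count
# expressions failed on a PUBLIC server and one way to make them null-safe.
variable "sftp_type" {
  type    = string
  default = "PUBLIC"
}

# optional() attributes plus a {} default mean an omitted block is an object
# whose attributes are null, never a null object (Terraform >= 1.3).
variable "endpoint_details" {
  type = object({
    vpc_id                 = optional(string)
    vpc_endpoint_id        = optional(string)
    subnet_ids             = optional(list(string))
    security_group_ids     = optional(list(string))
    address_allocation_ids = optional(list(string))
  })
  default = {}
}

locals {
  # lookup(null, ...) and length(null) both raise "argument must not be null";
  # try() returns the fallback instead, so PUBLIC servers evaluate cleanly.
  sg_count     = try(length(var.endpoint_details.security_group_ids), 0)
  eip_count    = try(length(var.endpoint_details.address_allocation_ids), 0)
  subnet_count = try(length(var.endpoint_details.subnet_ids), 0)

  # Only a VPC-type endpoint that brought no resources of its own needs fallbacks.
  need_sg  = var.sftp_type == "VPC" && local.sg_count == 0
  need_eip = var.sftp_type == "VPC" && local.eip_count == 0
}

# Fallback group, created only when the caller passed none. Prefer supplying
# security_group_ids so ingress is restricted to known sources rather than
# relying on a default that opens 22/tcp widely.
resource "aws_security_group" "sftp_vpc" {
  count  = local.need_sg ? 1 : 0
  vpc_id = var.endpoint_details.vpc_id
}

# One EIP per subnet when the caller did not pass allocation IDs
# (provider 5.x uses domain = "vpc" in place of the older vpc = true).
resource "aws_eip" "sftp_vpc" {
  count  = local.need_eip ? local.subnet_count : 0
  domain = "vpc"
}
```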

[Bug] ${Transfer:HomeBucket} breaks s3 access

Prerequisites

  • I am running the latest version
  • I read the documentation properly and found no answer
  • I have checked to make sure that this issue has not already been filed

Expected Behavior

sftp domain
sftp> ls
.... results

Current Behavior

access denied

Steps To Reproduce

No response

Environment

- Operating System: NixOS
- Terraform Version: 1.3.9
- Provider version: 4.40.0
- Module Version: latest master (3399dcd8cd8ae952afc8c8de95d95b88bf37d071)

Anything else?

issue fixed by setting the line 235 to the bucket name: https://github.com/terrablocks/aws-sftp-server/compare/main...shaunsmiley-xevo:aws-sftp-server:minor?expand=1#diff-dc46acf24afd63ef8c556b77c126ccc6e578bc87e3aa09a931f33d9bf2532fbbR235
