Merge pull request #1 from asicsdigital/casper-update-12

Merge changes from terraform-0.11-support-SREB-1279-support-pw-auth
asicsdigital · Apr 23, 2020 · 47e9c11 · 47e9c11
2 parents 0d6a784 + 0cf182a
commit 47e9c11
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 31 deletions.
diff --git a/iam.tf b/iam.tf
@@ -1,22 +1,7 @@
 # ---------------------------------------------------------------------------------------------------------------------
 # CREATE IAM POLICY RULES FOR SFTP BUCKET
 # ---------------------------------------------------------------------------------------------------------------------
-
-locals {
-  s3_actions = {
-    "rw" = [
-      "s3:PutObject",
-      "s3:GetObject",
-      "s3:GetObjectVersion",
-    ]
-    "ro" = [
-      "s3:GetObject",
-      "s3:GetObjectVersion",
-    ]
-  }
-}
-
-data "aws_iam_policy_document" "transfer_server_assume_role" {
+data "aws_iam_policy_document" "transfer_user_assume_role" {
   statement {
     effect  = "Allow"
     actions = ["sts:AssumeRole"]
@@ -28,7 +13,7 @@ data "aws_iam_policy_document" "transfer_server_assume_role" {
   }
 }
 
-data "aws_iam_policy_document" "transfer_server_assume_policy" {
+data "aws_iam_policy_document" "transfer_user_assume_policy" {
   statement {
     effect = "Allow"
 
@@ -71,13 +56,13 @@ data "aws_iam_policy_document" "transfer_server_assume_policy" {
 #   special = false
 # }
 
-resource "aws_iam_role" "transfer_server_assume_role" {
-  name               = "${var.iam_name}-${var.username}"
-  assume_role_policy = data.aws_iam_policy_document.transfer_server_assume_role.json
+resource "aws_iam_role" "transfer_user_assume_role" {
+  name               = "${var.iam_name}-user-role"
+  assume_role_policy = data.aws_iam_policy_document.transfer_user_assume_role.json
 }
 
-resource "aws_iam_role_policy" "transfer_server_policy" {
-  name   = "transfer-${var.transfer_server_id}-${var.username}"
-  role   = aws_iam_role.transfer_server_assume_role.name
-  policy = data.aws_iam_policy_document.transfer_server_assume_policy.json
+resource "aws_iam_role_policy" "transfer_user_policy" {
+  name   = "${var.iam_name}-user-policy"
+  role   = aws_iam_role.transfer_user_assume_role.name
+  policy = data.aws_iam_policy_document.transfer_user_assume_policy.json
 }
diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,19 @@
+locals {
+  s3_actions = {
+    "rw" = [
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+    ]
+    "ro" = [
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+    ]
+  }
+  user_secret = {
+    Password      = var.transfer_server_enable_password_auth ? random_id.user_password_random_id[0].b64 : ""
+    Role          = aws_iam_role.transfer_user_assume_role.arn
+    HomeDirectory = "/${var.s3_bucket_name}/${var.s3_bucket_folder}${var.s3_bucket_folder == "" ? "" : "/"}"
+    PublicKey     = var.transfer_server_enable_password_auth ? var.ssh_public_keys[0] : ""  # TODO add warning if more than one
+  }
+}
diff --git a/main.tf b/main.tf
@@ -11,15 +11,32 @@ data "aws_s3_bucket" "bucket" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "aws_transfer_user" "transfer_user" {
+  count          = var.transfer_server_enable_password_auth ? 0 : 1
   server_id      = var.transfer_server_id
-  role           = aws_iam_role.transfer_server_assume_role.arn
+  role           = aws_iam_role.transfer_user_assume_role.arn
   home_directory = "/${data.aws_s3_bucket.bucket.id}/${var.s3_bucket_folder}"
   user_name      = var.username
 }
 
 resource "aws_transfer_ssh_key" "transfer_ssh_key" {
-  count     = length(var.ssh_public_keys)
+  count     = var.transfer_server_enable_password_auth ? 0 : var.ssh_public_keys_length
   server_id = var.transfer_server_id
-  user_name = aws_transfer_user.transfer_user.user_name
+  user_name = var.username
   body      = var.ssh_public_keys[count.index]
 }
+
+resource "aws_secretsmanager_secret" "user_secret" {
+  count = var.transfer_server_enable_password_auth ? 1 : 0
+  name  = "SFTP/${var.username}"
+}
+
+resource "random_id" "user_password_random_id" {
+  count       = var.transfer_server_enable_password_auth ? 1 : 0
+  byte_length = 32
+}
+
+resource "aws_secretsmanager_secret_version" "example" {
+  count         = var.transfer_server_enable_password_auth ? 1 : 0
+  secret_id     = aws_secretsmanager_secret.user_secret[count.index].id
+  secret_string = jsonencode(local.user_secret)
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,4 @@
+output "user_password" {
+  value     = local.user_secret["Password"]
+  sensitive = true
+}
diff --git a/variables.tf b/variables.tf
@@ -8,6 +8,10 @@ variable "ssh_public_keys" {
   description = "List of raw SSH public keys."
 }
 
+variable "ssh_public_keys_length" {
+  default = 0
+}
+
 variable "transfer_server_id" {
   type        = string
   description = "ID of the transfer server to use."
@@ -32,3 +36,8 @@ variable "access_type" {
 variable "iam_name" {
    type = string
 }
+
+variable "transfer_server_enable_password_auth" {
+  description = "Boolean for whether this transfer server uses password auth"
+  default     = false
+}
diff --git a/versions.tf b/versions.tf