Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

f-aws_transfer_server support for sftp authentication methods #37015

Merged
merged 9 commits into from
Apr 24, 2024
3 changes: 3 additions & 0 deletions .changelog/37015.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:enhancement
resource/aws_transfer_server: Add `sftp_authentication_methods` argument
```
25 changes: 24 additions & 1 deletion internal/service/transfer/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,12 @@ func resourceServer() *schema.Resource {
Default: SecurityPolicyName2018_11,
ValidateFunc: validation.StringInSlice(SecurityPolicyName_Values(), false),
},
"sftp_authentication_methods": {
Type: schema.TypeString,
Optional: true,
Computed: true,
ValidateFunc: validation.StringInSlice(transfer.SftpAuthenticationMethods_Values(), false),
},
"structured_log_destinations": {
Type: schema.TypeSet,
Elem: &schema.Schema{
Expand Down Expand Up @@ -372,6 +378,14 @@ func resourceServerCreate(ctx context.Context, d *schema.ResourceData, meta inte
input.IdentityProviderDetails.InvocationRole = aws.String(v.(string))
}

if v, ok := d.GetOk("sftp_authentication_methods"); ok {
if input.IdentityProviderDetails == nil {
input.IdentityProviderDetails = &transfer.IdentityProviderDetails{}
}

input.IdentityProviderDetails.SftpAuthenticationMethods = aws.String(v.(string))
}

if v, ok := d.GetOk("logging_role"); ok {
input.LoggingRole = aws.String(v.(string))
}
Expand Down Expand Up @@ -514,6 +528,11 @@ func resourceServerRead(ctx context.Context, d *schema.ResourceData, meta interf
} else {
d.Set("invocation_role", "")
}
if output.IdentityProviderDetails != nil {
d.Set("sftp_authentication_methods", output.IdentityProviderDetails.SftpAuthenticationMethods)
} else {
d.Set("sftp_authentication_methods", "")
}
d.Set("logging_role", output.LoggingRole)
d.Set("post_authentication_login_banner", output.PostAuthenticationLoginBanner)
d.Set("pre_authentication_login_banner", output.PreAuthenticationLoginBanner)
Expand Down Expand Up @@ -657,7 +676,7 @@ func resourceServerUpdate(ctx context.Context, d *schema.ResourceData, meta inte
}
}

if d.HasChanges("directory_id", "function", "invocation_role", "url") {
if d.HasChanges("directory_id", "function", "invocation_role", "sftp_authentication_methods", "url") {
identityProviderDetails := &transfer.IdentityProviderDetails{}

if attr, ok := d.GetOk("directory_id"); ok {
Expand All @@ -672,6 +691,10 @@ func resourceServerUpdate(ctx context.Context, d *schema.ResourceData, meta inte
identityProviderDetails.InvocationRole = aws.String(attr.(string))
}

if attr, ok := d.GetOk("sftp_authentication_methods"); ok {
identityProviderDetails.SftpAuthenticationMethods = aws.String(attr.(string))
}

if attr, ok := d.GetOk("url"); ok {
identityProviderDetails.Url = aws.String(attr.(string))
}
Expand Down
107 changes: 106 additions & 1 deletion internal/service/transfer/server_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1005,6 +1005,7 @@ func testAccServer_apiGateway(t *testing.T) {
testAccCheckServerExists(ctx, resourceName, &conf),
resource.TestCheckResourceAttr(resourceName, "identity_provider_type", "API_GATEWAY"),
resource.TestCheckResourceAttrPair(resourceName, "invocation_role", "aws_iam_role.test", "arn"),
resource.TestCheckResourceAttr(resourceName, "sftp_authentication_methods", "PUBLIC_KEY_OR_PASSWORD"),
),
},
{
Expand Down Expand Up @@ -1210,6 +1211,78 @@ func testAccServer_lambdaFunction(t *testing.T) {
testAccCheckServerExists(ctx, resourceName, &conf),
resource.TestCheckResourceAttrPair(resourceName, "function", "aws_lambda_function.test", "arn"),
resource.TestCheckResourceAttr(resourceName, "identity_provider_type", "AWS_LAMBDA"),
resource.TestCheckResourceAttr(resourceName, "sftp_authentication_methods", "PUBLIC_KEY_OR_PASSWORD"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"force_destroy"},
},
},
})
}

func testAccServer_identityProviderType_sftpAuthenticationMethods(t *testing.T) {
ctx := acctest.Context(t)
var conf transfer.DescribedServer
resourceName := "aws_transfer_server.test"
rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)

resource.Test(t, resource.TestCase{
PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckAPIGatewayTypeEDGE(t); testAccPreCheck(ctx, t) },
ErrorCheck: acctest.ErrorCheck(t, names.TransferServiceID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckServerDestroy(ctx),
Steps: []resource.TestStep{
{
Config: testAccServerConfig_identityProviderType_sftpAuthenticationMethods(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckServerExists(ctx, resourceName, &conf),
resource.TestCheckResourceAttr(resourceName, "identity_provider_type", "API_GATEWAY"),
resource.TestCheckResourceAttrPair(resourceName, "invocation_role", "aws_iam_role.test", "arn"),
resource.TestCheckResourceAttr(resourceName, "sftp_authentication_methods", "PASSWORD"),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"force_destroy"},
},
},
})
}

func testAccServer_updateIdentityProviderType_sftpAuthenticationMethods(t *testing.T) {
ctx := acctest.Context(t)
var conf transfer.DescribedServer
resourceName := "aws_transfer_server.test"
rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)

resource.Test(t, resource.TestCase{
PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckAPIGatewayTypeEDGE(t); testAccPreCheck(ctx, t) },
ErrorCheck: acctest.ErrorCheck(t, names.TransferServiceID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckServerDestroy(ctx),
Steps: []resource.TestStep{
{
Config: testAccServerConfig_identityProviderType_sftpAuthenticationMethods(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckServerExists(ctx, resourceName, &conf),
resource.TestCheckResourceAttr(resourceName, "identity_provider_type", "API_GATEWAY"),
resource.TestCheckResourceAttrPair(resourceName, "invocation_role", "aws_iam_role.test", "arn"),
resource.TestCheckResourceAttr(resourceName, "sftp_authentication_methods", "PASSWORD"),
),
},
{
Config: testAccServerConfig_identityProviderType_sftpAuthenticationMethods_updated(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckServerExists(ctx, resourceName, &conf),
resource.TestCheckResourceAttr(resourceName, "identity_provider_type", "API_GATEWAY"),
resource.TestCheckResourceAttrPair(resourceName, "invocation_role", "aws_iam_role.test", "arn"),
resource.TestCheckResourceAttr(resourceName, "sftp_authentication_methods", "PUBLIC_KEY_AND_PASSWORD"),
),
},
{
Expand All @@ -1228,7 +1301,7 @@ func testAccServer_authenticationLoginBanners(t *testing.T) {
resourceName := "aws_transfer_server.test"

resource.Test(t, resource.TestCase{
PreCheck: func() { acctest.PreCheck(ctx, t); testAccPreCheck(ctx, t) },
PreCheck: func() { acctest.PreCheck(ctx, t); acctest.PreCheckAPIGatewayTypeEDGE(t); testAccPreCheck(ctx, t) },
ErrorCheck: acctest.ErrorCheck(t, names.TransferServiceID),
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
CheckDestroy: testAccCheckServerDestroy(ctx),
Expand Down Expand Up @@ -2160,6 +2233,38 @@ resource "aws_transfer_server" "test" {
`, rName, forceDestroy))
}

func testAccServerConfig_identityProviderType_sftpAuthenticationMethods(rName string) string {
return acctest.ConfigCompose(testAccServerConfig_apiGatewayBase(rName), testAccServerConfig_loggingRoleBase(rName), fmt.Sprintf(`
resource "aws_transfer_server" "test" {
identity_provider_type = "API_GATEWAY"
url = "${aws_api_gateway_deployment.test.invoke_url}${aws_api_gateway_resource.test.path}"
invocation_role = aws_iam_role.test.arn
logging_role = aws_iam_role.test.arn
sftp_authentication_methods = "PASSWORD"

tags = {
Name = %[1]q
}
}
`, rName))
}

func testAccServerConfig_identityProviderType_sftpAuthenticationMethods_updated(rName string) string {
return acctest.ConfigCompose(testAccServerConfig_apiGatewayBase(rName), testAccServerConfig_loggingRoleBase(rName), fmt.Sprintf(`
resource "aws_transfer_server" "test" {
identity_provider_type = "API_GATEWAY"
url = "${aws_api_gateway_deployment.test.invoke_url}${aws_api_gateway_resource.test.path}"
invocation_role = aws_iam_role.test.arn
logging_role = aws_iam_role.test.arn
sftp_authentication_methods = "PUBLIC_KEY_AND_PASSWORD"

tags = {
Name = %[1]q
}
}
`, rName))
}

func testAccServerConfig_workflow(rName string) string {
return fmt.Sprintf(`
resource "aws_iam_role" "test" {
Expand Down
44 changes: 23 additions & 21 deletions internal/service/transfer/transfer_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,27 +25,29 @@ func TestAccTransfer_serial(t *testing.T) {
"tags": testAccAgreement_tags,
},
"Server": {
"basic": testAccServer_basic,
"disappears": testAccServer_disappears,
"tags": testAccServer_tags,
"APIGateway": testAccServer_apiGateway,
"APIGatewayForceDestroy": testAccServer_apiGateway_forceDestroy,
"AuthenticationLoginBanners": testAccServer_authenticationLoginBanners,
"DataSourceBasic": testAccServerDataSource_basic,
"DataSourceServiceManaged": testAccServerDataSource_Service_managed,
"DataSourceAPIGateway": testAccServerDataSource_apigateway,
"DirectoryService": testAccServer_directoryService,
"Domain": testAccServer_domain,
"ForceDestroy": testAccServer_forceDestroy,
"HostKey": testAccServer_hostKey,
"LambdaFunction": testAccServer_lambdaFunction,
"Protocols": testAccServer_protocols,
"ProtocolDetails": testAccServer_protocolDetails,
"S3StorageOptions": testAccServer_s3StorageOptions,
"SecurityPolicy": testAccServer_securityPolicy,
"SecurityPolicyFIPS": testAccServer_securityPolicyFIPS,
"StructuredLogDestinations": testAccServer_structuredLogDestinations,
"UpdateEndpointTypePublicToVPC": testAccServer_updateEndpointType_publicToVPC,
"basic": testAccServer_basic,
"disappears": testAccServer_disappears,
"tags": testAccServer_tags,
"APIGateway": testAccServer_apiGateway,
"APIGatewayForceDestroy": testAccServer_apiGateway_forceDestroy,
"AuthenticationLoginBanners": testAccServer_authenticationLoginBanners,
"DataSourceBasic": testAccServerDataSource_basic,
"DataSourceServiceManaged": testAccServerDataSource_Service_managed,
"DataSourceAPIGateway": testAccServerDataSource_apigateway,
"DirectoryService": testAccServer_directoryService,
"Domain": testAccServer_domain,
"ForceDestroy": testAccServer_forceDestroy,
"HostKey": testAccServer_hostKey,
"LambdaFunction": testAccServer_lambdaFunction,
"Protocols": testAccServer_protocols,
"ProtocolDetails": testAccServer_protocolDetails,
"S3StorageOptions": testAccServer_s3StorageOptions,
"SecurityPolicy": testAccServer_securityPolicy,
"SecurityPolicyFIPS": testAccServer_securityPolicyFIPS,
"SftpAuthenticationMethods": testAccServer_identityProviderType_sftpAuthenticationMethods,
"UpdateSftpAuthenticationMethods": testAccServer_updateIdentityProviderType_sftpAuthenticationMethods,
"StructuredLogDestinations": testAccServer_structuredLogDestinations,
"UpdateEndpointTypePublicToVPC": testAccServer_updateEndpointType_publicToVPC,
"UpdateEndpointTypePublicToVPCAddressAllocationIDs": testAccServer_updateEndpointType_publicToVPC_addressAllocationIDs,
"UpdateEndpointTypeVPCEndpointToVPC": testAccServer_updateEndpointType_vpcEndpointToVPC,
"UpdateEndpointTypeVPCEndpointToVPCAddressAllocationIDs": testAccServer_updateEndpointType_vpcEndpointToVPC_addressAllocationIDs,
Expand Down
1 change: 1 addition & 0 deletions website/docs/r/transfer_server.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,7 @@ This resource supports the following arguments:
* `identity_provider_type` - (Optional) The mode of authentication enabled for this service. The default value is `SERVICE_MANAGED`, which allows you to store and access SFTP user credentials within the service. `API_GATEWAY` indicates that user authentication requires a call to an API Gateway endpoint URL provided by you to integrate an identity provider of your choice. Using `AWS_DIRECTORY_SERVICE` will allow for authentication against AWS Managed Active Directory or Microsoft Active Directory in your on-premises environment, or in AWS using AD Connectors. Use the `AWS_LAMBDA` value to directly use a Lambda function as your identity provider. If you choose this value, you must specify the ARN for the lambda function in the `function` argument.
* `directory_id` - (Optional) The directory service ID of the directory service you want to connect to with an `identity_provider_type` of `AWS_DIRECTORY_SERVICE`.
* `function` - (Optional) The ARN for a lambda function to use for the Identity provider.
* `sftp_authentication_methods` - (Optional) For SFTP-enabled servers, and for custom identity providers only. Valid values are `PASSWORD`, `PUBLIC_KEY`, `PUBLIC_KEY_OR_PASSWORD` and `PUBLIC_KEY_AND_PASSWORD`. Default value is: `PUBLIC_KEY_OR_PASSWORD`.
* `logging_role` - (Optional) Amazon Resource Name (ARN) of an IAM role that allows the service to write your SFTP users’ activity to your Amazon CloudWatch logs for monitoring and auditing purposes.
* `force_destroy` - (Optional) A boolean that indicates all users associated with the server should be deleted so that the Server can be destroyed without error. The default value is `false`. This option only applies to servers configured with a `SERVICE_MANAGED` `identity_provider_type`.
* `post_authentication_login_banner`- (Optional) Specify a string to display when users connect to a server. This string is displayed after the user authenticates. The SFTP protocol does not support post-authentication display banners.
Expand Down
Loading