Create a managed public or internal-facing SFTP server using the AWS Transfer service


This Terraform module deploys the following resources:

  • IAM
    • Role
    • Role Policy
  • Route53
    • DNS Record
  • Transfer
    • Server
    • User
    • SSH Key
  • EC2 (only when sftp_type is VPC and you do not supply your own)
    • Security Group
    • Elastic IP

Usage Instructions

Example

```hcl
module "sftp" {
  source = "github.com/terrablocks/aws-sftp-server.git"
}
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 4.0.0 |
| random | >= 3.1.0 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | Name of the SFTP server. Leave unset to generate a random name | string | null | no |
| sftp_type | Type of SFTP server endpoint. Valid values: PUBLIC, VPC or VPC_ENDPOINT | string | "PUBLIC" | no |
| protocols | List of file transfer protocol(s) over which clients can connect to the server endpoint. Possible values: FTP, FTPS and SFTP. FTP is cleartext; keep the default unless a partner requires otherwise | list(string) | ["SFTP"] | no |
| certificate_arn | ARN of an ACM certificate. Required only when FTPS is enabled | string | null | no |
| endpoint_details | Block required to set up the server when sftp_type is VPC or VPC_ENDPOINT:<br>vpc_id = (Optional) ID of the VPC in which the server endpoint will be hosted. Required if endpoint type is VPC<br>vpc_endpoint_id = (Optional) ID of the VPC endpoint to use for hosting an internal SFTP server. Required if endpoint type is VPC_ENDPOINT<br>subnet_ids = (Optional) List of subnet IDs within the VPC for hosting the server endpoint. Required if endpoint type is VPC<br>security_group_ids = (Optional) List of security groups to attach to the endpoint. Supported only if endpoint type is VPC. If left blank for VPC, a security group with port 22 open to the world is created and attached; supply your own group to restrict the source ranges<br>address_allocation_ids = (Optional) List of Elastic IP allocation IDs to attach to the endpoint. Supported only if endpoint type is VPC. If left blank for VPC, one EIP is created per subnet and attached | object({<br>vpc_id = optional(string)<br>vpc_endpoint_id = optional(string)<br>subnet_ids = optional(list(string))<br>security_group_ids = optional(list(string))<br>address_allocation_ids = optional(list(string))<br>}) | {} | no |
| identity_provider_type | Mode of authentication for accessing the service. Valid values: SERVICE_MANAGED, API_GATEWAY, AWS_DIRECTORY_SERVICE or AWS_LAMBDA | string | "SERVICE_MANAGED" | no |
| api_gw_url | URL of the service endpoint that authenticates users when identity_provider_type is API_GATEWAY | string | null | no |
| invocation_role | ARN of the IAM role used to call the authentication endpoint when identity_provider_type is API_GATEWAY | string | null | no |
| directory_id | ID of the Directory Service directory that authenticates users when identity_provider_type is AWS_DIRECTORY_SERVICE | string | null | no |
| function_arn | ARN of the Lambda function that authenticates users when identity_provider_type is AWS_LAMBDA | string | null | no |
| logging_role | ARN of an IAM role that AWS Transfer assumes to write SFTP user activity to Amazon CloudWatch Logs. The role must trust transfer.amazonaws.com; leave unset and no session logs are written | string | null | no |
| force_destroy | Whether to delete all users associated with the server so that the server itself can be destroyed. Set to false if you would rather have destroy fail while users still exist. Note: supported only if identity_provider_type is SERVICE_MANAGED | bool | true | no |
| security_policy_name | Name of the AWS Transfer security policy (allowed key exchange, cipher and MAC algorithms) to associate with the server. The default is an older policy; AWS publishes newer ones that drop weaker algorithms | string | "TransferSecurityPolicy-2020-06" | no |
| host_key | RSA private key used to identify your server when clients connect over SFTP. If unset, AWS generates one. Treat it as a secret: its value is recorded in Terraform state, and rotating it changes the host fingerprint that clients have pinned | string | null | no |
| hosted_zone | Name of the existing Route53 hosted zone in which to create the DNS entry for the server | string | null | no |
| sftp_sub_domain | DNS label for the SFTP server. NOTE: provide only the sub-domain label, not the entire host name | string | "sftp" | no |
| sftp_users | Map of users, with the username as key and the home directory as value. The home directory is the S3 bucket path the user should have access to:<br>{ user = home_dir_path } | map(string) | {} | no |
| sftp_users_ssh_key | Map of users, with the username as key and their public SSH key as value:<br>{ user = ssh_public_key_content } | map(string) | {} | no |
| tags | Map of key/value pairs to assign to all resources | map(string) | {} | no |
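A fuller invocation, added here as an example and not taken from the module's own documentation, that exercises the inputs above for a VPC-hosted server: it keeps port 22 closed to everything except a partner range instead of accepting the module's world-open default group, passes a logging role that AWS Transfer can assume, picks a newer security policy, and provisions two service-managed users. The VPC and subnet IDs, bucket name, partner CIDR, key file paths and domain are placeholders; the home-directory path format (with or without a leading slash) is assumed to match what the module expects, since this page only says it is the S3 bucket path.

```hcl
# Added example, not part of the terrablocks/aws-sftp-server module itself.
# VPC/subnet IDs, bucket, partner CIDR, key files and domain are placeholders.
locals {
  vpc_id        = "vpc-0123456789abcdef0"
  subnet_ids    = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"]
  bucket        = "example-sftp-data"
  partner_cidrs = ["203.0.113.0/24"] # RFC 5737 documentation range
}

# Explicit security group: left unset, a VPC-type server gets port 22 open to the world.
resource "aws_security_group" "sftp" {
  name        = "sftp-endpoint"
  description = "SFTP (TCP/22) from partner networks only"
  vpc_id      = local.vpc_id

  ingress {
    description = "SFTP from partner networks"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = local.partner_cidrs
  }
}

# Role that AWS Transfer assumes to write user activity to CloudWatch Logs (logging_role).
data "aws_iam_policy_document" "transfer_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["transfer.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "transfer_logs" {
  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:DescribeLogStreams",
      "logs:PutLogEvents",
    ]
    # Transfer logs to /aws/transfer/<server-id>; scope the role to that prefix only.
    resources = ["arn:aws:logs:*:*:log-group:/aws/transfer/*"]
  }
}

resource "aws_iam_role" "sftp_logging" {
  name               = "sftp-transfer-logging"
  assume_role_policy = data.aws_iam_policy_document.transfer_assume.json
}

resource "aws_iam_role_policy" "sftp_logging" {
  name   = "cloudwatch-logs"
  role   = aws_iam_role.sftp_logging.id
  policy = data.aws_iam_policy_document.transfer_logs.json
}

module "sftp" {
  source = "github.com/terrablocks/aws-sftp-server.git"

  name      = "partner-sftp"
  sftp_type = "VPC"
  protocols = ["SFTP"] # FTP is cleartext; FTPS would also require certificate_arn

  endpoint_details = {
    vpc_id             = local.vpc_id
    subnet_ids         = local.subnet_ids
    security_group_ids = [aws_security_group.sftp.id]
    # address_allocation_ids omitted: the module allocates one EIP per subnet
  }

  identity_provider_type = "SERVICE_MANAGED"
  security_policy_name   = "TransferSecurityPolicy-2023-05" # newer than the module default
  logging_role           = aws_iam_role.sftp_logging.arn
  force_destroy          = false # destroy fails while users exist instead of removing them

  hosted_zone     = "example.com" # placeholder; the zone must already exist in Route53
  sftp_sub_domain = "sftp"        # record becomes sftp.example.com

  # username => S3 home path. Whether the module wants a leading "/" is assumed, not documented here.
  sftp_users = {
    acme   = "${local.bucket}/acme"
    globex = "${local.bucket}/globex"
  }

  # username => SSH public key; these files are placeholders kept beside this config
  sftp_users_ssh_key = {
    acme   = file("${path.module}/keys/acme.pub")
    globex = file("${path.module}/keys/globex.pub")
  }

  tags = { Environment = "prod", Owner = "platform-security" }
}
```

Because security_group_ids is only honoured for sftp_type = "VPC", a PUBLIC server has no network-level filter at all: its only controls are the security policy and the identity provider, so keep PUBLIC for genuinely internet-facing exchanges and prefer VPC or VPC_ENDPOINT otherwise. host_key is deliberately left unset so AWS generates the key and the private material never passes through Terraform variables or state.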

Outputs

| Name | Description |
|------|-------------|
| arn | ARN of the transfer server |
| id | ID of the transfer server |
| endpoint | Endpoint hostname of the transfer server |
| domain_name | Custom DNS name mapped in Route53 for the transfer server |
| sftp_sg_id | ID of the security group created for the SFTP server. Available only if sftp_type is VPC and you did not provide security_group_ids |
| sftp_eip | Elastic IP(s) attached to the SFTP server. Available only if sftp_type is VPC and you did not provide address_allocation_ids |