├── .gitignore
├── .pre-commit-config.yaml
├── LICENSE
├── README.md
├── iam.tf
├── main.tf
├── output.tf
└── variables.tf

/.gitignore:
--------------------------------------------------------------------------------
# Local .terraform directories
**/.terraform/*

# .tfstate files
*.tfstate
*.tfstate.*

# .tfvars files
*.tfvars

--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
# Hook repositories are fetched over HTTPS: the unauthenticated git:// transport
# is unencrypted, lets an on-path attacker substitute the hook code that later
# runs on every developer machine, and is no longer served by GitHub.
# The `rev` values below are release tags. Tags are mutable; pin each one to the
# commit SHA of that release before trusting these hooks in CI.
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.7.2
    hooks:
      - id: terraform_fmt
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v1.2.3
    hooks:
      - id: check-merge-conflict
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 Felipe Frizzo

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
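IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# terraform-aws-transfer-server

Terraform module that creates an AWS Transfer Family server (SFTP, service-managed
identities) backed by one S3 bucket, together with the IAM roles it needs.

## Usage

```hcl
resource "aws_s3_bucket" "bucket" {
  bucket = "bucket_name"
  acl    = "private"
}

module "sftp" {
  # Pin `ref` to a release tag or commit SHA. A branch name such as `master`
  # is mutable: the IAM policies this module creates would silently change
  # whenever the branch moves.
  source = "git::https://github.com/felipefrizzo/terraform-aws-transfer-server.git?ref=<tag-or-commit-sha>"

  transfer_server_name       = "sftp-server-name"
  transfer_server_user_names = ["sftp-user-name-01", "sftp-user-name-02"]
  transfer_server_ssh_keys   = ["ssh-rsa AAAA...", "ssh-rsa AAAA..."]
  bucket_name                = aws_s3_bucket.bucket.id
  bucket_arn                 = aws_s3_bucket.bucket.arn
}
```

## What the module creates

- One `aws_transfer_server` with `identity_provider_type = "SERVICE_MANAGED"`
  (users and their SSH public keys live in Transfer Family, not in an external IdP).
- One `aws_transfer_user` and one `aws_transfer_ssh_key` per entry of
  `transfer_server_user_names`. The key at index `i` of `transfer_server_ssh_keys`
  is attached to the user at index `i`, so both lists must have the same length
  and order; a shorter key list fails at plan time.
- An IAM role assumed by the Transfer Family service on behalf of every user,
  granting read, write, list and delete (including object versions) on the
  whole bucket.
- A separate IAM role used only for CloudWatch logging, limited to log groups
  under `/aws/transfer/`.

## Security notes

- All users share one role and one home directory (the bucket root), so any
  user can read, overwrite or delete any other user's objects. If tenants must
  be isolated from each other, add per-user home directories and a scope-down
  (session) policy before exposing the server to third parties.
- Both roles can only be assumed by `transfer.amazonaws.com` while acting on
  behalf of the account that deploys this module (`aws:SourceAccount`
  condition), which blocks cross-account confused-deputy use of the roles.
- The bucket is created by the caller, not by this module. Keep it private
  (block public access), enable default encryption, and enable versioning if
  you rely on the version-aware permissions the module grants.
- The module does not set `security_policy_name` on the server, so the
  AWS/provider default SSH security policy applies. Set it in a fork if your
  baseline requires a newer cipher suite.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-------:|:--------:|
| bucket_name | S3 bucket name; becomes every user's home directory | string | `` | yes |
| bucket_arn | S3 bucket ARN the user role's permissions are scoped to | string | `` | yes |
| transfer_server_name | Transfer Server name; also the `NAME` tag and the prefix of the IAM role and policy names | string | `` | yes |
| transfer_server_user_names | Username(s) for the SFTP server | list(string) | `` | yes |
| transfer_server_ssh_keys | SSH public key(s), one per user, in the same order as `transfer_server_user_names` | list(string) | `` | yes |

## Outputs

| Name | Description |
|------|-------------|
| bucket_name | The bucket name that was passed in |
| transfer_server_id | ID of the created Transfer Family server |
| transfer_server_endpoint | Hostname SFTP clients connect to |

--------------------------------------------------------------------------------
/iam.tf:
--------------------------------------------------------------------------------
# Account that deploys the module; used to pin the trust policy below.
data "aws_caller_identity" "current" {}

# Partition (aws, aws-cn, aws-us-gov) so the log-group ARNs are not hard-coded
# to the commercial partition.
data "aws_partition" "current" {}

# Trust policy shared by both roles: only the Transfer Family service may assume
# them, and only while acting on behalf of this account. Without the
# aws:SourceAccount condition a Transfer server in any other AWS account could be
# pointed at these roles (confused-deputy). aws:SourceArn is deliberately not
# used: the server ARN does not exist until the server is created and the server
# needs the logging role ARN, so it would create a dependency cycle.
data "aws_iam_policy_document" "transfer_server_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["transfer.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Permissions handed to every SFTP session through the user role: full
# read/write/delete on the bucket and every object in it, including object
# versions. There is no per-user prefix, so every user sees the whole bucket.
data "aws_iam_policy_document" "transfer_server_s3_access" {
  statement {
    effect = "Allow"

    actions = [
      "s3:DeleteObject",
      "s3:DeleteObjectVersion",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:ListBucket",
      "s3:PutObject",
    ]

    resources = [
      var.bucket_arn,
      "${var.bucket_arn}/*",
    ]
  }
}

# Permissions for the logging role only. Transfer Family writes to log groups
# named /aws/transfer/<server-id>, so the grant is limited to that prefix (and
# its streams) instead of every log group in the account.
data "aws_iam_policy_document" "transfer_server_cloudwatch_logs" {
  statement {
    effect = "Allow"

    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = [
      "arn:${data.aws_partition.current.partition}:logs:*:*:log-group:/aws/transfer/*",
      "arn:${data.aws_partition.current.partition}:logs:*:*:log-group:/aws/transfer/*:log-stream:*",
    ]
  }
}

# Role assumed on behalf of each SFTP user. Its resource address and name are
# unchanged so existing state is not recreated; it only loses the CloudWatch
# Logs permissions it previously carried.
resource "aws_iam_role" "transfer_server_role" {
  name               = "${var.transfer_server_name}-transfer_server_role"
  assume_role_policy = data.aws_iam_policy_document.transfer_server_assume_role.json
}

resource "aws_iam_role_policy" "transfer_server_policy" {
  name   = "${var.transfer_server_name}-transfer_server_policy"
  role   = aws_iam_role.transfer_server_role.name
  policy = data.aws_iam_policy_document.transfer_server_s3_access.json
}

# Dedicated logging role (least privilege): credentials issued to user sessions
# cannot write to CloudWatch Logs, and the logging identity cannot touch the
# bucket.
resource "aws_iam_role" "transfer_server_logging_role" {
  name               = "${var.transfer_server_name}-transfer_server_logging_role"
  assume_role_policy = data.aws_iam_policy_document.transfer_server_assume_role.json
}

resource "aws_iam_role_policy" "transfer_server_to_cloudwatch_policy" {
  name   = "${var.transfer_server_name}-transfer_server_to_cloudwatch_policy"
  role   = aws_iam_role.transfer_server_logging_role.name
  policy = data.aws_iam_policy_document.transfer_server_cloudwatch_logs.json
}
--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
# SFTP endpoint with service-managed users. Logging goes through the dedicated
# logging role, not the role that user sessions run under.
# NOTE(review): security_policy_name is not set, so the AWS/provider default
# SSH security policy applies; set it if a newer cipher suite is required.
resource "aws_transfer_server" "transfer_server" {
  identity_provider_type = "SERVICE_MANAGED"
  logging_role           = aws_iam_role.transfer_server_logging_role.arn

  tags = {
    NAME = var.transfer_server_name
  }
}

# One service-managed user per entry of transfer_server_user_names. All users
# share the user role and the bucket root as home directory, so there is no
# isolation between them (see README, "Security notes").
resource "aws_transfer_user" "transfer_server_user" {
  count = length(var.transfer_server_user_names)

  server_id      = aws_transfer_server.transfer_server.id
  user_name      = var.transfer_server_user_names[count.index]
  role           = aws_iam_role.transfer_server_role.arn
  home_directory = "/${var.bucket_name}"
}

# Attach the key at the same index as the user. Direct indexing replaces
# element(): element() wraps around when the key list is shorter than the
# user list, which silently gave several users the same public key. With
# [count.index] a length mismatch fails at plan time instead.
resource "aws_transfer_ssh_key" "transfer_server_ssh_key" {
  count = length(var.transfer_server_user_names)

  server_id = aws_transfer_server.transfer_server.id
  user_name = aws_transfer_user.transfer_server_user[count.index].user_name
  body      = var.transfer_server_ssh_keys[count.index]
}

--------------------------------------------------------------------------------
/output.tf:
--------------------------------------------------------------------------------
output "bucket_name" {
  description = "Name of the S3 bucket that backs the server (pass-through of var.bucket_name)."
  value       = var.bucket_name
}

output "transfer_server_id" {
  description = "ID of the Transfer Family server."
  value       = aws_transfer_server.transfer_server.id
}

output "transfer_server_endpoint" {
  description = "Hostname SFTP clients connect to."
  value       = aws_transfer_server.transfer_server.endpoint
}
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
variable "bucket_name" {
  description = "Name of the S3 bucket that backs the server; every user gets /<bucket_name> as home directory."
  type        = string
}

variable "bucket_arn" {
  description = "ARN of the same bucket; the user role's S3 permissions are scoped to it."
  type        = string
}

variable "transfer_server_name" {
  description = "Transfer Server name. Also used as the NAME tag and as the prefix of the IAM role and policy names."
  type        = string
}

variable "transfer_server_user_names" {
  description = "User name(s) for the SFTP server; one aws_transfer_user is created per entry."
  type        = list(string)
}

variable "transfer_server_ssh_keys" {
  description = "SSH public key(s), one per user and in the same order as transfer_server_user_names. Key i is attached to user i; a shorter list fails at plan time."
  type        = list(string)
}

--------------------------------------------------------------------------------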