terraform-aws-sftp

This module creates an SFTP server on AWS with a custom identity provider (IdP) that authenticates users by username and password.

  • The SFTP Server is created using the AWS Transfer Family service.
  • The IdP is created using lambda functions and API Gateway.

The module outputs the DNS name and the Transfer Family endpoint that clients use to connect to the SFTP server.

Credentials storage

User credentials can be stored in AWS Secrets Manager, which the Lambda IdP reads at authentication time.
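The password-authentication flow that a Lambda IdP of this kind performs, as an added example (not the module's own handler): the function name, event shape and the secret layout are assumptions, while the "SFTP/<username>" secret naming follows the ARN pattern in the module's Lambda IAM policy.

```python
import hmac
import json

# Secrets are expected at "SFTP/<username>", matching the resource pattern the
# module's lambda_idp_policy grants secretsmanager:GetSecretValue on.
SECRET_PREFIX = "SFTP/"

# Constructed sample secret for the offline stand-in below (role ARN is a placeholder).
SAMPLE_SECRETS = {
    "SFTP/alice": {
        "Password": "correct horse battery staple",
        "Role": "arn:aws:iam::111122223333:role/sftp-user",
        "HomeDirectory": "/example-bucket/alice",
    },
}


class FakeSecretsManager:
    """Offline stand-in for boto3.client('secretsmanager'); only get_secret_value is used."""

    def __init__(self, store):
        self.store = store

    def get_secret_value(self, SecretId):
        if SecretId not in self.store:
            raise LookupError("ResourceNotFoundException")
        return {"SecretString": json.dumps(self.store[SecretId])}


def authenticate(username, password, secrets):
    """Return the Transfer Family response for a password login, or {} to deny."""
    # Reject empty input and separators so the lookup cannot leave the SFTP/ prefix.
    if not username or not password or "/" in username:
        return {}
    try:
        raw = secrets.get_secret_value(SecretId=SECRET_PREFIX + username)["SecretString"]
    except Exception:
        # Unknown user, or AccessDenied (e.g. the Lambda role lacks kms:Decrypt on the
        # key protecting the secret): deny with the same response as a bad password,
        # so valid usernames cannot be told apart from invalid ones.
        return {}
    secret = json.loads(raw)
    # Constant-time comparison; the submitted password is never logged.
    if not hmac.compare_digest(secret.get("Password", ""), password):
        return {}
    return {"Role": secret["Role"], "HomeDirectory": secret["HomeDirectory"]}


def lambda_handler(event, context):
    # Assumes the API Gateway mapping template places username/password in the event,
    # as in the AWS Storage Blog template the module is based on.
    import boto3  # imported lazily so the module loads offline for tests

    return authenticate(event.get("username"), event.get("password"), boto3.client("secretsmanager"))
```

Transfer Family treats an empty JSON object as a failed login, so every deny path returns `{}`.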

References

The infrastructure code is based on the example (a CloudFormation template) provided in the AWS Storage Blog article https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-family-using-aws-secrets-manager-updated/

To Do

  • IAM Roles for:
    • Lambda
    • Transfer
  • Lambda functions
  • API Gateway
  • SFTP Server
  • CloudWatch Log Group

The Route53 DNS record is optional and is created only when the variable zone_name is set.

Usage

module "sftp" {
  source    = "andresb39/sftp/aws"
  version   = "0.0.3"
  zone_name = "example.com" # Optional
  stage     = "dev"

  tags = {
    Environment = "dev"
    Project     = "sftp"
    Team        = "devops"
  }
}

Examples

  • Complete: this example creates an SFTP server with the identity provider, an S3 bucket and user credentials in AWS Secrets Manager.

Requirements

Name Version
terraform >= 1.6.0
archive >= 2.4.0
aws >= 5.38
random >= 3.5.1

Providers

Name Version
archive >= 2.4.0
aws >= 5.38
random >= 3.5.1

Modules

No modules.

Resources

Name Type
aws_api_gateway_account.api_gateway_account resource
aws_api_gateway_deployment.deployment resource
aws_api_gateway_method_settings.all resource
aws_api_gateway_rest_api.apigateway_rest resource
aws_api_gateway_stage.stage resource
aws_cloudwatch_log_group.transfer resource
aws_iam_policy.lambda_idp_policy resource
aws_iam_role.apigateway_idp_role resource
aws_iam_role.lambda_idp_role resource
aws_iam_role.sftp resource
aws_iam_role.sftp_log resource
aws_iam_role_policy_attachment.apigateway_cloudwatchlogs resource
aws_iam_role_policy_attachment.lambda_basic_execution resource
aws_iam_role_policy_attachment.lambda_idp resource
aws_kms_alias.sftp_log_group resource
aws_kms_key.sftp_log_group resource
aws_lambda_function.lambda_idp resource
aws_lambda_permission.allow_apigateway resource
aws_route53_record.this resource
aws_transfer_server.sftp resource
random_string.random_suffix resource
archive_file.sftp_idp data source
aws_caller_identity.current data source
aws_iam_policy_document.assume_role_common data source
aws_iam_policy_document.lambda_idp_policy data source
aws_region.current data source
aws_route53_zone.this data source

Inputs

Name        Description                    Type         Default                                                                                 Required
aws_region  The AWS region to deploy to    string       "us-east-1"                                                                             no
sftp_name   The name of the SFTP server    string       "sftp"                                                                                  no
stage       Stage (e.g. dev, test, prod)   string       "dev"                                                                                   no
tags        Tags for the resources         map(string)  {"Environment": "dev", "ManagedBy": "Terraform", "Project": "sftp", "Team": "DevOps"}  no
zone_name   The name of the Route53 zone   string       ""                                                                                      no

Outputs

Name Description
endpoint The endpoint of the SFTP server (e.g. s-12345678.server.transfer.us-west-2.amazonaws.com)
sftp_dns The DNS of the SFTP server (e.g. sftp.example.com)

terraform-aws-sftp's Issues

lambda_idp_policy missing KMS permissions

@andresb39 I discovered what appears to be a permissions issue with the IAM policy for lambda_idp_policy. The Lambda will need to have KMS rights to decrypt and re-encrypt the key in order to access the secret.

Here is the original code:

resource "aws_iam_policy" "lambda_idp_policy" {
  name        = local.lambda_idp_iam_policy_name
  path        = "/"
  description = "IAM policy IdP service for SFTP in Lambda"

  policy = <<-EOF
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:SFTP/*"
            }
        ]
    }
  EOF
}

Here is what I added in order to get this to have access to the AWS secret. This may be too many privileges to grant this access, but it worked for my situation.

resource "aws_iam_policy" "lambda_idp_policy" {
  name        = local.lambda_idp_iam_policy_name
  path        = "/"
  description = "IAM policy IdP service for SFTP in Lambda"

  policy = <<-EOF
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:SFTP/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                  "kms:Encrypt",
                  "kms:Decrypt",
                  "kms:ReEncrypt*",
                  "kms:GenerateDataKey*",
                  "kms:DescribeKey"
                ],
                "Resource": "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/*"
            }
        ]
    }
  EOF
}
