andresb39/terraform-aws-sftp

terraform-aws-sftp

This module creates an SFTP server on AWS with a custom identity provider (IdP) that authenticates users by username and password.

  • The SFTP Server is created using the AWS Transfer Family service.
  • The IdP is created using lambda functions and API Gateway.

The module outputs the DNS name and the endpoint used to connect to the SFTP server.

Credential storage

The credentials can be stored in AWS Secrets Manager.
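The Lambda-based IdP described above receives the connecting user's name, password and source IP from API Gateway, looks the user up in Secrets Manager, and must answer either with the user's Role and home directory or with an empty object to deny access. The following is an added, stand-alone example of those checks, not the module's own Lambda code: the secret name scheme (aws/transfer/<serverId>/<username>) and the secret fields (Password, Role, HomeDirectory, AcceptedIpNetwork, PublicKeys) follow the AWS Storage Blog template the module references, and the Secrets Manager lookup is replaced by a constructed in-memory dictionary so the code runs offline.

```python
"""Authentication logic for an AWS Transfer Family custom identity provider.

Added example, not the module's Lambda. Secret layout and naming follow the
referenced AWS Storage Blog template (assumption). The secret lookup is
injectable so the logic runs offline; in Lambda it would call
boto3's secretsmanager get_secret_value.
"""
import hmac
import ipaddress
import json
import re

# Constructed stand-in for Secrets Manager: secret name -> secret string.
FAKE_SECRETS = {
    "aws/transfer/s-1234567890abcdef0/alice": json.dumps({
        "Password": "correct horse battery staple",
        "Role": "arn:aws:iam::123456789012:role/sftp-user-role",
        "HomeDirectory": "/example-bucket/alice",
        "AcceptedIpNetwork": "203.0.113.0/24",
    }),
    "aws/transfer/s-1234567890abcdef0/bob": json.dumps({
        # Key-only user: no Password field, so password logins are refused.
        "Role": "arn:aws:iam::123456789012:role/sftp-user-role",
        "HomeDirectory": "/example-bucket/bob",
        "PublicKeys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly bob"],
    }),
}

# Conservative user-name pattern (assumed); it also keeps path-like names such
# as "../other" from being spliced into the secret name.
USERNAME_RE = re.compile(r"^[A-Za-z0-9@._-]{3,100}$")


def lookup_secret(name):
    """Return the raw secret string or None. Replace with boto3 in Lambda."""
    return FAKE_SECRETS.get(name)


def authenticate(event, secret_lookup=lookup_secret):
    """Return the Transfer Family response dict, or {} to deny (fail closed).

    event carries username, serverId, password (empty for key auth) and sourceIp,
    as produced by the API Gateway mapping template in the referenced design.
    """
    username = event.get("username", "")
    server_id = event.get("serverId", "")
    password = event.get("password", "")
    source_ip = event.get("sourceIp", "")

    if not USERNAME_RE.match(username) or not server_id:
        return {}
    raw = secret_lookup(f"aws/transfer/{server_id}/{username}")
    if raw is None:
        return {}
    try:
        secret = json.loads(raw)
    except ValueError:
        return {}
    if "Role" not in secret:
        return {}

    # Optional per-user source-IP allow-list; unparsable input denies access.
    network = secret.get("AcceptedIpNetwork")
    if network:
        try:
            allowed = ipaddress.ip_network(network, strict=False)
            if ipaddress.ip_address(source_ip) not in allowed:
                return {}
        except ValueError:
            return {}

    response = {"Role": secret["Role"]}
    if secret.get("HomeDirectory"):
        response["HomeDirectory"] = secret["HomeDirectory"]
    if secret.get("Policy"):
        response["Policy"] = secret["Policy"]

    if password:
        # Password login: constant-time comparison against the stored value.
        stored = secret.get("Password", "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return {}
        return response

    # Key login: hand the registered public keys back; Transfer Family verifies the key.
    keys = secret.get("PublicKeys")
    if not keys:
        return {}
    response["PublicKeys"] = list(keys)
    return response


def lambda_handler(event, context):
    """Lambda entry point; the whole dict is returned to API Gateway as JSON."""
    return authenticate(event)
```

Every failure path returns an empty object rather than raising, because an exception surfaced through API Gateway gives Transfer Family an unexpected body instead of a clean denial, and it also avoids leaking whether the user or the password was wrong.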

References

The infrastructure code is based on the example (a CloudFormation template) provided in the AWS Storage Blog article https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-family-using-aws-secrets-manager-updated/

To Do

  • IAM Roles for:
    • Lambda
    • Transfer
  • Lambda functions
  • API Gateway
  • SFTP Server
  • CloudWatch Log Group

Route53 DNS record is optional and can be created if the variable zone_name is set.

Usage

module "sftp" {
  source    = "andresb39/sftp/aws"
  version   = "0.0.3"
  zone_name = "example.com" # Optional
  stage     = "dev"

  tags = {
    Environment = "dev"
    Project     = "sftp"
    Team        = "devops"
  }
}

Examples

  • Complete: this example creates an SFTP server with the identity provider, an S3 bucket and user credentials in AWS Secrets Manager.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6.0 |
| archive | >= 2.4.0 |
| aws | >= 5.38 |
| random | >= 3.5.1 |

Providers

| Name | Version |
|------|---------|
| archive | >= 2.4.0 |
| aws | >= 5.38 |
| random | >= 3.5.1 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_api_gateway_account.api_gateway_account | resource |
| aws_api_gateway_deployment.deployment | resource |
| aws_api_gateway_method_settings.all | resource |
| aws_api_gateway_rest_api.apigateway_rest | resource |
| aws_api_gateway_stage.stage | resource |
| aws_cloudwatch_log_group.transfer | resource |
| aws_iam_policy.lambda_idp_policy | resource |
| aws_iam_role.apigateway_idp_role | resource |
| aws_iam_role.lambda_idp_role | resource |
| aws_iam_role.sftp | resource |
| aws_iam_role.sftp_log | resource |
| aws_iam_role_policy_attachment.apigateway_cloudwatchlogs | resource |
| aws_iam_role_policy_attachment.lambda_basic_execution | resource |
| aws_iam_role_policy_attachment.lambda_idp | resource |
| aws_kms_alias.sftp_log_group | resource |
| aws_kms_key.sftp_log_group | resource |
| aws_lambda_function.lambda_idp | resource |
| aws_lambda_permission.allow_apigateway | resource |
| aws_route53_record.this | resource |
| aws_transfer_server.sftp | resource |
| random_string.random_suffix | resource |
| archive_file.sftp_idp | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role_common | data source |
| aws_iam_policy_document.lambda_idp_policy | data source |
| aws_region.current | data source |
| aws_route53_zone.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_region | The AWS region to deploy to | string | "us-east-1" | no |
| sftp_name | The name of the SFTP server | string | "sftp" | no |
| stage | Stage (e.g. dev, test, prod) | string | "dev" | no |
| tags | Tags for the resources | map(string) | {"Environment": "dev", "ManagedBy": "Terraform", "Project": "sftp", "Team": "DevOps"} | no |
| zone_name | The name of the Route53 zone | string | "" | no |

Outputs

| Name | Description |
|------|-------------|
| endpoint | The endpoint of the SFTP server (e.g. s-12345678.server.transfer.us-west-2.amazonaws.com) |
| sftp_dns | The DNS name of the SFTP server (e.g. sftp.example.com) |