Deploys an AWS ECS cluster running an SFTP service as a daemon.
This is a proof-of-concept for how to deploy a highly-available fleet of SFTP servers with an AWS FSx Windows file share, with multiple user folders from the share mounted in ECS-optimized Amazon Linux 2 instances.
This module deploys a subset of the resources described in the diagram below. Namely, it deploys the ECS cluster and SFTP daemon containers in the following architecture:
The AWS FSx for Windows file system must be configured with access for a domain user with permissions to read and write to the file share. This user's credentials will be stored in plaintext in the ECS container instance.
An example module to deploy FSx with Active Directory can be found in the Terraform registry: andreswebs/ad-fsx/aws.
FSx configuration values are injected into the ECS container instances via AWS SSM parameters. Parameters must be created separately with the correct values in the AWS account.
Refer to this FSx documentation for how to pass the SSM parameter names into this module.
The SFTP server configuration and cryptographic keys injection is done via AWS SSM parameters. Parameters must be created separately with the correct SSH keys and configuration values in the AWS account.
Refer to this SFTP documentation for how to pass the SSM parameter names into this module.
The values in the example below will create 3 users with UIDs 1001, 1002, 1003, respectively.
Example:
module "sftp" {
source = "github.com/andreswebs/terraform-aws-ecs-fsx-sftp"
cluster_name = "example"
vpc_id = var.vpc_id
subnet_ids = var.subnet_ids
cidr_whitelist = [var.corp_vpn]
sftp_users = ["user-1", "user-2", "user-3"]
sftp_uid_start = 2001
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| ami_id | AMI ID for ECS container-instances | string |
null |
no |
| cidr_whitelist | CIDR whitelist for allowed container-instance ingress traffic for SSH and SFTP | list(string) |
null |
no |
| cluster_desired_capacity | ECS cluster ASG desired capacity | number |
2 |
no |
| cluster_max_size | ECS cluster ASG maximum instance count | number |
4 |
no |
| cluster_min_size | ECS cluster ASG minimum instance count | number |
1 |
no |
| cluster_name | ECS cluster name | string |
"sftp" |
no |
| execution_role_arn | ECS 'Task Execution Role' ARN; overrides execution_role_name |
string |
null |
no |
| execution_role_name | ECS 'Task Execution Role' name; overriden by execution_role_arn |
string |
"ecs-execution" |
no |
| fsx_cifs_max_buf_size | CIFS maximum buffer size; find it with the command: `modinfo cifs | grep` | string |
"130048" |
| fsx_creds_path | FSx credentials filesystem path | string |
"/etc/fsx/credentials" |
no |
| fsx_file_share | Name of the Windows file share to use | string |
"share" |
no |
| fsx_ip_address | FSx IP address; set to the correct value | string |
"127.0.0.1" |
no |
| fsx_mount_point | Filesystem path prefix for FSx shared stores; each SFTP user will have its own mount-point under this path, mapped to an FSx share path | string |
"/mnt/fsx" |
no |
| fsx_smb_version | SMB protocol version; if in doubt, leave it as default | string |
"3.0" |
no |
| fsx_ssm_param_domain | FSx domain SSM param path | string |
"/domain" |
no |
| fsx_ssm_param_ip_address | FSx IP address SSM param path | string |
"/ip-address" |
no |
| fsx_ssm_param_password | FSx password SSM param path | string |
"/password" |
no |
| fsx_ssm_param_prefix | Prefix for SSM parameters used for FSx configuration | string |
"/fsx" |
no |
| fsx_ssm_param_username | FSx username SSM param path | string |
"/username" |
no |
| instance_profile_name | ECS container-instance IAM profile name; if instance_role_arn is set, this must be an existing instance profile associated to that IAM role |
string |
"ecs-sftp-instance" |
no |
| instance_role_arn | ECS container-instance IAM role ARN; overrides instance_role_name |
string |
null |
no |
| instance_role_name | ECS container-instance IAM role name; overriden by instance_role_arn |
string |
"ecs-sftp-instance" |
no |
| instance_type | ECS container-instance type | string |
"t3a.micro" |
no |
| log_retention_in_days | CloudWatch Logs retention in days | number |
30 |
no |
| script_s3_bucket | Name of an S3 bucket to store the FSx configuration script | string |
n/a | yes |
| script_s3_key | S3 object key for the FSx configuration script | string |
"fsx-config/configure-fsx.bash" |
no |
| sftp_config_container_image | Config container image | string |
"bash:latest" |
no |
| sftp_host_port | Host port for SFTP access | number |
2222 |
no |
| sftp_main_container_image | Main SFTP container image | string |
"atmoz/sftp:latest" |
no |
| sftp_ssm_param_config_users_conf | SSM param path for the /etc/sftp/users.conf file |
string |
"/config/users-conf" |
no |
| sftp_ssm_param_host_priv_key | SSM param path for the host private key | string |
"/host/private-key" |
no |
| sftp_ssm_param_host_pub_key | SSM param path for the host public key | string |
"/host/public-key" |
no |
| sftp_ssm_param_prefix | Prefix for SSM parameters used for SFTP configuration | string |
"/sftp" |
no |
| sftp_ssm_param_user_pub_key | SSM param path for users' public keys | string |
"/user/public-key" |
no |
| sftp_task_port | ECS task port for SFTP access | number |
22 |
no |
| sftp_uid_start | Starting Unix UID for SFTP users; will be incremented by 1 for each extra user | number |
2001 |
no |
| sftp_users | List of SFTP users to add | list(string) |
[ |
no |
| sftp_volume_name_config | SFTP config-volume name | string |
"sftp-config" |
no |
| sftp_volume_name_host | SFTP host-volume name | string |
"sftp-host" |
no |
| sftp_volume_name_scripts | SFTP scripts-volume name | string |
"sftp-scripts" |
no |
| sftp_volume_name_storage | SFTP storage-volumes name prefix; user names will be added as suffixes | string |
"sftp-storage" |
no |
| sftp_volume_name_user | SFTP user-volumes name prefix; user names will be added as suffixes | string |
"sftp-user" |
no |
| ssh_key_name | ECS container-instance SSH key-pair name; must be an existing key-pair | string |
null |
no |
| subnet_ids | Subnet IDs | list(string) |
n/a | yes |
| task_role_arn | ECS 'Task Role' ARN; overrides task_role_name |
string |
null |
no |
| task_role_name | ECS 'Task Role' name; overriden by task_role_arn |
string |
"ecs-task" |
no |
| vpc_id | VPC ID | string |
n/a | yes |
| Name | Source | Version |
|---|---|---|
| iam | ./modules/iam | n/a |
| Name | Description |
|---|---|
| autoscaling_group | The aws_autoscaling_group resource |
| ecs_cluster | The aws_ecs_cluster resource |
| ecs_service | The aws_ecs_service resource |
| ecs_task_definition | The aws_ecs_task_definition resource |
| launch_template | The aws_launch_template resource |
| Name | Version |
|---|---|
| aws | >= 4.12 |
| Name | Version |
|---|---|
| terraform | >= 1.1.0 |
| aws | >= 4.12 |
| Name | Type |
|---|---|
| aws_autoscaling_group.this | resource |
| aws_cloudwatch_log_group.this | resource |
| aws_ecs_capacity_provider.this | resource |
| aws_ecs_cluster.this | resource |
| aws_ecs_cluster_capacity_providers.this | resource |
| aws_ecs_service.this | resource |
| aws_ecs_task_definition.this | resource |
| aws_launch_template.this | resource |
| aws_s3_object.script_configure_fsx | resource |
| aws_security_group.egress | resource |
| aws_security_group.internal | resource |
| aws_security_group.sftp | resource |
| aws_security_group.ssh | resource |
| aws_ssm_parameter.sftp_config_users_conf | resource |
| aws_ami.ecs_ami_latest | data source |
| aws_caller_identity.current | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| aws_s3_bucket.script | data source |
Andre Silva - @andreswebs
This project is licensed under the Unlicense.
This project is based on the public docker.io/atmoz/sftp image.