
terraform-aws-ecs-fsx-sftp

Deploys an AWS ECS cluster running an SFTP service as a daemon.

This is a proof-of-concept for deploying a highly available fleet of SFTP servers backed by an Amazon FSx for Windows File Server file share, with one folder per user from that share mounted into ECS-optimized Amazon Linux 2 container instances.

This module deploys a subset of the resources described in the diagram below, namely the ECS cluster and the SFTP daemon containers, in the following architecture:

(Diagram: Example SFTP service)

Pre-requisites

FSx

The Amazon FSx for Windows File Server file system must be configured with access for a domain user that has read and write permissions on the file share. The module writes this user's credentials in plaintext to each ECS container instance, at the path set by fsx_creds_path (default /etc/fsx/credentials). Use a dedicated service account that can access only this share, and treat anyone who can reach the instances over SSH (see ssh_key_name and cidr_whitelist) as able to read those credentials.

An example module to deploy FSx with Active Directory can be found in the Terraform registry: andreswebs/ad-fsx/aws.

Configuration

FSx

FSx configuration values (domain, username, password and file system IP address) are injected into the ECS container instances from AWS SSM parameters. The module does not create these parameters: they must be created separately in the AWS account, with the correct values, under the names built from fsx_ssm_param_prefix and the per-value fsx_ssm_param_* paths. Store the password as a SecureString parameter so that it is encrypted at rest in SSM; only the container instances then hold it in the clear.

Refer to the module's FSx documentation for how to pass the SSM parameter names into this module.

SFTP

The SFTP server configuration and cryptographic keys are likewise injected from AWS SSM parameters. The host key pair and the users' public keys must be created separately in the AWS account, under the names built from sftp_ssm_param_prefix and the sftp_ssm_param_* paths; store the host private key as a SecureString parameter. The users.conf parameter (sftp_ssm_param_config_users_conf) is generated by the module itself from sftp_users and sftp_uid_start, so it does not need to be created by hand.

Refer to the module's SFTP documentation for how to pass the SSM parameter names into this module.

Both container images default to mutable :latest tags (atmoz/sftp:latest and bash:latest); pin sftp_main_container_image and sftp_config_container_image to a specific tag or digest for anything beyond a proof of concept.

The values in the Usage example below create three users, user-1, user-2 and user-3, with UIDs 2001, 2002 and 2003 respectively (sftp_uid_start, incremented by 1 for each further user).

Usage

Example (script_s3_bucket is a required input and must be supplied):

module "sftp" {
  source           = "github.com/andreswebs/terraform-aws-ecs-fsx-sftp"
  cluster_name     = "example"
  vpc_id           = var.vpc_id
  subnet_ids       = var.subnet_ids
  cidr_whitelist   = [var.corp_vpn]
  script_s3_bucket = var.script_bucket # required: bucket that receives the FSx configuration script
  sftp_users       = ["user-1", "user-2", "user-3"]
  sftp_uid_start   = 2001
}
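The following is an added, end-to-end example of the SSM parameter wiring that the FSx and SFTP configuration sections above require, together with the matching module call. It is not code from this module or its author. It assumes that the full parameter name is the prefix followed by the per-value path (for example /fsx/password), that per-user public keys are stored as one parameter per user under the sftp_ssm_param_user_pub_key path, that the module reads SecureString parameters with decryption, and that the hashicorp/tls provider (4.0 or later, for ED25519 and OpenSSH-format output) is available; verify the first two against the module's FSx and SFTP documentation. The domain name, IP address, service account name and key file paths are constructed placeholders.

```hcl
# Added example, not part of the module. Creates the SSM parameters the
# module reads, under the same prefixes the module call below is given.
# ASSUMPTIONS (check docs in the repository): parameter name = prefix + path;
# one public-key parameter per user under "<prefix>/user/public-key/<user>";
# SecureString parameters are read with decryption.
locals {
  fsx_prefix  = "/fsx"
  sftp_prefix = "/sftp"
  sftp_users  = ["user-1", "user-2", "user-3"]
}

# Dedicated KMS key: reading the secrets then requires kms:Decrypt on this
# key as well as ssm:GetParameter. Whichever role reads the parameters
# (the module's IAM submodule, or your own execution_role_arn/task_role_arn)
# must be granted that permission.
resource "aws_kms_key" "ssm" {
  description         = "SSM parameters for the SFTP/FSx service"
  enable_key_rotation = true
}

# Non-secret FSx values: plain String parameters (constructed values).
resource "aws_ssm_parameter" "fsx_plain" {
  for_each = {
    "/domain"     = "corp.example.com"
    "/ip-address" = "10.0.10.25"
    "/username"   = "svc-sftp-share" # least-privilege account: this share only
  }
  name  = "${local.fsx_prefix}${each.key}"
  type  = "String"
  value = each.value
}

# The share password never appears in this file; it is supplied at apply time.
variable "fsx_password" {
  type      = string
  sensitive = true
}

resource "aws_ssm_parameter" "fsx_password" {
  name   = "${local.fsx_prefix}/password"
  type   = "SecureString"
  key_id = aws_kms_key.ssm.arn
  value  = var.fsx_password
}

# SFTP host key. tls_private_key writes the private key into Terraform
# state, so the state backend must be encrypted and access-restricted;
# generating the key with ssh-keygen and reading it with file() is the
# alternative (it still lands in state as the parameter value).
resource "tls_private_key" "sftp_host" {
  algorithm = "ED25519"
}

resource "aws_ssm_parameter" "sftp_host_private_key" {
  name   = "${local.sftp_prefix}/host/private-key"
  type   = "SecureString"
  key_id = aws_kms_key.ssm.arn
  value  = tls_private_key.sftp_host.private_key_openssh
}

resource "aws_ssm_parameter" "sftp_host_public_key" {
  name  = "${local.sftp_prefix}/host/public-key"
  type  = "String"
  value = tls_private_key.sftp_host.public_key_openssh
}

# One public key per user, read from files kept next to this configuration
# (constructed paths). Public keys are not secret, so String is sufficient.
resource "aws_ssm_parameter" "sftp_user_public_key" {
  for_each = toset(local.sftp_users)
  name     = "${local.sftp_prefix}/user/public-key/${each.key}"
  type     = "String"
  value    = file("${path.module}/keys/${each.key}.pub")
}

module "sftp" {
  source           = "github.com/andreswebs/terraform-aws-ecs-fsx-sftp"
  cluster_name     = "example"
  vpc_id           = var.vpc_id
  subnet_ids       = var.subnet_ids
  cidr_whitelist   = [var.corp_vpn]      # never null/0.0.0.0/0: exposes SSH and SFTP
  script_s3_bucket = var.script_bucket
  sftp_users       = local.sftp_users
  sftp_uid_start   = 2001

  # Same prefixes as the parameters above.
  fsx_ssm_param_prefix  = local.fsx_prefix
  sftp_ssm_param_prefix = local.sftp_prefix

  # Make sure the parameters exist before the instances try to read them.
  depends_on = [
    aws_ssm_parameter.fsx_plain,
    aws_ssm_parameter.fsx_password,
    aws_ssm_parameter.sftp_host_private_key,
    aws_ssm_parameter.sftp_host_public_key,
    aws_ssm_parameter.sftp_user_public_key,
  ]
}
```

Apply with the password passed out of band (for example TF_VAR_fsx_password from a secrets manager), and confirm the resulting parameter names against the module's FSx and SFTP documentation before the first apply; a mismatch in the per-user key layout will leave the SFTP users without authorized keys rather than fail loudly at plan time.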

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| ami_id | AMI ID for ECS container-instances | string | null | no |
| cidr_whitelist | CIDR whitelist for allowed container-instance ingress traffic for SSH and SFTP | list(string) | null | no |
| cluster_desired_capacity | ECS cluster ASG desired capacity | number | 2 | no |
| cluster_max_size | ECS cluster ASG maximum instance count | number | 4 | no |
| cluster_min_size | ECS cluster ASG minimum instance count | number | 1 | no |
| cluster_name | ECS cluster name | string | "sftp" | no |
| execution_role_arn | ECS 'Task Execution Role' ARN; overrides execution_role_name | string | null | no |
| execution_role_name | ECS 'Task Execution Role' name; overridden by execution_role_arn | string | "ecs-execution" | no |
| fsx_cifs_max_buf_size | CIFS maximum buffer size (the cifs kernel module's CIFSMaxBufSize parameter; `modinfo cifs` shows the supported range) | string | "130048" | no |
| fsx_creds_path | FSx credentials filesystem path | string | "/etc/fsx/credentials" | no |
| fsx_file_share | Name of the Windows file share to use | string | "share" | no |
| fsx_ip_address | FSx IP address; set to the correct value | string | "127.0.0.1" | no |
| fsx_mount_point | Filesystem path prefix for FSx shared stores; each SFTP user will have its own mount-point under this path, mapped to an FSx share path | string | "/mnt/fsx" | no |
| fsx_smb_version | SMB protocol version; if in doubt, leave it as default | string | "3.0" | no |
| fsx_ssm_param_domain | FSx domain SSM param path | string | "/domain" | no |
| fsx_ssm_param_ip_address | FSx IP address SSM param path | string | "/ip-address" | no |
| fsx_ssm_param_password | FSx password SSM param path | string | "/password" | no |
| fsx_ssm_param_prefix | Prefix for SSM parameters used for FSx configuration | string | "/fsx" | no |
| fsx_ssm_param_username | FSx username SSM param path | string | "/username" | no |
| instance_profile_name | ECS container-instance IAM profile name; if instance_role_arn is set, this must be an existing instance profile associated with that IAM role | string | "ecs-sftp-instance" | no |
| instance_role_arn | ECS container-instance IAM role ARN; overrides instance_role_name | string | null | no |
| instance_role_name | ECS container-instance IAM role name; overridden by instance_role_arn | string | "ecs-sftp-instance" | no |
| instance_type | ECS container-instance type | string | "t3a.micro" | no |
| log_retention_in_days | CloudWatch Logs retention in days | number | 30 | no |
| script_s3_bucket | Name of an S3 bucket to store the FSx configuration script | string | n/a | yes |
| script_s3_key | S3 object key for the FSx configuration script | string | "fsx-config/configure-fsx.bash" | no |
| sftp_config_container_image | Config container image | string | "bash:latest" | no |
| sftp_host_port | Host port for SFTP access | number | 2222 | no |
| sftp_main_container_image | Main SFTP container image | string | "atmoz/sftp:latest" | no |
| sftp_ssm_param_config_users_conf | SSM param path for the /etc/sftp/users.conf file | string | "/config/users-conf" | no |
| sftp_ssm_param_host_priv_key | SSM param path for the host private key | string | "/host/private-key" | no |
| sftp_ssm_param_host_pub_key | SSM param path for the host public key | string | "/host/public-key" | no |
| sftp_ssm_param_prefix | Prefix for SSM parameters used for SFTP configuration | string | "/sftp" | no |
| sftp_ssm_param_user_pub_key | SSM param path for users' public keys | string | "/user/public-key" | no |
| sftp_task_port | ECS task port for SFTP access | number | 22 | no |
| sftp_uid_start | Starting Unix UID for SFTP users; will be incremented by 1 for each extra user | number | 2001 | no |
| sftp_users | List of SFTP users to add | list(string) | ["sftp-user"] | no |
| sftp_volume_name_config | SFTP config-volume name | string | "sftp-config" | no |
| sftp_volume_name_host | SFTP host-volume name | string | "sftp-host" | no |
| sftp_volume_name_scripts | SFTP scripts-volume name | string | "sftp-scripts" | no |
| sftp_volume_name_storage | SFTP storage-volumes name prefix; user names will be added as suffixes | string | "sftp-storage" | no |
| sftp_volume_name_user | SFTP user-volumes name prefix; user names will be added as suffixes | string | "sftp-user" | no |
| ssh_key_name | ECS container-instance SSH key-pair name; must be an existing key-pair | string | null | no |
| subnet_ids | Subnet IDs | list(string) | n/a | yes |
| task_role_arn | ECS 'Task Role' ARN; overrides task_role_name | string | null | no |
| task_role_name | ECS 'Task Role' name; overridden by task_role_arn | string | "ecs-task" | no |
| vpc_id | VPC ID | string | n/a | yes |

Modules

| Name | Source | Version |
|------|--------|---------|
| iam | ./modules/iam | n/a |

Outputs

| Name | Description |
|------|-------------|
| autoscaling_group | The aws_autoscaling_group resource |
| ecs_cluster | The aws_ecs_cluster resource |
| ecs_service | The aws_ecs_service resource |
| ecs_task_definition | The aws_ecs_task_definition resource |
| launch_template | The aws_launch_template resource |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.12 |

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1.0 |
| aws | >= 4.12 |

Resources

| Name | Type |
|------|------|
| aws_autoscaling_group.this | resource |
| aws_cloudwatch_log_group.this | resource |
| aws_ecs_capacity_provider.this | resource |
| aws_ecs_cluster.this | resource |
| aws_ecs_cluster_capacity_providers.this | resource |
| aws_ecs_service.this | resource |
| aws_ecs_task_definition.this | resource |
| aws_launch_template.this | resource |
| aws_s3_object.script_configure_fsx | resource |
| aws_security_group.egress | resource |
| aws_security_group.internal | resource |
| aws_security_group.sftp | resource |
| aws_security_group.ssh | resource |
| aws_ssm_parameter.sftp_config_users_conf | resource |
| aws_ami.ecs_ami_latest | data source |
| aws_caller_identity.current | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| aws_s3_bucket.script | data source |

Authors

Andre Silva - @andreswebs

License

This project is licensed under the Unlicense.

Acknowledgements

This project is based on the public docker.io/atmoz/sftp image.