Merge pull request #1 from trussworks/setup

Initial setup

.circleci/config.yml

@@ -0,0 +1,23 @@
+version: 2
+jobs:
+  validate:
+    docker:
+      - image: trussworks/circleci-docker-primary:tf12-4c1fd54273446484259597ae3da9deb2806498ed
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+            - pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }}
+      - run:
+          name: Run pre-commit tests
+          command: pre-commit run --all-files
+      - save_cache:
+          key: pre-commit-dot-cache-{{ checksum ".pre-commit-config.yaml" }}
+          paths:
+            - ~/.cache/pre-commit
+
+workflows:
+  version: 2
+  validate:
+    jobs:
+      - validate

.gitignore

@@ -0,0 +1,2 @@
+.envrc
+.envrc.*

.markdownlintrc

@@ -0,0 +1,7 @@
+{
+  "default": true,
+  "first-header-h1": false,
+  "first-line-h1": false,
+  "line_length": false,
+  "no-multiple-blanks": false
+}

.pre-commit-config.yaml

@@ -0,0 +1,23 @@
+repos:
+  - repo: git://github.com/pre-commit/pre-commit-hooks
+    rev: v2.4.0
+    hooks:
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-yaml
+      - id: detect-private-key
+      - id: pretty-format-json
+        args:
+          - --autofix
+      - id: trailing-whitespace
+
+  - repo: git://github.com/igorshubovych/markdownlint-cli
+    rev: v0.19.0
+    hooks:
+      - id: markdownlint
+
+  - repo: git://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.19.0
+    hooks:
+      - id: terraform_docs
+      - id: terraform_fmt

LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2019, TrussWorks, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -1,2 +1,51 @@
+
+Creates a user for an AWS Transfer for SFTP endpoint.
+
+Creates the following resources:
+
+* AWS Transfer user
+* IAM policy for the user to access S3.
+* SSH Keys attached to the Transfer user.
+
+## Usage
+
+```hcl
+module "sftp_user_alice" {
+  source                = "trussworks/sftp-user/aws"
+  version               = "~> 1.0.0"
+
+  sftp_server_id            = aws_transfer_server.my_app_sftp.id
+  ssh_public_keys           = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3F6tyPEFEzV0LX3X8BsXdMsQz1x2cEikKDEY0aIj41qgxMCP/iteneqXSIFZBp5vizPvaoIR3Um9xK7PGoW8giupGn+EPuxIA4cDM4vzOqOkiMPhz5XK0whEjkVzTo4+S0puvDZuwIsdiW9mxhJc7tgBNL0cYlWSYVkz4G/fslNfRPW5mYAM49f4fhtxPb5ok4Q2Lg9dPKVHO/Bgeu5woMc7RY0p1ej6D4CKFE6lymSDJpW0YHX/wqE9+cfEauh7xZcG0q9t2ta6F6fmX0agvpFyZo8aFbXeUBr7osSCJNgvavWbM/06niWrOvYX2xwWdhXmXSrbX8ZbabVohBK41 example@example.com"]
+  user_name                 = "alice"
+  role_name                 = "alice-sftp-role"
+  home_directory_bucket     = "myapp_sftp_bucket"
+  home_directory_key_prefix = "alice/"
+  allowed_actions = [
+    "s3:GetObject",
+    "s3:GetObjectACL",
+    "s3:PutObject",
+    "s3:PutObjectACL",
+ ]
+ tags = {
+   Application = "my_app"
+   Environment = "prod"
+ }
+}
+```
+
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| allowed\_actions | A list of allowed actions for objects in the backend bucket. | list(string) | `[ "s3:GetObject", "s3:GetObjectACL", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectACL", "s3:DeleteObject", "s3:DeleteObjectVersion" ]` | no |
+| home\_directory\_bucket | The S3 Bucket to use as the home directory | object | n/a | yes |
+| home\_directory\_key\_prefix | The home directory key prefix | string | `""` | no |
+| role\_name | The name of the IAM role for the SFTP user | string | n/a | yes |
+| sftp\_server\_id | Server ID of the AWS Transfer Server (aka SFTP Server) | string | n/a | yes |
+| ssh\_public\_keys | Public SSH key for the user.  If list is empty, then no SSH Keys are setup to authenticate as the user. | list(string) | `[]` | no |
+| tags | A mapping of tags to assign to all resources | map(string) | `{}` | no |
+| user\_name | The name of the user | string | n/a | yes |
+
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

main.tf

@@ -0,0 +1,101 @@
+/**
+ * Creates a user for an AWS Transfer for SFTP endpoint.
+ *
+ * Creates the following resources:
+ *
+ * * AWS Transfer user
+ * * IAM policy for the user to access S3.
+ * * SSH Keys attached to the Transfer user.
+ *
+ * ## Usage
+ * ```hcl
+ * module "sftp_user_alice" {
+ *   source                = "trussworks/sftp-user/aws"
+ *   version               = "~> 1.0.0"
+ *
+ *   sftp_server_id            = aws_transfer_server.my_app_sftp.id
+ *   ssh_public_keys           = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3F6tyPEFEzV0LX3X8BsXdMsQz1x2cEikKDEY0aIj41qgxMCP/iteneqXSIFZBp5vizPvaoIR3Um9xK7PGoW8giupGn+EPuxIA4cDM4vzOqOkiMPhz5XK0whEjkVzTo4+S0puvDZuwIsdiW9mxhJc7tgBNL0cYlWSYVkz4G/fslNfRPW5mYAM49f4fhtxPb5ok4Q2Lg9dPKVHO/Bgeu5woMc7RY0p1ej6D4CKFE6lymSDJpW0YHX/wqE9+cfEauh7xZcG0q9t2ta6F6fmX0agvpFyZo8aFbXeUBr7osSCJNgvavWbM/06niWrOvYX2xwWdhXmXSrbX8ZbabVohBK41 example@example.com"]
+ *   user_name                 = "alice"
+ *   role_name                 = "alice-sftp-role"
+ *   home_directory_bucket     = "myapp_sftp_bucket"
+ *   home_directory_key_prefix = "alice/"
+ *   allowed_actions = [
+ *     "s3:GetObject",
+ *     "s3:GetObjectACL",
+ *     "s3:PutObject",
+ *     "s3:PutObjectACL",
+ *   ]
+ *   tags = {
+ *     Application = "my_app"
+ *     Environment = "prod"
+ *   }
+ * }
+ * ```
+ */
+
+#
+# SFTP
+#
+
+data "aws_iam_policy_document" "assume_role_policy_doc" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["transfer.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "main" {
+  name               = var.role_name
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_doc.json
+}
+
+data "aws_iam_policy_document" "role_policy_doc" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:GetBucketLocation"
+    ]
+    resources = [
+      var.home_directory_bucket.arn
+    ]
+  }
+  statement {
+    effect  = "Allow"
+    actions = var.allowed_actions
+    resources = [
+      format("%s/%s*", var.home_directory_bucket.arn, var.home_directory_key_prefix)
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "main" {
+  name   = format("%s-policy", aws_iam_role.main.name)
+  role   = aws_iam_role.main.name
+  policy = data.aws_iam_policy_document.role_policy_doc.json
+}
+
+resource "aws_transfer_user" "main" {
+  server_id      = var.sftp_server_id
+  user_name      = var.user_name
+  role           = aws_iam_role.main.arn
+  home_directory = format("/%s/%s", var.home_directory_bucket.id, var.home_directory_key_prefix)
+
+  tags = merge(
+    var.tags,
+    {
+      "Automation" = "Terraform"
+    },
+  )
+}
+
+resource "aws_transfer_ssh_key" "main" {
+  count     = length(var.ssh_public_keys)
+  server_id = var.sftp_server_id
+  user_name = aws_transfer_user.main.user_name
+  body      = var.ssh_public_keys[count.index]
+}

variables.tf

@@ -0,0 +1,54 @@
+variable "user_name" {
+  description = "The name of the user"
+  type        = string
+}
+
+variable "role_name" {
+  description = "The name of the IAM role for the SFTP user"
+  type        = string
+}
+
+variable "home_directory_bucket" {
+  description = "The S3 Bucket to use as the home directory"
+  type = object({
+    arn = string
+    id  = string
+  })
+}
+
+variable "home_directory_key_prefix" {
+  description = "The home directory key prefix"
+  type        = string
+  default     = ""
+}
+
+variable "sftp_server_id" {
+  description = "Server ID of the AWS Transfer Server (aka SFTP Server)"
+  type        = string
+}
+
+variable "ssh_public_keys" {
+  description = "Public SSH key for the user.  If list is empty, then no SSH Keys are setup to authenticate as the user."
+  type        = list(string)
+  default     = []
+}
+
+variable "tags" {
+  description = "A mapping of tags to assign to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "allowed_actions" {
+  description = "A list of allowed actions for objects in the backend bucket."
+  type        = list(string)
+  default = [
+    "s3:GetObject",
+    "s3:GetObjectACL",
+    "s3:GetObjectVersion",
+    "s3:PutObject",
+    "s3:PutObjectACL",
+    "s3:DeleteObject",
+    "s3:DeleteObjectVersion"
+  ]
+}