Merge pull request caktus#87 from caktus/sftp

Add AWS SFTP service

Author: dpoirier

CHANGELOG.rst

@@ -35,6 +35,8 @@ What's new in 2.0.0:
 * Add CustomAppCertificateArn parameter to allow association with an existing ACM certificate.
 * Add VPC Endpoint for S3.
 * Add DatabaseReplication parameter to add a database replica (** this will fail if DatabaseBackupRetentionDays is 0.**).
+* Add optional SFTP server, including S3 bucket, transfer server, and user role and scopedown policy to use when creating
+  users in the transfer server.
 
 
 `1.4.0`_ (2019-08-05)

stack/__init__.py

@@ -1,5 +1,6 @@
 import os
 
+from . import sftp  # noqa: F401
 from . import assets  # noqa: F401
 from . import cache  # noqa: F401
 from . import database  # noqa: F401

stack/assets.py

@@ -8,6 +8,7 @@
     If,
     Join,
     Not,
+    NoValue,
     Output,
     Ref,
     Split,
@@ -42,6 +43,7 @@
     use_cmk_arn
 )
 from .domain import domain_name, domain_name_alternates, no_alt_domains
+from .sftp import use_sftp_condition, use_sftp_with_kms_condition
 from .template import template
 from .utils import ParameterWithDefaults as Parameter
 
@@ -102,32 +104,32 @@
     Bucket(
         "AssetsBucket",
         AccessControl=Ref(assets_bucket_access_control),
-        BucketEncryption=BucketEncryption(
-            ServerSideEncryptionConfiguration=If(
-                use_aes256_encryption_cond,
-                [
+        BucketEncryption=If(
+            use_aes256_encryption_cond,
+            BucketEncryption(
+                ServerSideEncryptionConfiguration=[
                     ServerSideEncryptionRule(
                         ServerSideEncryptionByDefault=ServerSideEncryptionByDefault(
                             SSEAlgorithm='AES256'
                         )
                     )
-                ],
-                [
-                    ServerSideEncryptionRule()
                 ]
-            )
+            ),
+            NoValue
         ),
         **common_bucket_conf,
     )
 )
 
 
 # Output S3 asset bucket name
-template.add_output(Output(
-    "AssetsBucketDomainName",
-    Description="Assets bucket domain name",
-    Value=GetAtt(assets_bucket, "DomainName")
-))
+template.add_output(
+    Output(
+        "AssetsBucketDomainName",
+        Description="Assets bucket domain name",
+        Value=GetAtt(assets_bucket, "DomainName"),
+    )
+)
 
 
 # Create an S3 bucket that holds user uploads or other non-public files
@@ -141,61 +143,122 @@
             IgnorePublicAcls=True,
             RestrictPublicBuckets=True,
         ),
-        BucketEncryption=BucketEncryption(
-            ServerSideEncryptionConfiguration=If(
-                use_aes256_encryption_cond,
-                [
+        BucketEncryption=If(
+            use_aes256_encryption_cond,
+            BucketEncryption(
+                ServerSideEncryptionConfiguration=[
                     ServerSideEncryptionRule(
                         ServerSideEncryptionByDefault=ServerSideEncryptionByDefault(
                             SSEAlgorithm=If(use_cmk_arn, 'aws:kms', 'AES256'),
                             KMSMasterKeyID=If(use_cmk_arn, Ref(cmk_arn), Ref("AWS::NoValue")),
                         )
                     )
-                ],
-                [
-                    ServerSideEncryptionRule()
                 ]
-            )
+            ),
+            NoValue
         ),
         **common_bucket_conf,
     )
 )
 
+# Output S3 private assets bucket name
+template.add_output(
+    Output(
+        "PrivateAssetsBucketDomainName",
+        Description="Private assets bucket domain name",
+        Value=GetAtt(private_assets_bucket, "DomainName"),
+    )
+)
 
-# Output S3 asset bucket name
-template.add_output(Output(
-    "PrivateAssetsBucketDomainName",
-    Description="Private assets bucket domain name",
-    Value=GetAtt(private_assets_bucket, "DomainName")
-))
+# Bucket for SFTP service
+sftp_assets_bucket = Bucket(
+    "SFTPAssetsBucket",
+    Condition=use_sftp_condition,
+    AccessControl=Private,
+    PublicAccessBlockConfiguration=PublicAccessBlockConfiguration(
+        BlockPublicAcls=True,
+        BlockPublicPolicy=True,
+        IgnorePublicAcls=True,
+        RestrictPublicBuckets=True,
+    ),
+    BucketEncryption=If(
+        use_aes256_encryption_cond,
+        BucketEncryption(
+            ServerSideEncryptionConfiguration=[
+                ServerSideEncryptionRule(
+                    ServerSideEncryptionByDefault=ServerSideEncryptionByDefault(
+                        SSEAlgorithm=If(use_cmk_arn, "aws:kms", "AES256"),
+                        KMSMasterKeyID=If(
+                            use_cmk_arn, Ref(cmk_arn), Ref("AWS::NoValue")
+                        ),
+                    )
+                )
+            ]
+        ),
+        NoValue,
+    ),
+    **common_bucket_conf,
+)
+template.add_resource(sftp_assets_bucket)
+
+# Output SFTP asset bucket name
+template.add_output(
+    Output(
+        "SFTPBucketDomainName",
+        Condition=use_sftp_condition,
+        Description="SFTP bucket domain name",
+        Value=GetAtt(sftp_assets_bucket, "DomainName"),
+    )
+)
 
+assets_management_policy_statements = [
+    dict(
+        Effect="Allow",
+        Action=["s3:ListBucket"],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(assets_bucket)]),
+    ),
+    dict(
+        Effect="Allow",
+        Action=["s3:*"],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(assets_bucket), "/*"]),
+    ),
+    dict(
+        Effect="Allow",
+        Action=["s3:ListBucket"],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(private_assets_bucket)]),
+    ),
+    dict(
+        Effect="Allow",
+        Action=["s3:*"],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(private_assets_bucket), "/*"]),
+    ),
+]
+
+assets_management_policy_statements_including_sftp_bucket = (
+    assets_management_policy_statements
+    + [
+        dict(
+            Effect="Allow",
+            Action=["s3:ListBucket"],
+            Resource=Join("", [arn_prefix, ":s3:::", Ref(sftp_assets_bucket)]),
+        ),
+        dict(
+            Effect="Allow",
+            Action=["s3:*"],
+            Resource=Join("", [arn_prefix, ":s3:::", Ref(sftp_assets_bucket), "/*"]),
+        ),
+    ]
+)
 
 # central asset management policy for use in instance roles
 assets_management_policy = iam.Policy(
     PolicyName="AssetsManagementPolicy",
     PolicyDocument=dict(
-        Statement=[
-            dict(
-                Effect="Allow",
-                Action=["s3:ListBucket"],
-                Resource=Join("", [arn_prefix, ":s3:::", Ref(assets_bucket)]),
-            ),
-            dict(
-                Effect="Allow",
-                Action=["s3:*"],
-                Resource=Join("", [arn_prefix, ":s3:::", Ref(assets_bucket), "/*"]),
-            ),
-            dict(
-                Effect="Allow",
-                Action=["s3:ListBucket"],
-                Resource=Join("", [arn_prefix, ":s3:::", Ref(private_assets_bucket)]),
-            ),
-            dict(
-                Effect="Allow",
-                Action=["s3:*"],
-                Resource=Join("", [arn_prefix, ":s3:::", Ref(private_assets_bucket), "/*"]),
-            ),
-        ],
+        Statement=If(
+            use_sftp_condition,
+            assets_management_policy_statements_including_sftp_bucket,
+            assets_management_policy_statements,
+        )
     ),
 )
 
@@ -321,11 +384,119 @@
     )
 
     # Output CloudFront url
-    template.add_output(Output(
-        "AssetsDistributionDomainName",
-        Description="The assets CDN domain name",
-        Value=GetAtt(distribution, "DomainName"),
-        Condition=assets_use_cloudfront_condition,
-    ))
+    template.add_output(
+        Output(
+            "AssetsDistributionDomainName",
+            Description="The assets CDN domain name",
+            Value=GetAtt(distribution, "DomainName"),
+            Condition=assets_use_cloudfront_condition,
+        )
+    )
 else:
     distribution = None
+
+# The scopedown policy is used to restrict a user's access to the parts of the bucket
+# we don't want them to access.
+common_sftp_scopedown_policy_statements = [
+    {
+        "Sid": "AllowListingOfSFTPUserFolder",
+        "Action": ["s3:ListBucket"],
+        "Effect": "Allow",
+        "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
+        "Condition": {
+            "StringLike": {
+                "s3:prefix": ["${transfer:UserName}/*", "${transfer:UserName}"]
+            }
+        },
+    },
+    {
+        "Sid": "HomeDirObjectAccess",
+        "Effect": "Allow",
+        "Action": [
+            "s3:PutObject",
+            "s3:GetObject",
+            "s3:DeleteObjectVersion",
+            "s3:DeleteObject",
+            "s3:GetObjectVersion",
+        ],
+        "Resource": [
+            Join("/", [GetAtt(sftp_assets_bucket, "Arn"), "${transfer:UserName}"]),
+            Join("/", [GetAtt(sftp_assets_bucket, "Arn"), "${transfer:UserName}/*"]),
+        ],
+    },
+]
+
+sftp_kms_policy_statement = dict(
+    Effect="Allow",
+    Action=["kms:DescribeKey", "kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt"],
+    Resource=Ref(cmk_arn),
+)
+
+sftp_scopedown_policy = iam.ManagedPolicy(
+    # This is for applying when adding users to the transfer server. It's not used directly in the stack creation,
+    # other than adding it to IAM for later use.
+    "SFTPUserScopeDownPolicy",
+    PolicyDocument=dict(
+        Version="2012-10-17",
+        Statement=If(
+            use_sftp_with_kms_condition,
+            common_sftp_scopedown_policy_statements + [sftp_kms_policy_statement],
+            common_sftp_scopedown_policy_statements,
+        ),
+    ),
+)
+template.add_resource(sftp_scopedown_policy)
+
+# The ROLE is applied to users to let them access the bucket in general,
+# without regart to who they are.
+common_sftp_user_role_statements = [
+    dict(
+        Effect="Allow",
+        Action=["s3:ListBucket", "s3:GetBucketLocation"],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(sftp_assets_bucket)]),
+    ),
+    dict(
+        Effect="Allow",
+        Action=[
+            "s3:PutObject",
+            "s3:GetObject",
+            "s3:DeleteObject",
+            "s3:DeleteObjectVersion",
+            "s3:GetObjectVersion",
+            "s3:GetObjectACL",
+            "s3:PutObjectACL",
+        ],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(sftp_assets_bucket), "/*"]),
+    ),
+]
+
+sftp_user_role = iam.Role(
+    # This also is not used directly during the stack setup, but is put into IAM
+    # to be used later when adding users to the transfer server.
+    "SFTPUserRole",
+    template=template,
+    AssumeRolePolicyDocument=dict(
+        Statement=[
+            dict(
+                Effect="Allow",
+                Principal=dict(Service=["transfer.amazonaws.com"]),
+                Action=["sts:AssumeRole"],
+            )
+        ]
+    ),
+    Policies=[
+        iam.Policy(
+            "SFTPSUserRolePolicy",
+            PolicyName="SFTPSUserRolePolicy",
+            PolicyDocument=dict(
+                Version="2012-10-17",
+                Statement=If(
+                    use_sftp_with_kms_condition,
+                    common_sftp_user_role_statements + [sftp_kms_policy_statement],
+                    common_sftp_user_role_statements,
+                ),
+            ),
+        )
+    ],
+    RoleName=Join("-", [Ref("AWS::StackName"), "SFTPUserRole"]),
+)