Skip to content

Latest commit

 

History

History

scenario3

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
users
users
 
 
.terraform.lock.hcl
.terraform.lock.hcl
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
provider.tf
provider.tf
 
 
terraform.tfvars
terraform.tfvars
 
 
variables.tf
variables.tf
 
 

README.md

Scenario3: Owned EFS and Owned EFS Access Point

This example assumes following resources are already provisioned:

  • EFS file system does not exist. It is owned by the SFTP server.
  • EFS access point does not exist. It is owned by the SFTP server.
  • EFS mount points do not exist. It will be created along with the EFS.
  • EFS Security Group does not exist. It will be created along with the EFS.
  • The target VPC and Subnets exists and tagged for identification.

Prerequisites

  • Terraform backend provider and state locking providers are identified and bootstrapped.
    • A bootstrap module/example is provided that provisions Amazon S3 for Terraform state storage and Amazon DynamoDB for Terraform state locking.
  • The target VPC along with the target Subnets exist and identified via Tags.
    • A vpc example is provided that provisions VPC, Subnets and related resources with example tagging.
    • The example uses the following tags to identify the target VPC and Subnets. 
      "transfer/sftp/efs" = "1"
"Env"               = "DEV"
  • Create a ssh key-pair for each SFTP client authentication. Or obtain the public key from the SFTP client.
    • Copy the public key(s) in the users folder e.g. users/test.pub
  • Modify terraform.tfvars to match your requirements. Check the values for the following variables.
    • efs_id --> null, EFS will be created.
    • efs_ap_id --> null, EFA Access Point will be created.
    • efs_sg_tags --> null, EFS Security Group will be created.
    • efs_kms_alias --> "", EFS KMS CMK will be created, if required.
    • sftp_users --> list of users along with unique POSIX profile and ssh public key.
    • sftp_user_automation_subscribers --> list of email addresses.
    • sftp_daily_report_subscribers --> list of email addresses.

Execution

  • cd to examples/sftp/scenario3 folder.
  • Modify backend "S3" section in the provider.tf with correct values for region, bucket, dynamodb_table, and key.
    • Use provided values as guidance.
  • Modify terraform.tfvars to your requirements.
    • Use provided values as guidance.
  • Make sure you are using the correct AWS Profile that has permission to provision the target resources.
    • aws sts get-caller-identity
  • Execute terraform init to initialize Terraform.
  • Execute terraform plan and verify the changes.
  • Execute terraform apply and approve the changes to provision the resources.
  • The email subscribers must confirm the subscription to receive the status and the activity emails.

Use SFTP client of your choice to test the SFTP server.

Requirements

Name Version
terraform >= v1.1.9
aws >= 4.13.0

Providers

No providers.

Modules

Name Source Version
sftp ../../../modules/aws/transfer n/a

Resources

No resources.

Inputs

Name Description Type Default Required
env_name Environment name e.g. dev, prod string n/a yes
project Project name (prefix/suffix) to be used on all the resources identification string n/a yes
region The AWS Region e.g. us-east-1 for the environment string n/a yes
server_name DNS compliant name, unique, SFTP Server Name string n/a yes
sftp_users List of SFTP Users with POSIX profile and ssh key file 
list(object({
    name         = string # unique name
    uid          = string # e.g. 3001
    gid          = string # e.g. 4000
    ssh_key_file = string # e.g. ./users/test.pub
  }))
 n/a yes
subnet_tags Tags to discover target subnets in the VPC, these tags should identify one or more subnets map(string) n/a yes
tags Common and mandatory tags for the resources map(string) n/a yes
vpc_tags Tags to discover target VPC, these tags should uniquely identify a VPC map(string) n/a yes
create_common_logs Create the common CW log groups bool false no
efs_ap_id EFS File System Access Point Id, if not provided a new EFA Access Point will be created string null no
efs_id EFS File System Id, if not provided a new EFS will be created string null no
efs_kms_alias KMS Alias to discover KMS for EFS encryption, if not provided a new CMK will be created. If efs_id is provided for the encrypted EFS, this must also be provided. string "" no
efs_sg_tags Tags used to discover EFS Security Group, if not provided new EFS security group will be created. If efs_id is provided, this must also be provided. map(string) null no
lambda_role Lambda Execution Role, if not provided a new IAM role will be created string null no
logging_role SFTP Logging Role, if not provided a new IAM role will be created string null no
r53_zone_name Route 53 Zone Name. Optional, if provided, a DNS record will be created for the SFTP server string "" no
sftp_daily_report_subscribers List of email address to which daily activity reports will be sent list(string) [] no
sftp_encryptions Encryption specs for the SFTP server 
object({
    encrypt_logs     = bool   # default false
    logs_kms_alias   = string # new CMK will be created, if needed
    encrypt_lambda   = bool   # default false
    lambda_kms_alias = string # new CMK will be created, if needed
    encrypt_sns      = bool   # default false
    sns_kms_alias    = string # new CMK will be created, if needed
  })
 null no
sftp_user_automation_subscribers List of email address to user automation information will be sent list(string) [] no
user_role SFTP User Role, if not provided a new IAM role will be created string null no

Outputs

Name Description
daily_report_subscribers Daily Report Subscribers
sftp_efs_ap Elastic File System ids
sftp_iam_role IAM Roles used by SFTP
sftp_kms KMS Keys created by SFTP
sftp_security_group Security Group used by SFTP Server
sftp_server Route 53 FQDN for SFTP Server
sftp_users SFTP Users
user_automation_subscribers User Automation Event Subscribers