Updating endpoint type and terraform fmt

README.md

@@ -23,13 +23,20 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | account\_name | The account or environment name | `string` | n/a | yes |
+| address\_allocation\_ids | List of Elastic IPs Allocation IDs to attach to VPC Endpoint. | `list(string)` | n/a | yes |
+| aws\_account\_id | AWS Account ID | `string` | n/a | yes |
+| aws\_role | IAM Role | `string` | n/a | yes |
 | domain\_host | The name of the Route 53 record | `string` | n/a | yes |
 | domain\_zone | Hosted Zone name of the desired Hosted Zone | `string` | n/a | yes |
+| endpoint\_type | PUBLIC or VPC | `string` | `"PUBLIC"` | no |
+| ip\_allowlist | List of IPs to allow on WAF and IAM Policies | `any` | n/a | yes |
+| public\_subnet\_ids | List of public subnet IDs for VPC Endpoint. | `list(any)` | `[]` | no |
 | s3\_bucket\_name | The bucket name | `string` | n/a | yes |
 | s3\_bucket\_versioning | Enable bucket versioning | `bool` | n/a | yes |
 | security\_policy\_name | Specifies the name of the security policy that is attached to the server. Possible values are TransferSecurityPolicy-2018-11, TransferSecurityPolicy-2020-06, and TransferSecurityPolicy-FIPS-2020-06. Default value is: TransferSecurityPolicy-2018-11. | `string` | `"TransferSecurityPolicy-2018-11"` | no |
 | server\_name | Specifies the name of the SFTP server | `string` | n/a | yes |
-| sftp\_users | List of SFTP usernames | `list` | `[]` | no |
+| sftp\_users | List of SFTP usernames | `list(any)` | `[]` | no |
+| vpc\_id | VPC ID to deploy the SFTP cluster. | `any` | n/a | yes |
 
 ## Outputs
 

_data.tf

@@ -1,3 +1,7 @@
 data "aws_s3_bucket" "landing" {
   bucket = aws_s3_bucket.sftp.id
-}
+}
+
+
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}

_variables.tf

@@ -1,40 +1,75 @@
 variable "s3_bucket_name" {
-  type = string
-  description = "The bucket name"  
+  type        = string
+  description = "The bucket name"
 }
 
 variable "s3_bucket_versioning" {
-  type = bool
+  type        = bool
   description = "Enable bucket versioning"
 }
 
 variable "server_name" {
-  type = string
+  type        = string
   description = "Specifies the name of the SFTP server"
 }
 
+variable "vpc_id" {
+  description = "VPC ID to deploy the SFTP cluster."
+}
+
 variable "security_policy_name" {
   type        = string
   description = "Specifies the name of the security policy that is attached to the server. Possible values are TransferSecurityPolicy-2018-11, TransferSecurityPolicy-2020-06, and TransferSecurityPolicy-FIPS-2020-06. Default value is: TransferSecurityPolicy-2018-11."
   default     = "TransferSecurityPolicy-2018-11"
 }
 
 variable "sftp_users" {
-  type = list
+  type        = list(any)
   default     = []
   description = "List of SFTP usernames"
 }
+
+variable "address_allocation_ids" {
+  type        = list(string)
+  description = "List of Elastic IPs Allocation IDs to attach to VPC Endpoint."
+}
+
+variable "ip_allowlist" {
+  #type        = list(string)
+  description = "List of IPs to allow on WAF and IAM Policies"
+}
+
+variable "endpoint_type" {
+  default     = "PUBLIC"
+  description = "PUBLIC or VPC"
+}
+
+variable "aws_account_id" {
+  type        = string
+  description = "AWS Account ID"
+}
+
+variable "aws_role" {
+  type        = string
+  description = "IAM Role"
+}
+
+variable "public_subnet_ids" {
+  type        = list(any)
+  default     = []
+  description = "List of public subnet IDs for VPC Endpoint."
+}
 variable "domain_zone" {
   type        = string
   description = "Hosted Zone name of the desired Hosted Zone"
 }
 
 variable "domain_host" {
-  type = string
+  type        = string
   description = "The name of the Route 53 record"
 }
 
 variable "account_name" {
-  type = string
+  type        = string
   description = "The account or environment name"
 }

iam.tf

@@ -1,5 +1,5 @@
 resource "aws_iam_policy" "logging" {
-  name   =  "transfer-family-logging-${var.server_name}"
+  name   = "transfer-family-logging-${var.server_name}"
   policy = join("", data.aws_iam_policy_document.logging[*].json)
 }
 
@@ -21,7 +21,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
 }
 
 data "aws_iam_policy_document" "s3_access_for_sftp_users" {
-  for_each  = { for user in var.sftp_users : user.username => user }
+  for_each = { for user in var.sftp_users : user.username => user }
 
   statement {
     sid    = "AllowListingOfUserFolder"
@@ -73,9 +73,9 @@ data "aws_iam_policy_document" "logging" {
 }
 
 resource "aws_iam_policy" "s3_access_for_sftp_users" {
-  for_each  = { for user in var.sftp_users : user.username => user }
-  name      = "${each.value.username}-s3-access-for-sftp"
-  policy    = data.aws_iam_policy_document.s3_access_for_sftp_users[each.value.username].json
+  for_each = { for user in var.sftp_users : user.username => user }
+  name     = "${each.value.username}-s3-access-for-sftp"
+  policy   = data.aws_iam_policy_document.s3_access_for_sftp_users[each.value.username].json
 }
 
 resource "aws_iam_role" "s3_access_for_sftp_users" {

route53.tf

@@ -1,5 +1,5 @@
 data "aws_route53_zone" "selected" {
-  name  = var.domain_zone
+  name = var.domain_zone
 }
 
 resource "aws_route53_record" "transfer-family" {

s3.tf

@@ -1,7 +1,7 @@
 resource "aws_s3_bucket" "sftp" {
-  bucket_prefix   = var.s3_bucket_name
+  bucket_prefix = var.s3_bucket_name
   versioning {
-    enabled       = try(var.s3_bucket_versioning, true)
+    enabled = try(var.s3_bucket_versioning, true)
   }
   server_side_encryption_configuration {
     rule {

transfer-family.tf

@@ -1,11 +1,21 @@
 resource "aws_transfer_server" "default" {
   identity_provider_type    = "SERVICE_MANAGED"
   protocols                 = ["SFTP"]
-  endpoint_type             = "PUBLIC"
+  endpoint_type             = var.endpoint_type
   force_destroy             = true
   security_policy_name      = var.security_policy_name
   logging_role              = join("", aws_iam_role.logging[*].arn)
 
+  dynamic "endpoint_details" {
+  for_each = var.endpoint_type == "VPC" ? [1] : []
+  content {
+    address_allocation_ids = var.address_allocation_ids
+    subnet_ids             = var.public_subnet_ids
+    vpc_id                 = var.vpc_id
+    security_group_ids = [aws_security_group.sftp_sg[0].id]
+  }
+  }
+
   tags = {
     Name = var.server_name
   }
@@ -40,4 +50,37 @@ resource "aws_transfer_ssh_key" "default" {
   depends_on = [
     aws_transfer_user.default
   ]
-}
+}
+
+resource "aws_security_group" "sftp_sg" {
+  count       = var.endpoint_type == "VPC" ? 1 : 0
+  name        = "sftp-${var.server_name}-sg"
+  description = "SG for SFTP Server"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "ftp-${var.server_name}-sg"
+  }
+}
+
+resource "aws_security_group_rule" "ip_allowlist" {
+  count       = var.endpoint_type == "VPC" ? 1 : 0
+  description       = "IP Allow List"
+  type              = "ingress"
+  protocol          = "TCP"
+  to_port           = 22
+  from_port         = 22
+  cidr_blocks       = split(",", var.ip_allowlist)
+  security_group_id = aws_security_group.sftp_sg[0].id
+}
+
+resource "aws_security_group_rule" "egress" {
+  count       = var.endpoint_type == "VPC" ? 1 : 0
+  description       = "Traffic to internet"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.sftp_sg[0].id
+  cidr_blocks       = ["0.0.0.0/0"]
+}