scenario1

Scenario1: Shared EFS and Shared EFS Access Point

This example assumes following resources are already provisioned:

• EFS file system exists and optionally encrypted using KMS.
• EFS access point exists.
• EFS mount points exist in the target VPC Subnets.
• EFS Security Group exists and attached to the EFS mount points.

Use examples/efs/scenario1 to setup this scenario, if needed.

Prerequisites

• Terraform backend provider and state locking providers are identified and bootstrapped.
  • A bootstrap module/example is provided that provisions Amazon S3 for Terraform state storage and Amazon DynamoDB for Terraform state locking.
• The target VPC along with the target Subnets exist and identified via Tags.
  • A vpc example is provided that provisions VPC, Subnets and related resources with example tagging.
  • The example uses the following tags to identify the target VPC and Subnets.

    "transfer/sftp/efs" = "1"
    "Env"               = "DEV"
    

• Create a ssh key-pair for each SFTP client authentication. Or obtain the public key from the SFTP client.
  • Copy the public key(s) in the users folder e.g. users/test.pub
• Modify terraform.tfvars to match your requirements. Check the values for the following variables.
  • r53_zone_name --> Route 53 Zone Name. Optional, if left blank (e.g. "" or null), a zone will be created.
  • efs_id --> File System ID of the EFS file system.
  • efs_ap_id --> Access Point ID of the EFS access point.
  • efs_sg_tags --> Tags to identify the EFS Security Group.
  • efs_kms_alias --> KMS key alias that is used to encrypt the EFS, if any.
  • sftp_users --> list of users along with unique POSIX profile and ssh public key.
  • sftp_user_automation_subscribers --> list of email addresses.
  • sftp_daily_report_subscribers --> list of email addresses.

Execution

• cd to examples/sftp/scenario1 folder.
• Modify backend "S3" section in the provider.tf with correct values for region, bucket, dynamodb_table, and key.
  • Use provided values as guidance.
• Modify terraform.tfvars to your requirements.
  • Use provided values as guidance.
• Make sure you are using the correct AWS Profile that has permission to provision the target resources.
  • aws sts get-caller-identity
• Execute terraform init to initialize Terraform.
• Execute terraform plan and verify the changes.
• Execute terraform apply and approve the changes to provision the resources.
• The email subscribers must confirm the subscription to receive the status and the activity emails.

Use SFTP client of your choice to test the SFTP server.

Requirements

Name	Version
terraform	>= v1.1.9
aws	>= 4.13.0

Providers

No providers.

Modules

Name	Source	Version
sftp	../../../modules/aws/transfer	n/a

Resources

No resources.

Inputs

Name	Description	Type	Default	Required
env_name	Environment name e.g. dev, prod	string	n/a	yes
project	Project name (prefix/suffix) to be used on all the resources identification	string	n/a	yes
region	The AWS Region e.g. us-east-1 for the environment	string	n/a	yes
server_name	DNS compliant name, unique, SFTP Server Name	string	n/a	yes
sftp_users	List of SFTP Users with POSIX profile and ssh key file	list(object({ name = string # unique name uid = string # e.g. 3001 gid = string # e.g. 4000 ssh_key_file = string # e.g. ./users/test.pub }))	n/a	yes
subnet_tags	Tags to discover target subnets in the VPC, these tags should identify one or more subnets	map(string)	n/a	yes
tags	Common and mandatory tags for the resources	map(string)	n/a	yes
vpc_tags	Tags to discover target VPC, these tags should uniquely identify a VPC	map(string)	n/a	yes
create_common_logs	Create the common CW log groups	bool	false	no
efs_ap_id	EFS File System Access Point Id, if not provided a new EFA Access Point will be created	string	null	no
efs_id	EFS File System Id, if not provided a new EFS will be created	string	null	no
efs_kms_alias	KMS Alias to discover KMS for EFS encryption, if not provided a new CMK will be created. If efs_id is provided for the encrypted EFS, this must also be provided.	string	""	no
efs_sg_tags	Tags used to discover EFS Security Group, if not provided new EFS security group will be created. If efs_id is provided, this must also be provided.	map(string)	null	no
lambda_role	Lambda Execution Role, if not provided a new IAM role will be created	string	null	no
logging_role	SFTP Logging Role, if not provided a new IAM role will be created	string	null	no
r53_zone_name	Route 53 Zone Name. Optional, if provided, a DNS record will be created for the SFTP server	string	""	no
sftp_daily_report_subscribers	List of email address to which daily activity reports will be sent	list(string)	[]	no
sftp_encryptions	Encryption specs for the SFTP server	object({ encrypt_logs = bool # default false logs_kms_alias = string # new CMK will be created, if needed encrypt_lambda = bool # default false lambda_kms_alias = string # new CMK will be created, if needed encrypt_sns = bool # default false sns_kms_alias = string # new CMK will be created, if needed })	null	no
sftp_user_automation_subscribers	List of email address to user automation information will be sent	list(string)	[]	no
user_role	SFTP User Role, if not provided a new IAM role will be created	string	null	no

Outputs

Name	Description
daily_report_subscribers	Daily Report Subscribers
sftp_efs_ap	Elastic File System ids
sftp_iam_role	IAM Roles used by SFTP
sftp_kms	KMS Keys created by SFTP
sftp_security_group	Security Group used by SFTP Server
sftp_server	Route 53 FQDN for SFTP Server
sftp_users	SFTP Users
user_automation_subscribers	User Automation Event Subscribers