

platform: init aws-ftp-transfer-user tf module
kiwicom-source-id: fbed842b3bfbcf67f7150ee5c7681aea5677f1e2
Johnee authored and kiwicom-github-bot committed Aug 26, 2019
0 parents commit a2cd7e0
Showing 4 changed files with 142 additions and 0 deletions.
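--- a/iam.tf
+++ b/iam.tf
@@ -0,0 +1,83 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# CREATE IAM POLICY RULES FOR SFTP BUCKET
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+s3_actions = {
+"rw" = [
+"s3:PutObject",
+"s3:GetObject",
+"s3:GetObjectVersion",
+]
+"ro" = [
+"s3:GetObject",
+"s3:GetObjectVersion",
+]
+}
+}
+
+data "aws_iam_policy_document" "transfer_server_assume_role" {
+statement {
+effect = "Allow"
+actions = ["sts:AssumeRole"]
+
+principals {
+type = "Service"
+identifiers = ["transfer.amazonaws.com"]
+}
+}
+}
+
+data "aws_iam_policy_document" "transfer_server_assume_policy" {
+statement {
+effect = "Allow"
+
+actions = [
+"s3:ListBucket",
+]
+
+resources = [
+data.aws_s3_bucket.bucket.arn,
+]
+
+condition {
+test = "StringLike"
+variable = "s3:prefix"
+
+values = [
+var.s3_bucket_folder == "" ? "*" : "${var.s3_bucket_folder}/*",
+]
+}
+}
+
+statement {
+effect = "Allow"
+
+actions = local.s3_actions[var.access_type]
+
+resources = [
+var.s3_bucket_folder == "" ? "${data.aws_s3_bucket.bucket.arn}/*" : "${data.aws_s3_bucket.bucket.arn}/${var.s3_bucket_folder}/*",
+var.s3_bucket_folder == "" ? data.aws_s3_bucket.bucket.arn : "${data.aws_s3_bucket.bucket.arn}/${var.s3_bucket_folder}",
+]
+}
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CREATE IAM POLICY AND ROLE FROM DEFINED RULES
+# ---------------------------------------------------------------------------------------------------------------------
+
+# resource "random_string" "iam_id" {
+# length = 8
+# special = false
+# }
+
+resource "aws_iam_role" "transfer_server_assume_role" {
+name = "transfer-${var.transfer_server_id}-${var.username}"
+assume_role_policy = data.aws_iam_policy_document.transfer_server_assume_role.json
+}
+
+resource "aws_iam_role_policy" "transfer_server_policy" {
+name = "transfer-${var.transfer_server_id}-${var.username}"
+role = aws_iam_role.transfer_server_assume_role.name
+policy = data.aws_iam_policy_document.transfer_server_assume_policy.json
+}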
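Review bot: The trust policy in `transfer_server_assume_role` lets a Transfer server in any AWS account assume this role, because the `transfer.amazonaws.com` service principal carries no `aws:SourceAccount` or `aws:SourceArn` condition; that is the cross-service confused-deputy case AWS documents for Transfer Family user roles, and the per-user S3 policy below does not mitigate it since the whole role is what gets assumed. Scoping the trust to this account needs a `data "aws_caller_identity" "current" {}` in the module plus a condition block in the statement, shown below; an `ArnLike` on `aws:SourceArn` built from `var.transfer_server_id` would be tighter still if region and account are available to the module. The `rw` action set grants `s3:PutObject` but not `s3:DeleteObject`, which is presumably deliberate (append-only drop box) and worth a one-line comment above `"rw"` so nobody "fixes" it later. The role name `transfer-${var.transfer_server_id}-${var.username}` is also unchecked against IAM's 64-character limit and `[\w+=,.@-]` character set, so a long or unusual `username` only fails at apply time.
```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "transfer_server_assume_role" {
  statement {
    # … unchanged: effect, actions, principals …

    # Only Transfer servers owned by this account may assume the role (confused-deputy guard).
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```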
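--- a/main.tf
+++ b/main.tf
@@ -0,0 +1,25 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# GET EXISTING S3 BUCKET
+# ---------------------------------------------------------------------------------------------------------------------
+
+data "aws_s3_bucket" "bucket" {
+bucket = var.s3_bucket_name
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CREATE AN USER WITH A SSH KEY FOR THE SHARED TRANSFER SERVER
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_transfer_user" "transfer_user" {
+server_id = var.transfer_server_id
+role = aws_iam_role.transfer_server_assume_role.arn
+home_directory = "/${data.aws_s3_bucket.bucket.id}/${var.s3_bucket_folder}"
+user_name = var.username
+}
+
+resource "aws_transfer_ssh_key" "transfer_ssh_key" {
+count = length(var.ssh_public_keys)
+server_id = var.transfer_server_id
+user_name = aws_transfer_user.transfer_user.user_name
+body = var.ssh_public_keys[count.index]
+}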
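Review bot: `home_directory` in `transfer_user` is built unconditionally as `/${bucket}/${var.s3_bucket_folder}`, so with the default empty `s3_bucket_folder` it becomes `/<bucket>/` with a trailing slash, whereas iam.tf switches on the same empty value precisely to avoid a dangling separator; the two files should agree. The same conditional form fits here: `home_directory = var.s3_bucket_folder == "" ? "/${data.aws_s3_bucket.bucket.id}" : "/${data.aws_s3_bucket.bucket.id}/${var.s3_bucket_folder}"`. Whether Transfer tolerates the trailing slash is not visible from the module, so treat this as a consistency fix unless it has been exercised. Separately, `transfer_ssh_key` is indexed with `count`, so removing one key from the middle of `ssh_public_keys` re-indexes the rest and forces a delete/recreate of keys that did not change; `for_each = toset(var.ssh_public_keys)` (resource `for_each` needs Terraform ≥ 0.12.6, so versions.tf would have to tighten its `>= 0.12`) keeps each key's identity stable and avoids a window where a still-valid key is briefly absent.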
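--- a/variables.tf
+++ b/variables.tf
@@ -0,0 +1,30 @@
+variable "username" {
+type = string
+description = "Name of the user that will be created in shared sftp."
+}
+
+variable "ssh_public_keys" {
+type = list(string)
+description = "List of raw SSH public keys."
+}
+
+variable "transfer_server_id" {
+type = string
+description = "ID of the transfer server to use."
+}
+
+variable "s3_bucket_name" {
+type = string
+description = "Name of the AWS S3 Bucket where sftp user should have access to."
+}
+
+variable "s3_bucket_folder" {
+type = string
+default = ""
+description = "If provided, user will have access only to given folder instead of entire bucket."
+}
+
+variable "access_type" {
+type = string
+description = "Which permissions user should have on sftp"
+}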
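Review bot: `access_type` is consumed as a map key (`local.s3_actions[var.access_type]` in iam.tf) but its description names no valid values, so a caller has to read iam.tf to learn that only `ro` and `rw` exist and that neither grants `s3:DeleteObject`. Suggested: `description = "Permissions the user gets on the bucket: \"ro\" (GetObject/GetObjectVersion) or \"rw\" (adds PutObject; no delete)."`. `s3_bucket_folder` is interpolated as `${var.s3_bucket_folder}/*` and `/${var.s3_bucket_folder}` elsewhere in the module, so its description should state that the value is a key prefix with no leading or trailing slash, otherwise a value like `in/` silently produces `in//*` in the policy. Terraform 0.12 has no `validation` block, so these descriptions are the only guard a caller gets before the plan fails on a missing map key.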
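--- a/versions.tf
+++ b/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+required_version = ">= 0.12"
+}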
