From a2cd7e0fd0a18cc644bc40f8ae02350b72c58273 Mon Sep 17 00:00:00 2001 From: Jan Gorjanc Date: Mon, 26 Aug 2019 08:38:57 +0200 Subject: [PATCH] platform: init aws-ftp-transfer-user tf module kiwicom-source-id: fbed842b3bfbcf67f7150ee5c7681aea5677f1e2 --- iam.tf | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++ main.tf | 25 ++++++++++++++++ variables.tf | 30 +++++++++++++++++++ versions.tf | 4 +++ 4 files changed, 142 insertions(+) create mode 100644 iam.tf create mode 100644 main.tf create mode 100644 variables.tf create mode 100644 versions.tf
diff --git a/iam.tf b/iam.tf
new file mode 100644
index 0000000..c10da2b
--- /dev/null
+++ b/iam.tf
@@ -0,0 +1,83 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# CREATE IAM POLICY RULES FOR SFTP BUCKET
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+ s3_actions = {
+ "rw" = [
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ ]
+ "ro" = [
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "transfer_server_assume_role" {
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["transfer.amazonaws.com"]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "transfer_server_assume_policy" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "s3:ListBucket",
+ ]
+
+ resources = [
+ data.aws_s3_bucket.bucket.arn,
+ ]
+
+ condition {
+ test = "StringLike"
+ variable = "s3:prefix"
+
+ values = [
+ var.s3_bucket_folder == "" ? "*" : "${var.s3_bucket_folder}/*",
+ ]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+
+ actions = local.s3_actions[var.access_type]
+
+ resources = [
+ var.s3_bucket_folder == "" ? "${data.aws_s3_bucket.bucket.arn}/*" : "${data.aws_s3_bucket.bucket.arn}/${var.s3_bucket_folder}/*",
+ var.s3_bucket_folder == "" ? 
data.aws_s3_bucket.bucket.arn : "${data.aws_s3_bucket.bucket.arn}/${var.s3_bucket_folder}",
+ ]
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CREATE IAM POLICY AND ROLE FROM DEFINED RULES
+# ---------------------------------------------------------------------------------------------------------------------
+
+# resource "random_string" "iam_id" {
+# length = 8
+# special = false
+# }
+
+resource "aws_iam_role" "transfer_server_assume_role" {
+ name = "transfer-${var.transfer_server_id}-${var.username}"
+ assume_role_policy = data.aws_iam_policy_document.transfer_server_assume_role.json
+}
+
+resource "aws_iam_role_policy" "transfer_server_policy" {
+ name = "transfer-${var.transfer_server_id}-${var.username}"
+ role = aws_iam_role.transfer_server_assume_role.name
+ policy = data.aws_iam_policy_document.transfer_server_assume_policy.json
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..8667de3
--- /dev/null
+++ b/main.tf
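Review bot: The trust policy in `transfer_server_assume_role` lets `transfer.amazonaws.com` assume this role on behalf of any Transfer server in any AWS account, because nothing binds the role to the account or server that owns it; that is the cross-service confused-deputy exposure AWS documents for service-principal trust policies. Add a `StringEquals` condition on `aws:SourceAccount` (and `aws:SourceArn` where the service supplies it) so only Transfer servers in this account can assume the role; the account id can come from an `aws_caller_identity` data source added in main.tf. Separately, the `rw` list in `locals.s3_actions` omits `s3:DeleteObject`, so a "rw" user cannot delete or rename files over SFTP; if that is deliberate, record it on the local with `# "rw" intentionally omits s3:DeleteObject: users may upload/overwrite but not delete or rename`. The role and policy names splice `var.username` in unmodified, and neither IAM's 64-character name limit nor its name charset is checked anywhere on this page, so an unusual username fails only at apply time.
```hcl
data "aws_iam_policy_document" "transfer_server_assume_role" {
  statement {
    # … unchanged: effect, actions, principals …

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id] # requires a data "aws_caller_identity" "current" {} block
    }
  }
}
```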
@@ -0,0 +1,25 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# GET EXISTING S3 BUCKET
+# ---------------------------------------------------------------------------------------------------------------------
+
+data "aws_s3_bucket" "bucket" {
+ bucket = var.s3_bucket_name
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CREATE AN USER WITH A SSH KEY FOR THE SHARED TRANSFER SERVER
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_transfer_user" "transfer_user" {
+ server_id = var.transfer_server_id
+ role = aws_iam_role.transfer_server_assume_role.arn
+ home_directory = "/${data.aws_s3_bucket.bucket.id}/${var.s3_bucket_folder}"
+ user_name = var.username
+}
+
+resource "aws_transfer_ssh_key" "transfer_ssh_key" {
+ count = length(var.ssh_public_keys)
+ server_id = var.transfer_server_id
+ user_name = aws_transfer_user.transfer_user.user_name
+ body = var.ssh_public_keys[count.index]
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..7839215
--- /dev/null
+++ b/variables.tf
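Review bot: `home_directory` on `aws_transfer_user.transfer_user` unconditionally appends `/${var.s3_bucket_folder}`, so with the variable's default of `""` the value ends in a trailing slash (`/<bucket>/`, constructed example) while iam.tf builds its ARNs with an explicit empty-folder branch; mirror that here: `home_directory = var.s3_bucket_folder == "" ? "/${data.aws_s3_bucket.bucket.id}" : "/${data.aws_s3_bucket.bucket.id}/${var.s3_bucket_folder}"`. It is also worth a comment on the resource that `home_directory` is only the session's starting path and not an access boundary — the role policy in iam.tf is what confines the user to the bucket or prefix — so a future maintainer does not loosen the policy and rely on the path instead. `aws_transfer_ssh_key` is indexed by `count`, so removing a key from the middle of `ssh_public_keys` re-creates every key after it; `for_each = toset(var.ssh_public_keys)` with `body = each.value` avoids that churn, but resource `for_each` needs Terraform 0.12.6 or later, which versions.tf's `>= 0.12` does not guarantee.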
@@ -0,0 +1,30 @@
+variable "username" {
+ type = string
+ description = "Name of the user that will be created in shared sftp."
+}
+
+variable "ssh_public_keys" {
+ type = list(string)
+ description = "List of raw SSH public keys."
+}
+
+variable "transfer_server_id" {
+ type = string
+ description = "ID of the transfer server to use."
+}
+
+variable "s3_bucket_name" {
+ type = string
+ description = "Name of the AWS S3 Bucket where sftp user should have access to."
+}
+
+variable "s3_bucket_folder" {
+ type = string
+ default = ""
+ description = "If provided, user will have access only to given folder instead of entire bucket."
+}
+
+variable "access_type" {
+ type = string
+ description = "Which permissions user should have on sftp"
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
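Review bot: `access_type` is described only as "Which permissions user should have on sftp", yet iam.tf indexes `local.s3_actions[var.access_type]` with it, so any value other than `rw` or `ro` fails at plan time with an unhelpful key-lookup error; with `required_version = ">= 0.12"` there is no variable `validation` block (that is 0.13+), so the description is the only guard and should name the accepted values: `description = "Permissions the user gets on the bucket: \"rw\" (put/get) or \"ro\" (get only)."`. `s3_bucket_folder` is spliced into both the policy ARNs and `home_directory` without normalisation, so its description should state the expected shape, e.g. `description = "Optional folder inside the bucket, without leading or trailing slash; when set the user is confined to that prefix."`. Minor: the `s3_bucket_name` description reads "where sftp user should have access to" — drop either "where" or "to".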