Initial commit

.gitignore

@@ -0,0 +1,14 @@
+.terraform
+
+# use a backend!
+*.tfstate*
+
+sftp-idp.zip
+
+# not using lockfiles for the moment
+.terraform.lock.hcl
+
+.vscode/
+.idea/
+*/plan.out
+.DS_Store

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Bubo.AI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,72 @@
+# SFTP Server with custom domain on AWS
+
+This terraform module creates an SFTP server with a custom subdomain and multiple users. Each user has its own directory under the same bucket created upon deployment. You can deploy this module several times in the same account using different prefixes. Each deployment creates an S3 bucket to keep users data but different users can not see each others files.
+
+This module creates a public AWS Transfer Service configured to use a lambda as an identity provider to authenticate one or more users against stored credentials in the AWS Secrets.
+
+> After deploying this service, go to the secret manager and replace the secret key `Password` for each user with a bcrypt hash. Default value for password is `REPLACE_ME` (as plain text). To generate a bcrypt hash, use the command below and replace `PASSWORDHERE` with your own password.
+> ```python
+> python -c 'import bcrypt; print(bcrypt.hashpw("PASSWORDHERE".encode("utf-8"), bcrypt.gensalt()))'
+> ```
+
+## Requirements
+
+This module assumes you have a DNS Zone in AWS. An alias (CNAME) record will be created for every member of `subdomains` variable.
+
+> **This module is only available in \*nix environment where python3 is available.**
+>
+> In order to deploy the lambda script with `bcrypt` dependency, you need to have `python` available in the `PATH`. `bcrypt` and its dependencies will be installed via `python -m pip` command. This module install dependencies to match with lambda runtime which is Python 3.9. For more information, please refer to [python packager module](https://github.com/Bubo-AI/terraform-python-packager).
+
+
+## Usage
+
+    $ terraform init
+    $ terraform plan
+    $ terraform apply
+
+## Example User Configuration
+
+Once the service has been deployed, a sample user will be created in the secret manager with the following configuration:
+
+Secret Name: `prefix`-SFTP/user1
+
+
+| UserId | HomeDirectoryDetails | Role | Password | _AcceptedIpNetwork*_ |
+|--------|----------------------|------|----------|-------------------|
+| user1 | `[{\"Entry\": \"/\", \"Target\": \"/s3_bucket/user1\"}]` | arn:aws:iam::`ACCOUNT_ID`:role/`prefix`-transfer-user-iam-role-user1 | `BCRPYT_HASH` | `192.168.1.0/24` |
+
+**user1** is chroot'd to the **/s3_bucket/user1** directory in S3.
+
+\* **_AcceptedIpNetwork_** is an optional CIDR for the allowed client source IP address range. You can specify multiple CIDR by separating with comma, e.g.: `192.0.0.0/24, 224.0.0.0/16`. Please note that ignored bits in the CIDR should be zero. For instance, 192.168.1.1/24 is an invalid CIDR as 24th bith onwards should be zero. Therefore the correct version is `192.168.1.0/24`.
+
+
+## Example Usage
+
+```hcl
+module "sftp_server" {
+  source         = "github.com/Bubo-AI/terraform-aws-transfer-s3-route53?ref=v0.1.0"
+  usernames      = ["sftp_user_1", "sftp_user_2"]
+  prefix         = "acme"
+  subdomains     = ["sftp"]
+  r53_zone       = "acme.com"
+  logging_bucket = "acme-sftp-access-logs"
+}
+
+```
+
+Fully working example can be found in [`examples`](examples/).
+
+
+## Outputs
+
+| Name                 | Description                                          |
+|----------------------|------------------------------------------------------|
+| usernames            | List of usernames created                            |
+| roles                | The roles created for each user                      |
+| user_secrets         | The secret manager keys created for each user        |
+| bucket_id            | The bucket where AWS Transfer is connected to        |
+| bucket_kms_key       | KMS key used to encrypt S3 bucket                    |
+| secret_kms_key       | KMS key used to encrypt Secret Manager secretts      |
+| transfer_endpoint    | The endpoint of the AWS Transfer service             |
+| route53_endpoint     | Subdomains created as an alias to transfer_endpoint  |
+

bucket.tf

@@ -0,0 +1,77 @@
+data "aws_s3_bucket" "logging" {
+  bucket = var.logging_bucket
+}
+
+# enable logging to logging_bucket
+data "aws_iam_policy_document" "allow_logging_to_logging_bucket" {
+  statement {
+    sid = "S3PolicyLoggingAccessStmt"
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+    actions   = ["s3:PutObject"]
+    resources = ["${data.aws_s3_bucket.logging.arn}/*"]
+  }
+}
+
+# attach logging policy to logging_bucket
+resource "aws_s3_bucket_policy" "allow_logging_to_logging_bucket" {
+  bucket = data.aws_s3_bucket.logging.id
+  policy = data.aws_iam_policy_document.allow_logging_to_logging_bucket.json
+}
+
+# rotating KMS key for S3
+resource "aws_kms_key" "s3_key" {
+  description             = "This key is used to encrypt bucket objects"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+}
+
+# Data bucket for SFTP server, tfsec warnings supressed as aws provider > 4 has not been supported yet
+# tfsec:ignore:aws-s3-enable-bucket-logging
+# tfsec:ignore:aws-s3-enable-versioning
+# tfsec:ignore:aws-s3-enable-bucket-encryption
+# tfsec:ignore:aws-s3-encryption-customer-key
+# tfsec:ignore:aws-s3-enable-default-server-side-encryption
+resource "aws_s3_bucket" "sftp" {
+  bucket_prefix = "${local.prefix_kebab}sftpbucket"
+}
+
+resource "aws_s3_bucket_acl" "this" {
+  bucket = aws_s3_bucket.sftp.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_versioning" "this" {
+  bucket = aws_s3_bucket.sftp.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+  bucket = aws_s3_bucket.sftp.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.s3_key.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_logging" "this" {
+  bucket        = aws_s3_bucket.sftp.id
+  target_bucket = data.aws_s3_bucket.logging.id
+  target_prefix = var.prefix
+}
+
+# block all public access to data bucket
+resource "aws_s3_bucket_public_access_block" "sftp" {
+  bucket                  = aws_s3_bucket.sftp.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}

example/main.tf

@@ -0,0 +1,8 @@
+module "sftp_server" {
+  source         = "../"
+  usernames      = ["sftp_user_1", "sftp_user_2"]
+  prefix         = "acme"
+  subdomains     = ["sftp"]
+  r53_zone       = "acme.com"
+  logging_bucket = "acme-sftp-access-logs"
+}

example/output.tf

@@ -0,0 +1,32 @@
+output "usernames" {
+  value = module.sftp_server.usernames
+}
+
+output "roles" {
+  value = module.sftp_server.roles
+}
+
+output "user_secrets" {
+  value = module.sftp_server.user_secrets
+}
+
+output "bucket_id" {
+  value = module.sftp_server.bucket_id
+}
+
+output "bucket_kms_key" {
+  value = module.sftp_server.bucket_kms_key
+}
+
+output "secret_kms_key" {
+  value = module.sftp_server.secret_kms_key
+}
+
+output "transfer_endpoint" {
+  value = module.sftp_server.transfer_endpoint
+}
+
+output "route53_endpoint" {
+  value = module.sftp_server.route53_endpoint
+}
+

iam.tf

@@ -0,0 +1,80 @@
+resource "aws_iam_role" "transfer" {
+  for_each = toset(var.usernames)
+  name     = "${local.prefix_kebab}transfer-user-iam-role-${each.key}"
+
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "transfer.amazonaws.com"
+        },
+        "Action": "sts:AssumeRole"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "transfer" {
+  for_each = toset(var.usernames)
+
+  name = "${local.prefix_kebab}transfer-user-iam-policy-${each.key}"
+  role = aws_iam_role.transfer[each.key].id
+
+  policy = <<-POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Sid": "AllowListingOfUserFolder",
+          "Action": [
+              "s3:ListBucket",
+              "s3:GetBucketLocation"
+          ],
+          "Effect": "Allow",
+          "Resource": [
+              "${aws_s3_bucket.sftp.arn}"
+          ],
+          "Condition": {
+              "StringLike": {
+                  "s3:prefix": [
+                      "${each.key}/*",
+                      "${each.key}"
+                  ]
+              }
+          }
+      },
+      {
+          "Sid": "HomeDirObjectAccess",
+          "Effect": "Allow",
+          "Action": [
+              "s3:PutObject",
+              "s3:GetObject",
+              "s3:DeleteObjectVersion",
+              "s3:DeleteObject",
+              "s3:GetObjectVersion"
+          ],
+          "Resource": [
+              "${aws_s3_bucket.sftp.arn}/${each.key}",
+              "${aws_s3_bucket.sftp.arn}/${each.key}/*"
+          ]
+       },
+       {
+           "Sid": "EncryptionKeyAccess",
+            "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:GenerateDataKey",
+                "kms:DescribeKey",
+                "kms:ReEncrypt"
+            ],
+            "Effect": "Allow",
+            "Resource": "${aws_kms_key.s3_key.arn}"
+       }
+  ]
+}
+  POLICY
+}

locals.tf

@@ -0,0 +1,4 @@
+locals {
+  prefix_kebab = var.prefix == "" ? var.prefix : "${var.prefix}-" # for kebab case resource names
+  prefix_snake = var.prefix == "" ? var.prefix : "${var.prefix}_" # for snake case resource names
+}

output.tf

@@ -0,0 +1,38 @@
+output "usernames" {
+  value = var.usernames
+}
+
+output "roles" {
+  value = {
+    for k, v in aws_iam_role.transfer : k => v.name
+  }
+}
+
+output "user_secrets" {
+  value = {
+    for k, v in aws_secretsmanager_secret.user : k => v.name
+  }
+}
+
+output "bucket_id" {
+  value = aws_s3_bucket.sftp.id
+}
+
+output "bucket_kms_key" {
+  value = aws_kms_key.s3_key.arn
+}
+
+output "secret_kms_key" {
+  value = aws_kms_key.secret_key.arn
+}
+
+output "transfer_endpoint" {
+  value = aws_transfer_server.sftp.endpoint
+}
+
+output "route53_endpoint" {
+  value = [
+    for k, v in aws_route53_record.this : "${v.name}.${data.aws_route53_zone.this.name}"
+  ]
+}
+

route53.tf

@@ -0,0 +1,28 @@
+data "aws_route53_zone" "this" {
+  name         = var.r53_zone
+  private_zone = false
+}
+
+# if more than one subdomain names specified, create a new record set for each
+resource "aws_route53_record" "this" {
+  for_each = toset(var.subdomains)
+  type     = "CNAME"
+  name     = each.key
+  ttl      = 600
+  records  = [aws_transfer_server.sftp.endpoint]
+  zone_id  = data.aws_route53_zone.this.zone_id
+}
+
+# associate the first subdomain with the sftp server endpoint
+resource "null_resource" "associate_custom_hostname" {
+  provisioner "local-exec" {
+    command = <<EOF
+aws transfer tag-resource \
+  --arn '${aws_transfer_server.sftp.arn}' \
+  --tags \
+    'Key=aws:transfer:customHostname,Value=${var.subdomains[0]}.${data.aws_route53_zone.this.name}' \
+    'Key=aws:transfer:route53HostedZoneId,Value=/hostedzone/${data.aws_route53_zone.this.zone_id}'
+EOF
+  }
+  depends_on = [aws_transfer_server.sftp, data.aws_route53_zone.this, aws_route53_record.this]
+}