Merge pull request #20 from clouddrove/feature/sftp

Feature/sftp : Update the sftp module for the sftp server with vpc endpoint and custom domain

.github/workflows/terraform.yml

@@ -0,0 +1,86 @@
+name: static-checks
+
+on:
+  pull_request:
+
+jobs:
+  versionExtract:
+    name: Get min/max versions
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Terraform min/max versions
+        id: minMax
+        uses: clowdhaus/terraform-min-max@main
+    outputs:
+      minVersion: ${{ steps.minMax.outputs.minVersion }}
+      maxVersion: ${{ steps.minMax.outputs.maxVersion }}
+
+
+  versionEvaluate:
+    name: Evaluate Terraform versions
+    runs-on: ubuntu-latest
+    needs: versionExtract
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+          - ${{ needs.versionExtract.outputs.minVersion }}
+          - ${{ needs.versionExtract.outputs.maxVersion }}
+        directory:
+          - _example/public/
+          - _example/vpc/
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Terraform v${{ matrix.version }}
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: ${{ matrix.version }}
+
+      - name: 'Configure AWS Credentials'
+        uses: clouddrove/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY }}
+          aws-secret-access-key: ${{ secrets.TEST_AWS_ACCESS_SECRET_KEY }}
+          aws-region: us-east-2
+
+      - name: Init & validate v${{ matrix.version }}
+        run: |
+          cd ${{ matrix.directory }}
+          terraform init
+          terraform validate
+          terraform plan -input=false -no-color
+
+      - name: tflint
+        uses: reviewdog/action-tflint@master
+        with:
+          tflint_version: v0.29.0
+          github_token: ${{ secrets.GITHUB }}
+          working_directory: ${{ matrix.directory }}
+          fail_on_error: 'true'
+          filter_mode: 'nofilter'
+          flags: '--module'
+
+  format:
+    name: Check code format
+    runs-on: ubuntu-latest
+    needs: versionExtract
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Install Terraform v${{ needs.versionExtract.outputs.maxVersion }}
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: ${{ needs.versionExtract.outputs.maxVersion }}
+
+      - name: Check Terraform format changes
+        run: terraform fmt --recursive
+

.github/workflows/tf-checks.yml

@@ -8,4 +8,4 @@ jobs:
   example:
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
-      working_directory: './_example/'
+      working_directory: './_example/public'

_example/public/example.tf

@@ -0,0 +1,41 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+################################################################################
+# AWS S3
+################################################################################
+
+module "s3_bucket" {
+  source  = "clouddrove/s3/aws"
+  version = "1.3.0"
+
+  name        = "clouddrove-sftp-bucket01"
+  environment = "test"
+  label_order = ["environment", "name"]
+
+  versioning    = true
+  logging       = true
+  acl           = "private"
+  force_destroy = true
+}
+
+################################################################################
+# AWS SFTP
+################################################################################
+
+module "sftp" {
+  source         = "../.."
+  name           = "sftp"
+  environment    = "test"
+  label_order    = ["environment", "name"]
+  enable_sftp    = true
+  s3_bucket_name = module.s3_bucket.id
+  endpoint_type  = "PUBLIC"
+  workflow_details = {
+    on_upload = {
+      execution_role = "arn:aws:iam::1234567890:role/test-sftp-transfer-role"
+      workflow_id    = "w-12345XXXX6da"
+    }
+  }
+}

_example/public/outputs.tf

@@ -0,0 +1,4 @@
+output "id" {
+  description = "ID of the created example"
+  value       = module.sftp.id
+}

_example/public/variables.tf

@@ -0,0 +1,14 @@
+variable "sftp_users" {
+  type = list(object({
+    username = string
+    password = string
+    home_dir = string
+  }))
+  default = []
+}
+
+variable "eip_enabled" {
+  type        = bool
+  description = "Whether to provision and attach an Elastic IP to be used as the SFTP endpoint. An EIP will be provisioned per subnet."
+  default     = false
+}

_example/vpc/example.tf

@@ -0,0 +1,134 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+################################################################################
+# VPC
+################################################################################
+
+module "vpc" {
+  source                              = "clouddrove/vpc/aws"
+  version                             = "2.0.0"
+  name                                = "vpc"
+  environment                         = "test"
+  cidr_block                          = "10.0.0.0/16"
+  enable_flow_log                     = true # Flow logs will be stored in cloudwatch log group. Variables passed in default.
+  create_flow_log_cloudwatch_iam_role = true
+  additional_cidr_block               = ["172.3.0.0/16", "172.2.0.0/16"]
+  dhcp_options_domain_name            = "service.consul"
+  dhcp_options_domain_name_servers    = ["127.0.0.1", "10.10.0.2"]
+}
+
+################################################################################
+# Subnets
+################################################################################
+
+module "subnets" {
+  source  = "clouddrove/subnet/aws"
+  version = "1.0.1"
+
+  name        = "subnets"
+  environment = "test"
+  label_order = ["environment", "name"]
+  # tags        = local.tags
+  enabled = true
+
+  nat_gateway_enabled = true
+  single_nat_gateway  = true
+  availability_zones  = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  vpc_id              = module.vpc.vpc_id
+  cidr_block          = module.vpc.vpc_cidr_block
+  ipv6_cidr_block     = module.vpc.ipv6_cidr_block
+  type                = "public-private"
+}
+
+################################################################################
+# AWS SFTP SECURITY GROUP
+################################################################################
+
+module "security_group_sftp" {
+  source      = "clouddrove/security-group/aws"
+  version     = "2.0.0"
+  name        = "sftp-sg"
+  environment = "test"
+  label_order = ["environment", "name"]
+  vpc_id      = module.vpc.vpc_id
+  ## INGRESS Rules
+  new_sg_ingress_rules_with_cidr_blocks = [{
+    rule_count  = 1
+    from_port   = 22
+    protocol    = "tcp"
+    to_port     = 22
+    cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+    description = "Allow ssh traffic."
+    },
+    {
+      rule_count  = 2
+      from_port   = 27017
+      protocol    = "tcp"
+      to_port     = 27017
+      cidr_blocks = ["172.16.0.0/16"]
+      description = "Allow SFTP traffic."
+    }
+  ]
+
+  ## EGRESS Rules
+  new_sg_egress_rules_with_cidr_blocks = [{
+    rule_count  = 1
+    from_port   = 22
+    protocol    = "tcp"
+    to_port     = 22
+    cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+    description = "Allow ssh outbound traffic."
+    },
+    {
+      rule_count  = 2
+      from_port   = 27017
+      protocol    = "tcp"
+      to_port     = 27017
+      cidr_blocks = ["172.16.0.0/16"]
+      description = "Allow SFTP outbound traffic."
+  }]
+}
+
+################################################################################
+# AWS S3
+################################################################################
+
+module "s3_bucket" {
+  source  = "clouddrove/s3/aws"
+  version = "1.3.0"
+
+  name        = "clouddrove-sftp-bucket"
+  environment = "test"
+  label_order = ["environment", "name"]
+
+  versioning    = true
+  logging       = true
+  acl           = "private"
+  force_destroy = true
+}
+
+################################################################################
+# AWS SFTP
+################################################################################
+
+module "sftp" {
+  source                 = "../.."
+  name                   = "sftp"
+  environment            = "test"
+  label_order            = ["environment", "name"]
+  eip_enabled            = false
+  s3_bucket_name         = module.s3_bucket.id
+  sftp_users             = var.sftp_users
+  subnet_ids             = module.subnets.private_subnet_id
+  vpc_id                 = module.vpc.vpc_id
+  restricted_home        = true
+  vpc_security_group_ids = [module.security_group_sftp.security_group_id]
+  workflow_details = {
+    on_upload = {
+      execution_role = "arn:aws:iam::1234567890:role/test-sftp-transfer-role"
+      workflow_id    = "w-12345XXXX6da"
+    }
+  }
+}

_example/vpc/outputs.tf

@@ -0,0 +1,4 @@
+output "id" {
+  description = "ID of the created example"
+  value       = module.sftp.id
+}

_example/vpc/variables.tf

@@ -0,0 +1,31 @@
+variable "sftp_users" {
+  type = list(object({
+    username = string
+    password = string
+    home_dir = string
+  }))
+  default = []
+}
+
+variable "eip_enabled" {
+  type        = bool
+  description = "Whether to provision and attach an Elastic IP to be used as the SFTP endpoint. An EIP will be provisioned per subnet."
+  default     = false
+}
+
+
+variable "workflow_details" {
+  type = object({
+    on_upload = object({
+      execution_role = string
+      workflow_id    = string
+    })
+  })
+  description = "Workflow details for triggering the execution on file upload."
+  default = {
+    on_upload = {
+      execution_role = null
+      workflow_id    = null
+    }
+  }
+}

_example/vpc/versions.tf

@@ -0,0 +1,11 @@
+# Terraform version
+terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.9.0"
+    }
+  }
+}