AWS Transfer Family Access
This page shows how to write Terraform and CloudFormation for AWS Transfer Family Access and write them securely.
aws_transfer_access (Terraform)
The Access in AWS Transfer Family can be configured in Terraform with the resource name aws_transfer_access
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
external_id
- (Required) The SID of a group in the directory connected to the Transfer Server (e.g.,S-1-1-12-1234567890-123456789-1234567890-1234
)server_id
- (Required) The Server ID of the Transfer Server (e.g.,s-12345678
)home_directory
- (Optional) The landing directory (folder) for a user when they log in to the server using their SFTP client. It should begin with a/
. The first item in the path is the name of the home bucket (accessible as${Transfer:HomeBucket}
in the policy) and the rest is the home directory (accessible as${Transfer:HomeDirectory}
in the policy). For example,/example-bucket-1234/username
would set the home bucket toexample-bucket-1234
and the home directory tousername
.home_directory_mappings
- (Optional) Logical directory mappings that specify what S3 paths and keys should be visible to your user and how you want to make them visible. See Home Directory Mappings below.home_directory_type
- (Optional) The type of landing directory (folder) you mapped for your users' home directory. Valid values arePATH
andLOGICAL
.policy
- (Optional) An IAM JSON policy document that scopes down user access to portions of their Amazon S3 bucket. IAM variables you can use inside this policy include${Transfer:UserName}
,${Transfer:HomeDirectory}
, and${Transfer:HomeBucket}
. Since the IAM variable syntax matches Terraform's interpolation syntax, they must be escaped inside Terraform configuration strings ($${Transfer:UserName}
). These are evaluated on-the-fly when navigating the bucket.posix_profile
- (Optional) Specifies the full POSIX identity, including user ID (Uid), group ID (Gid), and any secondary groups IDs (SecondaryGids), that controls your users' access to your Amazon EFS file systems. See Posix Profile below.role
- (Required) Amazon Resource Name (ARN) of an IAM role that allows the service to controls your user’s access to your Amazon S3 bucket.
Home Directory Mappings
entry
- (Required) Represents an entry and a target.target
- (Required) Represents the map target.
Posix Profile
gid
- (Required) The POSIX group ID used for all EFS operations by this user.uid
- (Required) The POSIX user ID used for all EFS operations by this user.secondary_gids
- (Optional) The secondary POSIX group IDs used for all EFS operations by this user.
In addition to all arguments above, the following attributes are exported:
id
- The ID of the resource
Explanation in Terraform Registry
Provides a AWS Transfer Access resource.
AWS::Transfer::User (CloudFormation)
The User in Transfer can be configured in CloudFormation with the resource name AWS::Transfer::User
. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::Transfer::User
Properties:
UserName: !Ref UserName
HomeDirectory: '/s3-iepro/amanda'
Role: !GetAtt SftpAccessRole.Arn
ServerId: !GetAtt SftpServer.ServerId
Type: AWS::Transfer::User
Properties:
ServerId: !Ref SFTPServerId
UserName: !Ref 'SFTPUserName'
HomeDirectory: !Ref 'HomeDirectory'
Policy: >
Type: AWS::Transfer::User
Properties:
Role: !GetAtt UserRole.Arn
ServerId: !GetAtt Server.ServerId
UserName: dummyuser
SshPublicKeys:
Type: AWS::Transfer::User
Properties:
HomeDirectory: /sftp-realblocks
Role: !Sub "arn:aws:iam::${AWS::AccountId}:role/Transfer-S3"
ServerId: !GetAtt SftpServer.ServerId
SshPublicKeys:
Type: AWS::Transfer::User
Properties:
UserName: !Ref UserName
HomeDirectory: !Ref HomeDirectory
Role: !Ref Role
ServerId: !Ref ServerId
"Type": "AWS::Transfer::User",
"Properties": {
"HomeDirectoryType": "LOGICAL",
"HomeDirectoryMappings": [
{
"Entry": "/",
"AWS::Transfer::User.HomeDirectoryMapEntry": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-user-homedirectorymapentry.html",
"Properties": {
"Entry": {
"Required": true,
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-user-homedirectorymapentry.html#cfn-transfer-user-homedirectorymapentry-entry",
"AWS::Transfer::User": {
"Type": "AWS::Transfer::User",
"Properties": {}
},
"AWS::EventSchemas::Schema": {
"Type": "AWS::EventSchemas::Schema",
"Type": "AWS::Transfer::User",
"Properties": {
"HomeDirectoryMappings": [
{
"Entry": {
"Ref": "SftepServerEntryFiles"
"Type": "AWS::Transfer::User",
"Properties": {
"HomeDirectory": {
"Fn::Sub": "/${SftpBucket}/${RemoteUserName}"
},
"Role": {
Parameters
-
Policy
optional - String -
Role
required - String -
HomeDirectory
optional - String -
HomeDirectoryType
optional - String -
ServerId
required - String -
UserName
required - String -
HomeDirectoryMappings
optional - List of HomeDirectoryMapEntry -
PosixProfile
optional - PosixProfile -
SshPublicKeys
optional - List of SshPublicKey -
Tags
optional - List of Tag
Explanation in CloudFormation Registry
The
AWS::Transfer::User
resource creates a user and associates them with an existing server. You can only create and associate users with servers that have theIdentityProviderType
set toSERVICE_MANAGED
. Using parameters forCreateUser
, you can specify the user name, set the home directory, store the user's public key, and assign the user's AWS Identity and Access Management (IAM) role. You can also optionally add a session policy, and assign metadata with tags that can be used to group and search for users.
Frequently asked questions
What is AWS Transfer Family Access?
AWS Transfer Family Access is a resource for Transfer Family of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Transfer Family Access?
For CloudFormation, the mandalvesq/iac, pavantocemca40/DevOps and agibalov/aws-experiment source code examples are useful. See the CloudFormation Example section for further details.