This repository contains Terraform code which creates resources required to run a Transfer Family Server within AWS.
This module creates and configures AWS Transfer Family resources with the following features:
- Transfer Server: SFTP server setup with protocol and security policies
- Transfer Connectors: Automated file transfer to/from external SFTP servers
- Transfer Users: User management with S3 bucket permissions and KMS access
- Custom hostname support through AWS Route53 or other DNS providers (Optional)
- CloudWatch logging configuration with a customizable retention
module "transfer_sftp" {
source = "aws-ia/transfer-family/aws//modules/transfer-server"
identity_provider = "SERVICE_MANAGED"
protocols = ["SFTP"]
domain = "S3"
tags = {
Environment = "Dev"
Project = "File Transfer"
}
}
Figure 1: High-level architecture of AWS Transfer Family deployment using this Terraform module
Figure 2: Architecture using VPC endpoints of the AWS Transfer Family deployment using this Terraform module
- Automated file transfer to/from external SFTP servers
- Support for scheduled file retrieval using EventBridge Scheduler
- Secure credential management via AWS Secrets Manager
- SSH host key validation and auto-discovery
- Static IP addresses for outbound connections
- Integration with S3 for file storage and KMS for encryption
- Deploy SFTP server endpoints with public endpoint type
- Server name customization (default: "transfer-server")
- S3 domain support
- SFTP protocol support
- Service-managed identity provider
- Support for custom hostnames and DNS configurations
- Integration with CloudWatch for logging and monitoring
This module supports custom DNS configurations for your Transfer Family server using Route 53 or other DNS providers.
dns_provider = "route53"
custom_hostname = "sftp.example.com"
route53_hosted_zone_name = "example.com."For Other DNS Providers:
dns_provider = "other"
custom_hostname = "sftp.example.com"Route 53 configurations are complete when selected
Custom hostname is provided when a DNS provider is specified
- Optional CloudWatch logging
- Configurable log retention period (default: 30 days)
- Automated IAM role and policy configuration for logging
- AWS managed logging policy attachment
Supports multiple AWS Transfer security policies including:
- Standard policies (2018-11 through 2024-01)
- FIPS-compliant policies
- PQ-SSH Experimental policies
- Restricted security policies
The module includes several built-in checks to ensure proper configuration:
- Route53 configuration validation
- Custom hostname verification
- DNS provider configuration checks
- Domain name compatibility verification
- Security policy name validation
- Mandatory Elastic IP address allocation and association checks for Internet-facing VPC deployments
- Enable CloudWatch logging for audit and monitoring purposes (optional, configurable via enable_logging variable)
- Use the latest security policies (default is TransferSecurityPolicy-2024-01, configurable with validation)
- Configure proper DNS settings when using custom hostnames (validated through check blocks)
- Utilize built-in validation checks for DNS provider and custom hostname configurations
- Use proper tagging for resources (supported via tags variable)
This project utilizes multiple modules to create a complete AWS Transfer Family SFTP solution:
- Purpose: Creates and configures the AWS Transfer Server
- Key features:
- SFTP protocol support
- Hosting Server using Public or VPC configuration
- CloudWatch logging setup
- Service-managed authentication
- Custom hostname support (optional)
- Purpose: Manages SFTP user access and permissions
- Key features:
- CSV-based user configuration support
- Optional test user creation
- IAM role and policy management
- Integration with S3 bucket permissions
- KMS encryption key access management
- Multiple SSH keys per user support
- Purpose: Creates SFTP connectors for automated file transfers
- Key features:
- External SFTP server connectivity
- EventBridge Scheduler integration for automated retrieval
- Secrets Manager integration for credential management
- SSH host key auto-discovery and validation
- Static IP address support for outbound connections
To use these modules in your Terraform configuration:
- Reference the modules in your Terraform code:
module "transfer_server" {
source = "aws-ia/transfer-family/aws//modules/transfer-server"
# Module parameters
# ...
}
module "transfer_connectors" {
source = "aws-ia/transfer-family/aws//modules/transfer-connectors"
# Required parameters
url = "sftp://external-server.com"
access_role = "arn:aws:iam::123456789012:role/transfer-connector-role"
# Optional parameters
sftp_username = "sftp-user"
sftp_private_key = file("~/.ssh/id_rsa")
trusted_host_keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAA..."]
# ...
}- Initialize your Terraform workspace:
terraform init- Review the planned changes:
terraform plan- Apply the configuration:
terraform applymodule "transfer_server" {
source = "aws-ia/transfer-family/aws//modules/transfer-server"
# Basic server configuration
server_name = "demo-transfer-server"
domain = "S3"
protocols = ["SFTP"]
endpoint_type = "PUBLIC"
identity_provider = "SERVICE_MANAGED"
# Enable logging
enable_logging = true
log_retention_days = 14
tags = {
Environment = "Demo"
Project = "SFTP"
}
}module "transfer-connectors" {
source = "aws-ia/transfer-family/aws//modules/transfer-connectors"
# Required parameters
url = "sftp://external-server.com"
access_role = "arn:aws:iam::123456789012:role/transfer-connector-role"
# Authentication
sftp_username = "sftp-user"
sftp_private_key = file("~/.ssh/id_rsa")
# Security - SSH host keys for validation
trusted_host_keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAA..."
]
# Optional features
test_connector_post_deployment = true
tags = {
Environment = "Demo"
Project = "File Transfer"
}
}This example demonstrates an internet-facing VPC endpoint configuration:
module "transfer_server" {
# Other configurations go here
endpoint_type = "VPC"
endpoint_details = {
address_allocation_ids = aws_eip.sftp[*].allocation_id # Internet-facing
security_group_ids = [aws_security_group.sftp.id]
subnet_ids = local.public_subnets
vpc_id = local.vpc_id
}
}Key points about VPC endpoint types:
- Internet-facing endpoint: Created when
address_allocation_idsare specified (as shown in this example) - Internet-facing endpoints require Elastic IPs and public subnets
- Internal endpoint: Created when
address_allocation_idsare omitted - Internal endpoints are only accessible from within the VPC or connected networks
This example demonstrates a simple public endpoint configuration:
module "transfer_server" {
source = "aws-ia/transfer-family/aws"
domain = "S3"
protocols = ["SFTP"]
endpoint_type = "PUBLIC"
server_name = "transfer-server-${random_pet.name.id}"
dns_provider = var.dns_provider
custom_hostname = var.custom_hostname
route53_hosted_zone_name = var.route53_hosted_zone_name
identity_provider = "SERVICE_MANAGED"
security_policy_name = "TransferSecurityPolicy-2024-01"
enable_logging = true
log_retention_days = 30
log_group_kms_key_id = aws_kms_key.transfer_family_key.arn
logging_role = var.logging_role
workflow_details = var.workflow_details
}Key points about public endpoint types:
- Public endpoint: Simpler configuration with AWS-managed IP addresses
- Direct internet access without VPC configuration
- Suitable for basic SFTP server deployments
- Example location:
examples/sftp-public-endpoint-service-managed-S3
The Transfer Users module supports multiple SSH keys per user for enhanced security and access management.
module "sftp_users" {
source = "aws-ia/transfer-family/aws//modules/transfer-users"
users = local.users
create_test_user = true # Test user is for demo purposes....
server_id = module.transfer_server.server_id
s3_bucket_name = module.s3_bucket.s3_bucket_id
s3_bucket_arn = module.s3_bucket.s3_bucket_arn
kms_key_id = aws_kms_key.transfer_family_key.arn
}users_config_file = "users.csv"Create a users.csv file (available in examples/sftp-public-endpoint-service-managed-S3 and examples/sftp-internet-facing-vpc-endpoint-service-managed-S3) with the following format:
username,home_dir,public_key,role_arn
user1,/user1,"key1",
user2,/user2,"key2, key3, key4",
- user1: Single SSH key example
- user2: Multiple SSH keys example
- Multiple keys per user: Separate multiple SSH keys with commas in a single string, wrapped in quotes
When using Transfer Connectors, pay attention to these critical attributes:
url: SFTP server endpoint (required) - automatically addssftp://prefix if not providedaccess_role: IAM role ARN for connector permissions (required, user-provided)trusted_host_keys: SSH host keys for server validation - leave empty for auto-discoverysftp_usernameandsftp_private_key: Authentication credentialsuser_secret_id: Alternative to providing credentials directly - use existing Secrets Manager secretsecurity_policy_name: Must use connector-specific policies (default:TransferSFTPConnectorSecurityPolicy-2024-03)test_connector_post_deployment: Enable to validate connectivity after deployment - requires AWS CLI installation and checks for specific version compatibility. Will warn but not fail deployment if conditions aren't met.
The AWS Transfer Family module for Terraform is maintained by AWS Solution Architects. It is not part of an AWS service and support is provided best-effort by the AWS Storage community.
To post feedback, submit feature ideas, or report bugs, please use the Issues section of this GitHub repo.
If you are interested in contributing to the Storage Gateway module, see the Contribution guide.
| Name | Version |
|---|---|
| terraform | >= 1.5 |
| aws | >= 5.95.0 |
| Name | Version |
|---|---|
| aws | >= 5.95.0 |
No modules.
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.transfer | resource |
| aws_route53_record.sftp | resource |
| aws_transfer_server.transfer_server | resource |
| aws_transfer_tag.with_custom_domain_name | resource |
| aws_transfer_tag.with_custom_domain_route53_zone_id | resource |
| aws_route53_zone.selected | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| custom_hostname | The custom hostname for the Transfer Family server | string |
null |
no |
| dns_provider | The DNS provider for the custom hostname. Use 'none' for no custom hostname | string |
null |
no |
| domain | The domain of the storage system that is used for file transfers | string |
"S3" |
no |
| enable_logging | Enable CloudWatch logging for the transfer server | bool |
false |
no |
| endpoint_details | VPC endpoint configuration block for the Transfer Server | object({ |
null |
no |
| endpoint_type | The type of endpoint that you want your transfer server to use | string |
"PUBLIC" |
no |
| identity_provider | Identity provider configuration | string |
"SERVICE_MANAGED" |
no |
| log_group_kms_key_id | encryption key for cloudwatch log group | string |
null |
no |
| log_retention_days | Number of days to retain logs for | number |
30 |
no |
| logging_role | IAM role ARN that the Transfer Server assumes to write logs to CloudWatch Logs | string |
null |
no |
| protocols | Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint | list(string) |
[ |
no |
| route53_hosted_zone_name | The name of the Route53 hosted zone to use (must end with a period, e.g., 'example.com.') | string |
null |
no |
| security_policy_name | Specifies the name of the security policy that is attached to the server. If not provided, the default security policy will be used. | string |
"TransferSecurityPolicy-2024-01" |
no |
| server_name | The name of the Transfer Family server | string |
"transfer-server" |
no |
| tags | A map of tags to assign to the resource | map(string) |
{} |
no |
| workflow_details | Workflow details to attach to the transfer server | object({ |
null |
no |
| Name | Description |
|---|---|
| server_endpoint | The endpoint of the created Transfer Family server |
| server_id | The ID of the transfer server |