Provides an AWS Transfer Server resource.

## Example Usage

### Basic
```hcl
resource "aws_transfer_server" "example" {
  tags = {
    Name = "Example"
  }
}
```
### Security policy name

```hcl
resource "aws_transfer_server" "example" {
  security_policy_name = "TransferSecurityPolicy-2020-06"
}
```
### VPC Endpoint

```hcl
resource "aws_transfer_server" "example" {
  endpoint_type = "VPC"

  endpoint_details {
    address_allocation_ids = [aws_eip.example.id]
    subnet_ids             = [aws_subnet.example.id]
    vpc_id                 = aws_vpc.example.id
  }
}
```
### AWS Directory authentication

```hcl
resource "aws_transfer_server" "example" {
  identity_provider_type = "AWS_DIRECTORY_SERVICE"
  directory_id           = aws_directory_service_directory.example.id
}
```
### AWS Lambda authentication

```hcl
resource "aws_transfer_server" "example" {
  identity_provider_type = "AWS_LAMBDA"
  function               = aws_lambda_identity_provider.example.arn
}
```
### Protocols

```hcl
resource "aws_transfer_server" "example" {
  endpoint_type = "VPC"

  endpoint_details {
    subnet_ids = [aws_subnet.example.id]
    vpc_id     = aws_vpc.example.id
  }

  protocols   = ["FTP", "FTPS"]
  certificate = aws_acm_certificate.example.arn

  identity_provider_type = "API_GATEWAY"
  url                    = "${aws_api_gateway_deployment.example.invoke_url}${aws_api_gateway_resource.example.path}"
}
```
### Using Structured Logging Destinations

```hcl
resource "aws_cloudwatch_log_group" "transfer" {
  name_prefix = "transfer_test_"
}

data "aws_iam_policy_document" "transfer_assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["transfer.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "iam_for_transfer" {
  name_prefix         = "iam_for_transfer_"
  assume_role_policy  = data.aws_iam_policy_document.transfer_assume_role.json
  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess"]
}

resource "aws_transfer_server" "transfer" {
  endpoint_type = "PUBLIC"
  logging_role  = aws_iam_role.iam_for_transfer.arn
  protocols     = ["SFTP"]
  structured_log_destinations = [
    "${aws_cloudwatch_log_group.transfer.arn}:*"
  ]
}
```
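The snippets above each show one argument in isolation. The following configuration, added here as an example and not taken from the provider documentation, combines the security-relevant arguments documented below into a single SFTP-only server: VPC-only reachability with an explicit security group, a current security policy, key-only authentication through a custom (Lambda) identity provider, a login banner, and structured logging. `aws_vpc.example`, `aws_subnet.example`, `aws_security_group.sftp`, `aws_lambda_function.idp`, `aws_cloudwatch_log_group.transfer`, `aws_iam_role.iam_for_transfer` and the host key file path are assumed to exist and are placeholders.

```hcl
# Added example: a hardened SFTP-only Transfer server (assumed resource names).
resource "aws_transfer_server" "hardened" {
  protocols     = ["SFTP"] # no FTP/FTPS, so credentials and data never travel in clear text
  endpoint_type = "VPC"    # VPC endpoints are not reachable from the public internet

  endpoint_details {
    subnet_ids         = [aws_subnet.example.id]
    vpc_id             = aws_vpc.example.id
    security_group_ids = [aws_security_group.sftp.id] # otherwise the VPC default SG is attached
  }

  # Newest non-FIPS policy listed on this page; use TransferSecurityPolicy-FIPS-2024-01
  # where FIPS-validated algorithms are required. The provider default is 2018-11.
  security_policy_name = "TransferSecurityPolicy-2024-01"

  # sftp_authentication_methods only applies to custom identity providers, so a
  # Lambda provider is paired with it here to enforce public-key-only logins.
  identity_provider_type      = "AWS_LAMBDA"
  function                    = aws_lambda_function.idp.arn # assumed Lambda resource
  sftp_authentication_methods = "PUBLIC_KEY"

  # Supplying your own host key keeps the fingerprint stable if the server is
  # recreated. The path is a placeholder; the key material lands in Terraform
  # state, and host_key cannot be read back through the API after import.
  host_key = file("${path.module}/server-host-key-PLACEHOLDER")

  # Shown before authentication; keep it free of software or version details.
  pre_authentication_login_banner = "Authorised use only. All activity is logged."

  # Both plain CloudWatch logging and structured logs, so sessions are auditable.
  logging_role                = aws_iam_role.iam_for_transfer.arn
  structured_log_destinations = ["${aws_cloudwatch_log_group.transfer.arn}:*"]

  tags = {
    Name = "hardened-sftp"
  }
}
```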
## Argument Reference

This resource supports the following arguments:
* `certificate` - (Optional) The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. This is required when `protocols` is set to `FTPS`.
* `domain` - (Optional) The domain of the storage system that is used for file transfers. Valid values are: `S3` and `EFS`. The default value is `S3`.
* `protocols` - (Optional) Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. This defaults to `SFTP`. The available protocols are:
    * `AS2`: File transfer over Applicability Statement 2
    * `SFTP`: File transfer over SSH
    * `FTPS`: File transfer with TLS encryption
    * `FTP`: Unencrypted file transfer
* `endpoint_details` - (Optional) The virtual private cloud (VPC) endpoint settings that you want to configure for your SFTP server. See the `endpoint_details` block below for details.
* `endpoint_type` - (Optional) The type of endpoint that you want your SFTP server to connect to. If you connect to a `VPC` (or `VPC_ENDPOINT`), your SFTP server isn't accessible over the public internet. If you want to connect your SFTP server via the public internet, set `PUBLIC`. Defaults to `PUBLIC`.
* `invocation_role` - (Optional) Amazon Resource Name (ARN) of the IAM role used to authenticate the user account with an `identity_provider_type` of `API_GATEWAY`.
* `host_key` - (Optional) RSA, ECDSA, or ED25519 private key (e.g., as generated by the `ssh-keygen -t rsa -b 2048 -N "" -m PEM -f my-new-server-key`, `ssh-keygen -t ecdsa -b 256 -N "" -m PEM -f my-new-server-key` or `ssh-keygen -t ed25519 -N "" -f my-new-server-key` commands).
* `url` - (Optional) URL of the service endpoint used to authenticate users with an `identity_provider_type` of `API_GATEWAY`.
* `identity_provider_type` - (Optional) The mode of authentication enabled for this service. The default value is `SERVICE_MANAGED`, which allows you to store and access SFTP user credentials within the service. `API_GATEWAY` indicates that user authentication requires a call to an API Gateway endpoint URL provided by you to integrate an identity provider of your choice. Using `AWS_DIRECTORY_SERVICE` will allow for authentication against AWS Managed Active Directory or Microsoft Active Directory in your on-premises environment, or in AWS using AD Connectors. Use the `AWS_LAMBDA` value to directly use a Lambda function as your identity provider. If you choose this value, you must specify the ARN of the Lambda function in the `function` argument.
* `directory_id` - (Optional) The directory service ID of the directory service you want to connect to with an `identity_provider_type` of `AWS_DIRECTORY_SERVICE`.
* `function` - (Optional) The ARN of a Lambda function to use as the identity provider.
* `sftp_authentication_methods` - (Optional) For SFTP-enabled servers, and for custom identity providers only. Valid values are `PASSWORD`, `PUBLIC_KEY`, `PUBLIC_KEY_OR_PASSWORD` and `PUBLIC_KEY_AND_PASSWORD`. Default value is: `PUBLIC_KEY_OR_PASSWORD`.
* `logging_role` - (Optional) Amazon Resource Name (ARN) of an IAM role that allows the service to write your SFTP users' activity to your Amazon CloudWatch logs for monitoring and auditing purposes.
* `force_destroy` - (Optional) A boolean that indicates all users associated with the server should be deleted so that the server can be destroyed without error. The default value is `false`. This option only applies to servers configured with a `SERVICE_MANAGED` `identity_provider_type`.
* `post_authentication_login_banner` - (Optional) Specify a string to display when users connect to a server. This string is displayed after the user authenticates. The SFTP protocol does not support post-authentication display banners.
* `pre_authentication_login_banner` - (Optional) Specify a string to display when users connect to a server. This string is displayed before the user authenticates.
* `protocol_details` - (Optional) The protocol settings that are configured for your server. See the `protocol_details` block below for details.
* `s3_storage_options` - (Optional) Specifies whether or not performance for your Amazon S3 directories is optimized. This is disabled by default. See the `s3_storage_options` block below for details.
* `security_policy_name` - (Optional) Specifies the name of the security policy that is attached to the server. Default value is: `TransferSecurityPolicy-2018-11`. The available values are:
    * `TransferSecurityPolicy-2024-01`
    * `TransferSecurityPolicy-2023-05`
    * `TransferSecurityPolicy-2022-03`
    * `TransferSecurityPolicy-2020-06`
    * `TransferSecurityPolicy-2018-11`
    * `TransferSecurityPolicy-FIPS-2024-01`
    * `TransferSecurityPolicy-FIPS-2023-05`
    * `TransferSecurityPolicy-FIPS-2020-06`
    * `TransferSecurityPolicy-PQ-SSH-Experimental-2023-04`
    * `TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04`
* `structured_log_destinations` - (Optional) A set of ARNs of destinations that will receive structured logs from the transfer server, such as CloudWatch Log Group ARNs. If provided, this enables the transfer server to emit structured logs to the specified locations.
* `tags` - (Optional) A map of tags to assign to the resource. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
* `workflow_details` - (Optional) Specifies the workflow details. See the `workflow_details` block below for details.

### `endpoint_details` block

The `endpoint_details` configuration block supports the following arguments:
* `address_allocation_ids` - (Optional) A list of address allocation IDs that are required to attach an Elastic IP address to your SFTP server's endpoint. This property can only be used when `endpoint_type` is set to `VPC`.
* `security_group_ids` - (Optional) A list of security group IDs that are available to attach to your server's endpoint. If no security groups are specified, the VPC's default security groups are automatically assigned to your endpoint. This property can only be used when `endpoint_type` is set to `VPC`.
* `subnet_ids` - (Optional) A list of subnet IDs that are required to host your SFTP server endpoint in your VPC. This property can only be used when `endpoint_type` is set to `VPC`.
* `vpc_endpoint_id` - (Optional) The ID of the VPC endpoint. This property can only be used when `endpoint_type` is set to `VPC_ENDPOINT`.
* `vpc_id` - (Optional) The VPC ID of the virtual private cloud in which the SFTP server's endpoint will be hosted. This property can only be used when `endpoint_type` is set to `VPC`.

### `protocol_details` block

The `protocol_details` configuration block supports the following arguments:
* `as2_transports` - (Optional) Indicates the transport method for the AS2 messages. Currently, only `HTTP` is supported.
* `passive_ip` - (Optional) Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer.
* `set_stat_option` - (Optional) Use to ignore the error that is generated when the client attempts to use `SETSTAT` on a file you are uploading to an S3 bucket. Valid values: `DEFAULT`, `ENABLE_NO_OP`.
* `tls_session_resumption_mode` - (Optional) A property used with Transfer Family servers that use the FTPS protocol. Provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. Valid values: `DISABLED`, `ENABLED`, `ENFORCED`.

### `s3_storage_options` block

The `s3_storage_options` configuration block supports the following arguments:
* `directory_listing_optimization` - (Optional) Specifies whether or not performance for your Amazon S3 directories is optimized. Valid values are `DISABLED`, `ENABLED`.

  By default, home directory mappings have a `TYPE` of `DIRECTORY`. If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` `Type` to `FILE` if you want a mapping to have a file target. See Using logical directories to simplify your Transfer Family directory structures for details.

### `workflow_details` block

The `workflow_details` configuration block supports the following arguments:
* `on_upload` - (Optional) A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. See the `on_upload` block below for details.
* `on_partial_upload` - (Optional) A trigger that starts a workflow if a file is only partially uploaded. See the `on_partial_upload` block below for details.

### `on_upload` block

The `on_upload` configuration block supports the following arguments:
* `execution_role` - (Required) Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources.
* `workflow_id` - (Required) A unique identifier for the workflow.

### `on_partial_upload` block

The `on_partial_upload` configuration block supports the following arguments:
* `execution_role` - (Required) Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources.
* `workflow_id` - (Required) A unique identifier for the workflow.

## Attribute Reference

This resource exports the following attributes in addition to the arguments above:
* `arn` - Amazon Resource Name (ARN) of the Transfer Server
* `id` - The Server ID of the Transfer Server (e.g., `s-12345678`)
* `endpoint` - The endpoint of the Transfer Server (e.g., `s-12345678.server.transfer.REGION.amazonaws.com`)
* `host_key_fingerprint` - This value contains the message-digest algorithm (MD5) hash of the server's host key. This value is equivalent to the output of the `ssh-keygen -l -E md5 -f my-new-server-key` command.
* `tags_all` - A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.

## Import

In Terraform v1.5.0 and later, use an `import` block to import Transfer Servers using the server `id`. For example:
```terraform
import {
  to = aws_transfer_server.example
  id = "s-12345678"
}
```
Using `terraform import`, import Transfer Servers using the server `id`. For example:
```console
% terraform import aws_transfer_server.example s-12345678
```
Certain resource arguments, such as `host_key`, cannot be read via the API and imported into Terraform. Terraform will display a difference for these arguments on the first run after import if they are declared in the Terraform configuration for an imported resource.