Create two S3 buckets: the first stores log files, the second holds client uploads. Every request made against the client-uploads bucket is recorded as a server access log in the logging bucket.
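# Target bucket for S3 server access logs produced by the client-uploads bucket.
resource "aws_s3_bucket" "pbdhosts-logging" {
  bucket = "pbdhosts-logging"

  # S3 server access logging is delivered by the S3 Log Delivery group, which
  # needs WRITE and READ_ACP on the target bucket. The "private" canned ACL
  # grants neither, so S3 rejects the source bucket's logging configuration;
  # "log-delivery-write" is the canned ACL that adds exactly those grants.
  acl = "log-delivery-write"
}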
# Bucket that receives client uploads over the Transfer server; each request
# against it is written as a server access log to the logging bucket.
resource "aws_s3_bucket" "pbdhosts-client-uploads" {
  acl    = "private"
  bucket = "pbdhosts-client-uploads"

  logging {
    # Log objects land under client-uploads/ in the logging bucket. Referencing
    # the bucket resource (its name) also orders creation after it.
    target_prefix = "client-uploads/"
    target_bucket = "${aws_s3_bucket.pbdhosts-logging.bucket}"
  }
}
# Role used as the Transfer server's logging_role. Despite its name, nothing
# here involves CloudFront: the only trusted principal is transfer.amazonaws.com.
# No permissions policy is attached within this file, so the CloudWatch Logs
# grant the service needs presumably lives elsewhere — confirm.
resource "aws_iam_role" "all-cloudfront-role" {
  path = "/"
  name = "all-cloudfront-role"

  # Trust policy: only the AWS Transfer service may assume this role.
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "transfer.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}
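# The SFTP endpoint. Users are service-managed (defined in this file) and the
# endpoint is public. The resource label is a pre-existing server id; a fresh
# apply creates a new server with a different id, so dependents must reference
# this resource rather than repeat the literal.
resource "aws_transfer_server" "s-14b03f6eea184e378" {
  identity_provider_type = "SERVICE_MANAGED"
  endpoint_type          = "PUBLIC"

  # Reference the role instead of a hard-coded ARN so Terraform creates the
  # role first and the account id is not pinned in the configuration.
  logging_role = "${aws_iam_role.all-cloudfront-role.arn}"

  # aws_transfer_server takes a tags map, not repeated tag {} blocks. The
  # aws:transfer:* keys bind the Route 53 custom hostname to this server.
  tags = {
    "aws:transfer:route53HostedZoneId" = "/hostedzone/ZDYJAWOOAYZVP"
    "aws:transfer:customHostname"      = "client-ftp.pbdhosts.com"
  }
}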
Define the role that the Transfer service assumes on behalf of each user to call S3 (further restricted by each user's own policy)
# Role the Transfer service assumes on behalf of each SFTP user to reach S3.
# Per-user scope-down policies (on aws_transfer_user) narrow what this role
# may do for that user. No permissions policy is attached within this file;
# the S3 grant presumably lives elsewhere — confirm.
resource "aws_iam_role" "Transfer-call-AWS-services" {
  path = "/"
  name = "Transfer-call-AWS-services"

  # Trust policy: only the AWS Transfer service may assume this role.
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "transfer.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}
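# Transfer user "admin": read/write over the whole client-uploads bucket.
# No home_directory is set — presumably intended, since the policy itself
# limits access to the one bucket; confirm.
resource "aws_transfer_user" "s-14b03f6eea184e378_admin" {
  # Reference the server and role instead of literal id/ARN values so the
  # user is attached to the server Terraform manages (a re-created server gets
  # a new id) and the dependency order is explicit.
  server_id = "${aws_transfer_server.s-14b03f6eea184e378.id}"
  user_name = "admin"
  role      = "${aws_iam_role.Transfer-call-AWS-services.arn}"

  # Scope-down policy: bucket-level list/location plus object CRUD, both
  # limited to the client-uploads bucket.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::pbdhosts-client-uploads"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::pbdhosts-client-uploads/*"
    }
  ]
}
POLICY
}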
SSH public key for the admin user
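# Public key registered for the admin user (public half only; the private key
# stays with the client).
resource "aws_transfer_ssh_key" "s-14b03f6eea184e378_admin" {
  # Reference the managed server rather than a literal id, so the key is
  # registered on the server Terraform creates and is ordered after it.
  server_id = "${aws_transfer_server.s-14b03f6eea184e378.id}"
  user_name = "admin"
  body      = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3mNfZJiGeH4svhy5nss7Jy8ZlmqWaiv2Vd2bl9g30Tp6FpMCdjFuyVWoWWgyla1fDd9wcDyw1od/zUqlIdLIREFNX2619brWuLbXaS6LqTFFUAeE0AbTjHUhz2GK93mVBYMEOKd/BBCJhcMcZnhIZMnBFsNUrWqxq5B5WrqB1zwflOE4JOZx+NsmeiGynXj+McVBrm89QXhF/hXrs3cpA8Qw11/AxyEsdPRIxZ4s7Hy4ZbUZcYgO1qNnzrj0xwTxcwkxhlDD4FKz60aA5wH3zR0S0SwERXYb7IHqajHQC5OI4EexNZJfx6gKd3MMm4DhqIE11dA+12pQqTV9Wb44V b@nenavizhu.local"
}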
Second Transfer user - this one is locked down to their own home directory
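# Transfer user "grigory": scope-down policy confined to the user's home
# directory. The ${transfer:*} variables are resolved by the Transfer service
# from the user's home_directory; no home_directory is set in this block, so
# those variables presumably come from elsewhere or are empty — confirm, since
# an empty HomeDirectory would widen the object resource below.
resource "aws_transfer_user" "s-14b03f6eea184e378_grigory" {
  # Reference the server and role instead of literal id/ARN values so the
  # user is attached to the server Terraform manages and ordering is explicit.
  server_id = "${aws_transfer_server.s-14b03f6eea184e378.id}"
  user_name = "grigory"
  role      = "${aws_iam_role.Transfer-call-AWS-services.arn}"

  # Terraform interpolates ${...} inside heredocs, so the Transfer-side
  # variables must be written as $${transfer:...} to reach IAM verbatim;
  # unescaped they are a parse error ("transfer:HomeBucket" is not a
  # Terraform reference).
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::$${transfer:HomeBucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "$${transfer:HomeFolder}/*",
            "$${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "AWSTransferRequirements",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:GetObjectACL",
        "s3:PutObjectACL"
      ],
      "Resource": "arn:aws:s3:::$${transfer:HomeDirectory}*"
    }
  ]
}
POLICY
}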
SSH public key for the second user (grigory)
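# Public key registered for the grigory user (public half only).
resource "aws_transfer_ssh_key" "s-14b03f6eea184e378_grigory" {
  # Reference the managed server rather than a literal id, so the key is
  # registered on the server Terraform creates and is ordered after it.
  server_id = "${aws_transfer_server.s-14b03f6eea184e378.id}"
  user_name = "grigory"

  # The key and its trailing comment must be a single quoted string; HCL does
  # not allow a raw line break inside "...", so the wrapped original failed to
  # parse. The comment follows the key after one space, as in ssh-rsa format.
  body = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQChhjA4mnQDevQFMm2+jIra+nwRrVOP3/mFC1xXrUmnkx24b/ArTsqGQTWZcTglm1HWumxZV9LLtj0zbrTysyUqdIX9JVA3XcZkAldk8N6jRKAklwQywbqGEouvdSa3IN/Mld1d9VPGWw+vJmujmIi/UeREI5ImfSA2IalqVmQlZ60RLhl/SXuw9cs0XHKvOigUYh1Gg89UdgLvc6AzYAnFxQKH99FK4Kz6HyhybMHzy7t6nuH/lIy6uW0wfZqu+eziC32FxpJ1iDsUGSH+4IBNx8QJp+VUxWeSff2HvZuIi7uZW8L0QWS7X8eWIFaOCqre9cDPSEQLmvUYdOINPo2Zn4NsV8qa18Z/S8iOb+OUY96Q3uNOtv6aFi5mjndPimvsVc1OgYbabyajM4dMbHihBOUrCa8Jmb5hyxC6BxCrBwpLszMAceeNLKEnX0YTDRAnSvje19uzaQSXAc74ZOvb8LaBRhwjrIn2ggFJwcEhR3NbSnPd/bIjk9NeMFwUli2FPLaj+dD0PRqnNhZv2+Dhb8OoOOohrwfTI0mxg69iok9CVFPTvBUEBP70+JOE2zAuTNi02oFojxJyCjcyrvCYjF6jqr/FmRUiMv0axw2Qhu8GFxvlvKrh1EiJ6sXAzAs+/gbzTfsuPVo6UeB8EeI91J5QCVGkR4OgDsWA3BnylQ== grigory"
}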