Last active
February 23, 2024 09:53
-
-
Save glnds/dac9fb18c3cad10ba42a203526b8caf2 to your computer and use it in GitHub Desktop.
CloudFormation template for AWS Transfer for SFTP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| AWSTemplateFormatVersion: '2010-09-09' | |
| Description: some-sftp-server | |
| Parameters: | |
| HostedZoneIdParam: | |
| Type: String | |
| Description: Hosted Zone ID | |
| SFTPHostnameParam: | |
| Type: String | |
| Description: Hostname for the SFTP Server | |
| Resources: | |
| SFTPServer: | |
| Type: AWS::Transfer::Server | |
| Properties: | |
| EndpointType: PUBLIC | |
| Tags: | |
| - Key: Application | |
| Value: some-sftp-servver | |
| SFTPServerDNSRecord: | |
| Type: AWS::Route53::RecordSet | |
| Properties: | |
| Name: !Ref SFTPHostnameParam | |
| HostedZoneId: !Ref HostedZoneIdParam | |
| Type: CNAME | |
| Comment: SFTP Transfer custom hostname | |
| TTL: 300 | |
| ResourceRecords: | |
| - !Sub ${SFTPServer.ServerId}.server.transfer.${AWS::Region}.amazonaws.com | |
| SFTPServerS3Bucket: | |
| Type: AWS::S3::Bucket | |
| DeletionPolicy: Retain | |
| Properties: | |
| BucketName: some-sftp-bucket | |
| PublicAccessBlockConfiguration: | |
| BlockPublicAcls: true | |
| BlockPublicPolicy: true | |
| IgnorePublicAcls: true | |
| RestrictPublicBuckets: true | |
| Tags: | |
| - Key: Application | |
| Value: some-sftp-servver | |
| SFTPUserRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: | |
| - transfer.amazonaws.com | |
| Action: | |
| - sts:AssumeRole | |
| Path: / | |
| Policies: | |
| - PolicyName: S3FullAccess | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - s3:ListAllMyBuckets | |
| - s3:GetBucketLocation | |
| Resource: "*" | |
| - PolicyName: AllowListingOfUserFolder | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - s3:ListBucket | |
| Resource: !GetAtt SFTPServerS3Bucket.Arn | |
| - PolicyName: HomeDirObjectAccess | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - s3:PutObject | |
| - s3:GetObject | |
| - s3:GetObjectVersion | |
| - s3:DeleteObject | |
| - s3:DeleteObjectVersion | |
| Resource: !Sub "${SFTPServerS3Bucket.Arn}/*" | |
| TestUser: | |
| Type: AWS::Transfer::User | |
| Properties: | |
| ServerId: !GetAtt SFTPServer.ServerId | |
| UserName: john | |
| HomeDirectory: !Sub "/${SFTPServerS3Bucket}/home/john" | |
| Policy: > | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "AllowListingOfUserFolder", | |
| "Effect": "Allow", | |
| "Action": "s3:ListBucket", | |
| "Resource": "arn:aws:s3:::${transfer:HomeBucket}", | |
| "Condition": { | |
| "StringLike": { | |
| "s3:prefix": [ | |
| "home/${transfer:UserName}/*", | |
| "home/${transfer:UserName}" | |
| ] | |
| } | |
| } | |
| }, | |
| { | |
| "Sid": "HomeDirObjectAccess", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:PutObject", | |
| "s3:GetObject", | |
| "s3:GetObjectVersion", | |
| "s3:DeleteObject", | |
| "s3:DeleteObjectVersion" | |
| ], | |
| "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*" | |
| } | |
| ] | |
| } | |
| Role: !GetAtt SFTPUserRole.Arn | |
| SshPublicKeys: | |
| - ssh-rsa AAAAB3NzaC1********************************cMNTZKrQTDjrpvCJ83w== [email protected] | |
| Tags: | |
| - Key: Application | |
| Value: some-sftp-server |
same question
"How can I inject ssh-key values via AWS SecretManager in this type of configuration?"
If your AWS Secret were a username/password combo and you wanted to access the password in Cloudformation then you could do something like this:
MySecretKey:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Statement:
- Sid: "Enable IAM User Permissions"
Effect: "Allow"
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action: "kms:*"
Resource: "*"
MySecret:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Sub "MySecret"
Description: !Sub "MySecret"
KmsKeyId: !Ref MySecretKey
GenerateSecretString:
SecretStringTemplate: !Sub '{"username":"admin"}'
GenerateStringKey: "password"
PasswordLength: 16
ExcludePunctuation: True
You can resolve the password for use elsewhere in your template using the following syntax:
!Sub "{{resolve:secretsmanager:${MySecret}::password}}"
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
do you have cloud formation for FTPS server?