Using aws transfer with infra
AWS Transfer Family is a fully managed service that enables the transfer of files over SFTP, FTPS, and FTP directly into and out of Amazon S3 or Amazon EFS. When you want to integrate AWS Transfer Family into your cloud infrastructure with Pulumi, you can use the AWS provider, which contains resources for setting up and configuring the various parts of AWS Transfer Family.
Here’s how you would go about creating a simple SFTP server using AWS Transfer Family with Pulumi:

- AWS Transfer Server: This resource sets up the SFTP server. You provide it with a domain, the type of endpoint, and the identity provider details to manage user authentication.
- AWS Transfer User: This resource represents a user for your server. You define properties like the user's role, policy, server ID, and home directory, among others, to manage user access and permissions.
- IAM Role: Transfer users typically need an associated IAM role that outlines their permissions when interacting with S3 bucket(s).
- S3 Bucket: You need an S3 bucket where the transferred files will be stored.
Below is a TypeScript program in Pulumi to set up a basic SFTP server with an SFTP user. The comments will explain what each part of the code is doing:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an S3 bucket for storing the files.
const bucket = new aws.s3.Bucket("sftp-bucket");

// Create an IAM role that the AWS Transfer Family service can assume to interact
// with the S3 bucket on behalf of the SFTP user.
const s3AccessRole = new aws.iam.Role("s3-access-role", {
    assumeRolePolicy: {
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: {
                Service: "transfer.amazonaws.com",
            },
        }],
    },
});

// Attach a policy to the IAM role that grants the permissions the SFTP user
// needs to list the bucket and put, get and delete objects in it.
const s3AccessPolicy = new aws.iam.Policy("s3-access-policy", {
    policy: bucket.arn.apply(arn => JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: ["s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
            Resource: [arn, `${arn}/*`],
        }],
    })),
});

new aws.iam.RolePolicyAttachment("s3-access-role-policy-attachment", {
    role: s3AccessRole,
    policyArn: s3AccessPolicy.arn,
});

// Create an AWS Transfer Server using the SFTP protocol.
const sftpServer = new aws.transfer.Server("sftp-server", {
    protocols: ["SFTP"],
    identityProviderType: "SERVICE_MANAGED",
    endpointType: "PUBLIC",
});

// Create an AWS Transfer User associated with the SFTP server and S3 bucket.
// With SERVICE_MANAGED identities the user can only log in once an SSH public
// key has been registered for them (an aws.transfer.SshKey resource).
const sftpUser = new aws.transfer.User("sftp-user", {
    serverId: sftpServer.id,
    userName: "test-user",
    role: s3AccessRole.arn,
    // homeDirectory is a "/<bucket-name>/<prefix>" path, not the bucket ARN.
    homeDirectory: pulumi.interpolate`/${bucket.bucket}/home/test-user`,
});

// Export the server endpoint and the user name to connect to the SFTP server.
export const endpoint = sftpServer.endpoint;
export const userName = sftpUser.userName;
```
This program does the following:

- It sets up an S3 bucket to store your files.
- It creates an IAM role which the AWS Transfer Family service can assume, plus an access policy that allows SFTP users to interact with the S3 bucket.
- It creates an SFTP server that's publicly accessible, using the `aws.transfer.Server` resource.
- It creates a user for the SFTP server with the `aws.transfer.User` resource, mapping them to the S3 bucket for file storage.
- It exports the SFTP server's endpoint and the username for later use.
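As an added example that is not part of the original program: the IAM role above lets the service reach the whole bucket, and the `policy` property of the Transfer User is what narrows each user's session to their own home directory. The helpers below are plain TypeScript with no Pulumi import, so they run on their own; the function names are this example's own, the `${transfer:HomeBucket}`, `${transfer:HomeFolder}` and `${transfer:HomeDirectory}` variables are AWS Transfer Family's documented session-policy variables, and the `/<bucket>/home/<user>` layout follows the program above. `homeDirectoryFor()` produces the `homeDirectory` value in the form the resource expects, `scopedDownPolicyJson()` returns the string you would pass as `policy` on `aws.transfer.User`, and `isWithinHome()` is the same check expressed in code, for reviewing S3 access logs against what the policy should have allowed.

```typescript
// Added example (not from the original program): plain TypeScript helpers that
// produce the inputs for a least-privilege aws.transfer.User. No Pulumi import,
// so it runs stand-alone; function names are this example's own, the
// ${transfer:...} variables are AWS Transfer Family's documented policy variables.

export type Effect = "Allow" | "Deny";

export interface PolicyStatement {
  Sid: string;
  Effect: Effect;
  Action: string[];
  Resource: string[];
  Condition?: Record<string, Record<string, string[]>>;
}

export interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

// Layout convention used by the program above: every user lives under <bucket>/home/<user>.
export const HOME_ROOT = "home";

// S3 bucket naming rules: lowercase letters, digits, dots and hyphens, 3-63 chars.
const BUCKET_NAME_RE = /^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$/;
// Transfer Family user names: 3-100 chars of [A-Za-z0-9_.@-], not starting with '-', '.' or '@'.
const USER_NAME_RE = /^[A-Za-z0-9_][A-Za-z0-9_.@-]{2,99}$/;

// Builds the homeDirectory value for aws.transfer.User. The resource expects
// "/<bucket-name>/<prefix>", not a bucket ARN.
export function homeDirectoryFor(bucketName: string, userName: string): string {
  if (!BUCKET_NAME_RE.test(bucketName)) {
    throw new Error(`invalid S3 bucket name: ${bucketName}`);
  }
  if (!USER_NAME_RE.test(userName)) {
    throw new Error(`invalid Transfer Family user name: ${userName}`);
  }
  return `/${bucketName}/${HOME_ROOT}/${userName}`;
}

// Session ("scope-down") policy for the user's `policy` property. The IAM role
// grants the service access to the whole bucket; this document narrows each
// session to the caller's own home directory using variables that Transfer
// Family resolves per user at login, so one document serves every user.
export function scopedDownPolicy(): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        // Listing is only allowed for keys under the user's own folder.
        Sid: "AllowListingOfUserFolder",
        Effect: "Allow",
        Action: ["s3:ListBucket"],
        Resource: ['arn:aws:s3:::${transfer:HomeBucket}'],
        Condition: {
          StringLike: {
            "s3:prefix": ['${transfer:HomeFolder}/*', '${transfer:HomeFolder}'],
          },
        },
      },
      {
        // Object access is limited to the user's home directory subtree.
        Sid: "HomeDirObjectAccess",
        Effect: "Allow",
        Action: [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
          "s3:GetObjectVersion",
          "s3:DeleteObjectVersion",
        ],
        Resource: ['arn:aws:s3:::${transfer:HomeDirectory}/*'],
      },
    ],
  };
}

// JSON string form, which is what the `policy` property takes.
export function scopedDownPolicyJson(): string {
  return JSON.stringify(scopedDownPolicy());
}

// Mirror of what the policy enforces, for reviewing S3 access logs or
// CloudTrail data events: is this object key inside the user's home prefix?
// Compares against the prefix with its trailing slash so "home/alice-2/x"
// is not mistaken for alice's folder.
export function isWithinHome(userName: string, objectKey: string): boolean {
  if (!USER_NAME_RE.test(userName)) {
    return false;
  }
  const prefix = `${HOME_ROOT}/${userName}/`;
  return objectKey.startsWith(prefix);
}
```

The policy document is deliberately user-independent: because it refers to `${transfer:HomeDirectory}` rather than a literal path, the same string can be set as `policy` on every `aws.transfer.User`, and a mistake in one user's `homeDirectory` cannot widen another user's access.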
Please refer to the AWS Transfer Server documentation and AWS Transfer User documentation for more detailed information about the resource properties you can use to further customize your server and users.
To run the above Pulumi program:

- Install Pulumi and configure AWS credentials on your machine.
- Create a new directory and create `index.ts` inside it with the above content.
- Run `npm init` and `npm install @pulumi/pulumi @pulumi/aws` to initialize a new Node.js project and install the needed Pulumi packages.
- Finally, execute `pulumi up` within the directory to create the resources in your AWS account.