diff --git a/README.md b/README.md
index a9abcf3..4e590d5 100644
--- a/README.md
+++ b/README.md
@@ -149,6 +149,7 @@ Available targets:
|------|--------|---------|
| [iam\_label](#module\_iam\_label) | cloudposse/label/null | 0.24.1 |
| [logging\_label](#module\_logging\_label) | cloudposse/label/null | 0.24.1 |
+| [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 0.3.1 |
| [this](#module\_this) | cloudposse/label/null | 0.24.1 |
## Resources
@@ -192,6 +193,10 @@ Available targets:
| [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| [s3\_bucket\_name](#input\_s3\_bucket\_name) | This is the bucket that the SFTP users will use when managing files | `string` | n/a | yes |
+| [security\_group\_description](#input\_security\_group\_description) | The Security Group description. | `string` | `"AWS Transfer Server Security Group"` | no |
+| [security\_group\_enabled](#input\_security\_group\_enabled) | Whether to create default Security Group for AWS Transfer Server. | `bool` | `true` | no |
+| [security\_group\_rules](#input\_security\_group\_rules) | A list of maps of Security Group rules.
The values of map is fully complated with `aws_security_group_rule` resource.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` |
[| no | +| [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Whether to create a default Security Group with unique name beginning with the normalized prefix. | `bool` | `false` | no | | [security\_policy\_name](#input\_security\_policy\_name) | Specifies the name of the security policy that is attached to the server. Possible values are TransferSecurityPolicy-2018-11, TransferSecurityPolicy-2020-06, and TransferSecurityPolicy-FIPS-2020-06. Default value is: TransferSecurityPolicy-2018-11. | `string` | `"TransferSecurityPolicy-2018-11"` | no | | [sftp\_users](#input\_sftp\_users) | List of SFTP usernames and public keys |
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow inbound traffic",
"from_port": 22,
"protocol": "tcp",
"to_port": 22,
"type": "ingress"
}
]
map(object({| `{}` | no | | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | diff --git a/docs/terraform.md b/docs/terraform.md index c997186..f636afd 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -19,6 +19,7 @@ |------|--------|---------| | [iam\_label](#module\_iam\_label) | cloudposse/label/null | 0.24.1 | | [logging\_label](#module\_logging\_label) | cloudposse/label/null | 0.24.1 | +| [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 0.3.1 | | [this](#module\_this) | cloudposse/label/null | 0.24.1 | ## Resources @@ -62,6 +63,10 @@ | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
user_name = string,
public_key = string
}))
[| no | +| [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Whether to create a default Security Group with unique name beginning with the normalized prefix. | `bool` | `false` | no | | [security\_policy\_name](#input\_security\_policy\_name) | Specifies the name of the security policy that is attached to the server. Possible values are TransferSecurityPolicy-2018-11, TransferSecurityPolicy-2020-06, and TransferSecurityPolicy-FIPS-2020-06. Default value is: TransferSecurityPolicy-2018-11. | `string` | `"TransferSecurityPolicy-2018-11"` | no | | [sftp\_users](#input\_sftp\_users) | List of SFTP usernames and public keys |
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow inbound traffic",
"from_port": 22,
"protocol": "tcp",
"to_port": 22,
"type": "ingress"
}
]
map(object({| `{}` | no | | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | diff --git a/examples/vpc/main.tf b/examples/vpc/main.tf index 9a014e3..c06c6ed 100644 --- a/examples/vpc/main.tf +++ b/examples/vpc/main.tf @@ -23,27 +23,6 @@ module "dynamic_subnets" { context = module.this.context } -module "security_group" { - source = "cloudposse/security-group/aws" - version = "0.3.1" - environment = "test" - id_length_limit = null - label_key_case = "title" - - vpc_id = module.vpc.vpc_id - rules = [ - { - type = "ingress" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - ] - - context = module.this.context -} - module "s3_bucket" { source = "cloudposse/s3-bucket/aws" version = "0.41.0" @@ -59,11 +38,18 @@ module "example" { source = "../.." eip_enabled = true - s3_bucket_name = module.s3_bucket.bucket_id - sftp_users = var.sftp_users - subnet_ids = [module.dynamic_subnets.public_subnet_ids[0]] - vpc_id = module.vpc.vpc_id - vpc_security_group_ids = [module.security_group.id] + security_group_enabled = true + security_group_rules = [{ + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }] + s3_bucket_name = module.s3_bucket.bucket_id + sftp_users = var.sftp_users + subnet_ids = [module.dynamic_subnets.public_subnet_ids[0]] + vpc_id = module.vpc.vpc_id context = module.this.context } diff --git a/main.tf b/main.tf index a9b0baa..309cfe0 100644 --- a/main.tf +++ b/main.tf @@ -1,7 +1,8 @@ locals { enabled = module.this.enabled - is_vpc = var.vpc_id != null + is_vpc = var.vpc_id != null + security_group_enabled = module.this.enabled && var.security_group_enabled } data "aws_s3_bucket" "landing" { 
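Review bot: `local.security_group_enabled` is not gated on `local.is_vpc`, so with the default `security_group_enabled = true` a server created without a `vpc_id` still has the security-group module enabled and, further down this file, instantiated with `vpc_id = null` — presumably it then errors or lands in the account's default VPC, verify against the cloudposse/security-group module. The only attachment visible on this page is `security_group_ids` inside the VPC `content` block, so the group has no use for a non-VPC endpoint; gate it in the same `locals` block: `security_group_enabled = local.is_vpc && module.this.enabled && var.security_group_enabled`. The `locals` block sits entirely inside the hunk; the `data "aws_s3_bucket" "landing"` block that follows continues outside it.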
@@ -26,7 +27,7 @@ resource "aws_transfer_server" "default" { content { subnet_ids = var.subnet_ids - security_group_ids = var.vpc_security_group_ids + security_group_ids = local.security_group_enabled ? module.security_group.*.id : var.vpc_security_group_ids vpc_id = var.vpc_id address_allocation_ids = var.eip_enabled ? aws_eip.sftp.*.id : var.address_allocation_ids } @@ -66,6 +67,19 @@ resource "aws_eip" "sftp" { vpc = local.is_vpc } +module "security_group" { + source = "cloudposse/security-group/aws" + version = "0.3.1" + + use_name_prefix = var.security_group_use_name_prefix + rules = var.security_group_rules + description = var.security_group_description + vpc_id = local.is_vpc ? var.vpc_id : null + + enabled = local.security_group_enabled + context = module.this.context +} + # Custom Domain resource "aws_route53_record" "main" { count = local.enabled && length(var.domain_name) > 0 && length(var.zone_id) > 0 ? 1 : 0 diff --git a/variables.tf b/variables.tf index d0366d8..007000c 100644 --- a/variables.tf +++ b/variables.tf 
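Review bot: The new conditional on `security_group_ids` replaces `var.vpc_security_group_ids` rather than merging with it, and `security_group_enabled` defaults to `true`, so an existing consumer who passes their own `vpc_security_group_ids` and upgrades without also setting `security_group_enabled = false` silently has those groups dropped in favor of the module's default group — which, per the new default in `variables.tf` on this page, allows 22/tcp from `0.0.0.0/0`. Either attach both, `security_group_ids = local.security_group_enabled ? concat(module.security_group.*.id, var.vpc_security_group_ids) : var.vpc_security_group_ids`, or default `security_group_enabled` to `false` so the new group is an explicit opt-in. In both cases the behavior change deserves an upgrade note in the README. The enclosing `resource "aws_transfer_server" "default"` starts and ends outside the hunk.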
@@ -38,6 +38,43 @@ variable "address_allocation_ids" {
 default = []
 }
 
+variable "security_group_enabled" {
+ type = bool
+ description = "Whether to create default Security Group for AWS Transfer Server."
+ default = true
+}
+
+variable "security_group_description" {
+ type = string
+ default = "AWS Transfer Server Security Group"
+ description = "The Security Group description."
+}
+
+variable "security_group_use_name_prefix" {
+ type = bool
+ default = false
+ description = "Whether to create a default Security Group with unique name beginning with the normalized prefix."
+}
+
+variable "security_group_rules" {
+ type = list(any)
+ default = [
+ {
+ type = "ingress"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow inbound traffic"
+ }
+ ]
+ description = <<-EOT
+ A list of maps of Security Group rules.
+ The values of map is fully complated with `aws_security_group_rule` resource.
+ To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule .
+ EOT
+}
+
 variable "vpc_security_group_ids" {
 type = list(string)
 description = "A list of security groups IDs that are available to attach to your server's endpoint. If no security groups are specified, the VPC's default security groups are automatically assigned to your endpoint. This property can only be used when endpoint_type is set to VPC."
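Review bot: The default for `security_group_rules` opens 22/tcp from `0.0.0.0/0`, and because `security_group_enabled` in the same hunk defaults to `true`, every consumer who does not override both variables gets an internet-reachable SFTP endpoint out of the box; a security-group default should fail closed. Prefer `default = []` so the consumer has to supply their allowed CIDRs, or, if the permissive default is intentional, state it in the description, e.g. `WARNING: the default rule allows SSH (22/tcp) from 0.0.0.0/0; override it with your allowed CIDRs.` While there, fix the description's wording: `The values of the map are fully compatible with the aws_security_group_rule resource.` The trailing `variable "vpc_security_group_ids"` block continues outside the hunk.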
user_name = string,
public_key = string
}))