
Resource: awsTransferServer

Provides an AWS Transfer Server resource.

~> NOTE on AWS IAM permissions: If endpointType is set to VPC, the ec2:DescribeVpcEndpoints and ec2:ModifyVpcEndpoint actions are used.

~> NOTE: Use the awsTransferTag resource to manage the system tags used for custom hostnames.

Example Usage

Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.transferServer.TransferServer(this, "example", {
  tags: {
    Name: "Example",
  },
});

Security Policy Name

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.transferServer.TransferServer(this, "example", {
  securityPolicyName: "TransferSecurityPolicy-2020-06",
});

VPC Endpoint

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.transferServer.TransferServer(this, "example", {
  endpointDetails: {
    addressAllocationIds: ["${aws_eip.example.id}"],
    subnetIds: ["${aws_subnet.example.id}"],
    vpcId: "${aws_vpc.example.id}",
  },
  endpointType: "VPC",
});

AWS Directory authentication

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.transferServer.TransferServer(this, "example", {
  directoryId: "${aws_directory_service_directory.example.id}",
  identityProviderType: "AWS_DIRECTORY_SERVICE",
});

AWS Lambda authentication

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.transferServer.TransferServer(this, "example", {
  function: "${aws_lambda_identity_provider.example.arn}",
  identityProviderType: "AWS_LAMBDA",
});

Protocols

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.transferServer.TransferServer(this, "example", {
  certificate: "${aws_acm_certificate.example.arn}",
  endpointDetails: {
    subnetIds: ["${aws_subnet.example.id}"],
    vpcId: "${aws_vpc.example.id}",
  },
  endpointType: "VPC",
  identityProviderType: "API_GATEWAY",
  protocols: ["FTP", "FTPS"],
  url: "${aws_api_gateway_deployment.example.invoke_url}${aws_api_gateway_resource.example.path}",
});

Argument Reference

The following arguments are supported:

  • certificate - (Optional) The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. Required when protocols includes FTPS.
  • domain - (Optional) The domain of the storage system that is used for file transfers. Valid values are S3 and EFS. The default value is S3.
  • protocols - (Optional) The file transfer protocol or protocols over which clients can connect to your server's endpoint. Defaults to SFTP. The available protocols are:
    • AS2: File transfer over Applicability Statement 2
    • SFTP: File transfer over SSH
    • FTPS: File transfer with TLS encryption
    • FTP: Unencrypted file transfer. Credentials and data cross the network in cleartext, so restrict it to trusted networks (the Protocols example above places it behind a VPC endpoint).
  • endpointDetails - (Optional) The virtual private cloud (VPC) endpoint settings that you want to configure for your server. Fields documented below.
  • endpointType - (Optional) The type of endpoint that you want your server to connect to. With VPC (or VPC_ENDPOINT), your server isn't accessible over the public internet. If you want to reach your server over the public internet, set PUBLIC. Defaults to PUBLIC.
  • invocationRole - (Optional) Amazon Resource Name (ARN) of the IAM role that the service assumes to call your API Gateway endpoint when identityProviderType is API_GATEWAY.
  • hostKey - (Optional) RSA, ECDSA, or ED25519 private key (e.g., as generated by the ssh-keygen -t rsa -b 2048 -N "" -m PEM -f my-new-server-key, ssh-keygen -t ecdsa -b 256 -N "" -m PEM -f my-new-server-key or ssh-keygen -t ed25519 -N "" -f my-new-server-key commands).
  • url - (Optional) URL of the service endpoint used to authenticate users with an identityProviderType of API_GATEWAY.
  • identityProviderType - (Optional) The mode of authentication enabled for this service. The default value is SERVICE_MANAGED, which stores and manages SFTP user credentials within the service. API_GATEWAY indicates that user authentication requires a call to an API Gateway endpoint URL provided by you to integrate an identity provider of your choice. AWS_DIRECTORY_SERVICE allows authentication against AWS Managed Microsoft AD, or against Microsoft Active Directory in your on-premises environment or in AWS using AD Connector. Use AWS_LAMBDA to call a Lambda function directly as your identity provider; you must then specify the function's ARN in the function argument.
  • directoryId - (Optional) The ID of the directory you want to connect to with an identityProviderType of AWS_DIRECTORY_SERVICE.
  • function - (Optional) The ARN of the Lambda function to use as the identity provider.
  • loggingRole - (Optional) Amazon Resource Name (ARN) of an IAM role that allows the service to write your users' activity to Amazon CloudWatch Logs for monitoring and auditing.
  • forceDestroy - (Optional) A boolean that indicates all users associated with the server should be deleted so that the server can be destroyed without error. The default value is false. This option only applies to servers configured with a SERVICE_MANAGED identityProviderType.
  • postAuthenticationLoginBanner - (Optional) A string to display when users connect to the server. This string is displayed after the user authenticates. The SFTP protocol does not support post-authentication display banners.
  • preAuthenticationLoginBanner - (Optional) A string to display when users connect to the server. This string is displayed before the user authenticates.
  • protocolDetails - (Optional) The protocol settings configured for your server. See Protocol Details below.
  • securityPolicyName - (Optional) The name of the security policy attached to the server, which fixes the SSH and TLS algorithms the server will negotiate. Possible values are TransferSecurityPolicy-2018-11, TransferSecurityPolicy-2020-06, TransferSecurityPolicy-FIPS-2020-06 and TransferSecurityPolicy-2022-03. The default value is TransferSecurityPolicy-2018-11, the oldest policy; set the newest policy your clients support rather than relying on the default.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.
  • workflowDetails - (Optional) Specifies the workflow details. See Workflow Details below.
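The arguments above interact: FTPS needs a certificate, API_GATEWAY needs both a URL and an invocation role, and the defaults for endpointType and securityPolicyName are the least restrictive choices. The following pre-apply check is an added example, not part of the provider documentation or the AWS provider's own code. It takes a plain object using the same property names as the CDKTF resource and returns the findings a security reviewer would raise; the two sample configurations are constructed, and the ARNs, URL and key material in them are placeholders.

```typescript
// Added example, not from the provider docs: audit aws_transfer_server
// arguments before they are applied. Sample configs below are constructed;
// ARNs, URL and key material are placeholders.
type EndpointType = "PUBLIC" | "VPC" | "VPC_ENDPOINT";
type Protocol = "SFTP" | "FTPS" | "FTP" | "AS2";
type IdentityProviderType =
  | "SERVICE_MANAGED" | "API_GATEWAY" | "AWS_DIRECTORY_SERVICE" | "AWS_LAMBDA";

interface TransferServerConfig {
  protocols?: Protocol[];
  certificate?: string;
  endpointType?: EndpointType;
  identityProviderType?: IdentityProviderType;
  url?: string;
  invocationRole?: string;
  function?: string;
  directoryId?: string;
  loggingRole?: string;
  securityPolicyName?: string;
  hostKey?: string;
}

// The policies named in the reference above, oldest first; 2018-11 is the service default.
const LEGACY_DEFAULT_POLICY = "TransferSecurityPolicy-2018-11";
const KNOWN_SECURITY_POLICIES: string[] = [
  LEGACY_DEFAULT_POLICY,
  "TransferSecurityPolicy-2020-06",
  "TransferSecurityPolicy-FIPS-2020-06",
  "TransferSecurityPolicy-2022-03",
];

function auditTransferServer(cfg: TransferServerConfig): string[] {
  const findings: string[] = [];
  // Apply the documented defaults so an omitted argument is judged by what it becomes.
  const protocols: Protocol[] = cfg.protocols ?? ["SFTP"];
  const endpointType: EndpointType = cfg.endpointType ?? "PUBLIC";
  const idp: IdentityProviderType = cfg.identityProviderType ?? "SERVICE_MANAGED";
  const policy: string = cfg.securityPolicyName ?? LEGACY_DEFAULT_POLICY;

  if (protocols.includes("FTP")) {
    findings.push("FTP sends credentials and data in cleartext; drop it or confine the server to a VPC endpoint");
    if (endpointType === "PUBLIC") {
      findings.push("FTP on a PUBLIC endpoint exposes cleartext logins to the internet");
    }
  }
  if (protocols.includes("FTPS") && !cfg.certificate) {
    findings.push("FTPS is enabled but certificate (ACM ARN) is unset; it is required for FTPS");
  }
  if (!KNOWN_SECURITY_POLICIES.includes(policy)) {
    findings.push(`securityPolicyName ${policy} is not one of the documented policies; verify it`);
  } else if (policy === LEGACY_DEFAULT_POLICY) {
    findings.push(`securityPolicyName resolves to ${policy}, the oldest policy; pin the newest one your clients support`);
  }
  if (idp === "API_GATEWAY" && (!cfg.url || !cfg.invocationRole)) {
    findings.push("API_GATEWAY identity provider needs both url and invocationRole");
  }
  if (idp === "AWS_LAMBDA" && !cfg.function) {
    findings.push("AWS_LAMBDA identity provider needs the function ARN");
  }
  if (idp === "AWS_DIRECTORY_SERVICE" && !cfg.directoryId) {
    findings.push("AWS_DIRECTORY_SERVICE identity provider needs directoryId");
  }
  if (!cfg.loggingRole) {
    findings.push("no loggingRole: user activity will not be written to CloudWatch Logs for audit");
  }
  if (protocols.includes("SFTP") && !cfg.hostKey) {
    findings.push("no hostKey: the service generates one, so a replaced server presents a new fingerprint to clients");
  }
  return findings;
}

// Constructed sample: the Protocols example above, but left on the PUBLIC default
// with no certificate, no invocation role, no logging role and the default policy.
const weakConfig: TransferServerConfig = {
  protocols: ["FTP", "FTPS"],
  identityProviderType: "API_GATEWAY",
  url: "https://auth.example.invalid/transfer", // placeholder
};

// Constructed sample with each finding above addressed.
const hardenedConfig: TransferServerConfig = {
  protocols: ["SFTP"],
  endpointType: "VPC",
  identityProviderType: "AWS_LAMBDA",
  function: "arn:aws:lambda:us-east-1:123456789012:function:transfer-idp", // placeholder
  loggingRole: "arn:aws:iam::123456789012:role/transfer-logging", // placeholder
  securityPolicyName: "TransferSecurityPolicy-2022-03",
  hostKey: "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n-----END OPENSSH PRIVATE KEY-----", // placeholder
};

console.log(auditTransferServer(weakConfig)); // six findings
console.log(auditTransferServer(hardenedConfig)); // []
```

Run it with ts-node (or compile with tsc) before terraform plan; a non-empty array for a configuration that is about to be applied is the signal to stop and fix the argument named in the finding.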

Endpoint Details

  • addressAllocationIds - (Optional) A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint. This property can only be used when endpointType is set to VPC.
  • securityGroupIds - (Optional) A list of security group IDs to attach to your server's endpoint. If no security groups are specified, the VPC's default security group is automatically assigned to your endpoint. Set this explicitly: the default group's rules are rarely the ones you want on an endpoint that accepts client connections. This property can only be used when endpointType is set to VPC.
  • subnetIds - (Optional) A list of subnet IDs that are required to host your server endpoint in your VPC. This property can only be used when endpointType is set to VPC.
  • vpcEndpointId - (Optional) The ID of the VPC endpoint. This property can only be used when endpointType is set to VPC_ENDPOINT.
  • vpcId - (Optional) The VPC ID of the virtual private cloud in which the server's endpoint will be hosted. This property can only be used when endpointType is set to VPC.

Protocol Details

  • as2Transports - (Optional) Indicates the transport method for the AS2 messages. Currently, only HTTP is supported.
  • passiveIp - (Optional) Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer.
  • setStatOption - (Optional) Use to ignore the error that is generated when the client attempts to use SETSTAT on a file you are uploading to an S3 bucket. Valid values: DEFAULT, ENABLE_NO_OP.
  • tlsSessionResumptionMode - (Optional) A property used with Transfer Family servers that use the FTPS protocol. Provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. Valid values: DISABLED, ENABLED, ENFORCED. With ENFORCED the server rejects data connections that do not resume the control connection's TLS session, which stops a third party from attaching to the data channel; confirm your clients support session resumption before enforcing it.

Workflow Details

  • onUpload - (Optional) A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. See Workflow Detail below.
  • onPartialUpload - (Optional) A trigger that starts a workflow if a file is only partially uploaded. See Workflow Detail below.

Workflow Detail

  • executionRole - (Required) Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources.
  • workflowId - (Required) A unique identifier for the workflow.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the Transfer Server
  • id - The server ID of the Transfer Server (e.g., s-12345678)
  • endpoint - The endpoint of the Transfer Server (e.g., s-12345678.server.transfer.REGION.amazonaws.com)
  • hostKeyFingerprint - The message-digest algorithm 5 (MD5) hash of the server's host key, equivalent to the output of the ssh-keygen -l -E md5 -f my-new-server-key command. Use it to confirm that the key the service presents matches the hostKey you supplied.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
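To check the exported hostKeyFingerprint against the key pair you generated locally, compute the same MD5 fingerprint from the public half of the key. The code below is an added example, not part of the provider documentation or the AWS provider's own code; it parses an OpenSSH public-key line, hashes the wire-format blob the way ssh-keygen -l does, and also emits the SHA-256 form that current ssh-keygen prints by default. The sample ed25519 key is constructed from fixed bytes and is not a real key.

```typescript
// Added example, not from the provider docs: recompute the MD5 (and SHA-256)
// fingerprint of an OpenSSH public key so the hostKeyFingerprint attribute can
// be compared with the key pair generated locally. The sample key is constructed.
import { createHash } from "crypto";

/** Read one SSH wire "string" (uint32 big-endian length prefix, then bytes). */
function readSshString(blob: Buffer, offset: number): { value: Buffer; next: number } {
  if (offset + 4 > blob.length) throw new Error("truncated key blob");
  const len = blob.readUInt32BE(offset);
  const start = offset + 4;
  if (start + len > blob.length) throw new Error("truncated key blob");
  return { value: blob.subarray(start, start + len), next: start + len };
}

/** Parse "ssh-ed25519 AAAA... comment" into its key type and raw wire-format blob. */
function parseOpenSshPublicKey(line: string): { keyType: string; blob: Buffer } {
  const [keyType, b64] = line.trim().split(/\s+/);
  if (!keyType || !b64) throw new Error("expected '<type> <base64> [comment]'");
  const blob = Buffer.from(b64, "base64");
  // The blob's first field repeats the key type; a mismatch means a corrupt or tampered line.
  const { value } = readSshString(blob, 0);
  if (value.toString("ascii") !== keyType) throw new Error("key type mismatch in blob");
  return { keyType, blob };
}

/** MD5 fingerprint in ssh-keygen's colon-separated form (ssh-keygen -l -E md5). */
function md5Fingerprint(line: string): string {
  const { blob } = parseOpenSshPublicKey(line);
  const hex = createHash("md5").update(blob).digest("hex");
  return hex.match(/.{2}/g)!.join(":");
}

/** SHA-256 fingerprint as modern ssh-keygen -l prints it: "SHA256:<base64 without padding>". */
function sha256Fingerprint(line: string): string {
  const { blob } = parseOpenSshPublicKey(line);
  return "SHA256:" + createHash("sha256").update(blob).digest("base64").replace(/=+$/, "");
}

/** Compare the API-reported MD5 fingerprint (any case) with the locally computed one. */
function matchesReportedFingerprint(publicKeyLine: string, reportedMd5: string): boolean {
  return md5Fingerprint(publicKeyLine) === reportedMd5.trim().toLowerCase();
}

/** Encode bytes as one SSH wire "string". */
function lenPrefixed(b: Buffer): Buffer {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(b.length, 0);
  return Buffer.concat([len, b]);
}

/** Constructed (not real) ed25519 public-key line: type string + 32 fixed bytes. */
function constructedEd25519Line(fill: number): string {
  const blob = Buffer.concat([lenPrefixed(Buffer.from("ssh-ed25519")), lenPrefixed(Buffer.alloc(32, fill))]);
  return `ssh-ed25519 ${blob.toString("base64")} constructed-sample`;
}

const sampleLine = constructedEd25519Line(0x01);
console.log(md5Fingerprint(sampleLine));    // ab:cd:... form, what hostKeyFingerprint reports
console.log(sha256Fingerprint(sampleLine)); // SHA256:... form, what ssh-keygen -l prints by default
```

Feed it the line from my-new-server-key.pub and compare the result with the hostKeyFingerprint attribute after apply. MD5 is used here only because that is the format the attribute exposes; for pinning in clients' known_hosts, distribute the full public key rather than a fingerprint.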

Import

Transfer Servers can be imported using the server ID, e.g.,

$ terraform import aws_transfer_server.example s-12345678

Certain resource arguments, such as hostKey, cannot be read via the API and imported into Terraform. Terraform will display a difference for these arguments the first run after import if declared in the Terraform configuration for an imported resource.