AWS Transfer Family SFTP Server Module
Deploy an AWS Transfer Family SFTP server for secure file exchange with S3 backend storage.
What You'll Build
- Transfer Family SFTP server
- S3 storage backend
- SFTP user accounts with SSH key authentication
- CloudWatch logging for access/activity
- Optional VPC endpoint for private connectivity
How to Use
```hcl
module "sftp_server" {
  source        = "github.com/nnthanh101/terraform-aws/modules/sftp"
  identifier    = "app-sftp"
  protocol      = "SFTP"
  endpoint_type = "PUBLIC"
  # or "VPC" with vpc_endpoint_subnet_ids = [...]
  logging_role = aws_iam_role.transfer_logging.arn

  users = {
    data_provider = {
      user_name           = "data-provider"
      home_directory      = "/data-uploads"
      ssh_public_key_body = file("${path.module}/keys/data-provider.pub")
      restricted_home     = true
      s3_bucket           = aws_s3_bucket.sftp_data.id
      s3_prefix           = "/uploads/"
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Effect   = "Allow"
            Action   = ["s3:GetObject", "s3:PutObject"]
            Resource = "${aws_s3_bucket.sftp_data.arn}/*"
          }
        ]
      })
    }
  }

  tags = {
    Environment = "prod"
    Service     = "file-exchange"
  }
}
```
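The `policy` in the usage example above allows `s3:GetObject` and `s3:PutObject` on every object in the bucket, while `s3_prefix` points the user at `/uploads/`. The block below is an added example (not part of the module's own code) of a per-user policy limited to that prefix. It assumes that `s3_prefix = "/uploads/"` corresponds to the S3 key prefix `uploads/` and that `aws_s3_bucket.sftp_data` is defined by the caller; the local names are hypothetical.

```hcl
# Added example: per-user policy scoped to the upload prefix.
# Assumption: s3_prefix "/uploads/" maps to the S3 key prefix "uploads/".
locals {
  sftp_upload_prefix = "uploads" # hypothetical local name

  # Hypothetical local holding the policy document for the data_provider user.
  data_provider_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # SFTP directory listings call s3:ListBucket on the bucket ARN.
        # The condition limits listings to keys under the prefix.
        # Remove this statement if the user should not list files.
        Sid      = "ListUploadsPrefixOnly"
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = aws_s3_bucket.sftp_data.arn
        Condition = {
          StringLike = {
            "s3:prefix" = [
              local.sftp_upload_prefix,
              "${local.sftp_upload_prefix}/*"
            ]
          }
        }
      },
      {
        # Same object actions as the usage example, but only under uploads/.
        Sid      = "ReadWriteUploadsPrefixOnly"
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject"]
        Resource = "${aws_s3_bucket.sftp_data.arn}/${local.sftp_upload_prefix}/*"
      }
    ]
  })
}
```

Pass it to the user entry as `policy = local.data_provider_policy`.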
Key Variables
| Variable | Type | Purpose |
|---|---|---|
| identifier | string | Unique server identifier |
| protocol | string | "SFTP", "FTP", or "FTPS" |
| endpoint_type | string | "PUBLIC" or "VPC" |
| users | map(object) | SFTP user configurations |
| logging_role | string | IAM role ARN for CloudWatch logs |
| vpc_endpoint_subnet_ids | list(string) | Subnets for VPC endpoint (if VPC mode) |
| security_group_ids | list(string) | Security groups for VPC endpoint |
Outputs
| Output | Use Case |
|---|---|
| server_id | Unique Transfer Family server ID |
| arn | ARN for IAM policy references |
| endpoint | SFTP connection endpoint (sftp.region.transfer.amazonaws.com) |
| users | Map of created user resource IDs |
Integration
- S3: Backend storage for SFTP uploads/downloads
- IAM: User policies control S3 bucket access
- CloudWatch: Logging captures all SFTP activity
- Secrets Manager: Store SSH private keys for automated access
- Route53: Optional CNAME alias for branded SFTP hostname
Source Reference
Module: terraform-aws/modules/sftp