# Scenario 3: Owned EFS and Owned EFS Access Point

This example makes the following assumptions about the resources:

- The EFS file system does not exist. It is created and owned by the SFTP server.
- The EFS access point does not exist. It is created and owned by the SFTP server.
- The EFS mount points do not exist. They will be created along with the EFS.
- The EFS security group does not exist. It will be created along with the EFS.
- The target VPC and subnets exist and are tagged for identification.

## Prerequisites

- Terraform backend provider and state locking providers are identified and bootstrapped.
  - A [bootstrap](../../../bootstrap) module/example is provided that provisions Amazon S3 for Terraform state storage and Amazon DynamoDB for Terraform state locking.
- The target VPC along with the target Subnets exist and are identified via Tags.
  - A [vpc](../../../vpc) example is provided that provisions the VPC, Subnets and related resources with example tagging.
  - The example uses the following tags to identify the target VPC and Subnets.

    ```text
    "transfer/sftp/efs" = "1"
    "Env" = "DEV"
    ```

- Create an [ssh key-pair](https://www.ssh.com/academy/ssh/keygen) for each SFTP client authentication, or obtain the public key from the SFTP client.
- Copy the public key(s) into the `users` folder, e.g. `users/test.pub`.
- Modify `terraform.tfvars` to match your requirements. Check the values for the following variables.
  - `efs_id` --> `null`, EFS will be created.
  - `efs_ap_id` --> `null`, EFS Access Point will be created.
  - `efs_sg_tags` --> `null`, EFS Security Group will be created.
  - `efs_kms_alias` --> `""`, EFS KMS CMK will be created, if required.
  - `sftp_users` --> list of users along with a unique POSIX profile and `ssh` public key.
  - `sftp_user_automation_subscribers` --> list of email addresses.
  - `sftp_daily_report_subscribers` --> list of email addresses.

## Execution

- cd to the `examples/sftp/scenario3` folder.
- Modify the `backend "s3"` section in `provider.tf` with correct values for `region`, `bucket`, `dynamodb_table`, and `key`.
  - Use the provided values as guidance.
- Modify `terraform.tfvars` to your requirements.
  - Use the provided values as guidance.
- Make sure you are using the correct AWS Profile that has permission to provision the target resources.
  - `aws sts get-caller-identity`
- Execute `terraform init` to initialize Terraform.
- Execute `terraform plan` and verify the changes.
- Execute `terraform apply` and approve the changes to provision the resources.
- The email subscribers must confirm the subscription to receive the status and the activity emails.

Use the SFTP client of your choice to test the SFTP server.

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= v1.1.9 |
| [aws](#requirement\_aws) | >= 4.13.0 |

## Providers

No providers.

## Modules

| Name | Source | Version |
|------|--------|---------|
| [sftp](#module\_sftp) | ../../../modules/aws/transfer | n/a |

## Resources

No resources.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [env\_name](#input\_env\_name) | Environment name e.g. dev, prod | `string` | n/a | yes |
| [project](#input\_project) | Project name (prefix/suffix) to be used on all the resources identification | `string` | n/a | yes |
| [region](#input\_region) | The AWS Region e.g. us-east-1 for the environment | `string` | n/a | yes |
| [server\_name](#input\_server\_name) | DNS compliant name, unique, SFTP Server Name | `string` | n/a | yes |
| [sftp\_users](#input\_sftp\_users) | List of SFTP Users with POSIX profile and ssh key file | <pre>list(object({<br>  name         = string # unique name<br>  uid          = string # e.g. 3001<br>  gid          = string # e.g. 4000<br>  ssh_key_file = string # e.g. ./users/test.pub<br>}))</pre> | n/a | yes |
| [subnet\_tags](#input\_subnet\_tags) | Tags to discover target subnets in the VPC, these tags should identify one or more subnets | `map(string)` | n/a | yes |
| [tags](#input\_tags) | Common and mandatory tags for the resources | `map(string)` | n/a | yes |
| [vpc\_tags](#input\_vpc\_tags) | Tags to discover target VPC, these tags should uniquely identify a VPC | `map(string)` | n/a | yes |
| [create\_common\_logs](#input\_create\_common\_logs) | Create the common CW log groups | `bool` | `false` | no |
| [efs\_ap\_id](#input\_efs\_ap\_id) | EFS File System Access Point Id, if not provided a new EFS Access Point will be created | `string` | `null` | no |
| [efs\_id](#input\_efs\_id) | EFS File System Id, if not provided a new EFS will be created | `string` | `null` | no |
| [efs\_kms\_alias](#input\_efs\_kms\_alias) | KMS Alias to discover KMS for EFS encryption, if not provided a new CMK will be created. If efs\_id is provided for the encrypted EFS, this must also be provided. | `string` | `""` | no |
| [efs\_sg\_tags](#input\_efs\_sg\_tags) | Tags used to discover EFS Security Group, if not provided a new EFS security group will be created. If efs\_id is provided, this must also be provided. | `map(string)` | `null` | no |
| [lambda\_role](#input\_lambda\_role) | Lambda Execution Role, if not provided a new IAM role will be created | `string` | `null` | no |
| [logging\_role](#input\_logging\_role) | SFTP Logging Role, if not provided a new IAM role will be created | `string` | `null` | no |
| [r53\_zone\_name](#input\_r53\_zone\_name) | Route 53 Zone Name. Optional, if provided, a DNS record will be created for the SFTP server | `string` | `""` | no |
| [sftp\_daily\_report\_subscribers](#input\_sftp\_daily\_report\_subscribers) | List of email addresses to which daily activity reports will be sent | `list(string)` | `[]` | no |
| [sftp\_encryptions](#input\_sftp\_encryptions) | Encryption specs for the SFTP server | <pre>object({<br>  encrypt_logs     = bool   # default false<br>  logs_kms_alias   = string # new CMK will be created, if needed<br>  encrypt_lambda   = bool   # default false<br>  lambda_kms_alias = string # new CMK will be created, if needed<br>  encrypt_sns      = bool   # default false<br>  sns_kms_alias    = string # new CMK will be created, if needed<br>})</pre> | `null` | no |
| [sftp\_user\_automation\_subscribers](#input\_sftp\_user\_automation\_subscribers) | List of email addresses to which user automation information will be sent | `list(string)` | `[]` | no |
| [user\_role](#input\_user\_role) | SFTP User Role, if not provided a new IAM role will be created | `string` | `null` | no |

## Outputs

| Name | Description |
|------|-------------|
| [daily\_report\_subscribers](#output\_daily\_report\_subscribers) | Daily Report Subscribers |
| [sftp\_efs\_ap](#output\_sftp\_efs\_ap) | Elastic File System ids |
| [sftp\_iam\_role](#output\_sftp\_iam\_role) | IAM Roles used by SFTP |
| [sftp\_kms](#output\_sftp\_kms) | KMS Keys created by SFTP |
| [sftp\_security\_group](#output\_sftp\_security\_group) | Security Group used by SFTP Server |
| [sftp\_server](#output\_sftp\_server) | Route 53 FQDN for SFTP Server |
| [sftp\_users](#output\_sftp\_users) | SFTP Users |
| [user\_automation\_subscribers](#output\_user\_automation\_subscribers) | User Automation Event Subscribers |
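The following `terraform.tfvars` is an added example, not the repository's own file, that ties the scenario 3 settings listed under Prerequisites to the variables in the Inputs table. The VPC and subnet tags follow the tagging convention shown above; the project, environment, region, server name, POSIX ids, key file name and email addresses are constructed placeholders.

```hcl
# Added example terraform.tfvars for scenario 3 (not the repository's own file).
# Values marked "placeholder" are constructed for illustration.

project     = "sftp-demo" # placeholder
env_name    = "dev"       # placeholder
region      = "us-east-1" # placeholder
server_name = "sftp-dev"  # placeholder, must be DNS compliant and unique

# Discover the target VPC and subnets by the tags used in the vpc example.
# vpc_tags must match exactly one VPC; subnet_tags may match several subnets.
vpc_tags = {
  "transfer/sftp/efs" = "1"
  "Env"               = "DEV"
}
subnet_tags = {
  "transfer/sftp/efs" = "1"
  "Env"               = "DEV"
}

# Scenario 3: nothing EFS-related exists yet, so leave these unset and the
# module creates the file system, access point, security group and CMK.
efs_id        = null
efs_ap_id     = null
efs_sg_tags   = null
efs_kms_alias = ""

# One entry per SFTP client. uid/gid give each user a distinct POSIX profile
# on the shared EFS, and only the client's *public* key is placed under ./users
# (private keys never enter the repository or the tfvars).
sftp_users = [
  {
    name         = "test"             # placeholder
    uid          = "3001"             # placeholder
    gid          = "4000"             # placeholder
    ssh_key_file = "./users/test.pub" # placeholder, file must exist before apply
  },
]

# Keep the module defaults for log, Lambda and SNS encryption.
sftp_encryptions = null

# SNS subscribers must confirm the subscription email before they receive
# user automation events or daily activity reports.
sftp_user_automation_subscribers = ["ops@example.com"] # placeholder
sftp_daily_report_subscribers    = ["ops@example.com"] # placeholder

# Mandatory common tags applied to every resource the module creates.
tags = {
  "Project" = "sftp-demo" # placeholder
  "Env"     = "DEV"
}
```

With these values `terraform plan` should show the EFS file system, access point, mount points, security group and (when `efs_kms_alias` is empty) a new CMK as resources to be created; if the plan instead shows data source lookups for an existing file system, check that `efs_id`, `efs_ap_id` and `efs_sg_tags` are still `null`.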