Automating Secure SFTP Setup with Terraform on AWS


I recently worked on creating a secure, scalable, and automated SFTP server setup using Terraform and AWS. Here's an overview of the key resources involved:


- S3 Bucket: A dedicated bucket for storage with controlled permissions.
- Security Groups: Configured to allow secure SFTP access over port 22.
- IAM Roles: Ensuring EC2 instances have scoped permissions to interact with S3.
- EC2 Instance: Hosting the SFTP server with Elastic IP allocation.
- Automation: Automated configuration of SSH, SFTP, and S3 bucket mounting via a user data script.

This setup is an excellent example of how infrastructure as code (IaC) enables consistent, reusable, and scalable deployments.


Key Features:

  1. Security: Leveraging security groups and IAM roles for access control.
  2. Scalability: S3 bucket as the central storage solution.
  3. Automation: Bootstrapped server configuration with Terraform scripts.


# Script created by Manthan Gadhiya

provider "aws" {
  region = "us-east-1"
}

# Create the S3 bucket without ACLs
resource "aws_s3_bucket" "manthan_sftp_bucket" {
  bucket        = "manthantestenvsftp"
  force_destroy = true # test environment: terraform destroy removes all objects as well
}

# Fetch the VPC ID of the subnet
data "aws_subnet" "selected_subnet" {
  id = "subnet-06cbf5e85abad2430"
}

# Create a new security group in the same VPC as the subnet
resource "aws_security_group" "sftp_sg" {
  vpc_id      = data.aws_subnet.selected_subnet.vpc_id
  name        = "manthan_testenvsftp_sg"
  description = "Allow SFTP access"

  # Port 22 is reachable from the whole internet here; restrict cidr_blocks to the
  # client networks that actually need SFTP access in a real deployment.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Create the IAM role to allow EC2 to access S3
resource "aws_iam_role" "ec2_s3_access_role" {
  name = "ec2_s3_access_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })
}

# Create the IAM instance profile and attach the IAM role
resource "aws_iam_instance_profile" "ec2_s3_access_profile" {
  name = "ec2_s3_access_profile"
  role = aws_iam_role.ec2_s3_access_role.name
}

# Attach the policy to allow only specific actions on the S3 bucket
resource "aws_iam_role_policy" "s3_specific_bucket_access_policy" {
  name   = "ec2_s3_specific_bucket_access_policy"
  role   = aws_iam_role.ec2_s3_access_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:ListBucket",
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject"
        ]
        Effect   = "Allow"
        Resource = [
          "arn:aws:s3:::manthantestenvsftp",
          "arn:aws:s3:::manthantestenvsftp/*"
        ]
      }
    ]
  })
}

# Create the EC2 instance for the SFTP server
resource "aws_instance" "manthan_sftp_server" {
  ami                         = "ami-0e2c8caa4b6378d8c"
  instance_type               = "t2.micro"
  key_name                    = "manthantestsftpkeypair"
  subnet_id                   = data.aws_subnet.selected_subnet.id
  vpc_security_group_ids      = [aws_security_group.sftp_sg.id]
  associate_public_ip_address = false # the public address comes from the Elastic IP below
  iam_instance_profile        = aws_iam_instance_profile.ec2_s3_access_profile.name

  tags = {
    Name = "manthantestenvsftpserver"
  }

  user_data = <<-EOF
    #!/bin/bash
    # cloud-init runs this as root, so sudo is not needed; stop on the first error
    set -e
    apt-get update -y
    apt-get install -y openssh-server s3fs

    # Add SFTP user and group (no login shell; the Match block below limits the
    # user to internal-sftp)
    groupadd manthan_test_sftp_user_group
    useradd -m -G manthan_test_sftp_user_group -s /usr/sbin/nologin manthan_test_sftp_user
    # Note: user data is readable through the EC2 API, so a password set here is
    # not secret; key-based authentication is preferable outside a test environment.
    echo "manthan_test_sftp_user:Manthan#$%^&*m" | chpasswd

    # Enable password authentication for sshd. Ubuntu images that ship
    # /etc/ssh/sshd_config.d/*.conf include it before the options below, and sshd
    # keeps the first value it sees, so that drop-in has to be aligned as well.
    sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config.d/*.conf 2>/dev/null || true
    sed -i '/#PermitEmptyPasswords no/a PasswordAuthentication yes\nChallengeResponseAuthentication yes' /etc/ssh/sshd_config

    # Restrict the SFTP group to a chroot with no shell, port forwarding or X11
    cat >> /etc/ssh/sshd_config <<'SSHD'
    Match Group manthan_test_sftp_user_group
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no
    SSHD

    # ChrootDirectory requires the chroot root to be owned by root and not
    # writable by anyone else; only uploads stays writable by the SFTP user
    chown root:root /home/manthan_test_sftp_user
    chmod 755 /home/manthan_test_sftp_user
    mkdir -p /home/manthan_test_sftp_user/uploads
    chown manthan_test_sftp_user:manthan_test_sftp_user_group /home/manthan_test_sftp_user/uploads

    # Validate the new configuration before restarting sshd
    sshd -t
    systemctl enable ssh
    systemctl restart ssh

    # Mount the S3 bucket on the uploads directory. uid/gid make the SFTP user,
    # not root (the mounting process), the owner of the mounted tree.
    echo "manthantestenvsftp:/ /home/manthan_test_sftp_user/uploads fuse.s3fs _netdev,allow_other,iam_role=auto,nonempty,uid=$(id -u manthan_test_sftp_user),gid=$(getent group manthan_test_sftp_user_group | cut -d: -f3),umask=0022 0 0" >> /etc/fstab
    mount -a
  EOF
}

# Allocate Elastic IP
resource "aws_eip" "manthan_sftp_eip" {
  instance = aws_instance.manthan_sftp_server.id
}

output "instance_public_ip" {
  value = aws_eip.manthan_sftp_eip.public_ip
}
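The two points a reviewer would flag in the configuration above (port 22 open to 0.0.0.0/0, and a password set inside user_data, which anyone allowed to call ec2:DescribeInstanceAttribute can read) can be caught before terraform apply. The pre-apply audit below is an added example, not part of the original post or script; it uses regexes over raw HCL rather than a real parser and assumes one cidr_blocks line per ingress block and a heredoc user_data.

```python
import re

# Constructed excerpt mirroring the page's security group and user_data (sample password is made up)
SAMPLE_HCL = '''
resource "aws_security_group" "sftp_sg" {
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_instance" "sftp_server" {
  user_data = <<-EOF
    #!/bin/bash
    echo "sftp_user:ExamplePassw0rd" | chpasswd
    sed -i '/#PermitEmptyPasswords no/a PasswordAuthentication yes' /etc/ssh/sshd_config
  EOF
}
'''

INGRESS_RE = re.compile(r"ingress\s*\{(.*?)\}", re.S)            # body of each ingress block
HEREDOC_RE = re.compile(r"user_data\s*=\s*<<-?(\w+)\n(.*?)\n\s*\1", re.S)  # heredoc user_data script

def _attr(block, name):
    """Raw value of `name = ...` inside one HCL block, or None if absent."""
    m = re.search(rf"\b{name}\s*=\s*(.+)", block)
    return m.group(1).strip() if m else None

def open_ssh_ingress(hcl):
    """(from_port, to_port) of every ingress rule exposing port 22 to 0.0.0.0/0."""
    hits = []
    for body in INGRESS_RE.findall(hcl):
        lo, hi = _attr(body, "from_port"), _attr(body, "to_port")
        if lo and hi and int(lo) <= 22 <= int(hi) and "0.0.0.0/0" in (_attr(body, "cidr_blocks") or ""):
            hits.append((int(lo), int(hi)))
    return hits

def user_data_findings(hcl):
    """Secrets and weak sshd settings in user_data, which is readable via the EC2 API."""
    findings = []
    for _, script in HEREDOC_RE.findall(hcl):
        if re.search(r"\|\s*(sudo\s+)?chpasswd", script):
            findings.append("plaintext password piped to chpasswd in user_data")
        if re.search(r"PasswordAuthentication\s+yes", script):
            findings.append("sshd PasswordAuthentication enabled; prefer key-based auth")
    return findings

def audit(hcl):
    return [f"port 22 open to 0.0.0.0/0 via ingress {lo}-{hi}" for lo, hi in open_ssh_ingress(hcl)] + user_data_findings(hcl)
```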

Interested in the full script or looking for guidance on similar setups? Feel free to connect or drop a message! Let's share knowledge and grow together.

#Terraform #AWS #CloudComputing #DevOps #IaC #SFTP #InfrastructureManagement
