AWS Transfer Server: Attach VPC security groups at creation #15788

Closed
ewbankkit opened this issue Oct 22, 2020 · 22 comments · Fixed by #17539
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/transfer Issues and PRs that pertain to the transfer service.

Comments

@ewbankkit
Contributor

ewbankkit commented Oct 22, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

You can now attach multiple security groups to a server in a VPC.

New or Affected Resource(s)

Potential Terraform Configuration

resource "aws_transfer_server" "example" {
  endpoint_details {
    security_group_ids = [aws_security_group.example_1.id, aws_security_group.example_2.id]
  }
}

References

User Guide.

Requires AWS SDK v1.35.8:

Related:

Note:

You can edit the SecurityGroupIds property in the UpdateServer API only if you are changing the EndpointType from PUBLIC or VPC_ENDPOINT to VPC. To change security groups associated with your server's VPC endpoint after creation, use the Amazon EC2 ModifyVpcEndpoint API.

@ewbankkit ewbankkit added the enhancement Requests to existing resources that expand the functionality or scope. label Oct 22, 2020
@ghost ghost added the service/transfer Issues and PRs that pertain to the transfer service. label Oct 22, 2020
@rodrigdav

Any update on when this will be available?

@amadureira
Contributor

Hi @rodrigdav,

I have opened a PR 17496.

@rodrigdav

rodrigdav commented Feb 6, 2021 via email

@amadureira
Contributor

Hi @rodrigdav and @Zordrak,

I checked my PR and found some problems. I will fix them. You could use my provider; see this configuration below:

source = "amadureira/aws"
version = "3.26.18"

@amadureira
Contributor

Hi @ewbankkit, could you help me?

I closed PR 17496 because the branch's name is wrong. As mentioned in this doc, technical debt should start with the tb- prefix. I fixed other mistakes in this new PR 17539, but nobody has seen it. I don't know if I did something wrong.

Thanks for your help. 

@redspeedy83

Any news?

@GryshchenkoAndrii

Really interested in this functionality. AWS CloudFormation supports it; would love support from the Terraform side as well.

@amadureira
Contributor

Hi Guys,

I've applied the @ewbankkit recommendations.

I forgot to mark that it is done. I'll do it now!

@rodrigdav

rodrigdav commented Mar 11, 2021 via email

@sandeep3866

Any update on this? I don't see this feature supported yet. Looking for some response, thanks.

@ashish30jain

ashish30jain commented Apr 12, 2021

Can we have this released sooner? It's tweaky to update the security group on the endpoint without this.

@pspot2

pspot2 commented Apr 13, 2021

How should security groups be assigned in the meanwhile? After server creation (with the default SG), get to the VPC endpoint that was created and update the SGs there?

@MBarendregt

Yep, that is how I do it. I invoke a custom Python script in TF to do that for me, so it feels somewhat automated still :)

@armanbaghajyan

When will this be available?

@jipumarino

jipumarino commented Apr 15, 2021

@MBarendregt how do you do that? When I try creating a VPC-hosted Transfer server Terraform just hangs. TF_LOG=debug shows these errors:

Transfer/CreateServer failed, attempt 3/25, error InternalServiceError: Error calling CreateVpcEndpoint: An internal error has occurred

This is the config I'm trying it with:

resource "aws_transfer_server" "test_vpc" {
  endpoint_type = "VPC"
  endpoint_details {
    subnet_ids = [...]
    vpc_id     = ...
  }
}

Edit: actually, never mind. I think I have this figured out, it has to do with our VPC config.

@quentin9696

Hi,

I'm also blocked by this feature. With this, it is impossible to create a transfer server using a shared VPC.

In an AWS account without VPC sharing, I create a VPC endpoint, then I use VPC_ENDPOINT and attach my transfer server endpoint.

@rodrigdav

So I did this using the null_resource and calling out to the AWS CLI to add the security groups.

resource "null_resource" "update-vpc-endpoint-security-group" {
  provisioner "local-exec" {
    command = "aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${join("",aws_transfer_server.transfer_server_vpc.endpoint_details.*.vpc_endpoint_id)} --add-security-group-ids '${data.terraform_remote_state.VPC.outputs.Baseline_SG_ID}'"
  }
}

Hope that helps somebody.

@redspeedy83

Thanks, @rodrigdav.

We can use this workaround, but it would be interesting if resource "aws_transfer_server" could include this feature.

Any news about this?

Regards.

@massettim

Any news about it?

@ewbankkit
Contributor Author

This issue is on the current quarter's roadmap.

@ewbankkit
Contributor Author

This has been addressed via #17539 (thanks to @amadureira for getting the solution started) and should be available in v3.49.0 of the Terraform AWS Provider next week.
Note that the solution requires use of the EC2 DescribeVpcEndpoints and ModifyVpcEndpoint APIs for the Transfer Server VPC endpoint type, so IAM permissions should be modified appropriately - this is mentioned in the resource documentation.
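
The configuration below is an added example, not from the original issue and not the provider's or PR #17539's own code. It shows what the thread converges on once the provider supports it natively: a VPC-hosted server with two security groups attached at creation (replacing the null_resource / ModifyVpcEndpoint workaround posted earlier), security groups that only admit SFTP from a known client range, and the extra EC2 permissions the comment above says the provider needs. The VPC ID, subnet IDs and CIDR ranges are constructed placeholders; the provider version pin comes from the comment above.

```hcl
# Added example; not from the issue or the terraform-provider-aws repository.
# All IDs and CIDRs below are constructed placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.49.0" # first release with endpoint_details.security_group_ids
    }
  }
}

variable "vpc_id" {
  default = "vpc-0123456789abcdef0" # placeholder
}

variable "subnet_ids" {
  default = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] # placeholders
}

# Least-privilege ingress: SFTP only, from one named client range per group.
# No egress block is needed: the VPC endpoint's security groups are stateful,
# so return traffic for accepted SFTP sessions is allowed automatically.
resource "aws_security_group" "sftp_corp" {
  name        = "transfer-sftp-corp"
  description = "SFTP from corporate range to Transfer VPC endpoint"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # TEST-NET-3, placeholder client range
  }
}

resource "aws_security_group" "sftp_partner" {
  name        = "transfer-sftp-partner"
  description = "SFTP from partner range to Transfer VPC endpoint"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["198.51.100.0/24"] # TEST-NET-2, placeholder partner range
  }
}

# Both groups are attached at creation; no post-apply ModifyVpcEndpoint call needed.
resource "aws_transfer_server" "example" {
  endpoint_type = "VPC"

  endpoint_details {
    vpc_id             = var.vpc_id
    subnet_ids         = var.subnet_ids
    security_group_ids = [
      aws_security_group.sftp_corp.id,
      aws_security_group.sftp_partner.id,
    ]
  }
}

# The provider reads and changes the endpoint's groups through EC2, so the
# principal running terraform needs these actions alongside its transfer:* rights.
# DescribeVpcEndpoints supports no resource-level scoping; ModifyVpcEndpoint can be
# narrowed to the endpoint ARN once it is known.
data "aws_iam_policy_document" "transfer_endpoint_sg" {
  statement {
    sid       = "TransferServerEndpointSecurityGroups"
    actions   = ["ec2:DescribeVpcEndpoints", "ec2:ModifyVpcEndpoint"]
    resources = ["*"]
  }
}

output "transfer_vpc_endpoint_id" {
  # Same attribute the CLI workaround in this thread joined over; useful for audits.
  value = aws_transfer_server.example.endpoint_details[0].vpc_endpoint_id
}
```

Design note: with the groups declared in the resource, a later change to `security_group_ids` is reconciled by the provider's own DescribeVpcEndpoints/ModifyVpcEndpoint calls rather than by an out-of-band CLI step, so drift between the Terraform state and the endpoint's actual security groups is visible in `terraform plan` instead of being hidden behind a null_resource.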

@github-actions

github-actions bot commented Aug 2, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 2, 2021