
aws_transfer_server: allow security group #19872

Closed
ecerulm opened this issue Jun 17, 2021 · 2 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/transfer Issues and PRs that pertain to the transfer service.

Comments


ecerulm commented Jun 17, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

In the AWS console, when you create an AWS Transfer Server and select:

  • SFTP
  • Endpoint type: VPC Hosted (access controlled using security groups)
  • Access: internal
  • VPC: xxx
  • AZ subnet

you are presented with a box for the security groups:
[screenshot of the security groups box, taken 2021-06-17]

But that is not possible with the resource "aws_transfer_server" (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/transfer_server#endpoint_details)
as far as I know. When you use endpoint_type = "VPC" there is no way to specify the security group

So that is very unfortunate, because there is no good way to add the security group afterwards to the actual VPC endpoint that is created (under the hood) via the aws_transfer_server resource.

The current alternative / workaround is to:

  • Create the aws_transfer_server
  • Look up in the AWS console / aws cli / api the vpc endpoint that was created / associated with the aws transfer server
  • Add the security group to that vpc endpoint, either:
      • manually via aws console / aws cli / etc.
      • by creating / importing an aws_vpc_endpoint resource and adding the security group there.

Also, on a related note, the aws_transfer_server will NOT expose the aws_vpc_endpoint's id or service name as an attribute either (having it exposed would at least make it easier to get a reference to the vpc endpoint in a terraform output).

New or Affected Resource(s)

  • aws_transfer_server

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

resource "aws_transfer_server" "example" {
  tags = {
    Name = "example"
  }
  security_policy_name = "TransferSecurityPolicy-2020-06"
  endpoint_details {
    subnet_ids = data.terraform_remote_state.networking.outputs.shared_services_private_subnets
    vpc_id = data.terraform_remote_state.networking.outputs.shared_services_vpc_id
    security_groups = [xxxx, yyy] # This DOES NOT EXIST YET
  }

  protocols = ["SFTP"]
  domain = "S3"
  endpoint_type = "VPC"
  identity_provider_type = "SERVICE_MANAGED"
  logging_role = module.iam-role-cw-logging.iam_role_arn
}

References
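The workaround described above (look up the VPC endpoint that AWS Transfer created for the server, then attach security groups to it), as an added shell script that is not from the issue or the provider. It assumes AWS CLI v2 with credentials for the account; the server id and security group ids are supplied by the caller, and the `aws` command can be shadowed by a function for offline testing.

```shell
#!/bin/sh
# Added example (not from the issue or the provider): attach security groups to
# the VPC endpoint behind a VPC-hosted AWS Transfer server.
# Assumes AWS CLI v2 with credentials; server-id and sg-ids come from the caller.
set -eu

# Return the VPC endpoint id AWS Transfer created for the server
# (empty or "None" when the server is not VPC-hosted).
transfer_vpc_endpoint_id() {
  aws transfer describe-server \
    --server-id "$1" \
    --query 'Server.EndpointDetails.VpcEndpointId' \
    --output text
}

# Add security groups to the endpoint; existing groups stay attached.
attach_security_groups() {
  endpoint_id="$1"; shift
  aws ec2 modify-vpc-endpoint \
    --vpc-endpoint-id "$endpoint_id" \
    --add-security-group-ids "$@"
}

# List the group ids now attached, so the change can be verified.
endpoint_security_groups() {
  aws ec2 describe-vpc-endpoints \
    --vpc-endpoint-ids "$1" \
    --query 'VpcEndpoints[0].Groups[].GroupId' \
    --output text
}

# Usage: attach_transfer_server_sgs <server-id> <sg-id>...
# Fails (exit 1) when the server has no VPC endpoint to attach groups to.
attach_transfer_server_sgs() {
  server_id="${1:?usage: attach_transfer_server_sgs <server-id> <sg-id>...}"
  shift
  ep="$(transfer_vpc_endpoint_id "$server_id")"
  if [ -z "$ep" ] || [ "$ep" = "None" ]; then
    echo "server $server_id has no VPC endpoint (endpoint_type is not VPC?)" >&2
    return 1
  fi
  attach_security_groups "$ep" "$@"
  endpoint_security_groups "$ep"
}
```

Source the file and call `attach_transfer_server_sgs s-<placeholder> sg-<placeholder>`; the printed group list confirms the endpoint now carries the intended groups.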

@ecerulm ecerulm added the enhancement Requests to existing resources that expand the functionality or scope. label Jun 17, 2021
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/transfer Issues and PRs that pertain to the transfer service. labels Jun 17, 2021
@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Jun 17, 2021
@ewbankkit (Contributor) commented:

@ecerulm Thanks for raising this issue.
It has already been noticed in #15788. I'm going to close this one as a duplicate so that we can concentrate discussion in the linked issue.
Please add any additional comments there.

@github-actions (bot) commented:

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 18, 2021