CloudFormation - Log group option in SFTP template

0

Hello Team,

I ran the CloudFormation template to create an SFTP server via AWS Transfer Family, but the log group did not get created. I cannot find any parameter in the AWS CloudFormation base template to create the log group. Could you please help me with what needs to be added to the template so that the log group also gets created? The current template is as below:

AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Template for SFTP Server
Parameters:
  Domain:
    Description: AWS storage service used to store and access your data over the selected protocols
    Type: String
    AllowedValues:
      - EFS
      - S3
    Default: S3
  EndpointType:
    Description: Select whether the endpoint will be publicly accessible or hosted inside your VPC
    Type: String
    AllowedValues:
      - PUBLIC
      - VPC
      - VPC_ENDPOINT
    Default: PUBLIC
  IdentityProviderType:
    Description: An identity provider manages user access for authentication and authorization
    Type: String
    AllowedValues:
      - API_GATEWAY
      - AWS_DIRECTORY_SERVICE
      - AWS_LAMBDA
      - SERVICE_MANAGED
    Default: SERVICE_MANAGED
  Protocols:
    Description: File transfer protocol over which clients can connect to your server's endpoint
    Type: String
    AllowedValues:
      - SFTP
      - FTPS
      - FTP
      - AS2
    Default: SFTP
  ServerName:
    Description: Name of the SFTP server
    Type: String
  CustomHostNameType:
    Description: Tag key used for the custom alias of the server endpoint
    Type: String
    AllowedValues:
      - transfer:route53HostedZoneId
      - transfer:customHostname
      - CustomHostName
    Default: CustomHostName
  CustomHostName:
    Description: Custom host name
    Type: String
    Default: None
  IAMRoleName:
    Description: Name of the IAM role
    Type: String
    Default: sftp-service-role
  PolicyName:
    Description: Name of the inline IAM policy (only letters, digits and +=,.@- are allowed)
    Type: String
    Default: sftp-s3-bucket-policy
  BucketName:
    Description: Name of the S3 bucket
    Type: String
Resources:
  MySFTPServer:
    Type: AWS::Transfer::Server
    Properties:
      Domain: !Ref Domain
      EndpointType: !Ref EndpointType
      IdentityProviderType: !Ref IdentityProviderType
      Protocols:
        - !Ref Protocols
      Tags:
        - Key: Name
          Value: !Ref ServerName
        # The tag key comes from the CustomHostNameType parameter (it was
        # declared but never referenced), the value from CustomHostName.
        - Key: !Ref CustomHostNameType
          Value: !Ref CustomHostName
  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: IAM role assumed by Transfer Family to access the S3 bucket
      RoleName: !Ref IAMRoleName
      Policies:
        - PolicyName: !Ref PolicyName
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Bucket ARNs are taken from the bucket resource instead of a
              # "<bucket name>" placeholder; the reference also orders creation
              # after the bucket, so no explicit DependsOn is needed.
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource:
                  - !GetAtt MyS3Bucket.Arn
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:DeleteObject
                Resource:
                  - !Sub '${MyS3Bucket.Arn}/*'
  MyS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
2 answers
0

Hello.

Maybe you need to specify "LoggingRole"?
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-server.html#cfn-transfer-server-loggingrole

The required IAM policies are described in the following document.
https://docs.aws.amazon.com/transfer/latest/userguide/monitoring.html#monitoring-enabling

I think the CloudFormation would be as follows.

Resources:
  SFTPIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: IAM role assumed by Transfer Family to write server logs to CloudWatch Logs
      RoleName: Transfer-log-role
      Policies:
        - PolicyName: transfer-logging-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # These are the actions the logging role itself needs in order to
              # create /aws/transfer/<server-id> and write to it. The
              # logs:CreateLogDelivery / logs:PutResourcePolicy family from the
              # linked document is granted to the principal that creates or
              # updates the server (e.g. the CloudFormation role), not to this role.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource:
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/transfer/*

  MySFTPServer:
    Type: AWS::Transfer::Server
    Properties:
      Domain: !Ref Domain
      EndpointType: !Ref EndpointType
      LoggingRole: !GetAtt SFTPIAMRole.Arn
      IdentityProviderType: !Ref IdentityProviderType
      Protocols:
        - !Ref Protocols
      Tags:
        - Key: Name
          Value: !Ref ServerName
        - Key: CustomHostNameType
          Value: !Ref CustomHostName
Expert
answered 6 months ago
  • I tried the above CFN, but the log group is still not visible. I can only see the logging role; I am not sure how to attach the log group to it. Manually, we can select the option for creating a new log group, but for CloudFormation that option does not seem to be available.
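The LoggingRole above only lets the service create `/aws/transfer/<server-id>` on demand, which is why no log group shows up in the stack. If the log group itself should be a stack resource, declare an `AWS::Logs::LogGroup` and hand its ARN to the server through the `StructuredLogDestinations` property. The template below is an added example, not code from the original question, the answer, or an AWS sample; the resource names (`TransferLogGroup`, `TransferLoggingRole`, `SftpServer`), the log group name and the 90-day retention are assumptions, and the server settings are hard-coded to keep the example short.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Added example: Transfer Family SFTP server whose CloudWatch log group is
  created and retained by the stack itself (names and retention are assumed).
Parameters:
  LogRetentionDays:
    Description: Retention for the server log group (assumed value)
    Type: Number
    Default: 90
Resources:
  # Explicit log group: exists as soon as the stack is created, has a fixed
  # retention, and is deleted with the stack. Name is an assumption.
  TransferLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/transfer/sftp-server-structured
      RetentionInDays: !Ref LogRetentionDays

  # Role assumed by the Transfer Family service for the legacy (non-JSON)
  # logs, scoped to /aws/transfer/* instead of "*".
  TransferLoggingRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: transfer.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: transfer-cloudwatch-logging
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/transfer/*

  SftpServer:
    Type: AWS::Transfer::Server
    Properties:
      Domain: S3
      EndpointType: PUBLIC
      IdentityProviderType: SERVICE_MANAGED
      Protocols:
        - SFTP
      LoggingRole: !GetAtt TransferLoggingRole.Arn
      # Structured JSON logging into the log group declared above.
      # The identity that deploys this stack (not the logging role) needs the
      # logs:CreateLogDelivery / logs:PutResourcePolicy permissions listed in
      # the monitoring document, because the service attaches a log delivery
      # and a resource policy to the group when the server is created.
      StructuredLogDestinations:
        - !GetAtt TransferLogGroup.Arn

Outputs:
  ServerId:
    Value: !GetAtt SftpServer.ServerId
  LogGroupArn:
    Value: !GetAtt TransferLogGroup.Arn
```

After deployment, `aws logs describe-log-groups --log-group-name-prefix /aws/transfer/` should list the group immediately, before any user has connected. Keeping the group as a stack resource also means retention is reviewable in code: these logs record usernames, source IP addresses and file paths, so set `LogRetentionDays` to match your retention policy rather than leaving the group to grow without limit.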

0

I tried the above CFN, but the log group is still not visible. I can only see the logging role; I am not sure how to attach the log group to it. Manually, we can select the option for creating a new log group, but for CloudFormation that option does not seem to be available.

Tausif
answered 6 months ago
