Cloudformation - Log group option in sftp template

0

Hello Team,

I ran the CloudFormation template to create an SFTP server via AWS Transfer Family, but the log group did not get created. I cannot find any parameter in the AWS CloudFormation base template to create the log group. Could you please help me with what needs to be added to the template so that the log group also gets created? The current template is as below:

AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Template for SFTP Server
Parameters:
  Domain:
    Description: AWS Storage Service to store and access your data over the selected protocols
    Type: String
    AllowedValues:
      - EFS
      - S3
    Default: S3
  EndpointType:
    Description: Select whether the endpoint will be publicly accessible or hosted inside your VPC
    Type: String
    AllowedValues:
      - PUBLIC
      - VPC
      - VPC_ENDPOINT
    Default: PUBLIC
  IdentityProviderType:
    Description: An identity provider manages user access for authentication and authorization
    Type: String
    AllowedValues:
      - API_GATEWAY
      - AWS_DIRECTORY_SERVICE
      - AWS_LAMBDA
      - SERVICE_MANAGED
    Default: SERVICE_MANAGED
  Protocols:
    Description: file transfer protocols over which clients can connect to your server's endpoint
    Type: String
    AllowedValues:
      - SFTP
      - FTPS
      - FTP
      - AS2
    Default: SFTP
  ServerName:
    Description: Name of sftp server
    Type: String
  CustomeHostNameType:
    Description: custom alias for server endpoint
    Type: String
    AllowedValues:
      - transfer:route53HostedZoneId
      - transfer:customHostname
      - CustomHostName
    Default: CustomHostName
  CustomHostName:
    Description: custom host name
    Type: String
    Default: None
  IAMRoleName:
    Description: Name of IAM Role
    Type: String
    Default: sftp-service-role
  PolicyName:
    Description: Name of IAM Policy
    Type: String
    Default: sftp-s3-bucketpolicy-<bucket name>
  BucketName:
    Description: Name of S3 Bucket
    Type: String
Resources:
  MySFTPServer:
    Type: AWS::Transfer::Server
    Properties:
      Domain: !Ref 'Domain'
      EndpointType: !Ref 'EndpointType'
      IdentityProviderType: !Ref 'IdentityProviderType'
      Protocols:
        - !Ref 'Protocols'
      Tags:
        - Key: Name
          Value: !Ref 'ServerName'
        - Key: CustomeHostNameType
          Value: !Ref 'CustomHostName'
  MyIAMRole:
    Type: AWS::IAM::Role
    DependsOn: MyS3Bucket
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: IAM role
      RoleName: !Ref 'IAMRoleName'
      Policies:
        - PolicyName: !Ref 'PolicyName'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource:
                  - arn:aws:s3:::<bucket name>
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:DeleteObject
                Resource:
                  - arn:aws:s3:::<bucket name>/*
  MyS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref 'BucketName'
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True
      VersioningConfiguration:
        Status: Enabled
Tausif
asked 6 months ago · 636 views
2 Answers
0

Hello.

Maybe you need to specify "LoggingRole"?
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-server.html#cfn-transfer-server-loggingrole

The required IAM policies are described in the following documents.
https://docs.aws.amazon.com/transfer/latest/userguide/monitoring.html#monitoring-enabling

I think CloudFormation would be as follows.

Resources:
  SFTPIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: IAM role
      RoleName: Transfer-log-role
      Policies:
        - PolicyName: !Ref 'PolicyName'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogDelivery
                  - logs:GetLogDelivery
                  - logs:UpdateLogDelivery
                  - logs:DeleteLogDelivery
                  - logs:ListLogDeliveries
                  - logs:PutResourcePolicy
                  - logs:DescribeResourcePolicies
                  - logs:DescribeLogGroups
                Resource:
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/transfer/*

  MySFTPServer:
    Type: AWS::Transfer::Server
    Properties:
      Domain: !Ref 'Domain'
      EndpointType: !Ref 'EndpointType'
      LoggingRole: !GetAtt SFTPIAMRole.Arn
      IdentityProviderType: !Ref 'IdentityProviderType'
      Protocols:
        - !Ref 'Protocols'
      Tags:
        - Key: Name
          Value: !Ref 'ServerName'
        - Key: CustomeHostNameType
          Value: !Ref 'CustomHostName'
EXPERT
answered 6 months ago
  • I tried the above CFN, but the log group is still not visible. I can only see the logging role; I am not sure how to attach the log group to it. Manually, we can select the option for creating a new log group, but for CloudFormation that option does not seem to be available.

0

I tried the above CFN, but the log group is still not visible. I can only see the logging role; I am not sure how to attach the log group to it. Manually, we can select the option for creating a new log group, but for CloudFormation that option does not seem to be available.

Tausif
answered 6 months ago
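An added example (not from the question or either answer) showing one way to make the log group an explicit stack resource and wire it to the server. It keeps the LoggingRole approach from the first answer and adds an AWS::Logs::LogGroup that is passed to the server through the StructuredLogDestinations property, so the group is created together with the stack instead of being created by the service on its own when it first has something to log. Assumed: the Parameters block from the question (Domain, EndpointType, IdentityProviderType, Protocols, ServerName) is present; the log group name, the retention period and the policy name are constructed for this example; the role's policy grants the CloudWatch Logs write actions needed to create streams and put events under /aws/transfer/.

```yaml
# Added example, not part of the original question or answers.
# Assumes the Parameters block from the question is present in the same template.
Resources:
  # The log group becomes a stack resource, so it is visible as soon as the stack is created.
  SFTPLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      # Transfer Family log groups live under /aws/transfer/; the suffix is a constructed name
      LogGroupName: !Sub '/aws/transfer/${ServerName}'
      RetentionInDays: 90   # constructed value; set it to your retention requirement

  SFTPLoggingRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: transfer.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only Transfer servers in this account may assume the role
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: transfer-cloudwatch-logging   # constructed name
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:PutLogEvents
                # Scoped to the Transfer Family log group prefix, not logs:* on all groups
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/transfer/*'

  MySFTPServer:
    Type: AWS::Transfer::Server
    Properties:
      Domain: !Ref Domain
      EndpointType: !Ref EndpointType
      IdentityProviderType: !Ref IdentityProviderType
      Protocols:
        - !Ref Protocols
      LoggingRole: !GetAtt SFTPLoggingRole.Arn
      # Explicit destination: the server sends structured (JSON) logs to the group created above
      StructuredLogDestinations:
        - !GetAtt SFTPLogGroup.Arn
      Tags:
        - Key: Name
          Value: !Ref ServerName
```

Two points worth checking when you deploy this: the structured-log destination is set up through CloudWatch Logs log delivery, so the identity that creates or updates the stack (not the server's logging role) is the one that needs the logs:CreateLogDelivery / logs:PutResourcePolicy family of permissions listed in the first answer; and once the stack is up, a login attempt against the server should produce a stream in the named group, which is the quickest way to confirm the role and destination are wired correctly.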
