Assign aws_transfer_server with VPC endpoint_type to network load balancer

In our current setup we use an aws_transfer_server with endpoint_type VPC_ENDPOINT. The VPC endpoint is connected to an NLB. This looks like this:

resource "aws_vpc_endpoint" "vpc_endpoint" {
  vpc_id              = var.vpc_id
  vpc_endpoint_type   = "Interface"
  service_name        = "com.amazonaws.${var.region}.transfer.server"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.vpc_endpoint.id]
}

resource "aws_transfer_server" "sftp-server" {
  identity_provider_type = "SERVICE_MANAGED"
  endpoint_type          = "VPC_ENDPOINT"

  endpoint_details {
    vpc_endpoint_id = aws_vpc_endpoint.vpc_endpoint.id
  }
}

data "aws_network_interface" "endpoint_nic_0" {
  count = length(var.subnet_ids) > 0 ? 1 : 0
  id    = reverse(sort(aws_vpc_endpoint.vpc_endpoint.network_interface_ids))[0]
}

resource "aws_alb_target_group_attachment" "target_group_attachment_0" {
  count            = length(var.subnet_ids) > 0 ? 1 : 0
  target_group_arn = aws_lb_target_group.nlb_target_group[0].arn
  target_id        = data.aws_network_interface.endpoint_nic_0[0].private_ip
}

The target group is connected to the NLB.

Now I would like to move the aws_transfer_server to an endpoint_type VPC as recommended by AWS. For existing setups we would like to retain the NLB as the single point of access, though, because there is an IP whitelisting in place. I update the existing transfer_server as described below and make the vpc_endpoint creation conditional on the provided endpoint_type.

resource "aws_transfer_server" "sftp-server" {
  identity_provider_type = "SERVICE_MANAGED"
  logging_role           = aws_iam_role.logger.arn
  endpoint_type          = var.endpoint_type

  dynamic "endpoint_details" {
    for_each = var.endpoint_type == "VPC_ENDPOINT" ? [1] : []
    content {
      vpc_endpoint_id = aws_vpc_endpoint.vpc_endpoint[0].id
    }
  }

  dynamic "endpoint_details" {
    for_each = var.endpoint_type == "VPC" ? [1] : []
    content {
      subnet_ids = var.subnet_ids
      vpc_id = var.vpc_id
    }
  }
}

Is there any way I can either provide the intended private IP addresses to the aws_transfer_server by keeping the VPC endpoint, or extract the private IP addresses of the aws_transfer_server after its creation to attach them to my target group? I considered the address_allocation_ids parameter in endpoint_details, but did not find any examples or additional documentation on how to use them.

My goal is that the aws_transfer_server registers the private IP addresses at the target group that is used by my NLB.
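The following is an added example, not code from the original post, showing the second option asked about above: letting AWS create the endpoint (endpoint_type = "VPC") and then reading the private IPs back after creation. It relies on the fact that with endpoint_type = "VPC" the provider exports the AWS-created endpoint's id as endpoint_details[0].vpc_endpoint_id, which data sources can then resolve to ENIs and private IPs. It assumes the same inputs as the question (var.vpc_id, var.subnet_ids, aws_iam_role.logger); the NLB and its listener are assumed to exist and are not shown. The address_allocation_ids argument is deliberately left out: it attaches Elastic IPs to make the endpoint internet-facing, which is the opposite of keeping the NLB as the only entry point.

```hcl
# Added example (not the original poster's code). Assumed inputs: var.vpc_id,
# var.subnet_ids and aws_iam_role.logger, as in the question.

resource "aws_transfer_server" "sftp-server" {
  identity_provider_type = "SERVICE_MANAGED"
  logging_role           = aws_iam_role.logger.arn
  endpoint_type          = "VPC"

  endpoint_details {
    vpc_id     = var.vpc_id
    subnet_ids = var.subnet_ids
    # No address_allocation_ids here: those attach Elastic IPs and make the
    # endpoint internet-facing, bypassing the NLB IP allowlist.
  }
}

# AWS creates the interface endpoint itself; the server exports its id.
data "aws_vpc_endpoint" "transfer" {
  id = aws_transfer_server.sftp-server.endpoint_details[0].vpc_endpoint_id
}

# One ENI is created per subnet in endpoint_details.subnet_ids. Using count
# over var.subnet_ids keeps the number of instances known at plan time even
# though the ENI ids themselves are only known after apply (for_each over the
# computed set would fail on the first plan).
data "aws_network_interface" "transfer" {
  count = length(var.subnet_ids)
  id    = sort(tolist(data.aws_vpc_endpoint.transfer.network_interface_ids))[count.index]
}

# Target group of type "ip": it registers the ENI private IPs, not instances.
resource "aws_lb_target_group" "sftp" {
  name        = "sftp-transfer"
  port        = 22
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id
}

# Register every endpoint ENI with the NLB target group.
resource "aws_lb_target_group_attachment" "sftp" {
  count            = length(var.subnet_ids)
  target_group_arn = aws_lb_target_group.sftp.arn
  target_id        = data.aws_network_interface.transfer[count.index].private_ip
  port             = 22
}

output "transfer_private_ips" {
  description = "Private IPs of the Transfer Family endpoint ENIs behind the NLB"
  value       = data.aws_network_interface.transfer[*].private_ip
}
```

The sort is only there to give the ENI ids a stable order between runs, so that count.index maps to the same ENI each plan. Because the attachments are keyed by count, changing var.subnet_ids later will shift indices and re-create attachments, which is the usual trade-off of count versus for_each when the keys are not known until apply.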

Hi @Steffen911 , have you found the solution for this? I’m facing the same issue

I’ve also just hit this issue!

Did either of you manage to find a solution?

Wouldn’t aws_transfer_server.endpoint work?