AWS::Transfer::Server - AWS CloudFormation

AWS::Transfer::Server

The AWS::Transfer::Server resource instantiates an autoscaling virtual server based on a file transfer protocol in AWS. When you make updates to your server or when you work with users, use the service-generated ServerId property that is assigned to the newly created server.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::Transfer::Server", "Properties" : { "Certificate" : String, "EndpointDetails" : EndpointDetails, "EndpointType" : String, "IdentityProviderDetails" : IdentityProviderDetails, "IdentityProviderType" : String, "LoggingRole" : String, "Protocols" : [ Protocol, ... ], "Tags" : [ Tag, ... ] } }

Properties

Certificate

The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. Required when Protocols is set to FTPS.

To request a new public certificate, see Request a public certificate in the AWS Certificate Manager User Guide.

To import an existing certificate into ACM, see Importing certificates into ACM in the AWS Certificate Manager User Guide.

To request a private certificate to use FTPS through private IP addresses, see Creating and managing a Private CA in the AWS Certificate Manager User Guide.

Certificates with the following cryptographic algorithms and key sizes are supported:

  • 2048-bit RSA (RSA_2048)

  • 4096-bit RSA (RSA_4096)

  • Elliptic Prime Curve 256 bit (EC_prime256v1)

  • Elliptic Prime Curve 384 bit (EC_secp384r1)

  • Elliptic Prime Curve 521 bit (EC_secp521r1)

Note

The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

Required: No

Type: String

Maximum: 1600

Update requires: No interruption

EndpointDetails

The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make it accessible only to resources within your VPC, or you can attach Elastic IPs and make it accessible to clients over the internet. You VPC's default security groups are automatically assigned to your endpoint.

Required: No

Type: EndpointDetails

Update requires: No interruption

EndpointType

The type of VPC endpoint that you want your server to connect to. You can choose to connect to the public internet or a virtual private cloud (VPC) endpoint. With a VPC endpoint, you can restrict access to your server and resources only within your VPC.

Note

It is recommended that you use VPC as the EndpointType. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType set to VPC_ENDPOINT.

Required: Conditional

Type: String

Allowed values: PUBLIC | VPC | VPC_ENDPOINT

Update requires: No interruption

IdentityProviderDetails

Required when IdentityProviderType is set to API_GATEWAY. Accepts an array containing all of the information required to call a customer-supplied authentication API, including the API Gateway URL. Not required when IdentityProviderType is set to SERVICE_MANAGED.

Required: No

Type: IdentityProviderDetails

Update requires: No interruption

IdentityProviderType

Specifies the mode of authentication for a file transfer protocol-enabled server. The default value is SERVICE_MANAGED, which allows you to store and access user credentials within the AWS Transfer Family service. Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an API Gateway endpoint URL to call for authentication using the IdentityProviderDetails parameter.

Required: No

Type: String

Allowed values: API_GATEWAY | SERVICE_MANAGED

Update requires: Replacement

LoggingRole

Allows the service to write your users' activity to your Amazon CloudWatch logs for monitoring and auditing purposes.

Required: No

Type: String

Minimum: 20

Maximum: 2048

Pattern: arn:.*role/.*

Update requires: No interruption

Protocols

Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint.

Required: No

Type: List of Protocol

Maximum: 3

Update requires: No interruption

Tags

Key-value pairs that can be used to group and search for file transfer protocol-enabled servers.

Required: No

Type: List of Tag

Maximum: 50

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ServerId, such as s-01234567890abcdef, and the server ARN, such as arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The Amazon Resource Name associated with the server, in the form arn:aws:transfer:region:account-id:server/server-id/.

An example of a server ARN is: arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef.

ServerId

The service-assigned ID of the server that is created.

An example ServerId is s-01234567890abcdef.

Examples

Create a server with VPC endpoint type

The following example creates a new file transfer protocol-enabled server using a VPC endpoint type.

JSON

{ "MyTransferServer": { "Type": "AWS::Transfer::Server", "Properties": { "EndpointDetails": { "AddressAllocationIds": [ { "Ref": "MyTransferServerAddressAllocationId01" }, { "Ref": "MyTransferServerAddressAllocationId02" } ], "SubnetIds": [ { "Ref": "MyTransferServerSubnet01" }, { "Ref": "MyTransferServerSubnet02" } ] }, "EndpointType": "VPC", "IdentityProviderDetails": { "InvocationRole": { "Ref": "MyTransferServerIdentityProviderInvocationRole" }, "Url": { "Ref": "MyTransferServerIdentityProviderUrl" } }, "IdentityProviderType": "API_GATEWAY", "LoggingRole": { "Ref": "MyTransferServerLoggingRole" }, "Tags": [ { "Key": "Name", "Value": "MyTransferServer" } ] } } }

YAML

MyTransferServer: Type : AWS::Transfer::Server Properties : EndpointDetails: AddressAllocationIds: - Ref: MyTransferServerAddressAllocationId01 - Ref: MyTransferServerAddressAllocationId02 SubnetIds: - Ref: MyTransferServerSubnet01 - Ref: MyTransferServerSubnet02 EndpointType: VPC IdentityProviderDetails: InvocationRole: Ref: MyTransferServerIdentityProviderInvocationRole Url: Ref: MyTransferServerIdentityProviderUrl IdentityProviderType: API_GATEWAY LoggingRole: Ref: MyTransferServerLoggingRole Tags: - Key: Name Value: MyTransferServer

See also

CreateServer in the AWS Transfer Family User Guide.