» Resource: aws_transfer_server

Provides an AWS Transfer Server resource.

resource "aws_iam_role" "foo" {
  name = "tf-test-transfer-server-iam-role"

  # Trust policy: only the Transfer service may assume this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "foo" {
  name = "tf-test-transfer-server-iam-policy"
  role = "${aws_iam_role.foo.id}"

  # The "logs:*" action is assumed here to match the statement's Sid
  # ("AllowFullAccesstoCloudWatchLogs"); scope it down for real deployments.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFullAccesstoCloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}

resource "aws_transfer_server" "foo" {
  identity_provider_type = "SERVICE_MANAGED"
  logging_role           = "${aws_iam_role.foo.arn}"

  tags = {
    NAME = "tf-acc-test-transfer-server"
    ENV  = "test"
  }
}

» Argument Reference

The following arguments are supported:

  • endpoint_details - (Optional) The virtual private cloud (VPC) endpoint settings that you want to configure for your SFTP server. Fields documented below.
  • endpoint_type - (Optional) The type of endpoint that you want your SFTP server to connect to. With VPC_ENDPOINT, your SFTP server is not accessible over the public internet. To expose your SFTP server on the public internet, set PUBLIC. Defaults to PUBLIC.
  • invocation_role - (Optional) Amazon Resource Name (ARN) of the IAM role used to authenticate the user account with an identity_provider_type of API_GATEWAY.
  • host_key - (Optional) RSA private key (e.g. as generated by the ssh-keygen -N "" -f my-new-server-key command).
  • url - (Optional) URL of the service endpoint used to authenticate users with an identity_provider_type of API_GATEWAY.
  • identity_provider_type - (Optional) The mode of authentication enabled for this service. The default value is SERVICE_MANAGED, which allows you to store and access SFTP user credentials within the service. API_GATEWAY indicates that user authentication requires a call to an API Gateway endpoint URL provided by you to integrate an identity provider of your choice.
  • logging_role - (Optional) Amazon Resource Name (ARN) of an IAM role that allows the service to write your SFTP users’ activity to your Amazon CloudWatch logs for monitoring and auditing purposes.
  • force_destroy - (Optional) A boolean indicating that all users associated with the server should be deleted so that the server can be destroyed without error. The default value is false.
  • tags - (Optional) A map of tags to assign to the resource.
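
The example below is an added one, not part of the original page or the provider's own documentation. It combines the arguments above into a configuration a security engineer would actually deploy: the server is reachable only through a VPC interface endpoint (endpoint_type = "VPC_ENDPOINT"), the logging role is limited to the CloudWatch Logs write actions scoped to this account's Transfer log groups instead of "logs:*" on "*", and the host key is read from a file kept out of the repository. Assumptions: Terraform 0.12+ syntax; the endpoint_details block's vpc_endpoint_id field and the VPC endpoint service name "com.amazonaws.REGION.transfer.server" are taken from the provider schema and AWS service naming rather than from this page; the log group prefix /aws/transfer/ and the four logs:* actions reflect the service's logging behaviour as I understand it; the variables vpc_id, subnet_ids, vpc_endpoint_sg_id and host_key_path are placeholders for your environment.

```hcl
# Added example: private Transfer server with a least-privilege logging role.
# Assumes Terraform 0.12+ and the placeholder variables below.
variable "vpc_id" {}
variable "subnet_ids" { type = list(string) }
variable "vpc_endpoint_sg_id" {}
variable "host_key_path" {
  description = "Path to an RSA private key kept outside version control"
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# Interface endpoint for the Transfer server service. With
# endpoint_type = "VPC_ENDPOINT" the SFTP listener is only reachable
# through this endpoint, so the attached security group controls access.
resource "aws_vpc_endpoint" "sftp" {
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${data.aws_region.current.name}.transfer.server"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.subnet_ids
  security_group_ids = [var.vpc_endpoint_sg_id]
}

resource "aws_iam_role" "transfer_logging" {
  name = "transfer-server-logging-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "transfer.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Only the write actions the service needs, limited to this account's
# Transfer log groups (assumed prefix /aws/transfer/). The server ID is not
# known before creation, so the log group name is a wildcard under that prefix.
resource "aws_iam_role_policy" "transfer_logging" {
  name = "transfer-server-logging-policy"
  role = aws_iam_role.transfer_logging.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteTransferLogsOnly",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/transfer/*"
    }
  ]
}
POLICY
}

resource "aws_transfer_server" "private" {
  identity_provider_type = "SERVICE_MANAGED"
  endpoint_type          = "VPC_ENDPOINT"
  logging_role           = aws_iam_role.transfer_logging.arn

  # Supplying host_key keeps the server's fingerprint stable across rebuilds,
  # so clients that pin the host key do not see a changed-key warning.
  host_key = file(var.host_key_path)

  endpoint_details {
    vpc_endpoint_id = aws_vpc_endpoint.sftp.id
  }

  tags = {
    Name = "private-sftp"
    Env  = "prod"
  }
}
```

Note that the private key passed as host_key is stored in Terraform state, so the state backend needs the same protection as the key file itself.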

endpoint_details requires the following:

» Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of Transfer Server
  • id - The Server ID of the Transfer Server (e.g. s-12345678)
  • endpoint - The endpoint of the Transfer Server (e.g. s-12345678.server.transfer.REGION.amazonaws.com)
  • host_key_fingerprint - This value contains the message-digest algorithm (MD5) hash of the server's host key. This value is equivalent to the output of the ssh-keygen -l -E md5 -f my-new-server-key command.

» Import

Transfer Servers can be imported using the server ID, e.g.

$ terraform import aws_transfer_server.bar s-12345678

Certain resource arguments, such as host_key, cannot be read via the API and imported into Terraform. Terraform will display a difference for these arguments the first run after import if declared in the Terraform configuration for an imported resource.
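
The following is an added example, not from the original page or the provider, showing one way to handle that post-import difference for host_key. It assumes Terraform 0.12+ syntax and a server already imported as aws_transfer_server.imported with the command above; the resource and output names are placeholders.

```hcl
# Added example: keep the running host key after import.
# Assumes: terraform import aws_transfer_server.imported s-12345678 (placeholder ID)
resource "aws_transfer_server" "imported" {
  identity_provider_type = "SERVICE_MANAGED"

  # host_key cannot be read back through the API, so after import Terraform
  # treats any configured value as a change and would upload it, replacing
  # the key clients already trust. Ignoring it keeps the existing key;
  # drop this block only when you intend to rotate the key.
  lifecycle {
    ignore_changes = [host_key]
  }
}

# Fingerprint of the key actually installed on the server. Compare it with
# `ssh-keygen -l -E md5 -f <local-key-file>` to confirm the imported server
# uses the private key you hold before relying on it.
output "imported_sftp_host_key_fingerprint" {
  value = aws_transfer_server.imported.host_key_fingerprint
}
```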