Problem
When using versions of the Terraform AWS provider older than 3.49.0, it was not possible to directly associate a security group with an AWS Transfer Family server during its creation using the aws_transfer_server resource. This limitation, tracked in GitHub issue #15788, required users to implement workarounds to manage security group associations post-deployment.
Solution
This issue is resolved in version 3.49.0 and later of the Terraform AWS provider, as detailed in the v3.49.0 changelog and the corresponding pull request #17539. The recommended solution is to upgrade your AWS provider to the latest version.
Note that this fix requires the EC2 DescribeVpcEndpoints and ModifyVpcEndpoint APIs for the Transfer Server VPC endpoint type. You must grant the IAM principal that runs Terraform permission to call both APIs, or the provider will fail when it reads or updates the endpoint's security groups.
Legacy Workarounds for Older Provider Versions
If you are unable to upgrade the AWS provider, the following workarounds can be used to associate a security group with an AWS Transfer Family server.
Workaround 1: Use the Default Security Group
When a security group is not specified during the creation of an AWS Transfer Server endpoint, AWS automatically attaches the default security group of your VPC. You can manage this default security group using the aws_security_group resource. If the security group is not already in your Terraform configuration, you can import it and then modify its rules as needed.
Workaround 2: Use the local-exec Provisioner
For workflows running Terraform CLI locally, you can use a local-exec provisioner within a null_resource to run an AWS CLI command that modifies the VPC endpoint.
This example demonstrates how to add a security group to the server's endpoint after creation.
resource "null_resource" "update-vpc-endpoint-security-group" {
  # Provisioners run only when this resource is created; to re-run after the
  # security group changes, taint the resource or add a triggers block.
  provisioner "local-exec" {
    command = "aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${join("", aws_transfer_server.myTransferServer.endpoint_details.*.vpc_endpoint_id)} --add-security-group-ids '${aws_security_group.myTransferServer_sg.id}' --region ${data.aws_region.current.name}"
  }
}

Workaround 3: Use the remote-exec Provisioner
For remote workflows, such as in HCP Terraform, you can use a remote-exec provisioner. This approach requires a resource, such as an EC2 instance, that can execute the AWS CLI command remotely.
This example shows the provisioner block within an aws_instance resource.
resource "aws_instance" "web" {
  # ... additional configuration for the instance

  # The instance must have the AWS CLI installed and an instance profile that
  # allows ec2:ModifyVpcEndpoint on the Transfer Server's endpoint.
  provisioner "remote-exec" {
    inline = ["aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${join("", aws_transfer_server.myTransferServer.endpoint_details.*.vpc_endpoint_id)} --add-security-group-ids '${aws_security_group.myTransferServer_sg.id}' --region ${data.aws_region.current.name}"]
  }
}

To create a new security group for your AWS Transfer Server, use the aws_security_group resource and reference its id in your chosen workaround.
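As an added example (not part of the original article or the provider's own documentation), the configuration below defines a least-privilege security group for the Transfer Server and attaches it natively through endpoint_details.security_group_ids, which is the provider 3.49.0+ replacement for the provisioner workarounds above. The resource names aws_vpc.main and aws_subnet.private, the variable allowed_sftp_cidrs, and the 203.0.113.0/24 client range are placeholders for this example.

```hcl
# Example configuration added here; aws_vpc.main, aws_subnet.private and the
# CIDR values are assumed placeholders, not part of the original article.

variable "allowed_sftp_cidrs" {
  description = "Client networks permitted to reach the SFTP endpoint (placeholder)"
  type        = list(string)
  default     = ["203.0.113.0/24"]
}

resource "aws_security_group" "myTransferServer_sg" {
  name        = "transfer-server-sftp"
  description = "SFTP ingress for the AWS Transfer Family VPC endpoint"
  vpc_id      = aws_vpc.main.id

  # Only the SFTP listener, and only from approved client ranges. Avoid
  # 0.0.0.0/0 here; the endpoint is otherwise reachable from anywhere that
  # can route to the VPC.
  ingress {
    description = "SFTP from approved client networks"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.allowed_sftp_cidrs
  }

  # No egress block is needed: the endpoint only answers inbound sessions and
  # security groups are stateful, so responses to allowed ingress are permitted.
}

resource "aws_transfer_server" "myTransferServer" {
  endpoint_type = "VPC"
  protocols     = ["SFTP"]

  endpoint_details {
    vpc_id     = aws_vpc.main.id
    subnet_ids = [aws_subnet.private.id]

    # Native attachment, available from provider 3.49.0. With this in place
    # the null_resource / remote-exec workarounds are no longer required, and
    # Terraform will detect drift if the security group is changed out of band.
    security_group_ids = [aws_security_group.myTransferServer_sg.id]
  }
}
```

Because the provider now manages the association, a change to allowed_sftp_cidrs or to the security group id shows up in terraform plan instead of silently staying out of sync with the endpoint.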
Additional Information
- For the complete history of this feature, refer to the original GitHub issue: GH-15788.
- To review provider updates, see the Terraform AWS provider CHANGELOG.
- For current documentation on the resource, visit the aws_transfer_server resource page in the Terraform Registry.