UPDATE (10/05/2022)
This issue has been fixed in v3.49.0 of the aws provider here.
Please NOTE that this fix requires use of the EC2 DescribeVpcEndpoints and ModifyVpcEndpoint APIs for the Transfer Server VPC endpoint type, so IAM permissions should be modified appropriately.
Introduction
This article describes workarounds you can implement to attach a security group (SG) to an AWS Transfer Family Server during creation, while our Engineering team (and contributors) work on supporting the feature natively (GH-15788).
Workarounds
1. Using your default security group
When a security group is not specified in the creation of the AWS Transfer Server endpoint, AWS attaches the default SG of your account to it. Since there isn’t support yet for specifying SGs through the aws_transfer_server resource, this will be the behavior.
You can then import (if it doesn’t exist in your tf config yet) and edit the default security group using the aws_security_group resource.
2. Using the local-exec Provisioner (CLI-based workflow)
If you run the Terraform CLI locally on your own machine or servers, you can take advantage of the local-exec provisioner by passing it AWS CLI commands that add the SG ids you want. Here’s an example of how to do that via the null_resource resource:
resource "null_resource" "update-vpc-endpoint-security-group" {
  provisioner "local-exec" {
    command = "aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${join("",aws_transfer_server.myTransferServer.endpoint_details.*.vpc_endpoint_id)} --add-security-group-ids '${aws_security_group.myTransferServer_sg.id}' --region ${data.aws_region.current.name}"
  }
}
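The snippet above shows only the null_resource. The following added example (not the article's own code) fills in the surrounding configuration for workaround 2 so the whole flow is visible: a dedicated SG that only admits SFTP from a known client range, the Transfer Server with a VPC endpoint, and the provisioner wired so it re-runs when either id changes. It goes one step beyond the article's command by also detaching the account's default SG once the dedicated one is attached, since the default SG is what AWS attaches implicitly. aws_vpc.main, aws_subnet.private, the SG name and the client CIDR (TEST-NET-3) are placeholders to replace with your own values; the same CLI command is what workaround 3 runs from an EC2 instance.

```hcl
# Added example: complete workaround-2 configuration (placeholders noted inline).
data "aws_region" "current" {}

# The default SG that AWS attaches to the endpoint when none is specified.
data "aws_security_group" "default" {
  vpc_id = aws_vpc.main.id # assumed VPC resource
  name   = "default"
}

# Dedicated SG for the Transfer Server endpoint: SFTP from trusted clients only.
resource "aws_security_group" "myTransferServer_sg" {
  name        = "transfer-server-sg" # hypothetical name
  description = "SFTP access to the AWS Transfer Server VPC endpoint"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "SFTP from trusted client range"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # placeholder: replace with your client range
  }
  # No egress rule: an interface endpoint only needs inbound SFTP.
}

resource "aws_transfer_server" "myTransferServer" {
  endpoint_type = "VPC"
  protocols     = ["SFTP"]

  endpoint_details {
    vpc_id     = aws_vpc.main.id
    subnet_ids = [aws_subnet.private.id] # assumed subnet resource
  }
}

resource "null_resource" "update-vpc-endpoint-security-group" {
  # Re-run the CLI call whenever the endpoint or the SG is replaced,
  # not only on the first apply.
  triggers = {
    vpc_endpoint_id   = aws_transfer_server.myTransferServer.endpoint_details[0].vpc_endpoint_id
    security_group_id = aws_security_group.myTransferServer_sg.id
  }

  provisioner "local-exec" {
    # Add the dedicated SG and drop the default SG in one call, so the
    # endpoint never ends up with zero security groups.
    command = <<-EOT
      aws ec2 modify-vpc-endpoint \
        --vpc-endpoint-id ${aws_transfer_server.myTransferServer.endpoint_details[0].vpc_endpoint_id} \
        --add-security-group-ids ${aws_security_group.myTransferServer_sg.id} \
        --remove-security-group-ids ${data.aws_security_group.default.id} \
        --region ${data.aws_region.current.name}
    EOT
  }
}
```

After `terraform apply`, confirm the result with `aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <id>` and check that the Groups list contains only the dedicated SG. Because the provisioner is not part of Terraform's state for the endpoint, a change made to the SG attachment outside Terraform will not show up in a plan; the triggers block only covers replacement of the two resources it references.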
3. Using the remote-exec Provisioner (remote/UI/VCS workflow)
This involves creating an EC2 instance, configuring it for use with the AWS CLI, and passing the commands that add the SG ids you want through the remote-exec provisioner. Here’s an example of what it could look like:
resource "aws_instance" "web" {
  # Additional config
  provisioner "remote-exec" {
    inline = ["aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${join("",aws_transfer_server.myTransferServer.endpoint_details.*.vpc_endpoint_id)} --add-security-group-ids '${aws_security_group.myTransferServer_sg.id}' --region ${data.aws_region.current.name}"]
  }
} # End of aws_instance.web resource
NOTE: If you’d like to create new security groups for use with your AWS Transfer Server, you can simply define them with the aws_security_group resource and reference their id as shown in the workarounds above.
I hope that helps. For updates on our support for Security Group (SG) association during the creation of the AWS Transfer Server, please continue to check the GitHub issue page for this feature (GH-15788), our AWS provider CHANGELOG, or the aws_transfer_server resource registry page.
Thank you.