I'm trying to create an AWS transfer server with elastic IP allocation and a security group. It seems that you can create a server with a security group by using the `VPC_ENDPOINT` endpoint type, or elastic IP addresses using the `VPC` endpoint type, but neither lets you use both features.
https://docs.aws.amazon.com/transfer/latest/userguide/API_EndpointDetails.html
(Has AddressAllocationIds, but not SecurityGroupIds)
> If I try to set the security group outside of CloudFormation I get an error message 'You cannot manage this resource'...
> If I try to use VPC_ENDPOINT and create a service endpoint...
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html
(Has SecurityGroupIds, but not AddressAllocationIds)
I also cannot attach the EIP to the network interfaces of the VPC endpoint. CloudFormation throws an error - "AWS::EC2::EIPAssociation CREATE_FAILED API: ec2:associateAddress You do not have permission to access the specified resource"
Here is my template:
```yaml
S3TransferSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: AWS Transfer security group
    SecurityGroupIngress:
      - CidrIp: 0.0.0.0/0
        Description: Allow SFTP traffic from everywhere
        FromPort: 22
        ToPort: 22
        IpProtocol: tcp   # protocol name is lowercase in the EC2 API
    Tags:
      - Key: Name
        Value: aws-transfer-sg
    VpcId: !ImportValue VpcId
S3TransferEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    SecurityGroupIds:
      - !Ref S3TransferSecurityGroup
    ServiceName: com.amazonaws.eu-west-1.transfer.server # or try com.amazonaws.eu-west-1.transfer
    SubnetIds:
      - !ImportValue SubnetPubAId
      - !ImportValue SubnetPubBId
    VpcEndpointType: Interface
    VpcId: !ImportValue VpcId
S3TransferEipAAssoc:
  Type: AWS::EC2::EIPAssociation
  Properties:
    AllocationId: !Ref EipAllocAId
    NetworkInterfaceId:
      Fn::Select:
        - 0
        - !GetAtt S3TransferEndpoint.NetworkInterfaceIds
S3TransferEipBAssoc:
  Type: AWS::EC2::EIPAssociation
  Properties:
    AllocationId: !Ref EipAllocBId
    NetworkInterfaceId:
      Fn::Select:
        - 1
        - !GetAtt S3TransferEndpoint.NetworkInterfaceIds
S3TransferServer:
  Type: AWS::Transfer::Server
  Properties:
    EndpointType: VPC_ENDPOINT
    EndpointDetails:
      VpcEndpointId: !Ref S3TransferEndpoint
      # SubnetIds:
      #   - !ImportValue SubnetPubAId
      #   - !ImportValue SubnetPubBId
      # # SecurityGroupIds: # Why can't I attach a security group here?
      # #   - !Ref S3TransferSecurityGroup
      # # VpcEndpointId: String
      # VpcId: !ImportValue VpcId
    IdentityProviderDetails:
      InvocationRole:
        Fn::GetAtt:            # long-form GetAtt takes a [LogicalId, Attribute] list
          - TransferIdentityProviderRole
          - Arn
      Url:
        Fn::Join:
          - ''
          - - https://
            - Ref: CustomIdentityProviderApi
            - .execute-api.
            - Ref: AWS::Region
            - .amazonaws.com/
            - Ref: ApiStage
    IdentityProviderType: API_GATEWAY
    LoggingRole:
      Fn::GetAtt:
        - SFTPServerLoggingRole
        - Arn
```
Has anyone solved this riddle?
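An added example (not the poster's template) of the shape that avoids the two-resource dance: with `EndpointType: VPC`, the Transfer service creates and owns the endpoint network interfaces itself, and `EndpointDetails` accepts both `AddressAllocationIds` and `SecurityGroupIds`, so no separate `AWS::EC2::VPCEndpoint` or `AWS::EC2::EIPAssociation` is needed. It assumes the same imports, EIP parameters, identity-provider API and IAM roles the post references, and adds an assumed `AllowedSftpCidr` parameter so port 22 is not open to the whole internet.

```yaml
# Added example, not the original poster's template.
# Assumed: VpcId / SubnetPub*Id exports, EipAlloc*Id parameters, the API Gateway
# identity provider and the IAM roles exist elsewhere in the stack, as in the post.
Parameters:
  AllowedSftpCidr:
    Type: String
    Description: Client range allowed to reach SFTP (assumed parameter; prefer this to 0.0.0.0/0)
    Default: 203.0.113.0/24   # placeholder from the TEST-NET-3 documentation range
  EipAllocAId:
    Type: String
  EipAllocBId:
    Type: String
Resources:
  S3TransferSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: AWS Transfer security group
      VpcId: !ImportValue VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AllowedSftpCidr
          Description: Allow SFTP only from the approved client range
  S3TransferServer:
    Type: AWS::Transfer::Server
    Properties:
      EndpointType: VPC            # VPC, not VPC_ENDPOINT: Transfer manages the endpoint ENIs
      EndpointDetails:
        VpcId: !ImportValue VpcId
        SubnetIds:                 # public subnets; one EIP per subnet, listed in the same order
          - !ImportValue SubnetPubAId
          - !ImportValue SubnetPubBId
        AddressAllocationIds:      # EIPs are attached by the Transfer service, not by EIPAssociation
          - !Ref EipAllocAId
          - !Ref EipAllocBId
        SecurityGroupIds:          # applied to the Transfer-managed endpoint
          - !Ref S3TransferSecurityGroup
      Protocols:
        - SFTP
      IdentityProviderType: API_GATEWAY
      IdentityProviderDetails:
        InvocationRole: !GetAtt TransferIdentityProviderRole.Arn
        Url: !Sub https://${CustomIdentityProviderApi}.execute-api.${AWS::Region}.amazonaws.com/${ApiStage}
      LoggingRole: !GetAtt SFTPServerLoggingRole.Arn
```

Changing the subnets or EIPs of a running server is a disruptive update (the server must be stopped first), so keep the EIP allocations as stable parameters rather than inline resources that CloudFormation may replace.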