AWS | Cloud | Uncategorized
Deploying secrets with AWS CloudFormation 
Mark van Holsteijn 22 Sep, 2017
Share 
The AWS Transfer Server provides a SFTP as a service. If you want to migrate from an existing SFTP server, you can add your own host keys. Unfortunately, host keys are not supported with Cloudformation. This custom provider add host keys and allows you to define the set of active keys of the server.
Add transfer server host key
To add a Transfer Server host key in your AWS CloudFormation template, use the following syntax:
TransferServerHostKey:
Type: Custom::TransferServerHostKey
Properties:
ServerId: !GetAtt Server.ServerId
HostKeyParameterName: !GetAtt HostKey.ParameterName
Description: Generated by CloudFormation
Version: !GetAtt HostKey.Hash
ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-transfer-server-host-key-provider'
This reads the key from the parameter /private-keys/sftp-server and adds it as a host key to the specified server. See Custom::TransferServerHostKey for details. You can generate a host key using the Custom::RSAKey. Alternatively, you can encrypt an existing key and add it into the parameter store using the Custom::Secret as EncryptedContent.
Define active transfer server host key set
When you add new host keys to a transfer server, they are not automatically active. If multiple keys are present, the Transfer Server uses the oldest key available. You explicitly need to activate the new key, by deleting the old key of the same type.
To define the set of active host keys, use the Custom::TransferServerActiveHostKeys as follows:
TransferServerActiveHostKeys:
Type: Custom::TransferServerActiveHostKeys
Properties:
ServerId: !GetAtt Server.ServerId
Fingerprints:
- !GetAtt TransferServerHostKey.Fingerprint
ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-transfer-server-host-key-provider'
This ensures the server’s active host key set consists of the keys with the specified fingerprints. It deletes all other host keys associated with the server Make sure that you specify the fingerprints of all the keys you want to keep.
Installation
To install this custom resource provider, type:
aws cloudformation create-stack
--capabilities CAPABILITY_IAM
--stack-name cfn-transfer-server-host-key-provider
--template-url s3://binxio-public-eu-central.s3.amazonaws.com/lambdas/cfn-transfer-server-host-key-provider-0.1.1.yaml
or use 
Demo
To install the simple demo of the Custom TransferServerHostKey and TransferServerActiveHostKeys, type:
git clone https://github.com/binxio/cfn-transfer-server-host-key-provider.git
cd cfn-transfer-server-host-key-provider
aws cloudformation deploy
--capabilities CAPABILITY_NAMED_IAM
--stack-name cfn-transfer-server-host-key-provider-demo
--template-file file://cloudformation/demo.yaml
--parameter-overrides SecretProviderPresent=no
This assumes that the custom secret provider is not installed. To check the result, type:
$ SERVER_ID=$(aws cloudformation describe-stacks --stack-name cfn-transfer-server-host-key-provider-demo --query 'Stacks[0].Outputs[?OutputKey==<code>ServerId].OutputValue' --output text) $ SERVER_REGION=$(aws configure get region) $ SERVER_HOST=$SERVER_ID.server.transfer.$SERVER_REGION.amazonaws.com $ FINGERPRINT=$(aws cloudformation describe-stacks --stack-name cfn-transfer-server-host-key-provider-demo --query 'Stacks[0].Outputs[?OutputKey==Fingerprint].OutputValue' --output text) $ echo "expect: $FINGERPRINT" $ ssh-keyscan $SERVER_HOST 2>&1 | ssh-keygen -lf -
Conclusion
With these two custom resources, you can use AWS CloudFormation to manage the host keys of your AWS SFTP transfer servers.
Image by Gerd Altmann from Pixabay
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.