# SFTP Users Module - Comprehensive Sample Configuration
#
# Provisions AWS Transfer Family SFTP users with SSH public key
# authentication, scoped S3 bucket access, and home directory mappings.
#
# This config exercises every non-excluded property at full depth:
#   - serverId (required): Transfer Family server reference
#   - publicKeys (required): SSH public key definitions
#   - buckets (required): S3 bucket + KMS key pairs
#   - users (required): per-user bucket, directory, keys, and optional role

# AWS Transfer Family server that the users in this file are attached to.
# The value is either a literal server ID or an SSM parameter reference
# (written with the "ssm:" prefix, as here). The server is often created
# by the SFTP Server module.
# Example SSM: ssm:/{{org}}/{{domain}}/<sftp_server_module_name>/server/id
# NOTE(review): all users below are associated with this single server, so
# confirm the reference resolves to the intended environment before deploy.
serverId: 'ssm:/path/to/ssm/server/id'

# SSH public keys, indexed by a key name. A user authenticates with a key
# once that key's name appears in the user's own publicKeys list.
# The values here are placeholders (note "EXAMPLE" in the key body);
# substitute the real public key of each key holder.
# Only the public half of a key pair belongs in this file; the private key
# stays with its owner and is never stored in configuration.
publicKeys:
  test-key1:
    publicKey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCr1nEXAMPLEPubKey=='
  test-key2:
    publicKey: 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAsyyGZsEXAMPLEPubKey=='

# S3 buckets, indexed by a local name, each paired with the KMS key used
# for its encryption. A user selects one of these local names in its
# bucket field to get home directory storage there.
buckets:
  # Variant 1: both values supplied as SSM parameter references.
  home-bucket1:
    # S3 bucket name, or an SSM parameter reference that holds it.
    # Often created by the Data Lake module.
    # Example SSM: ssm:/{{org}}/{{domain}}/<datalake_module_name>/bucket/<zone_name>/name
    bucketName: 'ssm:/path/to/ssm/param/bucket/name'
    # ARN of the KMS key that encrypts the bucket, or an SSM parameter
    # reference that holds it. Often created by the Data Lake module.
    # Example SSM: ssm:/{{org}}/{{domain}}/<datalake_module_name>/kms/arn
    # NOTE(review): presumably the user's access role is granted use of
    # this key, so it should be the key that actually encrypts the
    # bucket and nothing broader - confirm against the module.
    kmsKeyArn: 'ssm:/path/to/ssm/param/kms/arn'

  # Variant 2: both values supplied as literals instead of SSM references.
  home-bucket2:
    # Literal bucket name. Such buckets are often created by the Data Lake
    # module, in which case an SSM reference could be used instead.
    # Example SSM: ssm:/{{org}}/{{domain}}/<datalake_module_name>/bucket/<zone_name>/name
    bucketName: 'some-home-bucket-name'
    # Literal KMS key ARN. The {{partition}}, {{region}} and {{account}}
    # tokens are presumably substituted by the deployment tooling - verify.
    # The value is quoted so the braces are always read as plain text.
    # Example SSM: ssm:/{{org}}/{{domain}}/<datalake_module_name>/kms/arn
    kmsKeyArn: 'arn:{{partition}}:kms:{{region}}:{{account}}:key/1234abcd-12ab-34cd-56ef-1234567890ab'

# SFTP users, indexed by user name. Every user points at one entry of the
# buckets section and at one or more entries of the publicKeys section.
#
# NOTE(review): in this sample, test-key2 is listed for all three users and
# test-user-2 / test-user-3 share the same bucket and home directory. With
# a shared key, a login cannot be attributed to one key holder, and
# rotating the key affects every user that lists it. In a real deployment,
# prefer one key (or key set) per user and a distinct homeDirectory per
# user unless sharing is intended.
users:
  # Full form: includes the optional pre-existing access role.
  test-user-1:
    # Local bucket name, as defined in the buckets section.
    bucket: 'home-bucket1'
    # Path inside the bucket that serves as the user's home directory.
    # NOTE(review): whether the user is confined to this path depends on
    # the module's home directory mapping - confirm before relying on it.
    homeDirectory: '/incoming'
    # (Optional) ARN of an existing IAM role, or an SSM parameter reference
    # to it, used for bucket and KMS key access. When omitted, a minimally
    # scoped role is created instead. When supplied, that role's own
    # policies determine what the user can reach, so review that it is
    # limited to this user's bucket path and KMS key.
    accessRoleArn: 'ssm:/path/to/ssm/param/role/arn'
    # Key names from the publicKeys section. Several keys may be listed,
    # which supports key rotation and multi-device access; remove the old
    # key name once a rotation is complete.
    publicKeys:
      - 'test-key1'
      - 'test-key2'

  # Minimal form: no accessRoleArn, so a minimally scoped role is created.
  test-user-2:
    bucket: 'home-bucket2'
    homeDirectory: '/incoming'
    publicKeys:
      - 'test-key2'

  # Minimal form again; same bucket, home directory and key as test-user-2.
  test-user-3:
    bucket: 'home-bucket2'
    homeDirectory: '/incoming'
    publicKeys:
      - 'test-key2'