hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: resource aws_transfer_server allow more than one host_key #37821

Open mmadrono opened 1 month ago

mmadrono commented 1 month ago

Description

Since September 2022, AWS has allowed adding more than one key to the Transfer server via the console, but Terraform only supports one key. It is necessary that this operation can be done with Terraform to keep everything under IaC.

Requested Resource(s) and/or Data Source(s)

aws_transfer_server

Potential Terraform Configuration

No response

References

https://aws.amazon.com/es/about-aws/whats-new/2022/09/aws-transfer-family-multiple-host-keys-types-server/

Would you like to implement a fix?

None

github-actions[bot] commented 1 month ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

javier-torres commented 1 month ago

Related to this: https://github.com/hashicorp/terraform-provider-aws/issues/30789

justinretzolk commented 1 month ago

Similar #33527

baldpope commented 1 month ago

It's a common enough use case where a single user may have multiple public keys loaded, for example if a user has multiple source locations and unique private/public key pairs for each location, or if a user's primary/backup sites use different keys, or even multiple users using a common SFTP account.

Another example is a user who needs to retire keys that are in use, but wants to add the new ones before removing the old.

Implementation should/could follow the example I use with cluster parameter groups.

main.tf:

resource "aws_rds_cluster_parameter_group" "param_group" {
  name        = var.param_group_name
  family      = var.aurora_family
  description = var.description

  # One "parameter" block is generated per element of var.param_list
  dynamic "parameter" {
    for_each = var.param_list
    content {
      name         = parameter.value.name
      value        = parameter.value.value
      apply_method = parameter.value.apply_method
    }
  }
}

variables.tf:

variable "param_list" {
  # Typed list so that each element is checked for the attributes the
  # dynamic block reads (the bare "list" keyword is the deprecated legacy form)
  type = list(object({
    name         = string
    value        = string
    apply_method = string
  }))
  default = [
    {
      name         = "character_set_server",
      value        = "utf8",
      apply_method = "immediate"
    },
    {
      name         = "character_set_client",
      value        = "utf8",
      apply_method = "immediate"
    }
  ]
}

a proposed solution might look like this

main.tf:

resource "aws_transfer_ssh_key" "user_keys" {
  server_id = var.server_id
  user_name = var.username

  # Proposed schema: "body" becomes a repeatable block, one per public key,
  # instead of the single "body" string argument the resource has today
  dynamic "body" {
    for_each = var.ssh_key_list
    content {
      body = trimspace(body.value.key)
    }
  }
}

variables.tf:

variable "ssh_key_list" {
  type        = list(object({ key = string }))
  description = "A list of user-provided public keys; RSA or elliptic curve keys are accepted"
  default = [
    { key = "" }
  ]
}

As an additional aside, the aws_transfer_ssh_key resource should have an output of 'SshPublicKeyId' as made available by the AWS API, so that it could be used for removing referenced keys later (not sure exactly how a remove would be implemented, but something to consider).
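The multiple-keys-per-user case and the add-new-before-removing-old rotation described above can already be expressed with the existing aws_transfer_ssh_key resource by creating one resource instance per key with for_each. The following is an added example and is not code from the thread or from the provider project; the variable names, the "alice" user, the key labels and the placeholder key strings are constructed for illustration, and var.server_id is assumed to refer to an aws_transfer_server managed elsewhere. It covers the per-user public-key case only, not the multiple server host keys that the issue itself asks for.

```hcl
# Added example: one aws_transfer_ssh_key resource per public key, keyed by a
# stable label, so adding or retiring a single key never touches the others.

variable "server_id" {
  type        = string
  description = "ID of the aws_transfer_server (assumed to be managed elsewhere)"
}

variable "user_name" {
  type    = string
  default = "alice" # constructed sample user
}

# label => single-line OpenSSH public key. The label is the for_each key and must
# stay stable; changing key material is done by adding a new label and removing the old one.
variable "ssh_public_keys" {
  type        = map(string)
  description = "Stable label => OpenSSH public key line (RSA, ECDSA or ED25519)"
  default = {
    # Constructed placeholders that satisfy the format check below; replace with real keys.
    "alice-laptop-2024" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIALxxxxxxxxxxxx alice@laptop"
    "alice-ci-runner"   = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYMATERIALxxxxxxxxxxxx ci@example.com"
  }

  # Reject anything that is not a single OpenSSH public-key line (e.g. a pasted
  # private key, a multi-line file, or stray text) before it reaches the AWS API.
  validation {
    condition = alltrue([
      for k in values(var.ssh_public_keys) :
      can(regex("^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^\n]*)?$", trimspace(k)))
    ])
    error_message = "Every value must be one OpenSSH public key line (ssh-rsa, ssh-ed25519 or ecdsa-sha2-nistp*)."
  }
}

resource "aws_transfer_ssh_key" "user_keys" {
  for_each = var.ssh_public_keys

  server_id = var.server_id
  user_name = var.user_name
  body      = trimspace(each.value)
}

# Rotation procedure: add the new label/key to var.ssh_public_keys and apply; once
# the client authenticates with the new key, delete the old label and apply again.
# The plan shows exactly one aws_transfer_ssh_key instance being destroyed.

output "ssh_key_resource_ids" {
  description = "label => Terraform resource id of each registered key, for auditing which key to retire"
  value       = { for label, key in aws_transfer_ssh_key.user_keys : label => key.id }
}
```

Because each key is its own resource instance keyed by label, `terraform plan` reports a key retirement as the destruction of exactly one addressable instance (for example `aws_transfer_ssh_key.user_keys["alice-laptop-2024"]`), which is easier to review than a change to a single list-valued argument. The validation only checks the line format; AWS still validates the key material itself at apply time.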