aws-ia
diff --git a/‎.header.md‎
Lines changed: 34 additions & 0 deletions b/‎.header.md‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 34 additions & 0 deletions b/‎README.md‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎examples/sample-web-app/.header.md‎
Lines changed: 159 additions & 0 deletions b/‎examples/sample-web-app/.header.md‎
Lines changed: 159 additions & 0 deletions
@@ -9,11 +9,16 @@ This module creates and configures AWS Transfer Family resources with the follow
 - **Transfer Server**: SFTP server setup with protocol and security policies
 - **Transfer Connectors**: Automated file transfer to/from external SFTP servers
 - **Transfer Users**: User management with S3 bucket permissions and KMS access
+- **Transfer Web App**: Browser-based interface with IAM Identity Center authentication and S3 Access Grants
 - **Malware Protection**: GuardDuty integration for automatic file scanning,
   smart routing, and thread notification
 - Custom hostname support through AWS Route53 or other DNS providers (Optional)
 - CloudWatch logging configuration with a customizable retention
 
+**Note**: These modules have been tested only in the `aws` partition (commercial regions).
+For more information about AWS partitions, see the
+[AWS Fault Isolation Boundaries whitepaper](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/partitions.html).
+
 ## Quick Start
 
 ```hcl
@@ -177,6 +182,19 @@ This project utilizes multiple modules to create a complete AWS Transfer Family
 For more detailed configuration, see the
 [Transfer Malware Protection Module documentation](https://github.com/aws-ia/terraform-aws-transfer-family/blob/main/modules/transfer-malware-protection/README.md).
 
+### Transfer Web App Module
+
+- Purpose: Creates browser-based file transfer interface with Identity Center authentication
+- Key features:
+  - AWS IAM Identity Center integration for authentication
+  - S3 Access Grants for fine-grained permissions
+  - Custom branding with logo, favicon, and title
+  - CORS configuration support
+  - Built-in validation for proper configuration
+
+For more detailed configuration, see the
+[Transfer Web App documentation](https://github.com/aws-ia/terraform-aws-transfer-family/blob/main/modules/transfer-web-app/README.md).
+
 ## Installation
 
 To use these modules in your Terraform configuration:
@@ -393,6 +411,22 @@ Key features:
 - Configurable destination buckets for clean, infected, and error files
 - Optional file cleanup from ingestion bucket
 
+## Example for Sample Web App
+
+This example demonstrates a complete browser-based file transfer portal with Identity Center authentication and S3 Access Grants.
+
+**Example location**: `examples/sample-web-app`
+
+Key features:
+
+- Browser-based interface for secure file access
+- AWS IAM Identity Center integration for authentication
+- S3 Access Grants for fine-grained user and group permissions
+- CloudTrail audit logging with KMS encryption and SNS notifications
+- Custom branding with logo, favicon, and title customization
+- Flexible user/group management (create new or import existing)
+- Required S3 CORS configuration for secure web app access
+
 ## Key Connector Configuration
 
 When using Transfer Connectors, pay attention to these critical attributes:
 
@@ -10,11 +10,16 @@ This module creates and configures AWS Transfer Family resources with the follow
 - **Transfer Server**: SFTP server setup with protocol and security policies
 - **Transfer Connectors**: Automated file transfer to/from external SFTP servers
 - **Transfer Users**: User management with S3 bucket permissions and KMS access
+- **Transfer Web App**: Browser-based interface with IAM Identity Center authentication and S3 Access Grants
 - **Malware Protection**: GuardDuty integration for automatic file scanning,
   smart routing, and thread notification
 - Custom hostname support through AWS Route53 or other DNS providers (Optional)
 - CloudWatch logging configuration with a customizable retention
 
+**Note**: These modules have been tested only in the `aws` partition (commercial regions).
+For more information about AWS partitions, see the
+[AWS Fault Isolation Boundaries whitepaper](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/partitions.html).
+
 ## Quick Start
 
 ```hcl
@@ -178,6 +183,19 @@ This project utilizes multiple modules to create a complete AWS Transfer Family
 For more detailed configuration, see the
 [Transfer Malware Protection Module documentation](https://github.com/aws-ia/terraform-aws-transfer-family/blob/main/modules/transfer-malware-protection/README.md).
 
+### Transfer Web App Module
+
+- Purpose: Creates browser-based file transfer interface with Identity Center authentication
+- Key features:
+  - AWS IAM Identity Center integration for authentication
+  - S3 Access Grants for fine-grained permissions
+  - Custom branding with logo, favicon, and title
+  - CORS configuration support
+  - Built-in validation for proper configuration
+
+For more detailed configuration, see the
+[Transfer Web App documentation](https://github.com/aws-ia/terraform-aws-transfer-family/blob/main/modules/transfer-web-app/README.md).
+
 ## Installation
 
 To use these modules in your Terraform configuration:
@@ -394,6 +412,22 @@ Key features:
 - Configurable destination buckets for clean, infected, and error files
 - Optional file cleanup from ingestion bucket
 
+## Example for Sample Web App
+
+This example demonstrates a complete browser-based file transfer portal with Identity Center authentication and S3 Access Grants.
+
+**Example location**: `examples/sample-web-app`
+
+Key features:
+
+- Browser-based interface for secure file access
+- AWS IAM Identity Center integration for authentication
+- S3 Access Grants for fine-grained user and group permissions
+- CloudTrail audit logging with KMS encryption and SNS notifications
+- Custom branding with logo, favicon, and title customization
+- Flexible user/group management (create new or import existing)
+- Required S3 CORS configuration for secure web app access
+
 ## Key Connector Configuration
 
 When using Transfer Connectors, pay attention to these critical attributes:
 
@@ -0,0 +1,159 @@
+# Sample Web App Example
+
+This example demonstrates a complete deployment of AWS Transfer Family Web App with IAM Identity Center authentication, S3 Access Grants, CloudTrail audit logging, and CORS configuration.
+
+## What This Example Demonstrates
+
+- **Complete end-to-end setup** from IAM Identity Center users/groups to web-app deployment
+- **CloudTrail integration** with KMS encryption and SNS notifications for audit logging
+- **CORS configuration** restricted to the web app endpoint for security
+- **Flexible user/group management** supporting both test user and/or creation and imported existing users/groups
+- **Automatic path prefixing** demonstrating how to construct full S3 paths from bucket names
+- **Custom branding** with logo and favicon support
+
+## What Gets Deployed
+
+### Identity Center Resources (Optional)
+
+- Users and groups (when `create_test_users_and_groups = true`)
+- Group creation and group memberships for created users
+- OR references to existing Identity Center users/groups (default mode)
+
+### Transfer Web App
+
+- Web app with Identity Center authentication and custom branding
+- S3 Access Grants instance with default location scope ("s3://")
+- Access grants for configured users and/or groups
+
+### Storage and Audit
+
+- S3 bucket with encryption, versioning, and public access blocking
+- CORS configuration restricted to web app endpoint
+- CloudTrail with KMS encryption and SNS notifications
+- Dedicated S3 bucket for CloudTrail logs
+
+## Usage
+
+1. **Configure users/groups**: Choose between creating test users and/or groups or configuring existing ones
+2. **Email addresses**: If creating new users, provide real email addresses for user activation
+3. **Deploy**: Run `terraform apply`
+4. **User Activation**: If creating new users, they receive activation emails to set up accounts
+5. **Access**: Log in through the web app endpoint URL
+
+## User and Group Management Options
+
+This example supports two approaches for managing users and groups:
+
+### Option 1: Create Test Users and Groups (Default: Disabled)
+
+Set `create_test_users_and_groups = true` to have Terraform create new Identity Center users and groups:
+
+- Creates users with email activation required
+- Creates groups with specified descriptions and member assignments
+- Automatically handles group memberships
+- Ideal for demo environments or new Identity Center setups
+- **Note**: When enabled, any configurations in `imported-users.tf` and `imported-groups.tf` will be ignored
+
+### Option 2: Import Existing Users and Groups (Default: Enabled)
+
+Configure existing Identity Center users/groups via `imported-users.tf` and `imported-groups.tf`:
+
+- **imported-users.tf**: Reference existing users by username and assign individual access grants
+- **imported-groups.tf**: Reference existing groups by name and assign group-level access grants
+- Users and groups must already exist in Identity Center before deployment
+- Ideal for production environments with established Identity Center configurations
+
+S3 paths are automatically prefixed with the bucket name:
+
+```hcl
+s3_path = "/*"  # Becomes "bucket-name/*" in the module call
+```
+
+To switch modes, modify the `create_test_users_and_groups` variable and update the respective configuration files.
+
+## Configuration Variables
+
+### Required Variables
+
+None - all variables have defaults
+
+### Optional Variables with Defaults
+
+#### AWS Configuration
+
+- `aws_region` (default: `"us-east-1"`) - AWS region for deployment
+- `identity_center_instance_arn` (default: `null`) - ARN of Identity Center instance (required if create_identity_center_instance is false)
+- `identity_store_id` (default: `null`) - ID of Identity Center identity store (required if create_identity_center_instance is false)
+- `create_identity_center_instance` (default: `false`) - Whether to create a new Identity Center instance (required if identity_center_instance_arn and identity_store_id are null)
+- `s3_access_grants_instance_id` (default: `null`) - ID of existing S3 Access Grants instance, creates new if not specified
+
+#### User and Group Configuration
+
+- `create_test_users_and_groups` (default: `false`) - Whether to create new users/groups or use existing ones
+- `test_users` (default: admin and analyst users) - Map of users to create when `create_test_users_and_groups = true`
+- `test_groups` (default: admins and analysts groups) - Map of groups to create when `create_test_users_and_groups = true`
+
+#### Web App Customization
+
+- `logo_file` (default: `"anycompany-logo-small.png"`) - Path to logo file for web app branding
+- `favicon_file` (default: `"favicon.png"`) - Path to favicon file for web app
+- `custom_title` (default: `"AnyCompany Financial Solutions"`) - Custom title for the web app
+
+#### Resource Tagging
+
+- `tags` (default: Name="Demo Web App File Transfer Portal", Environment="Demo", Project="Web App File Transfer Portal") - Tags to organize, search, and filter your web apps.
+
+### Example Test User Configuration
+
+```hcl
+test_users = {
+  "admin" = {
+    display_name = "Admin User"
+    user_name    = "admin"
+    first_name   = "Admin"
+    last_name    = "User"
+    email        = "admin@example.com"
+  }
+}
+# Note: Only used when create_test_users_and_groups = true
+```
+
+### Example Test Group Configuration
+
+```hcl
+test_groups = {
+  "admins" = {
+    group_name  = "Admins"
+    description = "Read and write access to files"
+    members     = ["admin"]
+    access_grants = [{
+      s3_path    = "/*"         # Auto-prefixed with bucket name
+      permission = "READWRITE"
+    }]
+  }
+}
+# Note: Only used when create_test_users_and_groups = true
+```
+
+## S3 Path Examples
+
+Supported path patterns (auto-prefixed with bucket name in this example):
+
+- `/*` - All objects in the bucket
+- `/reports*` - Prefix within bucket
+- `/data/logs*` - Prefix within prefix
+- `/data/file.txt` - Specific object
+
+## Important Notes
+
+- **Email Addresses**: Must be real for user activation when creating new users
+- **Identity Center**: Requires existing instance in your account with `identity_center_instance_arn` and `identity_store_id` provided, or set `create_identity_center_instance = true` to create a new one
+- **User/Group Management**: Choose between creating test users or importing existing ones via configuration files
+- **CloudTrail**: Logs all S3 data events on the web app bucket
+- **CORS**: Restricted to web app endpoint only (no wildcards)
+- **Custom Branding**: Logo and favicon files should be placed in the example directory
+- **Production Warning**: This example uses `force_destroy = true` on the CloudTrail logging S3 bucket for easy cleanup.
+  This is NOT suitable for production as it will delete all audit logs when running `terraform destroy`.
+  Remove this setting for production deployments.
+- **Costs**: Creates billable AWS resources
+- **Cleanup**: Run `terraform destroy` to remove all resources