From ba3dc9ffec8b899a8fabdab357240e9a9d80f600 Mon Sep 17 00:00:00 2001
From: Furkan Tektas <furkan.tektas@bubo.ai>
Date: Thu, 3 Mar 2022 13:10:03 +0000
Subject: [PATCH] Initial commit

---
 .gitignore        |  14 ++++++
 LICENSE           |  21 +++++++++
 README.md         |  72 ++++++++++++++++++++++++++++
 bucket.tf         |  77 ++++++++++++++++++++++++++++++
 example/main.tf   |   8 ++++
 example/output.tf |  32 +++++++++++++
 iam.tf            |  80 +++++++++++++++++++++++++++++++
 locals.tf         |   4 ++
 output.tf         |  38 +++++++++++++++
 route53.tf        |  28 +++++++++++
 secret.tf         |  66 ++++++++++++++++++++++++++
 sftp.tf           | 117 ++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf      |  45 ++++++++++++++++++
 versions.tf       |  10 ++++
 14 files changed, 612 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 bucket.tf
 create mode 100644 example/main.tf
 create mode 100644 example/output.tf
 create mode 100644 iam.tf
 create mode 100644 locals.tf
 create mode 100644 output.tf
 create mode 100644 route53.tf
 create mode 100644 secret.tf
 create mode 100644 sftp.tf
 create mode 100644 variables.tf
 create mode 100644 versions.tf

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..255667f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,14 @@
+.terraform
+
+# use a backend!
+*.tfstate*
+
+sftp-idp.zip
+
+# not using lockfiles for the moment
+.terraform.lock.hcl
+
+.vscode/
+.idea/
+*/plan.out
+.DS_Store
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..f74ab08
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Bubo.AI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..33c0d4e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,72 @@
+# SFTP Server with custom domain on AWS
+
+This terraform module creates an SFTP server with a custom subdomain and multiple users. Each user has its own directory under the same bucket created upon deployment. You can deploy this module several times in the same account using different prefixes. Each deployment creates an S3 bucket to keep users data but different users can not see each others files.
+
+This module creates a public AWS Transfer Service configured to use a lambda as an identity provider to authenticate one or more users against stored credentials in the AWS Secrets.
+
+> After deploying this service, go to the secret manager and replace the secret key `Password` for each user with a bcrypt hash. Default value for password is `REPLACE_ME` (as plain text). To generate a bcrypt hash, use the command below and replace `PASSWORDHERE` with your own password.
+> ```python
+> python -c 'import bcrypt; print(bcrypt.hashpw("PASSWORDHERE".encode("utf-8"), bcrypt.gensalt()))'
+> ```
+
+## Requirements
+
+This module assumes you have a DNS Zone in AWS. An alias (CNAME) record will be created for every member of `subdomains` variable.
+
+> **This module is only available in \*nix environment where python3 is available.**
+>
+> In order to deploy the lambda script with `bcrypt` dependency, you need to have `python` available in the `PATH`. `bcrypt` and its dependencies will be installed via `python -m pip` command. This module install dependencies to match with lambda runtime which is Python 3.9. For more information, please refer to [python packager module](https://github.com/Bubo-AI/terraform-python-packager).
+
+
+## Usage
+
+    $ terraform init
+    $ terraform plan
+    $ terraform apply
+
+## Example User Configuration
+
+Once the service has been deployed, a sample user will be created in the secret manager with the following configuration:
+
+Secret Name: `prefix`-SFTP/user1
+
+
+| UserId | HomeDirectoryDetails | Role | Password | _AcceptedIpNetwork*_ |
+|--------|----------------------|------|----------|-------------------|
+| user1 | `[{\"Entry\": \"/\", \"Target\": \"/s3_bucket/user1\"}]` | arn:aws:iam::`ACCOUNT_ID`:role/`prefix`-transfer-user-iam-role-user1 | `BCRPYT_HASH` | `192.168.1.0/24` |
+
+**user1** is chroot'd to the **/s3_bucket/user1** directory in S3.
+
+\* **_AcceptedIpNetwork_** is an optional CIDR for the allowed client source IP address range. You can specify multiple CIDR by separating with comma, e.g.: `192.0.0.0/24, 224.0.0.0/16`. Please note that ignored bits in the CIDR should be zero. For instance, 192.168.1.1/24 is an invalid CIDR as 24th bith onwards should be zero. Therefore the correct version is `192.168.1.0/24`.
+
+
+## Example Usage
+
+```hcl
+module "sftp_server" {
+  source         = "github.com/Bubo-AI/terraform-aws-transfer-s3-route53?ref=v0.1.0"
+  usernames      = ["sftp_user_1", "sftp_user_2"]
+  prefix         = "acme"
+  subdomains     = ["sftp"]
+  r53_zone       = "acme.com"
+  logging_bucket = "acme-sftp-access-logs"
+}
+
+```
+
+Fully working example can be found in [`examples`](examples/).
+
+
+## Outputs
+
+| Name                 | Description                                          |
+|----------------------|------------------------------------------------------|
+| usernames            | List of usernames created                            |
+| roles                | The roles created for each user                      |
+| user_secrets         | The secret manager keys created for each user        |
+| bucket_id            | The bucket where AWS Transfer is connected to        |
+| bucket_kms_key       | KMS key used to encrypt S3 bucket                    |
+| secret_kms_key       | KMS key used to encrypt Secret Manager secretts      |
+| transfer_endpoint    | The endpoint of the AWS Transfer service             |
+| route53_endpoint     | Subdomains created as an alias to transfer_endpoint  |
+
diff --git a/bucket.tf b/bucket.tf
new file mode 100644
index 0000000..c65405b
--- /dev/null
+++ b/bucket.tf
@@ -0,0 +1,77 @@
+data "aws_s3_bucket" "logging" {
+  bucket = var.logging_bucket
+}
+
+# enable logging to logging_bucket
+data "aws_iam_policy_document" "allow_logging_to_logging_bucket" {
+  statement {
+    sid = "S3PolicyLoggingAccessStmt"
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+    actions   = ["s3:PutObject"]
+    resources = ["${data.aws_s3_bucket.logging.arn}/*"]
+  }
+}
+
+# attach logging policy to logging_bucket
+resource "aws_s3_bucket_policy" "allow_logging_to_logging_bucket" {
+  bucket = data.aws_s3_bucket.logging.id
+  policy = data.aws_iam_policy_document.allow_logging_to_logging_bucket.json
+}
+
+# rotating KMS key for S3
+resource "aws_kms_key" "s3_key" {
+  description             = "This key is used to encrypt bucket objects"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+}
+
+# Data bucket for SFTP server, tfsec warnings supressed as aws provider > 4 has not been supported yet
+# tfsec:ignore:aws-s3-enable-bucket-logging
+# tfsec:ignore:aws-s3-enable-versioning
+# tfsec:ignore:aws-s3-enable-bucket-encryption
+# tfsec:ignore:aws-s3-encryption-customer-key
+# tfsec:ignore:aws-s3-enable-default-server-side-encryption
+resource "aws_s3_bucket" "sftp" {
+  bucket_prefix = "${local.prefix_kebab}sftpbucket"
+}
+
+resource "aws_s3_bucket_acl" "this" {
+  bucket = aws_s3_bucket.sftp.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_versioning" "this" {
+  bucket = aws_s3_bucket.sftp.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+  bucket = aws_s3_bucket.sftp.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.s3_key.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_logging" "this" {
+  bucket        = aws_s3_bucket.sftp.id
+  target_bucket = data.aws_s3_bucket.logging.id
+  target_prefix = var.prefix
+}
+
+# block all public access to data bucket
+resource "aws_s3_bucket_public_access_block" "sftp" {
+  bucket                  = aws_s3_bucket.sftp.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
diff --git a/example/main.tf b/example/main.tf
new file mode 100644
index 0000000..17bf1cc
--- /dev/null
+++ b/example/main.tf
@@ -0,0 +1,8 @@
+module "sftp_server" {
+  source         = "../"
+  usernames      = ["sftp_user_1", "sftp_user_2"]
+  prefix         = "acme"
+  subdomains     = ["sftp"]
+  r53_zone       = "acme.com"
+  logging_bucket = "acme-sftp-access-logs"
+}
diff --git a/example/output.tf b/example/output.tf
new file mode 100644
index 0000000..06d8ff7
--- /dev/null
+++ b/example/output.tf
@@ -0,0 +1,32 @@
+output "usernames" {
+  value = module.sftp_server.usernames
+}
+
+output "roles" {
+  value = module.sftp_server.roles
+}
+
+output "user_secrets" {
+  value = module.sftp_server.user_secrets
+}
+
+output "bucket_id" {
+  value = module.sftp_server.bucket_id
+}
+
+output "bucket_kms_key" {
+  value = module.sftp_server.bucket_kms_key
+}
+
+output "secret_kms_key" {
+  value = module.sftp_server.secret_kms_key
+}
+
+output "transfer_endpoint" {
+  value = module.sftp_server.transfer_endpoint
+}
+
+output "route53_endpoint" {
+  value = module.sftp_server.route53_endpoint
+}
+
diff --git a/iam.tf b/iam.tf
new file mode 100644
index 0000000..00bfd3e
--- /dev/null
+++ b/iam.tf
@@ -0,0 +1,80 @@
+resource "aws_iam_role" "transfer" {
+  for_each = toset(var.usernames)
+  name     = "${local.prefix_kebab}transfer-user-iam-role-${each.key}"
+
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "transfer.amazonaws.com"
+        },
+        "Action": "sts:AssumeRole"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "transfer" {
+  for_each = toset(var.usernames)
+
+  name = "${local.prefix_kebab}transfer-user-iam-policy-${each.key}"
+  role = aws_iam_role.transfer[each.key].id
+
+  policy = <<-POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Sid": "AllowListingOfUserFolder",
+          "Action": [
+              "s3:ListBucket",
+              "s3:GetBucketLocation"
+          ],
+          "Effect": "Allow",
+          "Resource": [
+              "${aws_s3_bucket.sftp.arn}"
+          ],
+          "Condition": {
+              "StringLike": {
+                  "s3:prefix": [
+                      "${each.key}/*",
+                      "${each.key}"
+                  ]
+              }
+          }
+      },
+      {
+          "Sid": "HomeDirObjectAccess",
+          "Effect": "Allow",
+          "Action": [
+              "s3:PutObject",
+              "s3:GetObject",
+              "s3:DeleteObjectVersion",
+              "s3:DeleteObject",
+              "s3:GetObjectVersion"
+          ],
+          "Resource": [
+              "${aws_s3_bucket.sftp.arn}/${each.key}",
+              "${aws_s3_bucket.sftp.arn}/${each.key}/*"
+          ]
+       },
+       {
+           "Sid": "EncryptionKeyAccess",
+            "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:GenerateDataKey",
+                "kms:DescribeKey",
+                "kms:ReEncrypt"
+            ],
+            "Effect": "Allow",
+            "Resource": "${aws_kms_key.s3_key.arn}"
+       }
+  ]
+}
+  POLICY
+}
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..d31de97
--- /dev/null
+++ b/locals.tf
@@ -0,0 +1,4 @@
+locals {
+  prefix_kebab = var.prefix == "" ? var.prefix : "${var.prefix}-" # for kebab case resource names
+  prefix_snake = var.prefix == "" ? var.prefix : "${var.prefix}_" # for snake case resource names
+}
diff --git a/output.tf b/output.tf
new file mode 100644
index 0000000..5f5f726
--- /dev/null
+++ b/output.tf
@@ -0,0 +1,38 @@
+output "usernames" {
+  value = var.usernames
+}
+
+output "roles" {
+  value = {
+    for k, v in aws_iam_role.transfer : k => v.name
+  }
+}
+
+output "user_secrets" {
+  value = {
+    for k, v in aws_secretsmanager_secret.user : k => v.name
+  }
+}
+
+output "bucket_id" {
+  value = aws_s3_bucket.sftp.id
+}
+
+output "bucket_kms_key" {
+  value = aws_kms_key.s3_key.arn
+}
+
+output "secret_kms_key" {
+  value = aws_kms_key.secret_key.arn
+}
+
+output "transfer_endpoint" {
+  value = aws_transfer_server.sftp.endpoint
+}
+
+output "route53_endpoint" {
+  value = [
+    for k, v in aws_route53_record.this : "${v.name}.${data.aws_route53_zone.this.name}"
+  ]
+}
+
diff --git a/route53.tf b/route53.tf
new file mode 100644
index 0000000..fae3ee9
--- /dev/null
+++ b/route53.tf
@@ -0,0 +1,28 @@
+data "aws_route53_zone" "this" {
+  name         = var.r53_zone
+  private_zone = false
+}
+
+# if more than one subdomain names specified, create a new record set for each
+resource "aws_route53_record" "this" {
+  for_each = toset(var.subdomains)
+  type     = "CNAME"
+  name     = each.key
+  ttl      = 600
+  records  = [aws_transfer_server.sftp.endpoint]
+  zone_id  = data.aws_route53_zone.this.zone_id
+}
+
+# associate the first subdomain with the sftp server endpoint
+resource "null_resource" "associate_custom_hostname" {
+  provisioner "local-exec" {
+    command = <<EOF
+aws transfer tag-resource \
+  --arn '${aws_transfer_server.sftp.arn}' \
+  --tags \
+    'Key=aws:transfer:customHostname,Value=${var.subdomains[0]}.${data.aws_route53_zone.this.name}' \
+    'Key=aws:transfer:route53HostedZoneId,Value=/hostedzone/${data.aws_route53_zone.this.zone_id}'
+EOF
+  }
+  depends_on = [aws_transfer_server.sftp, data.aws_route53_zone.this, aws_route53_record.this]
+}
diff --git a/secret.tf b/secret.tf
new file mode 100644
index 0000000..0533bf3
--- /dev/null
+++ b/secret.tf
@@ -0,0 +1,66 @@
+# rotating KMS key for secret manager
+resource "aws_kms_key" "secret_key" {
+  description             = "This key is used to encrypt secret manager objects"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+}
+
+
+resource "aws_secretsmanager_secret" "user" {
+  for_each    = toset(var.usernames)
+  name        = "${local.prefix_kebab}SFTP/${each.key}"
+  description = "SFTP User - ${each.key} for ${var.prefix}"
+  kms_key_id  = aws_kms_key.secret_key.arn
+
+  tags = {
+    Resource = "SFTP"
+    User     = each.key
+    Prefix   = var.prefix
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "user" {
+  for_each = toset(var.usernames)
+
+  secret_id     = aws_secretsmanager_secret.user[each.key].id
+  secret_string = <<-EOF
+    {
+      "HomeDirectoryDetails": "[{\"Entry\": \"/\", \"Target\": \"/${aws_s3_bucket.sftp.id}/${each.key}\"}]",
+      "Password": "REPLACE_ME",
+      "Role": "${aws_iam_role.transfer[each.key].arn}",
+      "UserId": "${each.key}",
+      "AcceptedIpNetwork": "0.0.0.0/0"
+    }
+  EOF
+}
+
+# allow lambda to access KMS to decrypt secrets
+data "aws_iam_policy_document" "lambda_kms_use" {
+  statement {
+    sid    = "AllowKMSuse"
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncryptFrom",
+      "kms:ReEncryptTo",
+      "kms:GenerateDataKey",
+      "kms:GenerateDataKeyPair",
+      "kms:GenerateDataKeyWithoutPlaintext",
+      "kms:GenerateDataKeyPairWithoutPlaintext",
+      "kms:DescribeKey",
+    ]
+    resources = [aws_kms_key.secret_key.arn]
+  }
+}
+
+resource "aws_iam_policy" "kms_use" {
+  name        = "${local.prefix_kebab}kmsuse"
+  description = "Policy to allow use of KMS Key"
+  policy      = data.aws_iam_policy_document.lambda_kms_use.json
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_kms_role_policy" {
+  role       = module.idp.lambda_iam_role
+  policy_arn = aws_iam_policy.kms_use.arn
+}
diff --git a/sftp.tf b/sftp.tf
new file mode 100644
index 0000000..39fa02c
--- /dev/null
+++ b/sftp.tf
@@ -0,0 +1,117 @@
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+# role for SFTP server
+resource "aws_iam_role" "sftp" {
+  name = "${local.prefix_kebab}sftp-server-iam-role"
+
+  assume_role_policy = <<-POLICY
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "transfer.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+            }
+        ]
+    }
+  POLICY
+}
+
+resource "aws_iam_role" "sftp_log" {
+  # log role for SFTP server
+  name = "${local.prefix_kebab}sftp-server-iam-log-role"
+
+  assume_role_policy = <<-POLICY
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "transfer.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+            }
+        ]
+    }
+  POLICY
+}
+
+resource "aws_iam_role_policy" "sftp" {
+  # policy to allow invocation of IdP API
+  name = "${local.prefix_kebab}sftp-server-iam-policy"
+  role = aws_iam_role.sftp.id
+
+  policy = <<-POLICY
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "InvokeApi",
+          "Effect": "Allow",
+          "Action": [
+            "execute-api:Invoke"
+          ],
+          "Resource": "arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${module.idp.rest_api_id}/${module.idp.rest_api_stage_name}/GET/*"
+        },
+        {
+          "Sid": "ReadApi",
+          "Effect": "Allow",
+          "Action": [
+            "apigateway:GET"
+          ],
+          "Resource": "*"
+        }
+      ]
+    }
+  POLICY
+}
+
+resource "aws_iam_role_policy" "sftp_log" {
+  # policy to allow logging to Cloudwatch
+  name = "${local.prefix_kebab}sftp-server-iam-log-policy"
+  role = aws_iam_role.sftp_log.id
+
+  policy = <<-POLICY
+    {
+      "Version": "2012-10-17",
+      "Statement": [{
+          "Sid": "AmazonAPIGatewayPushToCloudWatchLogs",
+          "Effect": "Allow",
+          "Action": [
+            "logs:CreateLogGroup",
+            "logs:CreateLogStream",
+            "logs:DescribeLogGroups",
+            "logs:DescribeLogStreams",
+            "logs:PutLogEvents",
+            "logs:GetLogEvents",
+            "logs:FilterLogEvents"
+          ],
+          "Resource": "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/transfer/${aws_transfer_server.sftp.id}*"
+        }
+      ]
+    }
+  POLICY
+}
+
+resource "aws_transfer_server" "sftp" {
+  identity_provider_type = "API_GATEWAY"
+  logging_role           = aws_iam_role.sftp_log.arn
+  url                    = module.idp.invoke_url # url from output of the module
+  invocation_role        = aws_iam_role.sftp.arn
+  endpoint_type          = "PUBLIC"
+
+  tags = {
+    NAME = "${local.prefix_kebab}sftp-server"
+  }
+}
+
+module "idp" {
+  source = "github.com/Bubo-AI/terraform-aws-transfer?ref=v0.5.3"
+  prefix = var.prefix
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..42aef5f
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,45 @@
+
+variable "logging_bucket" {
+  description = "S3 bucket to store access logs of the data bucket."
+  default     = ""
+  type        = string
+  validation {
+    condition     = can(regex("[a-z0-9][a-z0-9-]{1,61}[a-z0-9]", var.logging_bucket))
+    error_message = "Invalid s3 bucket name."
+  }
+}
+
+variable "subdomains" {
+  description = "List of subdomain names to redirect AWS transfer endpoint. Mostly same as the prefix."
+  default     = []
+  type        = list(string)
+  validation {
+    condition = length([
+      for s in var.subdomains : s
+      if can(regex("^[a-z0-9-]+$", s))
+    ]) == length(var.subdomains)
+    error_message = "The subdomains must consist of lowercase alphanumeric characters and/or a hyphen."
+  }
+}
+
+variable "prefix" {
+  description = "AWS resource prefix"
+  default     = ""
+  type        = string
+  validation {
+    condition     = can(regex("^[a-z0-9-]+$", var.prefix))
+    error_message = "The prefix must consist of lowercase alphanumeric characters and a hyphen."
+  }
+}
+
+variable "r53_zone" {
+  description = "Route53 Zone Name"
+  type        = string
+}
+
+
+variable "usernames" {
+  description = "SFTP usernames as list"
+  type        = list(string)
+  default     = ["transfer-user"]
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..0bd4b4b
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.3.0"
+    }
+  }
+
+  required_version = ">= 1.0.0"
+}