From 21a176e215561395737934b41989f5b25c4d0922 Mon Sep 17 00:00:00 2001
From: bradj
Date: Thu, 22 Jul 2021 13:58:04 -0500
Subject: [PATCH 1/3] Adds flag and policy to require all buckets requests to be over SSL

---
 main.tf | 26 ++++++++++++++++++++++++++
 variables.tf | 6 ++++++
 2 files changed, 32 insertions(+)

diff --git a/main.tf b/main.tf
index e6ff24b..ee6d1c9 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,7 @@
 locals {
 enabled = module.this.enabled
+ bucket_arn = "arn:${data.aws_partition.current.partition}:s3:::${join("", aws_s3_bucket.default.*.id)}"
+
 website_config = {
 redirect_all = [
 {
@@ -129,6 +131,28 @@ data "aws_iam_policy_document" "default" {
 }
 }
 
+ dynamic "statement" {
+ for_each = var.allow_ssl_requests_only ? [1] : []
+
+ content {
+ sid = "ForceSSLOnlyAccess"
+ effect = "Deny"
+ actions = ["s3:*"]
+ resources = [local.bucket_arn, "${local.bucket_arn}/*"]
+
+ principals {
+ identifiers = ["*"]
+ type = "*"
+ }
+
+ condition {
+ test = "Bool"
+ values = ["false"]
+ variable = "aws:SecureTransport"
+ }
+ }
+ }
+
 # Support replication ARNs
 dynamic "statement" {
 for_each = flatten(data.aws_iam_policy_document.replication.*.statement)
@@ -253,6 +277,8 @@ data "aws_iam_policy_document" "deployment" {
 }
 }
 
+data "aws_partition" "current" {}
+
 module "dns" {
 source = "cloudposse/route53-alias/aws"
 version = "0.12.0"
diff --git a/variables.tf b/variables.tf
index b51ae20..5bb0f4b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -151,4 +151,10 @@ variable "encryption_enabled" {
 type = bool
 default = false
 description = "When set to 'true' the resource will have AES256 encryption enabled by default"
+}
+
+variable "allow_ssl_requests_only" {
+ type = bool
+ default = false
+ description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
 }
\ No newline at end of file

From 41d651c015df8d56aeb3ddeb1d96b3b207d6dc94 Mon Sep 17 00:00:00 2001
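Review bot: The new Deny statement in the second main.tf hunk will also reject requests arriving through the bucket's S3 website endpoint, because website endpoints serve plain HTTP only and therefore always evaluate `aws:SecureTransport` as false; given the `website_config` local and the `dns` alias module in this file, that is likely the primary access path, so the description in the variables.tf hunk should state what the flag breaks, not only what it denies. Suggested description: `Set to true to deny every non-HTTPS request to the bucket (aws:SecureTransport = false). S3 website endpoints are HTTP-only, so with this enabled the bucket must be served through a TLS-terminating front such as CloudFront.` Separately, `local.bucket_arn` is assembled by hand from `aws_partition` and the bucket id; `join("", aws_s3_bucket.default.*.arn)` would yield the same ARN without the extra data source, provided the policy document is not attached inline on the bucket resource (the hunk does not show how it is attached). The statement body itself — `Principal *`, `s3:*` over both the bucket and object ARNs, a `Bool`/`false` condition — matches the standard AWS pattern. The enclosing `data "aws_iam_policy_document" "default"` block starts and ends outside the hunk.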
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Thu, 22 Jul 2021 18:59:51 +0000 Subject: [PATCH 2/3] Auto Format --- README.md | 2 ++ docs/terraform.md | 2 ++ main.tf | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ddb0746..e6c1713 100644 --- a/README.md +++ b/README.md @@ -181,12 +181,14 @@ Available targets: | [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [allow\_ssl\_requests\_only](#input\_allow\_ssl\_requests\_only) | Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `false` | no | | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | | [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | List of allowed headers | `list(string)` |
[
"*"
]
| no | diff --git a/docs/terraform.md b/docs/terraform.md index 74a4260..b503e93 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -31,12 +31,14 @@ | [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [allow\_ssl\_requests\_only](#input\_allow\_ssl\_requests\_only) | Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `false` | no | | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | | [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | List of allowed headers | `list(string)` |
[
"*"
]
| no |
diff --git a/main.tf b/main.tf
index ee6d1c9..ec349a3 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,7 @@
 locals {
- enabled = module.this.enabled
+ enabled = module.this.enabled
 bucket_arn = "arn:${data.aws_partition.current.partition}:s3:::${join("", aws_s3_bucket.default.*.id)}"
-
+
 website_config = {
 redirect_all = [
 {

From fb2aefcea1df3df220d314d1da67714e5026f847 Mon Sep 17 00:00:00 2001
From: bradj
Date: Thu, 22 Jul 2021 14:07:15 -0500
Subject: [PATCH 3/3] Update policy SID to match feature flag

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index ee6d1c9..1ceb754 100644
--- a/main.tf
+++ b/main.tf
@@ -135,7 +135,7 @@ data "aws_iam_policy_document" "default" {
 for_each = var.allow_ssl_requests_only ? [1] : []
 
 content {
- sid = "ForceSSLOnlyAccess"
+ sid = "AllowSSLRequestsOnly"
 effect = "Deny"
 actions = ["s3:*"]
 resources = [local.bucket_arn, "${local.bucket_arn}/*"]