feat: support enforcing SSL and encrypted uploads for logs

[oycyc]

Support enforcing SSL and encrypted uploads for the log bucket.

Even though they are not sensitive or critical, there are cases when there are requirements or rules for the sake of rules, for example, SOC2 compliance.

Summary by CodeRabbit

• New Features

  • Added options to enforce SSL-only access and encrypted uploads for the session logging bucket.
  • Support referencing VPC and subnets by name; subnet_ids and vpc_id are now optional.

• Documentation

  • Updated Providers table and Resources to reflect new data sources.
  • Documented new and modified inputs.

• Chores

  • Upgraded logs bucket module to version 4.10.0.

[Gowiem]

Does turning these off fix the log uploading issue? Or is this for client's Vanta requirements?

[oycyc]

@Gowiem
1.) They are false by default already. The upstream CloudPosse S3 bucket module has these false as default. So zero diff for our module consumers as well if they upgrade.
2.) This is for client's Vanta requirement. Planning to use this to set to true in the root module consuming this.

[Gowiem]

Understood!

[coderabbitai]

Walkthrough

The change adds two new boolean inputs to control S3 bucket policies for session logging: allow_ssl_requests_only and allow_encrypted_uploads_only. These variables are defined in variables.tf and passed through to the logs_bucket module in main.tf. README.md is updated to document the new inputs, adjust provider/module versions, replace an S3 bucket data source with VPC/subnet-related data sources, and change several networking inputs from required to optional while adding subnet_names and vpc_name.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: add VPC and subnet name support #54 — Similar pattern of making VPC/subnet IDs optional, adding name-based inputs, and introducing VPC/subnet data lookups and validation.

Suggested reviewers

• Gowiem

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/support-enforcing-ssl-and-encryupted-uploads

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (5)

main.tf (3)

201-206: Heads-up: flags won’t apply when a BYO bucket name is supplied.

Because enabled = local.logs_bucket_enabled is false when var.session_logging_bucket_name is set, these enforcement flags won’t be enforced on an external bucket. Consider documenting this explicitly (and/or adding an optional policy path for BYO buckets in a follow-up).
If you want, I can draft a minimal aws_s3_bucket_policy example conditioned on session_logging_bucket_name != "".

---

201-206: Consider enabling S3 Bucket Keys to reduce KMS costs.

Adding bucket_key_enabled = true typically lowers KMS request costs for SSE-KMS buckets with continuous writes (logs). Apply like this:

   # Encryption / Security
   sse_algorithm                = "aws:kms"
   kms_master_key_arn           = local.session_logging_kms_key_arn
+  bucket_key_enabled           = true
   allow_ssl_requests_only      = var.allow_ssl_requests_only
   allow_encrypted_uploads_only = var.allow_encrypted_uploads_only
   force_destroy                = true

---

201-206: Double-check semantics of “encryption disabled.”

Even if session_logging_encryption_enabled = false, this block still configures SSE-KMS (with AWS-managed key if kms_master_key_arn is empty). If that’s intentional, great—just ensure README language reflects that the S3 bucket is always encrypted at rest. Otherwise, gate sse_algorithm on the variable.

variables.tf (1)

185-196: Optional: clarify scope in descriptions.

To avoid confusion with BYO buckets, append a note like “Only applies when this module creates the logs bucket (when session_logging_bucket_name is empty).”

README.md (1)

141-143: Clarify when these inputs take effect.

Suggest amending both rows to note they only apply when this module creates the S3 bucket (i.e., when session_logging_bucket_name is not set). This prevents surprises for BYO buckets.

-| allow_encrypted_uploads_only | Whether or not to allow encrypted uploads only. If set to `true` this will create a bucket policy that `Deny` if encryption header is missing in the requests. | `bool` | `false` | no |
+| allow_encrypted_uploads_only | Require encrypted uploads to the session logs bucket. If `true`, a bucket policy denies requests missing SSE headers. Note: applies only when this module creates the bucket (when `session_logging_bucket_name` is empty). | `bool` | `false` | no |
-| allow_ssl_requests_only | Whether or not to allow SSL requests only. If set to `true` this will create a bucket policy that `Deny` if SSL is not used in the requests using the `aws:SecureTransport` condition. | `bool` | `false` | no |
+| allow_ssl_requests_only | Require SSL (HTTPS) requests to the session logs bucket. If `true`, a bucket policy denies non-SSL requests via `aws:SecureTransport`. Note: applies only when this module creates the bucket (when `session_logging_bucket_name` is empty). | `bool` | `false` | no |

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1467858 and 115e048.

📒 Files selected for processing (3)

• README.md (4 hunks)
• main.tf (1 hunks)
• variables.tf (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.tf

⚙️ CodeRabbit configuration file

**/*.tf: You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.org/docs/.
You have a strong grasp of Terraform syntax and prioritize providing accurate and insightful code suggestions.
As a fan of the Cloud Posse / SweetOps ecosystem, you incorporate many of their best practices https://docs.cloudposse.com/best-practices/terraform/ while balancing them with general Terraform guidelines.

Files:

• variables.tf
• main.tf

🧠 Learnings (4)

📓 Common learnings

Learnt from: oycyc
PR: masterpointio/terraform-spacelift-events-collector-audit-trail#2
File: s3.tf:2-14
Timestamp: 2025-01-30T16:39:53.021Z
Learning: The CloudPosse S3 bucket module (cloudposse/s3-bucket/aws) comes with secure defaults including versioning, private ACL, blocked public access, and server-side encryption. These don't need to be explicitly specified unless overriding the defaults.

Learnt from: oycyc
PR: masterpointio/terraform-spacelift-events-collector-audit-trail#2
File: s3.tf:2-14
Timestamp: 2025-01-30T16:39:53.021Z
Learning: The CloudPosse S3 bucket module (cloudposse/s3-bucket/aws) comes with secure defaults: versioning is enabled by default (versioning_enabled=true), ACL is private by default (acl="private"), and public access is blocked by default (block_public_acls=true, block_public_policy=true, ignore_public_acls=true). These don't need to be explicitly specified unless overriding the defaults.

📚 Learning: 2025-01-30T16:39:53.021Z

Learnt from: oycyc
PR: masterpointio/terraform-spacelift-events-collector-audit-trail#2
File: s3.tf:2-14
Timestamp: 2025-01-30T16:39:53.021Z
Learning: The CloudPosse S3 bucket module (cloudposse/s3-bucket/aws) comes with secure defaults: versioning is enabled by default (versioning_enabled=true), ACL is private by default (acl="private"), and public access is blocked by default (block_public_acls=true, block_public_policy=true, ignore_public_acls=true). These don't need to be explicitly specified unless overriding the defaults.

Applied to files:

• variables.tf

📚 Learning: 2025-01-30T16:39:53.021Z

Learnt from: oycyc
PR: masterpointio/terraform-spacelift-events-collector-audit-trail#2
File: s3.tf:2-14
Timestamp: 2025-01-30T16:39:53.021Z
Learning: The CloudPosse S3 bucket module (cloudposse/s3-bucket/aws) comes with secure defaults including versioning, private ACL, blocked public access, and server-side encryption. These don't need to be explicitly specified unless overriding the defaults.

Applied to files:

• variables.tf
• main.tf

📚 Learning: 2024-11-18T13:00:36.189Z

Learnt from: gberenice
PR: masterpointio/terraform-spacelift-aws-integrations#2
File: versions.tf:5-8
Timestamp: 2024-11-18T13:00:36.189Z
Learning: If a Terraform module does not include any AWS resources, there's no need to declare the AWS provider.

Applied to files:

• README.md

🔇 Additional comments (6)

main.tf (1)

201-206: Inputs correctly wired to Cloud Posse module (supports SSL-only and encrypted uploads).

allow_ssl_requests_only and allow_encrypted_uploads_only are valid inputs in cloudposse/terraform-aws-s3-bucket and behave as intended. Nice upgrade alongside v4.10.0. (docs.cloudposse.com, github.com)

variables.tf (1)

185-196: New booleans look good and match upstream module inputs.

Descriptions are clear, types/defaults are sane, and they align with Cloud Posse’s variables. (docs.cloudposse.com)

README.md (4)

95-95: Provider table change is fine (terraform provider shows up when using terraform_data).

---

102-102: Module bump to s3-bucket v4.10.0 aligns with new inputs.

---

124-124: Resource list updates look consistent with code (terraform_data and networking data sources).

---

184-186: Networking input doc tweaks LGTM.

Switching to optional subnet_ids and adding subnet_names/vpc_name matches main.tf resolution logic.

Also applies to: 190-191

[Gowiem]

🚢 🚢 🚢