feat: Allow users to opt out of NonSecureTransport policy requireme…

…nt (#7) Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
terraform-aws-modules · Jan 16, 2023 · 3f851b1 · 3f851b1
1 parent 269fa7c
commit 3f851b1
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -157,6 +157,7 @@ No modules.
 | <a name="input_create_replication_configuration"></a> [create\_replication\_configuration](#input\_create\_replication\_configuration) | Determines whether a replication configuration is created | `bool` | `false` | no |
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines whether a security group is created | `bool` | `true` | no |
 | <a name="input_creation_token"></a> [creation\_token](#input\_creation\_token) | A unique name (a maximum of 64 characters are allowed) used as reference when creating the Elastic File System to ensure idempotent file system creation. By default generated by Terraform | `string` | `null` | no |
+| <a name="input_deny_nonsecure_transport"></a> [deny\_nonsecure\_transport](#input\_deny\_nonsecure\_transport) | Determines whether `aws:SecureTransport` is required when connecting to elastic file system | `bool` | `true` | no |
 | <a name="input_enable_backup_policy"></a> [enable\_backup\_policy](#input\_enable\_backup\_policy) | Determines whether a backup policy is `ENABLED` or `DISABLED` | `bool` | `true` | no |
 | <a name="input_encrypted"></a> [encrypted](#input\_encrypted) | If `true`, the disk will be encrypted | `bool` | `true` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN for the KMS encryption key. When specifying `kms_key_arn`, encrypted needs to be set to `true` | `string` | `null` | no |

diff --git a/main.tf b/main.tf
@@ -68,7 +68,7 @@ data "aws_iam_policy_document" "policy" {
  }
 
  dynamic "condition" {
- for_each = try(statement.value.conditions, [])
+ for_each = try(statement.value.conditions, statement.value.condition, [])
 
  content {
  test = condition.value.test
@@ -79,21 +79,25 @@ data "aws_iam_policy_document" "policy" {
  }
  }
 
- statement {
- sid = "NonSecureTransport"
- effect = "Deny"
- actions = ["*"]
- resources = [aws_efs_file_system.this[0].arn]
+ dynamic "statement" {
+ for_each = var.deny_nonsecure_transport ? [1] : []
 
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
+ content {
+ sid = "NonSecureTransport"
+ effect = "Deny"
+ actions = ["*"]
+ resources = [aws_efs_file_system.this[0].arn]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
 
- condition {
- test = "Bool"
- variable = "aws:SecureTransport"
- values = ["false"]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
  }
  }
 }

diff --git a/variables.tf b/variables.tf
@@ -102,6 +102,12 @@ variable "policy_statements" {
  default = []
 }
 
+variable "deny_nonsecure_transport" {
+ description = "Determines whether `aws:SecureTransport` is required when connecting to elastic file system"
+ type = bool
+ default = true
+}
+
 ################################################################################
 # Mount Target(s)
 ################################################################################