From 543f54cdf203108106d006ea693463ea463df293 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Fri, 12 Jan 2024 15:57:16 +0100
Subject: [PATCH] feat: Added AccessedViaMountTarget condition for deny_nonsecure_transport (#21)
---
 .pre-commit-config.yaml | 2 +-
 main.tf | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 145baf9..74b0a6b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.83.5
+ rev: v1.86.0
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
diff --git a/main.tf b/main.tf
index 4e0e9f7..76f9cc1 100644
--- a/main.tf
+++ b/main.tf
@@ -100,6 +100,32 @@ data "aws_iam_policy_document" "policy" {
 }
 }
 }
+
+ dynamic "statement" {
+ for_each = var.deny_nonsecure_transport ? [1] : []
+
+ content {
+ sid = "NonSecureTransportAccessedViaMountTarget"
+ effect = "Allow"
+ actions = [
+ "elasticfilesystem:ClientRootAccess",
+ "elasticfilesystem:ClientWrite",
+ "elasticfilesystem:ClientMount"
+ ]
+ resources = [aws_efs_file_system.this[0].arn]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "Bool"
+ variable = "elasticfilesystem:AccessedViaMountTarget"
+ values = ["true"]
+ }
+ }
+ }
 }
 resource "aws_efs_file_system_policy" "this" {
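Review bot: The new Allow statement grants `elasticfilesystem:ClientRootAccess`, `ClientWrite` and `ClientMount` to principal `*` for any access that arrives through a mount target, and nothing in it is conditioned on transport — so turning on `deny_nonsecure_transport` does not only deny plaintext NFS, it also explicitly re-grants root access to every client (including anonymous, non-IAM clients) that can reach a mount target, which can widen a more restrictive set of Allow statements a caller adds elsewhere in this policy document (the enclosing `data "aws_iam_policy_document" "policy"` block starts before this hunk, and the matching `aws:SecureTransport` Deny is presumably there). This mirrors the policy the AWS console generates for "enforce in-transit encryption", so it may well be intended, but callers should see it: extend the `deny_nonsecure_transport` variable description with something like `Also adds an Allow for ClientMount/ClientWrite/ClientRootAccess to any principal that accesses the file system via a mount target, so mount-target security groups become the effective access control`, and consider giving this grant its own toggle instead of coupling it to the Deny. The sid `NonSecureTransportAccessedViaMountTarget` also misdescribes the statement, which is an Allow unrelated to non-secure transport; `sid = "AllowAccessViaMountTarget"` would read correctly. Explicit Deny statements still take precedence, so the transport Deny itself is not weakened by this Allow.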