Make requiring TLS optional

aws-s3-public-bucket/main.tf

@@ -37,22 +37,25 @@ data "aws_iam_policy_document" "bucket_policy" {
   # Deny access to bucket if it's not accessed through HTTPS
   source_json = var.bucket_policy
 
-  statement {
-    sid       = "EnforceTLS"
-    actions   = ["s3:GetObject"]
-    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
+  dynamic statement {
+    for_each = var.require_tls ? ["enabled"] : []
+    content {
+      sid       = "EnforceTLS"
+      actions   = ["s3:GetObject"]
+      resources = ["arn:aws:s3:::${local.bucket_name}/*"]
 
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
+      principals {
+        type        = "*"
+        identifiers = ["*"]
+      }
 
-    effect = "Deny"
+      effect = "Deny"
 
-    condition {
-      test     = "Bool"
-      variable = "aws:SecureTransport"
-      values   = ["false"]
+      condition {
+        test     = "Bool"
+        variable = "aws:SecureTransport"
+        values   = ["false"]
+      }
     }
   }
 

aws-s3-public-bucket/variables.tf

@@ -50,3 +50,9 @@ variable "enable_versioning" {
   description = "Keep old versions of objects in this bucket."
   default     = true
 }
+
+variable "require_tls" {
+  type        = bool
+  description = "Require TLS to read objects from this bucket."
+  default     = true
+}