chanzuckerberg · kuannie1 · Jan 12, 2021 · Jan 12, 2021 · Jan 12, 2021
@@ -20,7 +20,7 @@ resource "aws_s3_bucket" "bucket" {
   policy = data.aws_iam_policy_document.bucket_policy.json
 
   versioning {
-    enabled = true
+    enabled = var.enable_versioning
   }
 
   server_side_encryption_configuration {
@@ -37,6 +37,25 @@ data "aws_iam_policy_document" "bucket_policy" {
   # Deny access to bucket if it's not accessed through HTTPS
   source_json = var.bucket_policy
 
+  statement {
+    sid       = "EnforceTLS"
+    actions   = ["s3:GetObject"]
+    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    effect = "Deny"
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
+
   statement {
     sid       = "AllowPublicRead"
     actions   = ["s3:GetObject"]

@@ -44,3 +44,9 @@ variable "public_read_justification" {
   type        = string
   description = "Describe why this bucket must be public and what it is being used for."
 }
+
+variable "enable_versioning" {
+  type        = bool
+  description = "Keep old versions of objects in this bucket."
+  default     = true
+}