feat: add s3 policy resource

clouddrove · Sep 15, 2023 · a2ecaf7 · a2ecaf7
1 parent 5cbb490
commit a2ecaf7
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 2 deletions.
diff --git a/main.tf b/main.tf
@@ -1325,10 +1325,13 @@ resource "aws_s3_bucket_versioning" "webacl_traffic_information" {
   count = var.enable && var.waf_enabled && var.create_logging_configuration ? 1 : 0
 
   bucket = join("", aws_s3_bucket.webacl_traffic_information[*].id)
+  mfa    = var.mfa
   versioning_configuration {
-    status = "Enabled"
+    status     = var.versioning_status
+    mfa_delete = var.mfa_delete
   }
 }
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "webacl_traffic_information" {
   count = var.enable && var.waf_enabled && var.create_logging_configuration ? 1 : 0
 
@@ -1340,6 +1343,33 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "webacl_traffic_in
   }
 }
 
+resource "aws_s3_bucket_policy" "block-http" {
+  count  = var.enable && var.waf_enabled && var.create_logging_configuration && var.only_https_traffic ? 1 : 0
+  bucket = aws_s3_bucket.webacl_traffic_information[0].id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "Blockhttp"
+    Statement = [
+      {
+        "Sid" : "AllowSSLRequestsOnly",
+        "Effect" : "Deny",
+        "Principal" : "*",
+        "Action" : "s3:*",
+        "Resource" : [
+          aws_s3_bucket.webacl_traffic_information[0].arn,
+          "${aws_s3_bucket.webacl_traffic_information[0].arn}/*",
+        ],
+        "Condition" : {
+          "Bool" : {
+            "aws:SecureTransport" : "false"
+          }
+        }
+      },
+    ]
+  })
+}
+
 # AWS Glue Catalog Database. This resource is needed by Amazon Kinesis Firehose as data format conversion configuration, for transforming from JSON to Parquet.
 resource "aws_glue_catalog_database" "database" {
   count = var.enable && var.waf_enabled && var.create_logging_configuration ? 1 : 0

diff --git a/variables.tf b/variables.tf
@@ -143,4 +143,28 @@ variable "s3_sse_algorithm" {
   type        = string
   default     = "aws:kms"
   description = "Server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
-}
+}
+
+variable "only_https_traffic" {
+  type        = bool
+  default     = true
+  description = "This veriables use for only https traffic."
+}
+
+variable "mfa_delete" {
+  type        = string
+  default     = "Disabled"
+  description = "Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled."
+}
+
+variable "mfa" {
+  type        = string
+  default     = null
+  description = "Optional, Required if versioning_configuration mfa_delete is enabled) Concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device."
+}
+
+variable "versioning_status" {
+  type        = string
+  default     = "Enabled"
+  description = "Required if versioning_configuration mfa_delete is enabled) Concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device."
+}