Unable to set a Block SSL Policy on the logs bucket #191

Open
marcottedan opened this issue Nov 3, 2021 · 0 comments
Labels
bug 🐛 An issue with the system

Comments


marcottedan commented Nov 3, 2021

Describe the Bug

Amazon states that S3 buckets should require requests to use Secure Socket Layer: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-5-remediation

Even though the original bucket has the right policy, the log bucket created with the module has no policy attached to it. There seems to be no variable giving the log bucket id & arn in outputs.tf

So, I tried adding the bucket policy myself but I was unable to.

Here's an example showing that it is not possible to use the module's output.

```hcl
resource "aws_s3_bucket_policy" "logs-policy" {
  # logs doesn't offer access to the s3 bucket here
  bucket = module.cdn.logs.s3_bucket

  # logs doesn't offer access to the s3 bucket arn in the Resource block
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "BUCKET-POLICY"
    Statement = [
      # Operators inside one Condition block are ANDed. On a plaintext request
      # s3:TlsVersion is absent, so a single statement that tests both
      # aws:SecureTransport and s3:TlsVersion never matches. Keep them separate.
      {
        Sid       = "EnforceTls"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          "${module.cdn.logs.s3_bucket_arn}/*",
          "${module.cdn.logs.s3_bucket_arn}",
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
      {
        Sid       = "EnforceTls12"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          "${module.cdn.logs.s3_bucket_arn}/*",
          "${module.cdn.logs.s3_bucket_arn}",
        ]
        Condition = {
          # condition values are strings; an unquoted number is rejected by IAM
          NumericLessThan = {
            "s3:TlsVersion" = "1.2"
          }
        }
      },
    ]
  })
}
```

Expected Behavior

The log bucket should either follow the same policy the S3 content bucket has or at least provide a way to set it.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Go to https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn
  2. Copy the example "cloudposse/cloudfront-s3-cdn/aws"
  3. Terraform apply
  4. You'll see the log policy is empty.

Screenshots

The content bucket policy is OK:
[screenshot: content bucket policy with the TLS-enforcing Deny statement]

The log bucket policy is empty:
[screenshot: log bucket with no bucket policy]

Environment (please complete the following information):

Anything that will help us triage the bug will help. Here are some ideas:

  • OS: OSX BigSur
  • Version 11.6.1

Additional Context

N/A

@marcottedan marcottedan added the bug 🐛 An issue with the system label Nov 3, 2021
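The Security Hub S3.5 control cited in the report passes only when the bucket policy carries an explicit Deny, for every principal, on the bucket and its objects, conditioned on aws:SecureTransport being false; a bucket with no policy at all (the log bucket here) fails it. The script below is an added example, not Cloud Posse code and not the Security Hub implementation, that approximates that check offline so the log bucket's policy can be tested before and after a fix. It also rejects the trap in the snippet posted above: putting the SecureTransport test and a NumericLessThan on s3:TlsVersion in one Condition block ANDs them, and since s3:TlsVersion is absent on plaintext requests that statement never denies anything. The bucket ARN and the sample policies are constructed inputs.

```python
"""Offline check: does an S3 bucket policy enforce TLS-only access?

Added example for this issue; approximates the Security Hub S3.5 control.
Bucket ARN and policies are constructed sample input, not real resources.
"""
import json

BUCKET_ARN = "arn:aws:s3:::example-cdn-logs"  # constructed, not a real bucket


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} both mean every caller, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def statement_denies_plaintext(stmt, bucket_arn):
    """True if this single statement denies every non-TLS request to the bucket.

    Deliberately conservative: only wildcard actions (s3:* or *) count, and the
    Deny must name both the bucket ARN and bucket_arn/*.
    """
    if stmt.get("Effect") != "Deny":
        return False
    if not _principal_is_everyone(stmt.get("Principal")):
        return False
    if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
        return False
    resources = set(_as_list(stmt.get("Resource")))
    if not {bucket_arn, bucket_arn + "/*"} <= resources:
        return False
    condition = stmt.get("Condition") or {}
    bool_block = condition.get("Bool") or {}
    if str(bool_block.get("aws:SecureTransport", "")).lower() != "false":
        return False
    # Every operator in a Condition block is ANDed. Pairing the SecureTransport
    # test with NumericLessThan on s3:TlsVersion means the Deny fires only when
    # both match; s3:TlsVersion is absent on plaintext requests, so such a
    # statement never denies anything. Reject mixed statements outright.
    if len(condition) != 1 or len(bool_block) != 1:
        return False
    return True


def policy_enforces_tls(policy, bucket_arn=BUCKET_ARN):
    """Accept a policy as JSON text, a dict, or None/empty (no policy attached)."""
    if not policy:
        return False
    if isinstance(policy, str):
        policy = json.loads(policy)
    return any(statement_denies_plaintext(s, bucket_arn)
               for s in _as_list(policy.get("Statement")))


def _deny(sid, condition):
    """Build one wildcard Deny statement on the sample bucket."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"], "Condition": condition}


# Constructed sample policies.
# 1. Two separate Deny statements: one for plaintext, one for old TLS versions.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    _deny("EnforceTls", {"Bool": {"aws:SecureTransport": "false"}}),
    _deny("EnforceTls12", {"NumericLessThan": {"s3:TlsVersion": "1.2"}}),
]}
GOOD_POLICY_JSON = json.dumps(GOOD_POLICY)  # same policy as it comes back from the API
# 2. Both conditions in ONE statement, as in the snippet posted in the issue.
ANDED_POLICY = {"Version": "2012-10-17", "Statement": [
    _deny("EnforceTls", {"Bool": {"aws:SecureTransport": "false"},
                         "NumericLessThan": {"s3:TlsVersion": "1.2"}}),
]}
# 3. Deny limited to a single action: not enough for the control.
NARROW_POLICY = {"Version": "2012-10-17", "Statement": [
    {**_deny("x", {"Bool": {"aws:SecureTransport": "false"}}), "Action": "s3:GetObject"},
]}

if __name__ == "__main__":
    for name, pol in [("no policy", None), ("good", GOOD_POLICY),
                      ("anded", ANDED_POLICY), ("narrow", NARROW_POLICY)]:
        print(f"{name:10s} enforces TLS: {policy_enforces_tls(pol)}")
```

To run it against a live bucket, feed `policy_enforces_tls` the `Policy` string returned by `aws s3api get-bucket-policy` (or `None` when that call reports no policy, which is exactly the log bucket's state described above).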