From 261c806cc856510a2fb014869aff0907b03edeb3 Mon Sep 17 00:00:00 2001
From: Daniel Palmer
Date: Fri, 10 Mar 2023 10:48:40 -0700
Subject: [PATCH] feat: s3 requires SSL by default
---
 README.md | 1 +
 main.tf | 2 ++
 modules/statestore/main.tf | 38 +++++++++++++++++++++++++++++++++
 modules/statestore/variables.tf | 4 ++++
 variables.tf | 9 ++++++++
 5 files changed, 54 insertions(+)
diff --git a/README.md b/README.md
index e5d91b6..bdc1919 100644
--- a/README.md
+++ b/README.md
@@ -178,6 +178,7 @@ Optional policies have the option of being created by default, but are specified
 | vpc\_id | VPC ID to create resources in | `string` | n/a | yes |
 | wait_for_capacity_timeout | How long Terraform should wait for ASG instances to be healthy before timing out. | `string` | `"10m"` | no |
 | metadata_options | Instance Metadata Options | `map` |
{
http_endpoint: "enabled",
http_tokens: "required",
http_put_response_hop_limit: 1,
instance_metadata_tags: "disabled"}
| no |
+| statestore_attach_deny_insecure_transport_policy | Toggle for enabling s3 policy to reject non-SSL requests | `bool` | `true` | yes |
 ## Outputs
diff --git a/main.tf b/main.tf
index e4b044f..52d2b2d 100644
--- a/main.tf
+++ b/main.tf
@@ -41,6 +41,8 @@ module "statestore" {
 name = local.uname
 token = random_password.token.result
 tags = merge(local.default_tags, var.tags)
+
+ attach_deny_insecure_transport_policy = var.statestore_attach_deny_insecure_transport_policy
 }
 #
diff --git a/modules/statestore/main.tf b/modules/statestore/main.tf
index 99b14e9..fa1a445 100644
--- a/modules/statestore/main.tf
+++ b/modules/statestore/main.tf
@@ -47,3 +47,41 @@ data "aws_iam_policy_document" "setter" {
 ]
 }
 }
+
+data "aws_iam_policy_document" "deny_insecure_transport" {
+ count = var.attach_deny_insecure_transport_policy ? 1 : 0
+
+ statement {
+ sid = "denyInsecureTransport"
+ effect = "Deny"
+
+ actions = [
+ "s3:*",
+ ]
+
+ resources = [
+ aws_s3_bucket.bucket.arn,
+ "${aws_s3_bucket.bucket.arn}/*",
+ ]
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = [
+ "false"
+ ]
+ }
+ }
+}
+
+resource "aws_s3_bucket_policy" "this" {
+ count = var.attach_deny_insecure_transport_policy ? 1 : 0
+
+ bucket = aws_s3_bucket.bucket.id
+ policy = data.aws_iam_policy_document.deny_insecure_transport[0].json
+}
diff --git a/modules/statestore/variables.tf b/modules/statestore/variables.tf
index 4b5e9e3..3e5cebe 100644
--- a/modules/statestore/variables.tf
+++ b/modules/statestore/variables.tf
@@ -10,3 +10,7 @@ variable "tags" {
 type = map(string)
 default = {}
 }
+
+variable "attach_deny_insecure_transport_policy" {
+ type = bool
+}
diff --git a/variables.tf b/variables.tf
index 41dc778..9f252b4 100644
--- a/variables.tf
+++ b/variables.tf
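Review bot: The new `denyInsecureTransport` statement in `deny_insecure_transport` rejects plaintext HTTP but says nothing about the TLS version, because `aws:SecureTransport` is a plain true/false key; a client negotiating TLS 1.0 still passes this policy. If the intent is "secure transport" rather than merely "not plaintext", a second statement denying `s3:TlsVersion` below 1.2 closes that gap, and a draft of it is below (the existing statement is left exactly as committed). Separately, `aws_s3_bucket_policy.this` owns the bucket's entire policy document, so if the statestore module attaches another bucket policy anywhere outside this hunk the two resources would overwrite each other on every apply; a comment on the resource such as `# A bucket has exactly one policy: add further statements to deny_insecure_transport rather than a second aws_s3_bucket_policy.` would warn the next maintainer.
```hcl
data "aws_iam_policy_document" "deny_insecure_transport" {
  count = var.attach_deny_insecure_transport_policy ? 1 : 0

  # … unchanged: denyInsecureTransport statement (aws:SecureTransport = false) …

  # aws:SecureTransport only distinguishes TLS from plaintext; this statement
  # additionally refuses connections negotiated with TLS older than 1.2.
  statement {
    sid    = "denyOutdatedTls"
    effect = "Deny"

    actions = ["s3:*"]

    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "NumericLessThan"
      variable = "s3:TlsVersion"
      values   = ["1.2"]
    }
  }
}
```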
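Review bot: `attach_deny_insecure_transport_policy` in modules/statestore/variables.tf is declared with only a `type`, whereas its root-module counterpart `statestore_attach_deny_insecure_transport_policy` carries a description; anyone reading the module on its own gets no hint of what the toggle attaches. Adding `description = "Attach a bucket policy that denies every s3:* request made without TLS (aws:SecureTransport = false)."` keeps the two declarations consistent with each other. The variable also has no default, so a standalone use of the module must set it explicitly; that is fine given main.tf passes it, but is worth stating in the description.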
@@ -185,3 +185,12 @@ variable "extra_cloud_config_config" {
 default = ""
 }
+#
+### Statestore Variables
+#
+
+variable "statestore_attach_deny_insecure_transport_policy" {
+ description = "Toggle for enabling s3 policy to reject non-SSL requests"
+ type = bool
+ default = true
+}