From c56c684a9cc148ad1bad9883514b6e4ec2c4c67a Mon Sep 17 00:00:00 2001
From: Lawrence Aiello
Date: Sat, 15 Jan 2022 14:27:40 -0500
Subject: [PATCH] feat: Added optional bucket policy for requiring TLS 1.2 (#126)
Co-authored-by: Anton Babenko
---
 README.md | 2 ++
 examples/complete/main.tf | 2 ++
 main.tf | 34 +++++++++++++++++++++++++++++++++-
 variables.tf | 6 ++++++
 4 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 184edf74..3c3a95bf 100644
--- a/README.md
+++ b/README.md
@@ -133,6 +133,7 @@ No modules.
 | [aws_iam_policy_document.deny_insecure_transport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.elb_log_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lb_log_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.require_latest_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
@@ -145,6 +146,7 @@ No modules.
 | [attach\_lb\_log\_delivery\_policy](#input\_attach\_lb\_log\_delivery\_policy) | Controls if S3 bucket should have ALB/NLB log delivery policy attached | `bool` | `false` | no |
 | [attach\_policy](#input\_attach\_policy) | Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy) | `bool` | `false` | no |
 | [attach\_public\_policy](#input\_attach\_public\_policy) | Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket) | `bool` | `true` | no |
+| [attach\_require\_latest\_tls\_policy](#input\_attach\_require\_latest\_tls\_policy) | Controls if S3 bucket should require the latest version of TLS | `bool` | `false` | no |
 | [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `false` | no |
 | [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | `false` | no |
 | [bucket](#input\_bucket) | (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. | `string` | `null` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 2d03ff2e..33e7c4ac 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -59,6 +59,7 @@ module "log_bucket" {
 attach_elb_log_delivery_policy = true
 attach_lb_log_delivery_policy = true
 attach_deny_insecure_transport_policy = true
+ attach_require_latest_tls_policy = true
 }
 module "cloudfront_log_bucket" {
@@ -90,6 +91,7 @@ module "s3_bucket" {
 policy = data.aws_iam_policy_document.bucket_policy.json
 attach_deny_insecure_transport_policy = true
+ attach_require_latest_tls_policy = true
 tags = {
 Owner = "Anton"
diff --git a/main.tf b/main.tf
index f0e1b759..5c34957d 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,5 @@
 locals {
- attach_policy = var.attach_elb_log_delivery_policy || var.attach_lb_log_delivery_policy || var.attach_deny_insecure_transport_policy || var.attach_policy
+ attach_policy = var.attach_require_latest_tls_policy || var.attach_elb_log_delivery_policy || var.attach_lb_log_delivery_policy || var.attach_deny_insecure_transport_policy || var.attach_policy
 }
 resource "aws_s3_bucket" "this" {
@@ -275,6 +275,7 @@ data "aws_iam_policy_document" "combined" {
 source_policy_documents = compact([
 var.attach_elb_log_delivery_policy ? data.aws_iam_policy_document.elb_log_delivery[0].json : "",
 var.attach_lb_log_delivery_policy ? data.aws_iam_policy_document.lb_log_delivery[0].json : "",
+ var.attach_require_latest_tls_policy ? data.aws_iam_policy_document.require_latest_tls[0].json : "",
 var.attach_deny_insecure_transport_policy ? data.aws_iam_policy_document.deny_insecure_transport[0].json : "",
 var.attach_policy ? var.policy : ""
 ])
@@ -390,6 +391,37 @@ data "aws_iam_policy_document" "deny_insecure_transport" {
 }
 }
+data "aws_iam_policy_document" "require_latest_tls" {
+ count = var.create_bucket && var.attach_require_latest_tls_policy ? 1 : 0
+
+ statement {
+ sid = "denyOutdatedTLS"
+ effect = "Deny"
+
+ actions = [
+ "s3:*",
+ ]
+
+ resources = [
+ aws_s3_bucket.this[0].arn,
+ "${aws_s3_bucket.this[0].arn}/*",
+ ]
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "NumericLessThan"
+ variable = "s3:TlsVersion"
+ values = [
+ "1.2"
+ ]
+ }
+ }
+}
+
 resource "aws_s3_bucket_public_access_block" "this" {
 count = var.create_bucket && var.attach_public_policy ? 1 : 0
diff --git a/variables.tf b/variables.tf
index e2f86814..ebe9bbc9 100644
--- a/variables.tf
+++ b/variables.tf
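Review bot: The new `require_latest_tls` statement denies only requests that present a TLS version numerically below 1.2; a request arriving over plain HTTP should carry no `s3:TlsVersion` key in its request context, so the `NumericLessThan` condition does not match and this Deny does not apply to it. That is the expected behaviour of a TLS-version floor, but nothing in the hunk records it, and the `combined` policy hunk above lets `attach_require_latest_tls_policy` be enabled without `attach_deny_insecure_transport_policy`, so a caller may assume plaintext access is refused when it is not. I would add a comment above the data source: `# Denies requests negotiated with TLS < 1.2 only; non-TLS requests carry no s3:TlsVersion key and are not matched here, so pair this with attach_deny_insecure_transport_policy (aws:SecureTransport) to refuse plaintext.` The threshold `"1.2"` is also a fixed value while the data source and variable are named "latest", so the name will drift as S3 accepts newer versions; describing it as a minimum version, in the comment or the name, keeps the intent clear.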
@@ -22,6 +22,12 @@ variable "attach_deny_insecure_transport_policy" {
 default = false
 }
+variable "attach_require_latest_tls_policy" {
+ description = "Controls if S3 bucket should require the latest version of TLS"
+ type = bool
+ default = false
+}
+
 variable "attach_policy" {
 description = "Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy)"
 type = bool
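Review bot: The description `Controls if S3 bucket should require the latest version of TLS` does not match what the flag does in main.tf, where the policy denies requests whose TLS version is below the fixed value 1.2 rather than anything short of the newest version S3 offers. A reader of the variable alone will expect TLS 1.3 to be enforced once available, and the README row added in this commit repeats the same wording. I would change it to `description = "Controls if S3 bucket should require TLS 1.2 or newer for all requests (denies requests made with an older TLS version)"`, and mention in the same description that plaintext HTTP is covered by `attach_deny_insecure_transport_policy`, not by this flag.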