fix: S3 https-only (#326)

* fix: S3 https-only

* fix: S3 https-only

main.tf

@@ -49,6 +49,7 @@ module "networking" {
   create_vpc           = var.create_vpc
   enable_flow_log      = var.enable_flow_log
   keep_flow_log_bucket = var.keep_flow_log_bucket
+  enable_s3_https_only = var.enable_s3_https_only
 
   cidr                           = var.network_cidr
   private_subnet_cidrs           = var.network_private_subnet_cidrs

modules/networking/main.tf

@@ -62,4 +62,32 @@ resource "aws_s3_bucket" "flow_log" {
   count         = (var.create_vpc && var.enable_flow_log) || var.keep_flow_log_bucket ? 1 : 0
   bucket        = "${var.namespace}-vpc-flow-logs"
   force_destroy = true
+}
+
+resource "aws_s3_bucket_policy" "flow_log_https_only" {
+  count  = var.enable_s3_https_only ? 1 : 0
+  bucket = aws_s3_bucket.flow_log[0].bucket
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid       = "DenyHTTPRequests",
+        Effect    = "Deny",
+        Principal = "*",
+        Action    = "s3:*",
+        Resource = [
+          "arn:aws:s3:::${aws_s3_bucket.flow_log[0].bucket}",
+          "arn:aws:s3:::${aws_s3_bucket.flow_log[0].bucket}/*"
+        ],
+        Condition = {
+          Bool = {
+            "aws:SecureTransport" = "false"
+          }
+        }
+      }
+    ]
+  })
+
+  depends_on = [aws_s3_bucket.flow_log]
 }

modules/networking/variables.tf

@@ -79,4 +79,10 @@ variable "keep_flow_log_bucket" {
   description = "Controls whether S3 bucket storing VPC Flow Logs will be kept"
   type        = bool
   default     = true
+}
+
+variable "enable_s3_https_only" {
+  description = "Controls whether HTTPS-only is enabled for s3 buckets"
+  type        = bool
+  default     = false
 }