feat: Add VPC flow logs option + s3 https-only policy (#322)

* Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option

* feat: Add VPC flow logs option + s3 https-only policy

main.tf

@@ -29,12 +29,13 @@ locals {
 }
 
 module "file_storage" {
-  source              = "./modules/file_storage"
-  namespace           = var.namespace
-  create_queue        = !local.use_internal_queue
-  sse_algorithm       = "aws:kms"
-  kms_key_arn         = local.s3_kms_key_arn
-  deletion_protection = var.deletion_protection
+  source               = "./modules/file_storage"
+  namespace            = var.namespace
+  create_queue         = !local.use_internal_queue
+  sse_algorithm        = "aws:kms"
+  kms_key_arn          = local.s3_kms_key_arn
+  deletion_protection  = var.deletion_protection
+  enable_s3_https_only = var.enable_s3_https_only
 }
 
 locals {
@@ -43,9 +44,10 @@ locals {
 }
 
 module "networking" {
-  source     = "./modules/networking"
-  namespace  = var.namespace
-  create_vpc = var.create_vpc
+  source          = "./modules/networking"
+  namespace       = var.namespace
+  create_vpc      = var.create_vpc
+  enable_flow_log = var.enable_flow_log
 
   cidr                           = var.network_cidr
   private_subnet_cidrs           = var.network_private_subnet_cidrs

modules/file_storage/main.tf

@@ -21,6 +21,33 @@ resource "aws_s3_bucket" "file_storage" {
   depends_on = [aws_sqs_queue.file_storage]
 }
 
+# Apply an HTTPS-only bucket policy to each bucket
+resource "aws_s3_bucket_policy" "https_only" {
+  count  = var.enable_s3_https_only ? 1 : 0
+  bucket = aws_s3_bucket.file_storage.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid       = "DenyHTTPRequests",
+        Effect    = "Deny",
+        Principal = "*",
+        Action    = "s3:*",
+        Resource = [
+          "arn:aws:s3:::${aws_s3_bucket.file_storage.bucket}",
+          "arn:aws:s3:::${aws_s3_bucket.file_storage.bucket}/*"
+        ],
+        Condition = {
+          Bool = {
+            "aws:SecureTransport" = "false"
+          }
+        }
+      }
+    ]
+  })
+}
+
 resource "aws_s3_bucket_acl" "file_storage" {
   depends_on = [aws_s3_bucket_ownership_controls.file_storage]
 

modules/file_storage/variables.tf

@@ -32,3 +32,9 @@ variable "create_queue_policy" {
   type        = bool
   default     = true
 }
+
+variable "enable_s3_https_only" {
+  description = "Controls whether HTTPS-only is enabled for s3 buckets"
+  type        = bool
+  default     = false
+}

modules/networking/main.tf

@@ -39,11 +39,27 @@ module "vpc" {
 }
 
 resource "aws_vpc_endpoint" "clickhouse" {
-  count = var.create_vpc && var.clickhouse_endpoint_service_id != "" ? 1 : 0
+  count = var.create_vpc && length(var.clickhouse_endpoint_service_id) > 0 ? 1 : 0
 
   vpc_id              = module.vpc.vpc_id
   service_name        = var.clickhouse_endpoint_service_id
   vpc_endpoint_type   = "Interface"
   subnet_ids          = module.vpc.private_subnets
   private_dns_enabled = true
 }
+
+# VPC FLow Logs
+resource "aws_flow_log" "vpc_flow_logs" {
+  count = var.create_vpc && var.enable_flow_log ? 1 : 0
+
+  log_destination      = aws_s3_bucket.flow_log[0].arn
+  log_destination_type = "s3"
+  traffic_type         = "REJECT"
+  vpc_id               = module.vpc.vpc_id
+}
+
+resource "aws_s3_bucket" "flow_log" {
+  count = var.create_vpc && var.enable_flow_log ? 1 : 0
+
+  bucket = "${var.namespace}-vpc-flow-logs"
+}

modules/networking/variables.tf

@@ -68,3 +68,9 @@ variable "clickhouse_endpoint_service_id" {
   type        = string
   default     = ""
 }
+
+variable "enable_flow_log" {
+  description = "Controls whether VPC Flow Logs are enabled"
+  type        = bool
+  default     = false
+}

variables.tf

@@ -214,6 +214,12 @@ variable "create_vpc" {
   default     = true
 }
 
+variable "enable_flow_log" {
+  description = "Controls whether VPC Flow Logs are enabled"
+  type        = bool
+  default     = false
+}
+
 variable "network_id" {
   default     = ""
   description = "The identity of the VPC in which resources will be deployed."
@@ -437,6 +443,17 @@ variable "eks_addon_metrics_server_version" {
   default     = "v0.7.2-eksbuild.1"
 }
 
+##########################################
+# Bucket Policy                          #
+##########################################
+# This setting will ensure that s3 bucket objects will reject HTTP traffic with a 403
+# and will only accept HTTPS traffic
+variable "enable_s3_https_only" {
+  description = "Controls whether HTTPS-only is enabled for s3 buckets"
+  type        = bool
+  default     = false
+}
+
 ##########################################
 # External Bucket                        #
 ##########################################
@@ -540,3 +557,4 @@ variable "kubernetes_cluster_oidc_issuer_url" {
   description = "OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration`"
   default     = ""
 }
+