feat: Added optional bucket policy for requiring TLS 1.2 (#126)

Co-authored-by: Anton Babenko <anton@antonbabenko.com>

feat: Added optional bucket policy for requiring TLS 1.2 (#126)
Co-authored-by: Anton Babenko <anton@antonbabenko.com>
c56c684a · Lawrence Aiello · GitHub · b1a3fd9e · c56c684a · c56c684a
Commit c56c684a authored Jan 15, 2022 by Lawrence Aiello Committed by GitHub Jan 15, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 1 deletion

README.md README.md +2 -0

main.tf examples/complete/main.tf +2 -0

main.tf main.tf +33 -1

variables.tf variables.tf +6 -0

No files found.
--- a/README.md
+++ b/README.md
@@ -133,6 +133,7 @@ No modules.
 | [aws_iam_policy_document.deny_insecure_transport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.elb_log_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lb_log_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.require_latest_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
@@ -145,6 +146,7 @@ No modules.
 | <a name="input_attach_lb_log_delivery_policy"></a> [attach\_lb\_log\_delivery\_policy](#input\_attach\_lb\_log\_delivery\_policy) | Controls if S3 bucket should have ALB/NLB log delivery policy attached | `bool` | `false` | no |
 | <a name="input_attach_policy"></a> [attach\_policy](#input\_attach\_policy) | Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy) | `bool` | `false` | no |
 | <a name="input_attach_public_policy"></a> [attach\_public\_policy](#input\_attach\_public\_policy) | Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket) | `bool` | `true` | no |
+| <a name="input_attach_require_latest_tls_policy"></a> [attach\_require\_latest\_tls\_policy](#input\_attach\_require\_latest\_tls\_policy) | Controls if S3 bucket should require the latest version of TLS | `bool` | `false` | no |
 | <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `false` | no |
 | <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | `false` | no |
 | <a name="input_bucket"></a> [bucket](#input\_bucket) | (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. | `string` | `null` | no |

--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -59,6 +59,7 @@ module "log_bucket" {
  attach_elb_log_delivery_policy        = true
  attach_lb_log_delivery_policy         = true
  attach_deny_insecure_transport_policy = true
+  attach_require_latest_tls_policy      = true
 }
 module "cloudfront_log_bucket" {
@@ -90,6 +91,7 @@ module "s3_bucket" {
  policy        = data.aws_iam_policy_document.bucket_policy.json
  attach_deny_insecure_transport_policy = true
+  attach_require_latest_tls_policy      = true
  tags = {
    Owner = "Anton"

--- a/main.tf
+++ b/main.tf
 locals {
-  attach_policy = var.attach_elb_log_delivery_policy || var.attach_lb_log_delivery_policy || var.attach_deny_insecure_transport_policy || var.attach_policy
+  attach_policy = var.attach_require_latest_tls_policy || var.attach_elb_log_delivery_policy || var.attach_lb_log_delivery_policy || var.attach_deny_insecure_transport_policy || var.attach_policy
 }
 resource "aws_s3_bucket" "this" {
@@ -275,6 +275,7 @@ data "aws_iam_policy_document" "combined" {
  source_policy_documents = compact([
    var.attach_elb_log_delivery_policy ? data.aws_iam_policy_document.elb_log_delivery[0].json : "",
    var.attach_lb_log_delivery_policy ? data.aws_iam_policy_document.lb_log_delivery[0].json : "",
+    var.attach_require_latest_tls_policy ? data.aws_iam_policy_document.require_latest_tls[0].json : "",
    var.attach_deny_insecure_transport_policy ? data.aws_iam_policy_document.deny_insecure_transport[0].json : "",
    var.attach_policy ? var.policy : ""
  ])
@@ -390,6 +391,37 @@ data "aws_iam_policy_document" "deny_insecure_transport" {
  }
 }
+data "aws_iam_policy_document" "require_latest_tls" {
+  count = var.create_bucket && var.attach_require_latest_tls_policy ? 1 : 0
+  statement {
+    sid    = "denyOutdatedTLS"
+    effect = "Deny"
+    actions = [
+      "s3:*",
+    ]
+    resources = [
+      aws_s3_bucket.this[0].arn,
+      "${aws_s3_bucket.this[0].arn}/*",
+    ]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "NumericLessThan"
+      variable = "s3:TlsVersion"
+      values = [
+        "1.2"
+      ]
+    }
+  }
+}
 resource "aws_s3_bucket_public_access_block" "this" {
  count = var.create_bucket && var.attach_public_policy ? 1 : 0

--- a/variables.tf
+++ b/variables.tf
@@ -22,6 +22,12 @@ variable "attach_deny_insecure_transport_policy" {
  default     = false
 }
+variable "attach_require_latest_tls_policy" {
+  description = "Controls if S3 bucket should require the latest version of TLS"
+  type        = bool
+  default     = false
+}
 variable "attach_policy" {
  description = "Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy)"
  type        = bool