
Commit 7a3d825

authored
feat(syncer): update bucket policy to require ssl (#3342)
feat: update bucket policy to require ssl
1 parent 41a74ec commit 7a3d825

1 file changed

+35
-21
lines changed

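--- a/modules/runner-binaries-syncer/main.tf
+++ b/modules/runner-binaries-syncer/main.tf
@@ -79,38 +79,52 @@ resource "aws_s3_bucket_versioning" "action_dist" {
   }
 }
 
-data "aws_iam_policy_document" "action_dist_sse_policy" {
-  count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
-
+data "aws_iam_policy_document" "action_dist_bucket_policy" {
   statement {
-    effect = "Deny"
+    sid       = "ForceSSLOnlyAccess"
+    effect    = "Deny"
+    actions   = ["s3:*"]
+    resources = [aws_s3_bucket.action_dist.arn, "${aws_s3_bucket.action_dist.arn}/*"]
 
     principals {
-      type = "AWS"
+      identifiers = ["*"]
+      type        = "*"
+    }
 
-      identifiers = [
-        "*",
-      ]
+    condition {
+      test     = "Bool"
+      values   = ["false"]
+      variable = "aws:SecureTransport"
     }
+  }
+
+  dynamic "statement" {
+    for_each = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? [true] : []
 
-    actions = [
-      "s3:PutObject",
-    ]
+    content {
+      sid       = "ForceSSE"
+      effect    = "Deny"
+      actions   = ["s3:PutObject"]
+      resources = ["${aws_s3_bucket.action_dist.arn}/*"]
 
-    resources = [
-      "${aws_s3_bucket.action_dist.arn}/*",
-    ]
+      principals {
+        type = "AWS"
 
-    condition {
-      test     = "StringNotEquals"
-      variable = "s3:x-amz-server-side-encryption"
-      values   = [var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm]
+        identifiers = [
+          "*",
+        ]
+      }
+
+      condition {
+        test     = "StringNotEquals"
+        variable = "s3:x-amz-server-side-encryption"
+        values   = [var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm]
+      }
     }
   }
 }
 
-resource "aws_s3_bucket_policy" "action_dist_sse_policy" {
-  count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
+resource "aws_s3_bucket_policy" "action_dist_bucket_policy" {
   bucket = aws_s3_bucket.action_dist.id
-  policy = data.aws_iam_policy_document.action_dist_sse_policy[0].json
+  policy = data.aws_iam_policy_document.action_dist_bucket_policy.json
 }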
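Review bot: The two statements declare the same wildcard principal in two different shapes — `type = "*"` with `identifiers = ["*"]` in ForceSSLOnlyAccess versus `type = "AWS"` with a multi-line `identifiers` list in ForceSSE — which render as `"Principal": "*"` and `"Principal": {"AWS": "*"}` respectively; both deny everyone, but using the compact form in both blocks makes the policy easier to review for intent. ForceSSLOnlyAccess is now emitted unconditionally while ForceSSE stays gated on the SSE variable, and nothing in the file records that this is deliberate; a comment above the first `statement {` such as `# Always deny non-TLS access; the SSE statement below is only emitted when default encryption is configured.` would do. If this module also manages an `aws_s3_bucket_public_access_block` for this bucket (not visible in the hunk), consider adding an explicit `depends_on` to the new `aws_s3_bucket_policy` so applying the policy does not race the public-access settings.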
