Skip to content

Commit 8dd36a2

Browse files
authored
KEH-2224 - feat: add S3 bucket policy to enforce SSL connections (#47)
* feat: add S3 bucket policy to enforce SSL connections * feat: add storage module initialization and apply in terraform_infra.sh * deployment order
1 parent 3b74f53 commit 8dd36a2

2 files changed

Lines changed: 43 additions & 2 deletions

File tree

concourse/scripts/terraform_infra.sh

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,17 @@ if [[ ${env} != "prod" ]]; then
1818
env="dev"
1919
fi
2020

21-
cd resource-repo/terraform/lambda
21+
cd resource-repo/terraform/storage
22+
23+
terraform init -backend-config=env/${env}/backend-${env}.tfbackend -reconfigure
24+
terraform apply \
25+
-var "aws_account_id=$aws_account_id" \
26+
-var "aws_access_key_id=$aws_access_key_id" \
27+
-var "aws_secret_access_key=$aws_secret_access_key" \
28+
-var "domain=$domain" \
29+
-auto-approve
30+
31+
cd ../lambda
2232

2333
terraform init -backend-config=env/${env}/backend-${env}.tfbackend -reconfigure
2434
terraform apply \
@@ -40,4 +50,3 @@ terraform apply \
4050
-var "aws_secret_access_key=$aws_secret_access_key" \
4151
-var "domain=$domain" \
4252
-auto-approve
43-

terraform/storage/storage.tf

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,4 +31,36 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "encrypt_by_defaul
3131
sse_algorithm = "AES256"
3232
}
3333
}
34+
}
35+
36+
data "aws_iam_policy_document" "deny_insecure_transport" {
37+
statement {
38+
sid = "DenyInsecureTransport"
39+
effect = "Deny"
40+
41+
principals {
42+
type = "*"
43+
identifiers = ["*"]
44+
}
45+
46+
actions = [
47+
"s3:*"
48+
]
49+
50+
resources = [
51+
aws_s3_bucket.tech_audit_data_bucket.arn,
52+
"${aws_s3_bucket.tech_audit_data_bucket.arn}/*"
53+
]
54+
55+
condition {
56+
test = "Bool"
57+
variable = "aws:SecureTransport"
58+
values = ["false"]
59+
}
60+
}
61+
}
62+
63+
resource "aws_s3_bucket_policy" "enforce_ssl" {
64+
bucket = aws_s3_bucket.tech_audit_data_bucket.id
65+
policy = data.aws_iam_policy_document.deny_insecure_transport.json
3466
}

0 commit comments

Comments
 (0)