
Commit d8720ad

simonhopsmoritz-makandra
authored and committed
feat: Add s3 bucket policy
1 parent 1b560f0 commit d8720ad


2 files changed

+46
-0
lines changed

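--- a/s3_bucket.tf
+++ b/s3_bucket.tf
@@ -52,3 +52,42 @@ resource "aws_s3_bucket_lifecycle_configuration" "terraform_state" {
 }
 }
 }
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_s3_bucket_policy" "terraform_state_policy" {
+bucket = aws_s3_bucket.terraform_state.id
+
+policy = jsonencode({
+"Version" : "2012-10-17",
+"Statement" : [
+{
+"Sid" : "EnforcedTLS",
+"Effect" : "Deny",
+"Principal" : "*",
+"Action" : "s3:*",
+"Resource" : [
+aws_s3_bucket.terraform_state.arn,
+"${aws_s3_bucket.terraform_state.arn}/*"
+],
+"Condition" : {
+"Bool" : {
+"aws:SecureTransport" : "false"
+}
+}
+},
+{
+"Sid" : "RootAccess",
+"Effect" : "Allow",
+"Principal" : {
+"AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+},
+"Action" : "s3:*",
+"Resource" : [
+aws_s3_bucket.terraform_state.arn,
+"${aws_s3_bucket.terraform_state.arn}/*"
+]
+}
+]
+})
+}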
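Review bot: The `RootAccess` statement allows `s3:*` on the bucket and every object for the whole account's root principal, which is the broadest same-account grant a bucket policy can make; for a Terraform state bucket it is worth stating why it is needed and whether a narrower action list would do. I would add a comment above `"Sid" : "RootAccess",` such as `# Allow the owning account full access; each identity's own IAM policy remains the only restriction on what it may do with state objects.` The `EnforcedTLS` Deny is sound as written, since a Deny with `Principal: "*"` is not treated as a public grant. Nothing in this hunk protects state objects from deletion, so if that is expected from versioning or a Deny on `s3:DeleteObjectVersion`, it has to come from the part of the file above line 52, which is outside the hunk.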

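--- a/tests/s3_bucket.tftest.hcl
+++ b/tests/s3_bucket.tftest.hcl
@@ -34,6 +34,13 @@ run "encryption_config_attachment" {
 }
 }
 
+run "bucket_policy_attachment" {
+assert {
+condition = aws_s3_bucket_policy.terraform_state_policy.bucket == aws_s3_bucket.terraform_state.id
+error_message = "Bucket policy is not attached to bucket"
+}
+}
+
 run "bucket_public" {
 command = plan
 assert {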
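Review bot: The new `bucket_policy_attachment` run block sets no `command`, while the neighbouring `bucket_public` run explicitly uses `command = plan`; a run block without `command` defaults to apply, so this test creates the bucket and policy in a real account unless the earlier run blocks (outside this hunk) already do so deliberately. If plan-only was intended, add `command = plan` before the `assert` block, noting that `aws_s3_bucket.terraform_state.id` may be unknown at plan time for a new bucket. The assertion also only checks attachment, not content; a second assert such as `condition = can(regex("aws:SecureTransport", aws_s3_bucket_policy.terraform_state_policy.policy))` with a matching `error_message` would pin the TLS-only deny that the commit introduces.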
