59 Add S3 Bucket Provisioner

2026-02-04 11:32:12 -08:00
parent dcd405679a
commit 1b706fe858
6 changed files with 258 additions and 0 deletions
--- a/provisioners/modules/aws-s3/data.tf
+++ b/provisioners/modules/aws-s3/data.tf
@@ -0,0 +1,70 @@
+data "aws_caller_identity" "current" {}
+
+# Main S3 bucket policy to reject HTTPS requests
+data "aws_iam_policy_document" "s3_reject_https_policy" {
+  statement {
+    sid    = "s3RejectHTTPS"
+    effect = "Deny"
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    actions = ["s3:*"]
+
+    resources = [
+      aws_s3_bucket.s3_bucket.arn,
+      "${aws_s3_bucket.s3_bucket.arn}/*",
+    ]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
+}
+
+# Logging bucket policy to reject HTTPS requests and take logs
+data "aws_iam_policy_document" "logging_bucket_policy" {
+  statement {
+    principals {
+      identifiers = ["logging.s3.amazonaws.com"]
+      type        = "Service"
+    }
+
+    actions = ["s3:PutObject"]
+
+    resources = ["${aws_s3_bucket.logging.arn}/*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+  }
+
+  statement {
+    sid    = "loggingRejectHTTPS"
+    effect = "Deny"
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    actions = ["s3:*"]
+
+    resources = [
+      aws_s3_bucket.logging.arn,
+      "${aws_s3_bucket.logging.arn}/*"
+    ]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
+}