From 48ac13a0d063155b4496ec7b03d1de28eb7eace8 Mon Sep 17 00:00:00 2001
From: Matt Calhoun
Date: Thu, 10 Jun 2021 11:31:59 -0400
Subject: [PATCH] add allow_ssl_requests_only to force ssl communication (#171)
Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
---
 README.md | 2 ++
 docs/terraform.md | 2 ++
 main.tf | 26 +++++++++++++++++++++++++-
 variables.tf | 6 ++++++
 4 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e9b6566a..947e69d5 100644
--- a/README.md
+++ b/README.md
@@ -356,6 +356,7 @@ Available targets:
 | [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.s3_ssl_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_website_origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_s3_bucket.cf_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
 | [aws_s3_bucket.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
@@ -369,6 +370,7 @@ Available targets:
 | [additional\_bucket\_policy](#input\_additional\_bucket\_policy) | Additional policies for the bucket. If included in the policies, the variables `${bucket_name}`, `${origin_path}` and `${cloudfront_origin_access_identity_iam_arn}` will be substituted.
It is also possible to override the default policy statements by providing statements with `S3GetObjectForCloudFront` and `S3ListBucketForCloudFront` sid. | `string` | `"{}"` | no |
 | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
 | [aliases](#input\_aliases) | List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront | `list(string)` | `[]` | no |
+| [allow\_ssl\_requests\_only](#input\_allow\_ssl\_requests\_only) | Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no |
 | [allowed\_methods](#input\_allowed\_methods) | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) for AWS CloudFront | `list(string)` |
[
"DELETE",
"GET",
"HEAD",
"OPTIONS",
"PATCH",
"POST",
"PUT"
]
| no |
 | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | [block\_origin\_public\_access\_enabled](#input\_block\_origin\_public\_access\_enabled) | When set to 'true' the s3 origin bucket will have public access block enabled | `bool` | `false` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index e1901dc6..c2c75381 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -36,6 +36,7 @@
 | [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.s3_ssl_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_website_origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_s3_bucket.cf_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
 | [aws_s3_bucket.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
@@ -49,6 +50,7 @@
 | [additional\_bucket\_policy](#input\_additional\_bucket\_policy) | Additional policies for the bucket. If included in the policies, the variables `${bucket_name}`, `${origin_path}` and `${cloudfront_origin_access_identity_iam_arn}` will be substituted.
It is also possible to override the default policy statements by providing statements with `S3GetObjectForCloudFront` and `S3ListBucketForCloudFront` sid. | `string` | `"{}"` | no |
 | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
 | [aliases](#input\_aliases) | List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront | `list(string)` | `[]` | no |
+| [allow\_ssl\_requests\_only](#input\_allow\_ssl\_requests\_only) | Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no |
 | [allowed\_methods](#input\_allowed\_methods) | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) for AWS CloudFront | `list(string)` |
[
"DELETE",
"GET",
"HEAD",
"OPTIONS",
"PATCH",
"POST",
"PUT"
]
| no |
 | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | [block\_origin\_public\_access\_enabled](#input\_block\_origin\_public\_access\_enabled) | When set to 'true' the s3 origin bucket will have public access block enabled | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index a0dfe8e5..dfda97a4 100644
--- a/main.tf
+++ b/main.tf
@@ -182,17 +182,41 @@ data "aws_iam_policy_document" "deployment" {
 }
 }
+data "aws_iam_policy_document" "s3_ssl_only" {
+ count = var.allow_ssl_requests_only ? 1 : 0
+ statement {
+ sid = "ForceSSLOnlyAccess"
+ effect = "Deny"
+ actions = ["s3:*"]
+ resources = [
+ local.origin_bucket.arn,
+ "${local.origin_bucket.arn}/*"
+ ]
+
+ principals {
+ identifiers = ["*"]
+ type = "*"
+ }
+
+ condition {
+ test = "Bool"
+ values = ["false"]
+ variable = "aws:SecureTransport"
+ }
+ }
+}
+
 data "aws_iam_policy_document" "combined" {
 count = local.enabled ? 1 : 0
 source_policy_documents = compact(concat(
 data.aws_iam_policy_document.s3_origin.*.json,
 data.aws_iam_policy_document.s3_website_origin.*.json,
+ data.aws_iam_policy_document.s3_ssl_only.*.json,
 values(data.aws_iam_policy_document.deployment)[*].json
 ))
 }
-
 resource "aws_s3_bucket_policy" "default" {
 count = local.create_s3_origin_bucket || local.override_origin_bucket_policy ? 1 : 0
diff --git a/variables.tf b/variables.tf
index e74faef1..d3a21ec9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -608,3 +608,9 @@ variable "realtime_log_config_arn" {
 default = null
 description = "The ARN of the real-time log configuration that is attached to this cache behavior"
 }
+
+variable "allow_ssl_requests_only" {
+ type = bool
+ default = true
+ description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
+}
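Review bot: The new `data "aws_iam_policy_document" "s3_ssl_only"` is gated only on `var.allow_ssl_requests_only`, while the `combined` document right below it is gated on `local.enabled`, so a disabled module instance still evaluates this data source (the variable defaults to `true`) and dereferences `local.origin_bucket.arn`. If `local.origin_bucket` is null or empty when the module is disabled (its definition is outside this hunk, so this is inferred), that becomes a plan-time error instead of a no-op; `count = local.enabled && var.allow_ssl_requests_only ? 1 : 0` keeps the gating consistent with the sibling documents. The Deny statement itself (principal `*`, `s3:*`, `aws:SecureTransport` false on the bucket and its objects) is the standard shape, but note that it only reaches the bucket via `aws_s3_bucket_policy.default`, whose count condition continues past the end of the hunk. A one-line comment above the block, such as `# Deny all non-TLS access to the origin bucket; merged into aws_s3_bucket_policy.default via the combined document`, would make that dependency visible to the next reader.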
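Review bot: The description of `allow_ssl_requests_only` states that HTTP requests will be explicitly denied, but in `main.tf` the deny statement is attached only through `aws_s3_bucket_policy.default`, which is created only when the module creates the origin bucket or overrides an existing bucket's policy; for an externally managed bucket without override the default `true` silently does nothing. Extend the description with a sentence along the lines of `Only takes effect when this module manages the origin bucket policy (aws_s3_bucket_policy.default).` and regenerate README.md and docs/terraform.md so the inputs tables match. As a minor point of style, the variable is appended after `realtime_log_config_arn` rather than next to the other bucket-policy inputs such as `additional_bucket_policy`; the rest of variables.tf is outside the hunk, so this may simply follow the file's existing ordering.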