Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enforce the usage of modern TLS versions (1.2 or higher) for S3 connections #237

Merged
merged 6 commits into from
Jul 25, 2024
Merged

Enforce the usage of modern TLS versions (1.2 or higher) for S3 connections #237

merged 6 commits into from
Jul 25, 2024

Conversation

amontalban
Copy link
Contributor

what

This variables adds a policy to the bucket to deny connections that do not use TLS 1.2 or higher.

why

This is required by our security team.

references

https://repost.aws/knowledge-center/s3-enforce-modern-tls

@amontalban amontalban requested review from a team as code owners June 27, 2024 17:35
@amontalban amontalban requested review from kevcube and jamengual June 27, 2024 17:35
@mergify mergify bot added the triage Needs triage label Jun 27, 2024
@mergify Mergify
Copy link

mergify bot commented Jun 27, 2024

Important

Cloud Posse Engineering Team Review Required

This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes.

To expedite this process, reach out to us on Slack in the #pr-reviews channel.

@mergify mergify bot added the needs-cloudposse Needs Cloud Posse assistance label Jun 27, 2024
@goruha
Copy link
Member

goruha commented Jun 28, 2024

@amontalban that's a nice feature.
Can we refactor code a bit. I think we need to parameterize tls minimum version to have code like this

  dynamic "statement" {
    for_each = var.minimum_tls_version != null? [var.minimum_tls_version] : []

    content {
      sid       = "EnforceTLSVersion"
      effect    = "Deny"
      actions   = ["s3:*"]
      resources = [local.bucket_arn, "${local.bucket_arn}/*"]

      principals {
        identifiers = ["*"]
        type        = "*"
      }

      condition {
        test     = "NumericLessThan"
        values   = [each.value]
        variable = "s3:TlsVersion"
      }
    }
  }

goruha
goruha requested changes Jun 28, 2024
View reviewed changes
Copy link
Member

@goruha goruha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comment

@goruha goruha self-assigned this Jun 28, 2024
@amontalban amontalban requested a review from goruha June 28, 2024 11:38
@amontalban
Copy link
Contributor Author

@goruha thanks for reviewing the PR, what do you think about it now?

@amontalban that's a nice feature. Can we refactor code a bit. I think we need to parameterize tls minimum version to have code like this

  dynamic "statement" {
    for_each = var.minimum_tls_version != null? [var.minimum_tls_version] : []

    content {
      sid       = "EnforceTLSVersion"
      effect    = "Deny"
      actions   = ["s3:*"]
      resources = [local.bucket_arn, "${local.bucket_arn}/*"]

      principals {
        identifiers = ["*"]
        type        = "*"
      }

      condition {
        test     = "NumericLessThan"
        values   = [each.value]
        variable = "s3:TlsVersion"
      }
    }
  }

@goruha
Copy link
Member

goruha commented Jun 28, 2024

/terratest

@goruha
Copy link
Member

goruha commented Jun 28, 2024

@amontalban have you tested that the code works?

I am a bit confused that terraform hcl https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#basic-syntax

use toset for list in for_each for_each = toset(["Todd", "James", "Alice", "Dottie"])

Can you add minimum_tls_version = 1.12 to
https://github.com/amontalban/terraform-aws-s3-bucket/blob/am/enforce_tls12/examples/complete/fixtures.us-east-2.tfvars ?

@amontalban
Copy link
Contributor Author

@goruha yeah, sorry I rushed based on your recommendation because I was on a hurry and didn't properly test the change.

I have implemented the toset and also updated the tests to include minimum_tls_version and fixture paths so I can validate everything with make test/plan.

Let me know what do you think now.

Thanks and sorry for the hassle!

@amontalban have you tested that the code works?

I am a bit confused that terraform hcl https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#basic-syntax

use toset for list in for_each for_each = toset(["Todd", "James", "Alice", "Dottie"])

Can you add minimum_tls_version = 1.12 to https://github.com/amontalban/terraform-aws-s3-bucket/blob/am/enforce_tls12/examples/complete/fixtures.us-east-2.tfvars ?

@goruha
Copy link
Member

goruha commented Jul 25, 2024

/terratest

@mergify mergify bot removed the triage Needs triage label Jul 25, 2024
@goruha goruha enabled auto-merge (squash) July 25, 2024 22:41
@goruha
Copy link
Member

goruha commented Jul 25, 2024

/terratest

@goruha goruha merged commit 19b011a into cloudposse:main Jul 25, 2024
15 checks passed
@mergify mergify bot removed the needs-cloudposse Needs Cloud Posse assistance label Jul 25, 2024
@github-actions GitHub Actions
Copy link

These changes were released in v4.3.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@goruha goruha goruha approved these changes

@kevcube kevcube Awaiting requested review from kevcube kevcube is a code owner automatically assigned from cloudposse/contributors

@jamengual jamengual Awaiting requested review from jamengual jamengual is a code owner automatically assigned from cloudposse/contributors

Assignees

@goruha goruha

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@amontalban @goruha