diff --git a/README.md b/README.md
index ddb0746..e6c1713 100644
--- a/README.md
+++ b/README.md
@@ -181,12 +181,14 @@ Available targets:
| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
+| [allow\_ssl\_requests\_only](#input\_allow\_ssl\_requests\_only) | Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `false` | no |
| [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{| no | | [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | List of allowed headers | `list(string)` |
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
[| no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 74a4260..b503e93 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -31,12 +31,14 @@
 | [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
+| [allow\_ssl\_requests\_only](#input\_allow\_ssl\_requests\_only) | Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `false` | no |
 | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | [context](#input\_context) | Single object for setting entire context at once.
"*"
]
{| no | | [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | List of allowed headers | `list(string)` |
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
[| no |
diff --git a/main.tf b/main.tf
index e6ff24b..a85e2d9 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,7 @@
 locals {
- enabled = module.this.enabled
+ enabled = module.this.enabled
+ bucket_arn = "arn:${data.aws_partition.current.partition}:s3:::${join("", aws_s3_bucket.default.*.id)}"
+
 website_config = {
 redirect_all = [
 {
@@ -129,6 +131,28 @@ data "aws_iam_policy_document" "default" {
 }
 }
 
+ dynamic "statement" {
+ for_each = var.allow_ssl_requests_only ? [1] : []
+
+ content {
+ sid = "AllowSSLRequestsOnly"
+ effect = "Deny"
+ actions = ["s3:*"]
+ resources = [local.bucket_arn, "${local.bucket_arn}/*"]
+
+ principals {
+ identifiers = ["*"]
+ type = "*"
+ }
+
+ condition {
+ test = "Bool"
+ values = ["false"]
+ variable = "aws:SecureTransport"
+ }
+ }
+ }
+
 # Support replication ARNs
 dynamic "statement" {
 for_each = flatten(data.aws_iam_policy_document.replication.*.statement)
@@ -253,6 +277,8 @@ data "aws_iam_policy_document" "deployment" {
 }
 }
 
+data "aws_partition" "current" {}
+
 module "dns" {
 source = "cloudposse/route53-alias/aws"
 version = "0.12.0"
diff --git a/variables.tf b/variables.tf
index b51ae20..5bb0f4b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -151,4 +151,10 @@ variable "encryption_enabled" {
 type = bool
 default = false
 description = "When set to 'true' the resource will have AES256 encryption enabled by default"
+}
+
+variable "allow_ssl_requests_only" {
+ type = bool
+ default = false
+ description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
 }
\ No newline at end of file
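Review bot: `local.bucket_arn` in the `locals` hunk is hand-built from the partition and `join("", aws_s3_bucket.default.*.id)`, so when the bucket has zero instances the join is empty and the local collapses to `arn:<partition>:s3:::`, which then feeds two malformed resource ARNs into the deny statement in the next hunk. Whether that can actually surface depends on whether `data.aws_iam_policy_document.default` is still rendered when `local.enabled` is false, which is outside the hunk. The bucket resource already exposes its ARN, so `bucket_arn = join("", aws_s3_bucket.default.*.arn)` would avoid assembling it and make the new `aws_partition` data source unnecessary, unless referencing `.arn` from the policy document creates a cycle with an inline bucket `policy`; worth checking before switching. The `locals` block continues past the hunk.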
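Review bot: The new `AllowSSLRequestsOnly` statement carries no comment, unlike the neighbouring `# Support replication ARNs` block, and its effect on this module is not obvious from the code: S3 static-website endpoints serve plain HTTP only, so once `allow_ssl_requests_only` is true the website endpoint itself is denied and content has to be reached over an HTTPS path instead. A comment above the `dynamic "statement"` such as `# Deny every request that does not use TLS (aws:SecureTransport = false). The S3 website endpoint is HTTP-only and is refused as well.` would record that for the next maintainer. The same caveat belongs in the `allow_ssl_requests_only` description in variables.tf, which is where users will read it. The statement body itself is the usual shape for this control: Deny on `s3:*`, principal `*`, bucket and object ARNs, `Bool` test on `aws:SecureTransport`.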
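Review bot: The description of `allow_ssl_requests_only` calls the control "Secure Socket Layer (HTTPS/SSL)", but what the policy tests is the `aws:SecureTransport` condition key, which is satisfied by TLS; SSL is not the protocol clients negotiate today. Something like `description = "Set to \`true\` to deny any request that does not use TLS (HTTPS), enforced through the aws:SecureTransport condition key"` states the behaviour more accurately, and the generated README and docs/terraform.md tables would follow from it. Keeping `default = false` is sensible here since it leaves existing deployments unchanged.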
"*"
]