feat: Add s3 bucket policy

makandra · Sep 6, 2024 · 5b543f1 · 5b543f1
1 parent 1b560f0
commit 5b543f1
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 0 deletions.
diff --git a/s3_bucket.tf b/s3_bucket.tf
@@ -52,3 +52,42 @@ resource "aws_s3_bucket_lifecycle_configuration" "terraform_state" {
     }
   }
 }
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_s3_bucket_policy" "terraform_state_policy" {
+  bucket = aws_s3_bucket.terraform_state.id
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "EnforcedTLS",
+        "Effect" : "Deny",
+        "Principal" : "*",
+        "Action" : "s3:*",
+        "Resource" : [
+          aws_s3_bucket.terraform_state.arn,
+          "${aws_s3_bucket.terraform_state.arn}/*"
+        ],
+        "Condition" : {
+          "Bool" : {
+            "aws:SecureTransport" : "false"
+          }
+        }
+      },
+      {
+        "Sid" : "RootAccess",
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        "Action" : "s3:*",
+        "Resource" : [
+          aws_s3_bucket.terraform_state.arn,
+          "${aws_s3_bucket.terraform_state.arn}/*"
+        ]
+      }
+    ]
+  })
+}
diff --git a/tests/s3_bucket.tftest.hcl b/tests/s3_bucket.tftest.hcl
@@ -34,6 +34,13 @@ run "encryption_config_attachment" {
   }
 }
 
+run "bucket_policy_attachment" {
+  assert {
+    condition     = aws_s3_bucket_policy.terraform_state_policy.bucket == aws_s3_bucket.terraform_state.id
+    error_message = "Bucket policy is not attached to bucket"
+  }
+}
+
 run "bucket_public" {
   command = plan
   assert {