diff --git a/main.tf b/main.tf
index 3d50a9b..9681e6d 100644
--- a/main.tf
+++ b/main.tf
@@ -31,14 +31,27 @@ locals {
 # "boc:tf_module_version" = var._module_version
 "boc:created_by" = "terraform"
 }
+ condition_allowed_cidr = {
+ "test": "NotIpAddress"
+ "variable": "aws:sourceIp"
+ "values": var.allowed_cidr
+ }
+ condition_allowed_endpoints = {
+ "test": "StringNotEquals"
+ "variable": "aws:sourceVpce"
+ "values": var.allowed_endpoints
+ }
+ s3_bucket_conditions_list = list(local.condition_allowed_cidr,local.condition_allowed_endpoints)
+ s3_bucket_conditions = [ for x in local.s3_bucket_conditions_list: x if length(x.values)>0 ]
 }
 #---
 # s3 bucket
 #---
 resource "aws_s3_bucket" "this" {
- bucket = var.bucket_name
- acl = "private"
+ bucket = var.bucket_name
+ acl = "private"
+ force_destroy = var.force_destroy
 server_side_encryption_configuration {
 rule {
@@ -117,6 +130,25 @@ data "aws_iam_policy_document" "this" {
 values = ["false"]
 }
 }
+ statement {
+ sid = "RemoteAccessBucketRestrictions"
+ effect = "Deny"
+ actions = ["s3:*"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
+ dynamic "condition" {
+ for_each = local.s3_bucket_conditions
+ iterator = c
+ content {
+ test = c.value.test
+ variable = c.value.variable
+ values = c.value.values
+ }
+ }
+ }
 }
 #---
diff --git a/variables.tf b/variables.tf
index 7ea57bb..58a6c06 100644
--- a/variables.tf
+++ b/variables.tf
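Review bot: `s3_bucket_conditions_list = list(local.condition_allowed_cidr,local.condition_allowed_endpoints)` uses the `list()` function, which Terraform deprecated in 0.12 (the release that introduced the `for` expression used on the very next line) and removed in 0.15; the list-constructor form is the supported one: `s3_bucket_conditions_list = [local.condition_allowed_cidr, local.condition_allowed_endpoints]`. The intended semantics of the two condition objects also deserve a comment, because when both land in the same Deny statement they are ANDed: the Deny fires only for a request that is neither from an allowed CIDR nor through an allowed endpoint, and (per AWS docs, worth confirming) `aws:sourceIp` is absent on VPC-endpoint requests, which `NotIpAddress` treats as a match, so endpoint traffic can only be admitted via `allowed_endpoints`. I would put `# Both objects feed one Deny statement and are ANDed: a request is denied unless it matches at least one allow-list. aws:sourceIp is not set for VPC-endpoint requests, so those must be listed in allowed_endpoints.` above `condition_allowed_cidr`. The `"test": "NotIpAddress"` colon syntax is valid HCL but the surrounding `locals` use `key = value`; matching it would make the new objects easier to read.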
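Review bot: The new `statement` is emitted unconditionally, but its `dynamic "condition"` iterates `local.s3_bucket_conditions`, which drops every entry whose `values` list is empty; with the module defaults (`allowed_cidr = []`, `allowed_endpoints = []` in variables.tf) that list is empty, the statement gets no `condition` block at all, and the policy becomes an unconditional `Deny s3:*` for every principal on the bucket and its objects. The statement should only exist when at least one allow-list is populated, which is a `dynamic "statement"` keyed on `length(local.s3_bucket_conditions) > 0`, as sketched below. Even with conditions present, `principals { identifiers = ["*"] }` makes the Deny apply to the identity running Terraform and to any AWS service writing into the bucket, so a caller whose own source address or endpoint is not in the lists will be locked out on the next plan/apply and can only recover via the account root; that caveat belongs in a comment on the statement (e.g. `# Applies to ALL principals, including the one running Terraform — make sure your own source is allow-listed`), or an `aws:PrincipalArn` exemption should be added as a third condition object. The enclosing `data "aws_iam_policy_document" "this"` starts outside the hunk.
```hcl
  # Only emit the Deny when at least one allow-list is populated; with no
  # condition blocks the statement would deny s3:* to every principal.
  dynamic "statement" {
    for_each = length(local.s3_bucket_conditions) > 0 ? [1] : []
    content {
      sid     = "RemoteAccessBucketRestrictions"
      effect  = "Deny"
      actions = ["s3:*"]
      # … unchanged: principals, resources, dynamic "condition" …
    }
  }
```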
@@ -32,3 +32,21 @@ variable "access_log_bucket" {
 type = string
 # default = null
 }
+
+variable "allowed_cidr" {
+ description = "List of allowed source IPs (NOT from within the VPC)"
+ type = list(string)
+ default = [ ]
+}
+
+variable "allowed_endpoints" {
+ description = "List of allowed VPC endpoint IDs"
+ type = list(string)
+ default = [ ]
+}
+
+variable "force_destroy" {
+ description = "Sets force_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time"
+ type = bool
+ default = false
+}
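Review bot: The `allowed_cidr` description says "source IPs", but main.tf feeds these values to a `NotIpAddress` condition on `aws:sourceIp`, which expects CIDR notation, and nothing here validates the format, so a bare address or a typo surfaces only as a policy error (or a silently wrong match) at apply time. I would reword it to `description = "CIDR blocks (e.g. 203.0.113.0/24) allowed to reach the bucket from outside a VPC endpoint. The resulting Deny applies to every principal, including the one running Terraform, so include your own source or later applies will be locked out."` and, if the module targets a Terraform version that supports `validation` blocks with `alltrue`/`can`/`cidrhost` (0.14+, worth confirming against the module's `required_version`), add a validation that every entry parses as a CIDR. `allowed_endpoints` deserves the same lockout note, since the two lists are the only way through the Deny in main.tf.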