[feature] aws-s3-public-bucket require https, allow disabling versioning (#278)

Author: mbarrien

aws-s3-public-bucket/main.tf

@@ -20,7 +20,7 @@ resource "aws_s3_bucket" "bucket" {
   policy = data.aws_iam_policy_document.bucket_policy.json
 
   versioning {
-    enabled = true
+    enabled = var.enable_versioning
   }
 
   server_side_encryption_configuration {
@@ -37,6 +37,28 @@ data "aws_iam_policy_document" "bucket_policy" {
   # Deny access to bucket if it's not accessed through HTTPS
   source_json = var.bucket_policy
 
+  dynamic statement {
+    for_each = var.require_tls ? ["enabled"] : []
+    content {
+      sid       = "EnforceTLS"
+      actions   = ["s3:GetObject"]
+      resources = ["arn:aws:s3:::${local.bucket_name}/*"]
+
+      principals {
+        type        = "*"
+        identifiers = ["*"]
+      }
+
+      effect = "Deny"
+
+      condition {
+        test     = "Bool"
+        variable = "aws:SecureTransport"
+        values   = ["false"]
+      }
+    }
+  }
+
   statement {
     sid       = "AllowPublicRead"
     actions   = ["s3:GetObject"]

aws-s3-public-bucket/variables.tf

@@ -44,3 +44,15 @@ variable "public_read_justification" {
   type        = string
   description = "Describe why this bucket must be public and what it is being used for."
 }
+
+variable "enable_versioning" {
+  type        = bool
+  description = "Keep old versions of objects in this bucket."
+  default     = true
+}
+
+variable "require_tls" {
+  type        = bool
+  description = "Require TLS to read objects from this bucket."
+  default     = true
+}