
feat: Add s3 bucket policy
simonhops committed Sep 6, 2024
1 parent 1b560f0 commit de60acc
Showing 1 changed file with 42 additions and 0 deletions.
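--- a/s3_bucket.tf
+++ b/s3_bucket.tf
@@ -52,3 +52,45 @@ resource "aws_s3_bucket_lifecycle_configuration" "terraform_state" {
 }
 }
 }
+
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "terraform_state_policy" {
+statement {
+sid = "EnforcedTLS"
+effect = "Deny"
+principals {
+type = "*"
+identifiers = ["*"]
+}
+actions = ["s3:*"]
+resources = [
+aws_s3_bucket.terraform_state.arn,
+"${aws_s3_bucket.terraform_state.arn}/*"
+]
+condition {
+test = "Bool"
+variable = "aws:SecureTransport"
+values = ["false"]
+}
+}
+statement {
+sid = "RootAccess"
+effect = "Allow"
+principals {
+type = "AWS"
+identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+}
+actions = ["s3:*"]
+resources = [
+aws_s3_bucket.terraform_state.arn,
+"${aws_s3_bucket.terraform_state.arn}/*"
+]
+}
+}
+
+resource "aws_s3_bucket_policy" "terraform_state" {
+bucket = aws_s3_bucket.terraform_state.id
+
+policy = data.aws_iam_policy_document.terraform_state_policy.json
+}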
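Review bot: The `RootAccess` statement grants `s3:*` on the state bucket to the account root principal, which adds no restriction of its own — IAM principals in the account are still governed only by their identity policies — so the only effective control this policy introduces is the `EnforcedTLS` deny; if the intent was to confine the Terraform state bucket to specific roles, that needs an explicit Deny scoped by principal, which this commit does not add. Please document the intent on the statement so the next reader does not assume it is a lock-down, e.g. `# RootAccess: keeps the bucket manageable from the account; it does not limit which IAM principals may read or write state.` and `# EnforcedTLS: rejects any request that arrives over plain HTTP.` The `EnforcedTLS` condition (`Bool` on `aws:SecureTransport` = `false`) is the correct form for that check. If a public-access-block resource for this bucket exists elsewhere in the file, consider a `depends_on` from `aws_s3_bucket_policy.terraform_state` to it so the two are applied in a deterministic order. The `aws_s3_bucket_lifecycle_configuration` resource whose closing braces open the hunk starts outside it.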
