From de60accf1c10a01ef03a6affe96b001859de1e85 Mon Sep 17 00:00:00 2001
From: Simon Hofmannn
Date: Fri, 6 Sep 2024 15:44:41 +0200
Subject: [PATCH] feat: Add s3 bucket policy
---
 s3_bucket.tf | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/s3_bucket.tf b/s3_bucket.tf
index ce7192f..6fc1d13 100644
--- a/s3_bucket.tf
+++ b/s3_bucket.tf
@@ -52,3 +52,45 @@ resource "aws_s3_bucket_lifecycle_configuration" "terraform_state" {
 }
 }
 }
+
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "terraform_state_policy" {
+ statement {
+ sid = "EnforcedTLS"
+ effect = "Deny"
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+ actions = ["s3:*"]
+ resources = [
+ aws_s3_bucket.terraform_state.arn,
+ "${aws_s3_bucket.terraform_state.arn}/*"
+ ]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+ }
+ statement {
+ sid = "RootAccess"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ actions = ["s3:*"]
+ resources = [
+ aws_s3_bucket.terraform_state.arn,
+ "${aws_s3_bucket.terraform_state.arn}/*"
+ ]
+ }
+}
+
+resource "aws_s3_bucket_policy" "terraform_state" {
+ bucket = aws_s3_bucket.terraform_state.id
+
+ policy = data.aws_iam_policy_document.terraform_state_policy.json
+}
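Review bot: The `EnforcedTLS` statement in `terraform_state_policy` only rejects plaintext requests (`aws:SecureTransport` = false), so clients negotiating TLS 1.0 or 1.1 are still accepted on the state bucket; a second Deny statement keyed on `s3:TlsVersion` with `NumericLessThan` `1.2` closes that gap, as sketched below. The `RootAccess` statement grants `s3:*` to the account root principal, which effectively delegates all bucket authorization to IAM identity policies in the account derived from `aws_caller_identity` — that is the usual anti-lockout pattern, but since this bucket holds Terraform state it is worth a one-line comment above the statement stating that intent (e.g. `# Delegates access control to IAM policies in this account; state readers/writers are scoped there, not here`), so a later reader does not mistake it for a deliberate broad grant. The `resources` list is repeated verbatim in every statement; pulling it into a `local` would keep the ARN pair in sync if a third statement is added.

```hcl
data "aws_iam_policy_document" "terraform_state_policy" {
  # … unchanged: EnforcedTLS statement …
  statement {
    sid    = "EnforceTLSVersion"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.terraform_state.arn,
      "${aws_s3_bucket.terraform_state.arn}/*"
    ]
    condition {
      test     = "NumericLessThan"
      variable = "s3:TlsVersion"
      values   = ["1.2"]
    }
  }
  # … unchanged: RootAccess statement …
}
```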