diff --git a/infrastructure/aws/iam/s3/README.md b/infrastructure/aws/iam/s3/README.md
deleted file mode 100644
index 672911c7..00000000
--- a/infrastructure/aws/iam/s3/README.md
+++ /dev/null
@@ -1,103 +0,0 @@
-# Module: s3
-
-## Description
-
-Attaches an S3 bucket policy that enforces secure transport (HTTPS-only) and optionally merges additional IAM policy statements
-
-## Architecture
-
-The module creates an aws_s3_bucket_policy resource attached to an existing S3 bucket. It uses aws_iam_policy_document data sources to construct the policy: one generates a mandatory Deny statement for aws:SecureTransport=false (rejecting non-HTTPS requests), and another merges this with any additional policy JSON provided via input. The merged policy document flows into the aws_s3_bucket_policy resource, which applies it to the bucket identified by bucket_id.
-
-## Features
-
-- Enforces HTTPS-only access by denying all S3 actions when aws:SecureTransport is false
-- Merges caller-supplied IAM policy statements with the mandatory secure transport policy
-- Prevents unrestricted public access by disallowing Principal '*' with Effect 'Allow'
-- Outputs the final merged policy JSON for verification and audit purposes
-
-## Basic Usage
-
-```hcl
-module "s3" {
- source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3?ref=v5.3.0"
-
- bucket_arn = "your-bucket-arn"
- bucket_id = "your-bucket-id"
-}
-```
-
-## Using Outputs
-
-```hcl
-# Reference outputs in other resources
-resource "example_resource" "this" {
- example_attribute = module.s3.bucket_id
-}
-```
-
-
-
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | n/a |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [additional\_policy\_json](#input\_additional\_policy\_json) | Optional JSON policy document to merge with the mandatory secure transport policy.
Must NOT contain statements with Principal \"*\" and Effect \"Allow\", as that grants
unrestricted public access. Use specific principals (IAM roles, accounts) instead. | `string` | `null` | no |
-| [bucket\_arn](#input\_bucket\_arn) | ARN of the S3 bucket. Used to build the resource ARNs in the secure transport statement. | `string` | n/a | yes |
-| [bucket\_id](#input\_bucket\_id) | ID (name) of the S3 bucket to which the policy will be applied. | `string` | n/a | yes |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [bucket\_id](#output\_bucket\_id) | ID of the S3 bucket to which the policy was applied. |
-| [policy\_json](#output\_policy\_json) | The final bucket policy JSON applied to the bucket. |
-
-
-
diff --git a/infrastructure/aws/iam/s3/main.tf b/infrastructure/aws/iam/s3/main.tf
deleted file mode 100644
index 157b6eb3..00000000
--- a/infrastructure/aws/iam/s3/main.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-################################################################################
-# S3 Bucket Policy — Secure Transport enforcement
-#
-# Rules enforced by this module:
-# 1. No Principal "*" with Effect "Allow" (unrestricted public access is forbidden).
-# 2. A Deny statement for aws:SecureTransport = false is always present,
-# ensuring the bucket rejects any non-HTTPS request.
-################################################################################
-
-# Mandatory: deny all S3 actions over plain HTTP
-data "aws_iam_policy_document" "secure_transport" {
- statement {
- sid = "DenyNonSecureTransport"
- effect = "Deny"
- actions = ["s3:*"]
-
- resources = [
- var.bucket_arn,
- "${var.bucket_arn}/*",
- ]
-
- principals {
- type = "*"
- identifiers = ["*"]
- }
-
- condition {
- test = "Bool"
- variable = "aws:SecureTransport"
- values = ["false"]
- }
- }
-}
-
-# Merge the secure transport policy with any caller-supplied statements
-data "aws_iam_policy_document" "merged" {
- source_policy_documents = compact([
- data.aws_iam_policy_document.secure_transport.json,
- var.additional_policy_json,
- ])
-}
-
-resource "aws_s3_bucket_policy" "this" {
- bucket = var.bucket_id
- policy = data.aws_iam_policy_document.merged.json
-}
diff --git a/infrastructure/aws/iam/s3/outputs.tf b/infrastructure/aws/iam/s3/outputs.tf
deleted file mode 100644
index d646a02b..00000000
--- a/infrastructure/aws/iam/s3/outputs.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-output "bucket_id" {
- description = "ID of the S3 bucket to which the policy was applied."
- value = aws_s3_bucket_policy.this.bucket
-}
-
-output "policy_json" {
- description = "The final bucket policy JSON applied to the bucket."
- value = data.aws_iam_policy_document.merged.json
-}
diff --git a/infrastructure/aws/iam/s3/variables.tf b/infrastructure/aws/iam/s3/variables.tf
deleted file mode 100644
index 08a8385d..00000000
--- a/infrastructure/aws/iam/s3/variables.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-variable "bucket_id" {
- description = "ID (name) of the S3 bucket to which the policy will be applied."
- type = string
-}
-
-variable "bucket_arn" {
- description = "ARN of the S3 bucket. Used to build the resource ARNs in the secure transport statement."
- type = string
-}
-
-variable "additional_policy_json" {
- description = <<-EOT
- Optional JSON policy document to merge with the mandatory secure transport policy.
- Must NOT contain statements with Principal \"*\" and Effect \"Allow\", as that grants
- unrestricted public access. Use specific principals (IAM roles, accounts) instead.
- EOT
- type = string
- default = null
-}