FEATURE CCMG-1729: Enforce HTTPS on bucket level (#30)

Author: kristian-lesko

modules/vertice-cur-bucket/iam_policies.tf

@@ -3,7 +3,27 @@
 ########
 
 data "aws_iam_policy_document" "vertice_cur_bucket_access" {
-  count = var.cur_bucket_name == null ? 0 : 1
+  statement {
+    sid    = "AllowSSLRequestsOnly"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${var.cur_bucket_name}",
+      "arn:aws:s3:::${var.cur_bucket_name}/*"
+    ]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values = [
+        "false"
+      ]
+    }
+  }
 
   statement {
     sid = "AllowCURBucketActions"

modules/vertice-cur-bucket/main.tf

@@ -9,7 +9,7 @@ module "vertice_cur_bucket" {
 
   attach_deny_insecure_transport_policy = true
   attach_policy                         = true
-  policy                                = data.aws_iam_policy_document.vertice_cur_bucket_access[0].json
+  policy                                = data.aws_iam_policy_document.vertice_cur_bucket_access.json
 
   versioning     = var.cur_bucket_versioning
   lifecycle_rule = var.cur_bucket_lifecycle_rules

modules/vertice-governance-role/iam_policies.tf

@@ -31,33 +31,6 @@ data "aws_iam_policy_document" "vertice_cur_bucket_access" {
     ]
   }
 
-  statement {
-    sid    = "AllowSSLRequestsOnly"
-    effect = "Deny"
-
-    actions = [
-      "s3:*",
-    ]
-
-    resources = [
-      "arn:aws:s3:::${var.cur_bucket_name}",
-      "arn:aws:s3:::${var.cur_bucket_name}/*"
-    ]
-
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
-
-    condition {
-      test     = "Bool"
-      variable = "aws:SecureTransport"
-      values = [
-        "false"
-      ]
-    }
-  }
-
   lifecycle {
     precondition {
       condition     = var.cur_bucket_name != null