To maintainers: can you please explain a use case justifying allow_ssl_requests_only=true since this module includes a Cloudfront CDN with TLS settings of its own? Thanks!

When deploying AWS Config and SecurityHub with the AWS Well-Architected Best Practices, it will raise an issue if TLS on a bucket is not mandatory.

If the module has problems with this enabled, then I suspect we have a cloud front misconfiguration for the origin, since I can't see why it should ever send non TLS requests.

If the module has problems with this enabled, then I suspect we have a cloud front misconfiguration for the origin, since I can't see why it should ever send non TLS requests.

Gotcha. My guess is that Cloudfront would communicate internally with S3, similarly to an ALB when it communicates with the hosts within a target group -- both scenarios not needing TLS. I can see a flaw in the Cloudfront-S3 scenario though: in case someone has the bucket name, they could make requests without TLS.

I can help investigating why the origin fails making TLS requests to S3 in a case like #175. I doesn't happen everywhere -- I've used this module before and didn't see this issue.

If the module has problems with this enabled, then I suspect we have a cloud front misconfiguration for the origin, since I can't see why it should ever send non TLS requests.

Gotcha. My guess is that Cloudfront would communicate internally with S3, similarly to an ALB when it communicates with the hosts within a target group -- both scenarios not needing TLS. I can see a flaw in the Cloudfront-S3 scenario though: in case someone has the bucket name, they could make requests without TLS.

I can help investigating why the origin fails making TLS requests to S3 in a case like #175. I doesn't happen everywhere -- I've used this module before and didn't see this issue.

I believe the issue is with the default origin protocol policy here: https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/master/main.tf#L413
the origin generated by the default s3_origins var will have this problem - it gets forced to http-only but the bucket gets a policy to Deny http-only. I think a fix would be to have the default set to match-viewer (the AWS default) and then let allow_ssl_requests_only=true change it to https-only.
I'd even be in favor of keeping allow_ssl_requests_only=true as default but make sure the origin_protocol_policy on the resource is set appropriately to align with the bucket policy.