Enforce the usage of modern TLS versions (1.2 or higher) for S3 connections (#237)

* fix: Update Terraform version to match the version in variables.tf

* feat: Enforce the usage of modern TLS versions (1.2 or higher)

* refactor: Change input to minimum_tls_version

* fix: Correct for_each

* fix: Correct tests and add var.minimum_tls_version

Author: amontalban

Makefile

@@ -1,5 +1,5 @@
 SHELL := /bin/bash
-export TERRAFORM_VERSION = 1.1.6
+export TERRAFORM_VERSION = 1.3.0
 
 # List of targets the `readme` target should call before generating the readme
 export README_DEPS ?= docs/targets.md docs/terraform.md
@@ -14,5 +14,5 @@ lint:
 test/%:
 	@cd examples/complete && \
 	terraform init && \
-	terraform $* -var-file=fixtures.us-west-1.tfvars && \
-	terraform $* -var-file=grants.us-west-1.tfvars
+	terraform $* -var-file=fixtures.us-east-2.tfvars && \
+	terraform $* -var-file=grants.us-east-2.tfvars

README.md

@@ -293,6 +293,7 @@ Available targets:
 | <a name="input_lifecycle_rule_ids"></a> [lifecycle\_rule\_ids](#input\_lifecycle\_rule\_ids) | DEPRECATED (use `lifecycle_configuration_rules`): A list of IDs to assign to corresponding `lifecycle_rules` | `list(string)` | `[]` | no |
 | <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | DEPRECATED (`use lifecycle_configuration_rules`): A list of lifecycle rules | <pre>list(object({<br>    prefix  = string<br>    enabled = bool<br>    tags    = map(string)<br><br>    enable_glacier_transition            = bool<br>    enable_deeparchive_transition        = bool<br>    enable_standard_ia_transition        = bool<br>    enable_current_object_expiration     = bool<br>    enable_noncurrent_version_expiration = bool<br><br>    abort_incomplete_multipart_upload_days         = number<br>    noncurrent_version_glacier_transition_days     = number<br>    noncurrent_version_deeparchive_transition_days = number<br>    noncurrent_version_expiration_days             = number<br><br>    standard_transition_days    = number<br>    glacier_transition_days     = number<br>    deeparchive_transition_days = number<br>    expiration_days             = number<br>  }))</pre> | `null` | no |
 | <a name="input_logging"></a> [logging](#input\_logging) | Bucket access logging configuration. Empty list for no logging, list of 1 to enable logging. | <pre>list(object({<br>    bucket_name = string<br>    prefix      = string<br>  }))</pre> | `[]` | no |
+| <a name="input_minimum_tls_version"></a> [minimum\_tls\_version](#input\_minimum\_tls\_version) | Set the minimum TLS version for in-transit traffic | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_object_lock_configuration"></a> [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | <pre>object({<br>    mode  = string # Valid values are GOVERNANCE and COMPLIANCE.<br>    days  = number<br>    years = number<br>  })</pre> | `null` | no |

docs/terraform.md

@@ -85,6 +85,7 @@
 | <a name="input_lifecycle_rule_ids"></a> [lifecycle\_rule\_ids](#input\_lifecycle\_rule\_ids) | DEPRECATED (use `lifecycle_configuration_rules`): A list of IDs to assign to corresponding `lifecycle_rules` | `list(string)` | `[]` | no |
 | <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | DEPRECATED (`use lifecycle_configuration_rules`): A list of lifecycle rules | <pre>list(object({<br>    prefix  = string<br>    enabled = bool<br>    tags    = map(string)<br><br>    enable_glacier_transition            = bool<br>    enable_deeparchive_transition        = bool<br>    enable_standard_ia_transition        = bool<br>    enable_current_object_expiration     = bool<br>    enable_noncurrent_version_expiration = bool<br><br>    abort_incomplete_multipart_upload_days         = number<br>    noncurrent_version_glacier_transition_days     = number<br>    noncurrent_version_deeparchive_transition_days = number<br>    noncurrent_version_expiration_days             = number<br><br>    standard_transition_days    = number<br>    glacier_transition_days     = number<br>    deeparchive_transition_days = number<br>    expiration_days             = number<br>  }))</pre> | `null` | no |
 | <a name="input_logging"></a> [logging](#input\_logging) | Bucket access logging configuration. Empty list for no logging, list of 1 to enable logging. | <pre>list(object({<br>    bucket_name = string<br>    prefix      = string<br>  }))</pre> | `[]` | no |
+| <a name="input_minimum_tls_version"></a> [minimum\_tls\_version](#input\_minimum\_tls\_version) | Set the minimum TLS version for in-transit traffic | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_object_lock_configuration"></a> [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | <pre>object({<br>    mode  = string # Valid values are GOVERNANCE and COMPLIANCE.<br>    days  = number<br>    years = number<br>  })</pre> | `null` | no |

examples/complete/fixtures.us-east-2.tfvars

@@ -28,3 +28,5 @@ allowed_bucket_actions = [
 ]
 
 bucket_key_enabled = true
+
+minimum_tls_version = "1.2"

examples/complete/main.tf

@@ -34,6 +34,7 @@ module "s3_bucket" {
   block_public_policy           = var.block_public_policy
   ignore_public_acls            = var.ignore_public_acls
   restrict_public_buckets       = var.restrict_public_buckets
+  minimum_tls_version           = var.minimum_tls_version
 
   access_key_enabled      = var.access_key_enabled
   store_access_key_in_ssm = var.store_access_key_in_ssm

examples/complete/variables.tf

@@ -315,3 +315,9 @@ variable "transfer_acceleration_enabled" {
   default     = true
   description = "Set true to enable Transfer Acceleration (many regions not supported)"
 }
+
+variable "minimum_tls_version" {
+  type        = string
+  default     = null
+  description = "Set the minimum TLS version for in-transit traffic"
+}

main.tf

@@ -424,6 +424,28 @@ data "aws_iam_policy_document" "bucket_policy" {
     }
   }
 
+  dynamic "statement" {
+    for_each = var.minimum_tls_version != null ? toset([var.minimum_tls_version]) : toset([])
+
+    content {
+      sid       = "EnforceTLSVersion"
+      effect    = "Deny"
+      actions   = ["s3:*"]
+      resources = [local.bucket_arn, "${local.bucket_arn}/*"]
+
+      principals {
+        identifiers = ["*"]
+        type        = "*"
+      }
+
+      condition {
+        test     = "NumericLessThan"
+        values   = [statement.value]
+        variable = "s3:TlsVersion"
+      }
+    }
+  }
+
   dynamic "statement" {
     for_each = length(var.s3_replication_source_roles) > 0 ? [1] : []
 

variables.tf

@@ -139,6 +139,12 @@ variable "allow_ssl_requests_only" {
   nullable    = false
 }
 
+variable "minimum_tls_version" {
+  type        = string
+  default     = null
+  description = "Set the minimum TLS version for in-transit traffic"
+}
+
 variable "lifecycle_configuration_rules" {
   type = list(object({
     enabled = optional(bool, true)