From 6655a67611672cdf1ad5ccb94a93ed782eb2ecdb Mon Sep 17 00:00:00 2001
From: magreenbaum
Date: Tue, 12 Nov 2024 20:33:36 -0500
Subject: [PATCH] check for policy_statements vs new var

---
 README.md | 1 -
 examples/complete/main.tf | 5 ++--
 main.tf | 2 +-
 variables.tf | 6 ----
 wrappers/main.tf | 59 +++++++++++++++++++--------------------
 5 files changed, 32 insertions(+), 41 deletions(-)

diff --git a/README.md b/README.md
index 324b996..58ddb98 100644
--- a/README.md
+++ b/README.md
@@ -178,7 +178,6 @@ No modules.
 | [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
 | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | [throughput\_mode](#input\_throughput\_mode) | Throughput mode for the file system. Defaults to `bursting`. Valid values: `bursting`, `elastic`, and `provisioned`. When using `provisioned`, also set `provisioned_throughput_in_mibps` | `string` | `null` | no |
-| [use\_default\_deny\_nonsecure\_transport\_policy](#input\_use\_default\_deny\_nonsecure\_transport\_policy) | Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target | `bool` | `true` | no |
 
 ## Outputs
 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 0e3db2f..dbfbb2d 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -42,9 +42,8 @@ module "efs" {
 }
 
 # File system policy
- attach_policy = true
- use_default_deny_nonsecure_transport_policy = false
- bypass_policy_lockout_safety_check = false
+ attach_policy = true
+ bypass_policy_lockout_safety_check = false
 policy_statements = [
 {
 sid = "Example"
diff --git a/main.tf b/main.tf
index a2e33b5..8f1dad5 100644
--- a/main.tf
+++ b/main.tf
@@ -103,7 +103,7 @@ data "aws_iam_policy_document" "policy" {
 }
 
 dynamic "statement" {
- for_each = var.deny_nonsecure_transport && var.use_default_deny_nonsecure_transport_policy ? [1] : []
+ for_each = var.deny_nonsecure_transport && length(var.policy_statements) == 0 ? [1] : []
 
 content {
 sid = "NonSecureTransportAccessedViaMountTarget"
diff --git a/variables.tf b/variables.tf
index 9b889d9..c0c21da 100644
--- a/variables.tf
+++ b/variables.tf
@@ -108,12 +108,6 @@ variable "deny_nonsecure_transport" {
 default = true
 }
 
-variable "use_default_deny_nonsecure_transport_policy" {
- description = "Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target"
- type = bool
- default = true
-}
-
 ################################################################################
 # Mount Target(s)
 ################################################################################
diff --git a/wrappers/main.tf b/wrappers/main.tf
index fffa413..f852eea 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
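Review bot: The new `for_each` condition makes any non-empty `policy_statements` suppress the built-in `NonSecureTransportAccessedViaMountTarget` deny statement even while `deny_nonsecure_transport` is left at its default of `true`, so a caller who supplies custom statements without their own deny-nonsecure-transport statement loses that enforcement with no plan-time signal. Previously the statement was only dropped by an explicit opt-out, so this is a behavioural change for existing users that the `deny_nonsecure_transport` description (variables.tf, outside this hunk) and the README do not yet reflect. Suggest a comment above the `dynamic "statement"` block, e.g. `# Only emitted when no custom policy_statements are supplied; callers providing their own statements must also provide their own deny-nonsecure-transport statement`, and an equivalent sentence in the variable description. Removing `use_default_deny_nonsecure_transport_policy` in the variables.tf hunk is additionally a breaking interface change for callers that still pass it, which the commit message does not call out. The enclosing `data "aws_iam_policy_document" "policy"` block starts and ends outside the hunk.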
@@ -3,34 +3,33 @@ module "wrapper" {
 
 for_each = var.items
 
- access_points = try(each.value.access_points, var.defaults.access_points, {})
- attach_policy = try(each.value.attach_policy, var.defaults.attach_policy, true)
- availability_zone_name = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
- bypass_policy_lockout_safety_check = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
- create = try(each.value.create, var.defaults.create, true)
- create_backup_policy = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
- create_replication_configuration = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
- create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
- creation_token = try(each.value.creation_token, var.defaults.creation_token, null)
- deny_nonsecure_transport = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
- enable_backup_policy = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
- encrypted = try(each.value.encrypted, var.defaults.encrypted, true)
- kms_key_arn = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
- lifecycle_policy = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
- mount_targets = try(each.value.mount_targets, var.defaults.mount_targets, {})
- name = try(each.value.name, var.defaults.name, "")
- override_policy_documents = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
- performance_mode = try(each.value.performance_mode, var.defaults.performance_mode, null)
- policy_statements = try(each.value.policy_statements, var.defaults.policy_statements, [])
- provisioned_throughput_in_mibps = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
- replication_configuration_destination = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
- security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null)
- security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null)
- security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
- security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
- security_group_vpc_id = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
- source_policy_documents = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
- tags = try(each.value.tags, var.defaults.tags, {})
- throughput_mode = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
- use_default_deny_nonsecure_transport_policy = try(each.value.use_default_deny_nonsecure_transport_policy, var.defaults.use_default_deny_nonsecure_transport_policy, true)
+ access_points = try(each.value.access_points, var.defaults.access_points, {})
+ attach_policy = try(each.value.attach_policy, var.defaults.attach_policy, true)
+ availability_zone_name = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
+ bypass_policy_lockout_safety_check = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
+ create = try(each.value.create, var.defaults.create, true)
+ create_backup_policy = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
+ create_replication_configuration = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
+ create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
+ creation_token = try(each.value.creation_token, var.defaults.creation_token, null)
+ deny_nonsecure_transport = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
+ enable_backup_policy = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
+ encrypted = try(each.value.encrypted, var.defaults.encrypted, true)
+ kms_key_arn = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
+ lifecycle_policy = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
+ mount_targets = try(each.value.mount_targets, var.defaults.mount_targets, {})
+ name = try(each.value.name, var.defaults.name, "")
+ override_policy_documents = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
+ performance_mode = try(each.value.performance_mode, var.defaults.performance_mode, null)
+ policy_statements = try(each.value.policy_statements, var.defaults.policy_statements, [])
+ provisioned_throughput_in_mibps = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
+ replication_configuration_destination = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
+ security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null)
+ security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null)
+ security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
+ security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
+ security_group_vpc_id = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
+ source_policy_documents = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
+ tags = try(each.value.tags, var.defaults.tags, {})
+ throughput_mode = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
 }