Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Conditionally create default NonSecureTransportAccessedViaMountTarget policy statement #35

Merged
merged 4 commits into from
Nov 21, 2024
Merged

fix: Conditionally create default NonSecureTransportAccessedViaMountTarget policy statement #35

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
594c09a
add variable to toggle use of default policy
magreenbaum Nov 13, 2024
6655a67
check for policy_statements vs new var
magreenbaum Nov 13, 2024
fe56474
Revert "check for policy_statements vs new var"
magreenbaum Nov 21, 2024
f498df4
feedback changes
magreenbaum Nov 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -159,6 +159,7 @@ No modules.
| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines whether a security group is created | `bool` | `true` | no |
| <a name="input_creation_token"></a> [creation\_token](#input\_creation\_token) | A unique name (a maximum of 64 characters are allowed) used as reference when creating the Elastic File System to ensure idempotent file system creation. By default generated by Terraform | `string` | `null` | no |
| <a name="input_deny_nonsecure_transport"></a> [deny\_nonsecure\_transport](#input\_deny\_nonsecure\_transport) | Determines whether `aws:SecureTransport` is required when connecting to elastic file system | `bool` | `true` | no |
| <a name="input_deny_nonsecure_transport_via_mount_target"></a> [deny\_nonsecure\_transport\_via\_mount\_target](#input\_deny\_nonsecure\_transport\_via\_mount\_target) | Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target | `bool` | `true` | no |
| <a name="input_enable_backup_policy"></a> [enable\_backup\_policy](#input\_enable\_backup\_policy) | Determines whether a backup policy is `ENABLED` or `DISABLED` | `bool` | `true` | no |
| <a name="input_encrypted"></a> [encrypted](#input\_encrypted) | If `true`, the disk will be encrypted | `bool` | `true` | no |
| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN for the KMS encryption key. When specifying `kms_key_arn`, encrypted needs to be set to `true` | `string` | `null` | no |
Expand Down
5 changes: 3 additions & 2 deletions examples/complete/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,8 +42,9 @@ module "efs" {
}

# File system policy
attach_policy = true
bypass_policy_lockout_safety_check = false
attach_policy = true
deny_nonsecure_transport_via_mount_target = false
bypass_policy_lockout_safety_check = false
policy_statements = [
{
sid = "Example"
Expand Down
2 changes: 1 addition & 1 deletion main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ data "aws_iam_policy_document" "policy" {
}

dynamic "statement" {
for_each = var.deny_nonsecure_transport ? [1] : []
for_each = var.deny_nonsecure_transport_via_mount_target ? [1] : []

content {
sid = "NonSecureTransportAccessedViaMountTarget"
Expand Down
6 changes: 6 additions & 0 deletions variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,12 @@ variable "deny_nonsecure_transport" {
default = true
}

variable "deny_nonsecure_transport_via_mount_target" {
description = "Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target"
type = bool
default = true
}

################################################################################
# Mount Target(s)
################################################################################
Expand Down
59 changes: 30 additions & 29 deletions wrappers/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,33 +3,34 @@ module "wrapper" {

for_each = var.items

access_points = try(each.value.access_points, var.defaults.access_points, {})
attach_policy = try(each.value.attach_policy, var.defaults.attach_policy, true)
availability_zone_name = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
bypass_policy_lockout_safety_check = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
create = try(each.value.create, var.defaults.create, true)
create_backup_policy = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
create_replication_configuration = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
creation_token = try(each.value.creation_token, var.defaults.creation_token, null)
deny_nonsecure_transport = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
enable_backup_policy = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
encrypted = try(each.value.encrypted, var.defaults.encrypted, true)
kms_key_arn = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
lifecycle_policy = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
mount_targets = try(each.value.mount_targets, var.defaults.mount_targets, {})
name = try(each.value.name, var.defaults.name, "")
override_policy_documents = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
performance_mode = try(each.value.performance_mode, var.defaults.performance_mode, null)
policy_statements = try(each.value.policy_statements, var.defaults.policy_statements, [])
provisioned_throughput_in_mibps = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
replication_configuration_destination = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null)
security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null)
security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
security_group_vpc_id = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
source_policy_documents = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
tags = try(each.value.tags, var.defaults.tags, {})
throughput_mode = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
access_points = try(each.value.access_points, var.defaults.access_points, {})
attach_policy = try(each.value.attach_policy, var.defaults.attach_policy, true)
availability_zone_name = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
bypass_policy_lockout_safety_check = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
create = try(each.value.create, var.defaults.create, true)
create_backup_policy = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
create_replication_configuration = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
creation_token = try(each.value.creation_token, var.defaults.creation_token, null)
deny_nonsecure_transport = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
deny_nonsecure_transport_via_mount_target = try(each.value.deny_nonsecure_transport_via_mount_target, var.defaults.deny_nonsecure_transport_via_mount_target, true)
enable_backup_policy = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
encrypted = try(each.value.encrypted, var.defaults.encrypted, true)
kms_key_arn = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
lifecycle_policy = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
mount_targets = try(each.value.mount_targets, var.defaults.mount_targets, {})
name = try(each.value.name, var.defaults.name, "")
override_policy_documents = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
performance_mode = try(each.value.performance_mode, var.defaults.performance_mode, null)
policy_statements = try(each.value.policy_statements, var.defaults.policy_statements, [])
provisioned_throughput_in_mibps = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
replication_configuration_destination = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null)
security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null)
security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
security_group_vpc_id = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
source_policy_documents = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
tags = try(each.value.tags, var.defaults.tags, {})
throughput_mode = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
}