Skip to content

Commit

Permalink
fix: Conditionally create default `NonSecureTransportAccessedViaMount…
Browse files Browse the repository at this point in the history
…Target` policy statement (#35)
  • Loading branch information
magreenbaum authored Nov 21, 2024
1 parent 715f30c commit 7c58eb1
Show file tree
Hide file tree
Showing 5 changed files with 41 additions and 32 deletions.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -159,6 +159,7 @@ No modules.
| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines whether a security group is created | `bool` | `true` | no |
| <a name="input_creation_token"></a> [creation\_token](#input\_creation\_token) | A unique name (a maximum of 64 characters are allowed) used as reference when creating the Elastic File System to ensure idempotent file system creation. By default generated by Terraform | `string` | `null` | no |
| <a name="input_deny_nonsecure_transport"></a> [deny\_nonsecure\_transport](#input\_deny\_nonsecure\_transport) | Determines whether `aws:SecureTransport` is required when connecting to elastic file system | `bool` | `true` | no |
| <a name="input_deny_nonsecure_transport_via_mount_target"></a> [deny\_nonsecure\_transport\_via\_mount\_target](#input\_deny\_nonsecure\_transport\_via\_mount\_target) | Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target | `bool` | `true` | no |
| <a name="input_enable_backup_policy"></a> [enable\_backup\_policy](#input\_enable\_backup\_policy) | Determines whether a backup policy is `ENABLED` or `DISABLED` | `bool` | `true` | no |
| <a name="input_encrypted"></a> [encrypted](#input\_encrypted) | If `true`, the disk will be encrypted | `bool` | `true` | no |
| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN for the KMS encryption key. When specifying `kms_key_arn`, encrypted needs to be set to `true` | `string` | `null` | no |
Expand Down
5 changes: 3 additions & 2 deletions examples/complete/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -42,8 +42,9 @@ module "efs" {
}

# File system policy
attach_policy = true
bypass_policy_lockout_safety_check = false
attach_policy = true
deny_nonsecure_transport_via_mount_target = false
bypass_policy_lockout_safety_check = false
policy_statements = [
{
sid = "Example"
Expand Down
2 changes: 1 addition & 1 deletion main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ data "aws_iam_policy_document" "policy" {
}

dynamic "statement" {
for_each = var.deny_nonsecure_transport ? [1] : []
for_each = var.deny_nonsecure_transport_via_mount_target ? [1] : []

content {
sid = "NonSecureTransportAccessedViaMountTarget"
Expand Down
6 changes: 6 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,12 @@ variable "deny_nonsecure_transport" {
default = true
}

variable "deny_nonsecure_transport_via_mount_target" {
description = "Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target"
type = bool
default = true
}

################################################################################
# Mount Target(s)
################################################################################
Expand Down
59 changes: 30 additions & 29 deletions wrappers/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -3,33 +3,34 @@ module "wrapper" {

for_each = var.items

access_points = try(each.value.access_points, var.defaults.access_points, {})
attach_policy = try(each.value.attach_policy, var.defaults.attach_policy, true)
availability_zone_name = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
bypass_policy_lockout_safety_check = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
create = try(each.value.create, var.defaults.create, true)
create_backup_policy = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
create_replication_configuration = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
creation_token = try(each.value.creation_token, var.defaults.creation_token, null)
deny_nonsecure_transport = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
enable_backup_policy = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
encrypted = try(each.value.encrypted, var.defaults.encrypted, true)
kms_key_arn = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
lifecycle_policy = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
mount_targets = try(each.value.mount_targets, var.defaults.mount_targets, {})
name = try(each.value.name, var.defaults.name, "")
override_policy_documents = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
performance_mode = try(each.value.performance_mode, var.defaults.performance_mode, null)
policy_statements = try(each.value.policy_statements, var.defaults.policy_statements, [])
provisioned_throughput_in_mibps = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
replication_configuration_destination = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null)
security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null)
security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
security_group_vpc_id = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
source_policy_documents = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
tags = try(each.value.tags, var.defaults.tags, {})
throughput_mode = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
access_points = try(each.value.access_points, var.defaults.access_points, {})
attach_policy = try(each.value.attach_policy, var.defaults.attach_policy, true)
availability_zone_name = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
bypass_policy_lockout_safety_check = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
create = try(each.value.create, var.defaults.create, true)
create_backup_policy = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
create_replication_configuration = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
creation_token = try(each.value.creation_token, var.defaults.creation_token, null)
deny_nonsecure_transport = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
deny_nonsecure_transport_via_mount_target = try(each.value.deny_nonsecure_transport_via_mount_target, var.defaults.deny_nonsecure_transport_via_mount_target, true)
enable_backup_policy = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
encrypted = try(each.value.encrypted, var.defaults.encrypted, true)
kms_key_arn = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
lifecycle_policy = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
mount_targets = try(each.value.mount_targets, var.defaults.mount_targets, {})
name = try(each.value.name, var.defaults.name, "")
override_policy_documents = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
performance_mode = try(each.value.performance_mode, var.defaults.performance_mode, null)
policy_statements = try(each.value.policy_statements, var.defaults.policy_statements, [])
provisioned_throughput_in_mibps = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
replication_configuration_destination = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null)
security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null)
security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
security_group_vpc_id = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
source_policy_documents = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
tags = try(each.value.tags, var.defaults.tags, {})
throughput_mode = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
}

0 comments on commit 7c58eb1

Please sign in to comment.