From 7a3d8256c8a28849f84516d49a44e537e77eb4f2 Mon Sep 17 00:00:00 2001
From: Brian Ojeda <9335829+sgtoj@users.noreply.github.com>
Date: Sun, 9 Jul 2023 22:42:30 -0400
Subject: [PATCH] feat(syncer): update bucket policy to require ssl (#3342)
feat: update bucket policy to require ssl
---
 modules/runner-binaries-syncer/main.tf | 56 ++++++++++++++++----------
 1 file changed, 35 insertions(+), 21 deletions(-)
diff --git a/modules/runner-binaries-syncer/main.tf b/modules/runner-binaries-syncer/main.tf
index 6ec6dd46..915a45f9 100644
--- a/modules/runner-binaries-syncer/main.tf
+++ b/modules/runner-binaries-syncer/main.tf
@@ -79,38 +79,52 @@ resource "aws_s3_bucket_versioning" "action_dist" {
   }
 }
 
-data "aws_iam_policy_document" "action_dist_sse_policy" {
-  count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
-
+data "aws_iam_policy_document" "action_dist_bucket_policy" {
   statement {
-    effect = "Deny"
+    sid = "ForceSSLOnlyAccess"
+    effect = "Deny"
+    actions = ["s3:*"]
+    resources = [aws_s3_bucket.action_dist.arn, "${aws_s3_bucket.action_dist.arn}/*"]
 
     principals {
-      type = "AWS"
+      identifiers = ["*"]
+      type = "*"
+    }
 
-      identifiers = [
-        "*",
-      ]
+    condition {
+      test = "Bool"
+      values = ["false"]
+      variable = "aws:SecureTransport"
     }
+  }
+
+  dynamic "statement" {
+    for_each = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? [true] : []
 
-    actions = [
-      "s3:PutObject",
-    ]
+    content {
+      sid = "ForceSSE"
+      effect = "Deny"
+      actions = ["s3:PutObject"]
+      resources = ["${aws_s3_bucket.action_dist.arn}/*"]
 
-    resources = [
-      "${aws_s3_bucket.action_dist.arn}/*",
-    ]
+      principals {
+        type = "AWS"
 
-    condition {
-      test = "StringNotEquals"
-      variable = "s3:x-amz-server-side-encryption"
-      values = [var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm]
+        identifiers = [
+          "*",
+        ]
+      }
+
+      condition {
+        test = "StringNotEquals"
+        variable = "s3:x-amz-server-side-encryption"
+        values = [var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm]
+      }
     }
   }
 }
 
-resource "aws_s3_bucket_policy" "action_dist_sse_policy" {
-  count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
+resource "aws_s3_bucket_policy" "action_dist_bucket_policy" {
   bucket = aws_s3_bucket.action_dist.id
-  policy = data.aws_iam_policy_document.action_dist_sse_policy[0].json
+  policy = data.aws_iam_policy_document.action_dist_bucket_policy.json
 }
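Review bot: Renaming `aws_s3_bucket_policy.action_dist_sse_policy` (indexed by the dropped `count`) to `aws_s3_bucket_policy.action_dist_bucket_policy` without a `moved` block makes Terraform plan a destroy of the old policy and a create of the new one, so a bucket that already had the SSE policy briefly has no policy at all during apply; if the module's minimum Terraform version permits it, a `moved` block from `aws_s3_bucket_policy.action_dist_sse_policy[0]` to `aws_s3_bucket_policy.action_dist_bucket_policy` turns this into an in-place update. The retained `ForceSSE` statement keys only on `StringNotEquals` against `s3:x-amz-server-side-encryption`; whether a PutObject that omits the header entirely is denied depends on how IAM evaluates a negated operator on an absent key, which is worth confirming against current AWS documentation (the commonly used pattern pairs it with a `Null` condition), though bucket default encryption, if configured elsewhere in the module, may make this moot. A header comment on the new data source would help the next maintainer, since the `count` guard is gone and the two statements now have different lifecycles: `# Bucket policy is always attached: the TLS-only Deny applies unconditionally; the SSE Deny is added only when default server-side encryption is configured.` Minor style point in the first `principals` block: `identifiers` precedes `type`, the reverse of the order used in the `ForceSSE` block, and aligning the two would make the statements easier to compare.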