Commit 5c0451b

chore: allow to tune logs bucket traffic security policies (#78)
## what

- Allow setting both `allow_ssl_requests_only` and `allow_encrypted_uploads_only` in order to configure them at the underlying S3 bucket level.

## why

- We must enable secured traffic for compliance purposes.

## references

- N/A

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **New Features**
  * Added `allow_ssl_requests_only` configuration option to enforce SSL-only requests
  * Added `allow_encrypted_uploads_only` configuration option to require encrypted uploads

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
1 parent 7de2d2c commit 5c0451b

2 files changed

+15
-0
lines changed

main.tf

Lines changed: 3 additions & 0 deletions
@@ -53,6 +53,9 @@ module "tailscale_subnet_router" {
5353
session_logging_enabled = var.session_logging_enabled
5454
session_logging_ssm_document_name = var.session_logging_ssm_document_name
5555

56+
allow_ssl_requests_only = var.allow_ssl_requests_only
57+
allow_encrypted_uploads_only = var.allow_encrypted_uploads_only
58+
5659
ami = var.ami
5760
architecture = var.architecture
5861
instance_type = var.instance_type
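Review bot: Both new inputs are passed straight through to `module "tailscale_subnet_router"`, but this hunk does not show the module's `source`/`version` pin, so please confirm that the pinned module version actually exposes `allow_ssl_requests_only` and `allow_encrypted_uploads_only`; otherwise `terraform plan` fails with an unsupported-argument error. Also, the change touches only `main.tf` and `variables.tf`, so the wrapper's own documentation (README / usage example) is not updated with the two new variables, and given that the stated motivation is compliance, consider documenting that consumers must explicitly set them to `true`, since nothing here enforces secure transport or encrypted uploads by default.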

variables.tf

Lines changed: 12 additions & 0 deletions
@@ -70,6 +70,18 @@ variable "session_logging_ssm_document_name" {
7070
EOF
7171
}
7272

73+
variable "allow_ssl_requests_only" {
74+
description = "Whether or not to allow SSL requests only. If set to `true` this will create a bucket policy that `Deny` if SSL is not used in the requests using the `aws:SecureTransport` condition."
75+
type = bool
76+
default = false
77+
}
78+
79+
variable "allow_encrypted_uploads_only" {
80+
description = "Whether or not to allow encrypted uploads only. If set to `true` this will create a bucket policy that `Deny` if encryption header is missing in the requests."
81+
type = bool
82+
default = false
83+
}
84+
7385
variable "key_pair_name" {
7486
default = null
7587
type = string
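Review bot: Both variables default to `false`, which means a wrapper that exists "for compliance purposes" still deploys a logs bucket that accepts plaintext HTTP requests and unencrypted uploads unless every caller opts in; consider defaulting to `true`, or at least make the opt-in nature explicit in the descriptions. The descriptions themselves also read awkwardly ("a bucket policy that `Deny` if SSL is not used", "if encryption header is missing"); suggested wording: `description = "Whether to allow SSL requests only. If set to true, a bucket policy is created that denies any request where the aws:SecureTransport condition is false."` and `description = "Whether to allow encrypted uploads only. If set to true, a bucket policy is created that denies upload requests that lack the server-side encryption header."`. Finally, the second description should name the header the `Deny` statement keys on, so operators can tell which clients will be rejected once it is enabled.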
