fix: Conditionally create default NonSecureTransportAccessedViaMountTarget policy statement (#35)

Author: magreenbaum

README.md

@@ -159,6 +159,7 @@ No modules.
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines whether a security group is created | `bool` | `true` | no |
 | <a name="input_creation_token"></a> [creation\_token](#input\_creation\_token) | A unique name (a maximum of 64 characters are allowed) used as reference when creating the Elastic File System to ensure idempotent file system creation. By default generated by Terraform | `string` | `null` | no |
 | <a name="input_deny_nonsecure_transport"></a> [deny\_nonsecure\_transport](#input\_deny\_nonsecure\_transport) | Determines whether `aws:SecureTransport` is required when connecting to elastic file system | `bool` | `true` | no |
+| <a name="input_deny_nonsecure_transport_via_mount_target"></a> [deny\_nonsecure\_transport\_via\_mount\_target](#input\_deny\_nonsecure\_transport\_via\_mount\_target) | Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target | `bool` | `true` | no |
 | <a name="input_enable_backup_policy"></a> [enable\_backup\_policy](#input\_enable\_backup\_policy) | Determines whether a backup policy is `ENABLED` or `DISABLED` | `bool` | `true` | no |
 | <a name="input_encrypted"></a> [encrypted](#input\_encrypted) | If `true`, the disk will be encrypted | `bool` | `true` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN for the KMS encryption key. When specifying `kms_key_arn`, encrypted needs to be set to `true` | `string` | `null` | no |

examples/complete/main.tf

@@ -42,8 +42,9 @@ module "efs" {
   }
 
   # File system policy
-  attach_policy                      = true
-  bypass_policy_lockout_safety_check = false
+  attach_policy                             = true
+  deny_nonsecure_transport_via_mount_target = false
+  bypass_policy_lockout_safety_check        = false
   policy_statements = [
     {
       sid     = "Example"

main.tf

@@ -103,7 +103,7 @@ data "aws_iam_policy_document" "policy" {
   }
 
   dynamic "statement" {
-    for_each = var.deny_nonsecure_transport ? [1] : []
+    for_each = var.deny_nonsecure_transport_via_mount_target ? [1] : []
 
     content {
       sid    = "NonSecureTransportAccessedViaMountTarget"

variables.tf

@@ -108,6 +108,12 @@ variable "deny_nonsecure_transport" {
   default     = true
 }
 
+variable "deny_nonsecure_transport_via_mount_target" {
+  description = "Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target"
+  type        = bool
+  default     = true
+}
+
 ################################################################################
 # Mount Target(s)
 ################################################################################

wrappers/main.tf

@@ -3,33 +3,34 @@ module "wrapper" {
 
   for_each = var.items
 
-  access_points                         = try(each.value.access_points, var.defaults.access_points, {})
-  attach_policy                         = try(each.value.attach_policy, var.defaults.attach_policy, true)
-  availability_zone_name                = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
-  bypass_policy_lockout_safety_check    = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
-  create                                = try(each.value.create, var.defaults.create, true)
-  create_backup_policy                  = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
-  create_replication_configuration      = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
-  create_security_group                 = try(each.value.create_security_group, var.defaults.create_security_group, true)
-  creation_token                        = try(each.value.creation_token, var.defaults.creation_token, null)
-  deny_nonsecure_transport              = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
-  enable_backup_policy                  = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
-  encrypted                             = try(each.value.encrypted, var.defaults.encrypted, true)
-  kms_key_arn                           = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
-  lifecycle_policy                      = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
-  mount_targets                         = try(each.value.mount_targets, var.defaults.mount_targets, {})
-  name                                  = try(each.value.name, var.defaults.name, "")
-  override_policy_documents             = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
-  performance_mode                      = try(each.value.performance_mode, var.defaults.performance_mode, null)
-  policy_statements                     = try(each.value.policy_statements, var.defaults.policy_statements, [])
-  provisioned_throughput_in_mibps       = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
-  replication_configuration_destination = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
-  security_group_description            = try(each.value.security_group_description, var.defaults.security_group_description, null)
-  security_group_name                   = try(each.value.security_group_name, var.defaults.security_group_name, null)
-  security_group_rules                  = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
-  security_group_use_name_prefix        = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
-  security_group_vpc_id                 = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
-  source_policy_documents               = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
-  tags                                  = try(each.value.tags, var.defaults.tags, {})
-  throughput_mode                       = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
+  access_points                             = try(each.value.access_points, var.defaults.access_points, {})
+  attach_policy                             = try(each.value.attach_policy, var.defaults.attach_policy, true)
+  availability_zone_name                    = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
+  bypass_policy_lockout_safety_check        = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
+  create                                    = try(each.value.create, var.defaults.create, true)
+  create_backup_policy                      = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
+  create_replication_configuration          = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
+  create_security_group                     = try(each.value.create_security_group, var.defaults.create_security_group, true)
+  creation_token                            = try(each.value.creation_token, var.defaults.creation_token, null)
+  deny_nonsecure_transport                  = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
+  deny_nonsecure_transport_via_mount_target = try(each.value.deny_nonsecure_transport_via_mount_target, var.defaults.deny_nonsecure_transport_via_mount_target, true)
+  enable_backup_policy                      = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
+  encrypted                                 = try(each.value.encrypted, var.defaults.encrypted, true)
+  kms_key_arn                               = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
+  lifecycle_policy                          = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
+  mount_targets                             = try(each.value.mount_targets, var.defaults.mount_targets, {})
+  name                                      = try(each.value.name, var.defaults.name, "")
+  override_policy_documents                 = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
+  performance_mode                          = try(each.value.performance_mode, var.defaults.performance_mode, null)
+  policy_statements                         = try(each.value.policy_statements, var.defaults.policy_statements, [])
+  provisioned_throughput_in_mibps           = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
+  replication_configuration_destination     = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
+  security_group_description                = try(each.value.security_group_description, var.defaults.security_group_description, null)
+  security_group_name                       = try(each.value.security_group_name, var.defaults.security_group_name, null)
+  security_group_rules                      = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
+  security_group_use_name_prefix            = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
+  security_group_vpc_id                     = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
+  source_policy_documents                   = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
+  tags                                      = try(each.value.tags, var.defaults.tags, {})
+  throughput_mode                           = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
 }