Policy Packs
Enforce CloudFront Distribution for AWS S3 Buckets Is Secured

Policy Setting: AWS > S3 > Bucket > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

Source

resource "turbot_policy_setting" "aws_s3_bucket_approved_custom" {
resource = turbot_policy_pack.main.id
type = "tmod:@turbot/aws-s3#/policy/types/bucketApprovedCustom"
template_input = <<-EOT
- |
{
item: bucket {
Name
}
account {
turbot {
id
}
}
}
- |
{
resources(filter: "resourceId:{{ $.account.turbot.id }} resourceTypeId:'tmod:@turbot/aws-cloudfront#/resource/types/cloudFront' resourceTypeLevel:self $.DistributionConfig.Origins.Items.*.DomainName:'{{ $.item.Name }}.s3.amazonaws.com'")
{
items {
ViewerProtocolPolicy: get(path:"DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy")
CacheBehaviorsItems: get(path:"DistributionConfig.CacheBehaviors.Items")
}
}
item: bucket {
Website: get(path:"Website")
}
}
EOT
template = <<-EOT
{%- if $.bucket.Website -%}
{%- set policyValue = "Approved" -%}
{%- if $.resources.items | length == 0 -%}
{%- set policyValue = "Skip" -%}
{%- else -%}
{%- for item in $.resources.items -%}
{%- if item.ViewerProtocolPolicy not in ["redirect-to-https", "https-only"] -%}
{%- set policyValue = "Not approved" -%}
{%- else -%}
{#- Check if the other cache behaviour is not secure, if not then `Not approved`-#}
{%- for behaviorsItem in item.CacheBehaviorsItems -%}
{%- if behaviorsItem.ViewerProtocolPolicy not in ["redirect-to-https", "https-only"] -%}
{%- set policyValue = "Not approved" -%}
{%- endif -%}
{%- endfor -%}
{%- endif -%}
{%- endfor -%}
{%- if policyValue == "Approved" -%}
{%- set data = {
"title": "Secure CloudFront Distribution",
"result": "Approved",
"message": "CloudFront distribution is secured"
} -%}
{%- elif policyValue == "Not approved" -%}
{%- set data = {
"title": "Secure CloudFront Distribution",
"result": "Not approved",
"message": "CloudFront distribution is not secured"
} -%}
{%- else -%}
{%- set data = {
"title": "Secure CloudFront Distribution",
"result": "Skip",
"message": "No data for CloudFront distribution yet"
} -%}
{%- endif -%}
{%- endif -%}
{%- else -%}
{%- set data = {
"title": "Secure CloudFront Distribution",
"result": "Skip",
"message": "No data for website yet"
} -%}
{%- endif -%}
{{ data | json }}
EOT
}