Closed jmcvetta closed 2 years ago
@tongueroo If you can point me in the right direction, I will submit a PR to implement this feature request. Where in the code does it create the S3 state bucket?
Looks like the state bucket is created by the AWS plugin over in this repo: https://github.com/boltops-tools/terraspace_plugin_aws
Yup. You found it. Looked and it's actually a few repos that would have to be updated.
Code trace:
terraspace_plugin_aws:
That other lib is s3_secure:
Then would update the docs. That's here:
It's a few steps. No sweat either way of course. Appreciate it if you get to it. Hope to get to it in time if you don't have the time. Thanks!
Awesome!
On Wed, Dec 29, 2021, 22:20 Tung Nguyen @.***> wrote:
Closed #161 https://github.com/boltops-tools/terraspace/issues/161 via boltops-tools/terraspace_plugin_aws#15 https://github.com/boltops-tools/terraspace_plugin_aws/pull/15.
Summary
Currently, when Terraspace creates an S3 bucket to hold state files, it does not configure the bucket to block all public access.
The state files are still protected, because they can only be read by the owner. Nevertheless, definitively blocking all public access to the bucket is strongly suggested for defense in depth.
Motivation
This feature improves Terraspace security.
Guide-level explanation
When Terraspace automatically creates an S3 bucket for remote state, it ensures that bucket is protected against public access.
Reference-level explanation
This proposal adds a Public Access Block to the S3 bucket configuration.
aws_s3_bucket_public_access_block documentation
PublicAccessBlockConfiguration documentation
Drawbacks
There is no drawback.
Unresolved Questions
No unresolved questions.
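What the proposal amounts to in Terraform terms, as an added example that is not Terraspace's or terraspace_plugin_aws's own code: a remote-state bucket with an aws_s3_bucket_public_access_block attached and all four settings enabled. The bucket name, region and provider version are assumptions; substitute your own.

```hcl
# Added example, not code from Terraspace or its AWS plugin.
# Assumptions: provider version, region and bucket name are placeholders.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # assumption
    }
  }
}

provider "aws" {
  region = "us-west-2" # assumption
}

# The bucket that holds Terraform state files.
resource "aws_s3_bucket" "terraform_state" {
  bucket = "example-terraform-state" # assumption: replace with your bucket name
}

# Public Access Block for the state bucket. Each flag closes a different
# route by which a bucket can become public, so all four are turned on.
resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id

  # Reject new object or bucket ACLs that grant public access.
  block_public_acls = true

  # Ignore any public ACLs that already exist on the bucket or its objects.
  ignore_public_acls = true

  # Reject bucket policies that would grant public access.
  block_public_policy = true

  # If a public bucket policy does exist, restrict access to the
  # bucket owner's account and AWS service principals only.
  restrict_public_buckets = true
}
```

After `terraform apply`, confirm the result with `aws s3api get-public-access-block --bucket example-terraform-state`; all four fields in the returned PublicAccessBlockConfiguration should read true. This resource is per bucket; the equivalent account-wide guard is a separate resource (aws_s3_account_public_access_block) and is outside the scope of this proposal.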