Block public access to S3 state buckets

[jmcvetta]

Summary

Currently, when Terraspace creates an S3 bucket to hold state files, it does not configure the bucket to block all public access.

The state files are still protected, because they can only be read by owner. Nevertheless definitively blocking all public access to the bucket is strongly suggested for defense in depth.

Motivation

This feature improves Terraspace security.

Guide-level explanation

When Terraspace automatically creates an S3 bucket for remote state, it ensures that bucket is protected against public access.

Reference-level explanation

This proposal adds a Public Access Block to the S3 bucket configuration.

• Terraform aws_s3_bucket_public_access_block documentation
• CloudFormation PublicAccessBlockConfiguration documentation
• "Configuring block public access settings for your S3 buckets" AWS documentation

Drawbacks

There is no drawback.

Unresolved Questions

No unresolved questions.

[jmcvetta]

@tongueroo If you can point me in the right direction, I will submit a PR to implement this feature request. Where in the code does it create the S3 state bucket?

[jmcvetta]

Looks like the state bucket is created by the AWS plugin over in this repo: https://github.com/boltops-tools/terraspace_plugin_aws

[tongueroo]

Yup. You found it. 👍 Looked and it's actually a few repos that would have to be updated.

• https://github.com/boltops-tools/terraspace_plugin_aws
• https://github.com/boltops-tools/s3-secure

Code trace:

terraspace_plugin_aws:

• Where the secure settings are applied https://github.com/boltops-tools/terraspace_plugin_aws/blob/master/lib/terraspace_plugin_aws/interfaces/backend/bucket.rb#L13
• The secure method calls another lib https://github.com/boltops-tools/terraspace_plugin_aws/blob/master/lib/terraspace_plugin_aws/interfaces/backend/bucket/secure.rb

That other lib is s3_secure:

• So would add class and method. Something like PublicAccess#block to https://github.com/boltops-tools/s3-secure/tree/master/lib/s3_secure
• Then the terraspace_plugin_aws would be able to call that new class and method.

Then would update the docs. That's here:

• Terraspace Docs: https://terraspace.cloud/docs/plugins/aws/
• GitHub Source: https://github.com/boltops-tools/terraspace-docs/blob/master/_docs/plugins/aws.md

It's a few steps. No sweat either way of course. 😄 Appreciate it if you get to it. Hope to get to it in time if you don’t got the time. ⏱ Thanks!

[tongueroo]

Docs: https://terraspace.cloud/docs/plugins/aws/

[jmcvetta]

Awesome!

On Wed, Dec 29, 2021, 22:20 Tung Nguyen @.***> wrote:

Closed #161 https://github.com/boltops-tools/terraspace/issues/161 via boltops-tools/terraspace_plugin_aws#15 https://github.com/boltops-tools/terraspace_plugin_aws/pull/15.

— Reply to this email directly, view it on GitHub https://github.com/boltops-tools/terraspace/issues/161#event-5826601489, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAANTAWSQ737S4PHKY6NYFLUTPFZFANCNFSM5JW3BU3A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you authored the thread.Message ID: @.***>