[NRL-1938] Add HTTPSOnly to policy for new ci-data bucket

mattdean3-nhs · mattdean3-nhs · commit cff34d381e01 · 2026-02-10T15:09:53.000Z
diff --git a/terraform/account-wide-infrastructure/mgmt/s3.tf b/terraform/account-wide-infrastructure/mgmt/s3.tf
@@ -34,3 +34,29 @@ resource "aws_s3_bucket_versioning" "ci_data" {
     aws_s3_bucket.ci_data
   ]
 }
+
+resource "aws_s3_bucket_policy" "ci_data" {
+  bucket = aws_s3_bucket.ci_data.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "${local.prefix}--ci-data-bucket-policy"
+    Statement = [
+      {
+        Sid       = "HTTPSOnly"
+        Effect    = "Deny"
+        Principal = "*"
+        Action    = "s3:*"
+        Resource = [
+          aws_s3_bucket.ci_data.arn,
+          "${aws_s3_bucket.ci_data.arn}/*",
+        ]
+        Condition = {
+          Bool = {
+            "aws:SecureTransport" = "false"
+          }
+        }
+      },
+    ]
+  })
+}
