CCM-11586: forgot to save

masl2 · masl2 · commit d3eb5137af11 · 2025-08-20T15:46:22.000+01:00
diff --git a/infrastructure/terraform/components/api/s3_bucket_truststore.tf b/infrastructure/terraform/components/api/s3_bucket_truststore.tf
@@ -44,42 +44,38 @@ resource "aws_s3_bucket_public_access_block" "truststore" {
   restrict_public_buckets = true
 }
 
-resource "aws_s3_bucket_logging" "truststore" {
-  bucket = aws_s3_bucket.truststore.id
-
-  target_bucket = aws_s3_bucket.logging.bucket
-  target_prefix = "${aws_s3_bucket.truststore.bucket}/"
-}
-
-# In manually configured (e.g. dev main, nonprod main, prod main) add lifecycle policy to permit manual management of cert
-resource "aws_s3_object" "placeholder_truststore" {
-  count   = var.manually_configure_mtls_truststore ? 1 : 0
-  bucket  = aws_s3_bucket.truststore.bucket
-  key     = "truststore.pem"
-  content = module.supplier_ssl[0].cacert_pem
+data "aws_iam_policy_document" "truststore" {
+  statement {
+    effect  = "Deny"
+    actions = ["s3:*"]
+    resources = [
+      aws_s3_bucket.truststore.arn,
+      "${aws_s3_bucket.truststore.arn}/*",
+    ]
 
-  depends_on = [
-    aws_s3_bucket_versioning.truststore,
-    module.supplier_ssl
-  ]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
 
-  lifecycle {
-    ignore_changes = [
-      content
-    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values = [
+        false
+      ]
+    }
   }
 }
 
-# In non-manually configured env (e.g. PR) exclude lifecycle policy so resources are managed
-# Requires duplicate block as lifecycle policies cannot be dynamic
-resource "aws_s3_object" "placeholder_truststore_nonprod" {
-  count   = !var.manually_configure_mtls_truststore ? 1 : 0
-  bucket  = aws_s3_bucket.truststore.bucket
-  key     = "truststore.pem"
-  content = module.supplier_ssl[0].cacert_pem
+resource "aws_s3_bucket_policy" "truststore" {
+  bucket = aws_s3_bucket.truststore.id
+  policy = data.aws_iam_policy_document.truststore.json
+}
 
-  depends_on = [
-    aws_s3_bucket_versioning.truststore,
-    module.supplier_ssl
-  ]
+resource "aws_s3_bucket_logging" "truststore" {
+  bucket = aws_s3_bucket.truststore.id
+
+  target_bucket = aws_s3_bucket.logging.bucket
+  target_prefix = "${aws_s3_bucket.truststore.bucket}/"
 }
