diff --git a/README.md b/README.md
index 58ddb98..df38097 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,7 @@ No modules.
| [create\_security\_group](#input\_create\_security\_group) | Determines whether a security group is created | `bool` | `true` | no |
| [creation\_token](#input\_creation\_token) | A unique name (a maximum of 64 characters are allowed) used as reference when creating the Elastic File System to ensure idempotent file system creation. By default generated by Terraform | `string` | `null` | no |
| [deny\_nonsecure\_transport](#input\_deny\_nonsecure\_transport) | Determines whether `aws:SecureTransport` is required when connecting to elastic file system | `bool` | `true` | no |
+| [deny\_nonsecure\_transport\_via\_mount\_target](#input\_deny\_nonsecure\_transport\_via\_mount\_target) | Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target | `bool` | `true` | no |
| [enable\_backup\_policy](#input\_enable\_backup\_policy) | Determines whether a backup policy is `ENABLED` or `DISABLED` | `bool` | `true` | no |
| [encrypted](#input\_encrypted) | If `true`, the disk will be encrypted | `bool` | `true` | no |
| [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN for the KMS encryption key. When specifying `kms_key_arn`, encrypted needs to be set to `true` | `string` | `null` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index dbfbb2d..93d42e9 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -42,8 +42,9 @@ module "efs" {
}
# File system policy
- attach_policy = true
- bypass_policy_lockout_safety_check = false
+ attach_policy = true
+ deny_nonsecure_transport_via_mount_target = false
+ bypass_policy_lockout_safety_check = false
policy_statements = [
{
sid = "Example"
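Review bot: The example sets `deny_nonsecure_transport_via_mount_target = false` with no comment explaining the choice, so a reader who copies this block ends up with a materially different file system policy from the module default without knowing why. Presumably the intent is that access be governed only by the explicit `policy_statements` below rather than the module's generated statement, which per variables.tf allows all AWS principals when accessed via a mount target; if so, a one-line comment such as `# Rely on the explicit statements below instead of the module's allow-all-principals mount-target statement` would make that explicit. The `module "efs"` block and the `policy_statements` list continue outside the hunk.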
diff --git a/main.tf b/main.tf
index 76742b9..79061dd 100644
--- a/main.tf
+++ b/main.tf
@@ -103,7 +103,7 @@ data "aws_iam_policy_document" "policy" {
}
dynamic "statement" {
- for_each = var.deny_nonsecure_transport ? [1] : []
+ for_each = var.deny_nonsecure_transport_via_mount_target ? [1] : []
content {
sid = "NonSecureTransportAccessedViaMountTarget"
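Review bot: The `NonSecureTransportAccessedViaMountTarget` statement is now gated only on the new variable, so a caller who already has `deny_nonsecure_transport = false` (and previously got neither statement) now receives this statement on its own, and per its description in variables.tf it allows all AWS principals when the file system is accessed via a mount target — a widening of the policy for existing users that the commit does not mention. If the new variable is meant to narrow the existing option rather than act independently, the guard should require both: `for_each = var.deny_nonsecure_transport && var.deny_nonsecure_transport_via_mount_target ? [1] : []`. Whichever semantics are intended, a comment above this dynamic block stating how the two variables interact would help, since the sid reads as a deny while the statement, by its description, is a grant. The `data "aws_iam_policy_document" "policy"` block and the statement's content continue outside the hunk.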
diff --git a/variables.tf b/variables.tf
index c0c21da..d811dba 100644
--- a/variables.tf
+++ b/variables.tf
@@ -108,6 +108,12 @@ variable "deny_nonsecure_transport" {
default = true
}
+variable "deny_nonsecure_transport_via_mount_target" {
+ description = "Determines whether to use the common policy option for denying nonsecure transport which allows all AWS principals when accessed via EFS mounted target"
+ type = bool
+ default = true
+}
+
################################################################################
# Mount Target(s)
################################################################################
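Review bot: The description on the new variable is hard to parse: the name says "deny", yet the text says the option "allows all AWS principals", and it does not say that the controlled statement is the companion to `deny_nonsecure_transport` rather than a denial itself. A description that states what is actually added would be clearer, e.g. `description = "Determines whether to add the common policy statement that allows all AWS principals access when the file system is reached via an EFS mount target; intended to accompany the deny_nonsecure_transport statement"`. Given the statement is a grant to all principals, it is also worth a sentence noting that the `true` default preserves the previous behaviour, so operators who want a tighter policy know to set it to `false`.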
diff --git a/wrappers/main.tf b/wrappers/main.tf
index f852eea..5c41908 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -3,33 +3,34 @@ module "wrapper" {
for_each = var.items
- access_points = try(each.value.access_points, var.defaults.access_points, {})
- attach_policy = try(each.value.attach_policy, var.defaults.attach_policy, true)
- availability_zone_name = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
- bypass_policy_lockout_safety_check = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
- create = try(each.value.create, var.defaults.create, true)
- create_backup_policy = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
- create_replication_configuration = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
- create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
- creation_token = try(each.value.creation_token, var.defaults.creation_token, null)
- deny_nonsecure_transport = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
- enable_backup_policy = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
- encrypted = try(each.value.encrypted, var.defaults.encrypted, true)
- kms_key_arn = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
- lifecycle_policy = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
- mount_targets = try(each.value.mount_targets, var.defaults.mount_targets, {})
- name = try(each.value.name, var.defaults.name, "")
- override_policy_documents = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
- performance_mode = try(each.value.performance_mode, var.defaults.performance_mode, null)
- policy_statements = try(each.value.policy_statements, var.defaults.policy_statements, [])
- provisioned_throughput_in_mibps = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
- replication_configuration_destination = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
- security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null)
- security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null)
- security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
- security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
- security_group_vpc_id = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
- source_policy_documents = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
- tags = try(each.value.tags, var.defaults.tags, {})
- throughput_mode = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
+ access_points = try(each.value.access_points, var.defaults.access_points, {})
+ attach_policy = try(each.value.attach_policy, var.defaults.attach_policy, true)
+ availability_zone_name = try(each.value.availability_zone_name, var.defaults.availability_zone_name, null)
+ bypass_policy_lockout_safety_check = try(each.value.bypass_policy_lockout_safety_check, var.defaults.bypass_policy_lockout_safety_check, null)
+ create = try(each.value.create, var.defaults.create, true)
+ create_backup_policy = try(each.value.create_backup_policy, var.defaults.create_backup_policy, true)
+ create_replication_configuration = try(each.value.create_replication_configuration, var.defaults.create_replication_configuration, false)
+ create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
+ creation_token = try(each.value.creation_token, var.defaults.creation_token, null)
+ deny_nonsecure_transport = try(each.value.deny_nonsecure_transport, var.defaults.deny_nonsecure_transport, true)
+ deny_nonsecure_transport_via_mount_target = try(each.value.deny_nonsecure_transport_via_mount_target, var.defaults.deny_nonsecure_transport_via_mount_target, true)
+ enable_backup_policy = try(each.value.enable_backup_policy, var.defaults.enable_backup_policy, true)
+ encrypted = try(each.value.encrypted, var.defaults.encrypted, true)
+ kms_key_arn = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
+ lifecycle_policy = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, {})
+ mount_targets = try(each.value.mount_targets, var.defaults.mount_targets, {})
+ name = try(each.value.name, var.defaults.name, "")
+ override_policy_documents = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
+ performance_mode = try(each.value.performance_mode, var.defaults.performance_mode, null)
+ policy_statements = try(each.value.policy_statements, var.defaults.policy_statements, [])
+ provisioned_throughput_in_mibps = try(each.value.provisioned_throughput_in_mibps, var.defaults.provisioned_throughput_in_mibps, null)
+ replication_configuration_destination = try(each.value.replication_configuration_destination, var.defaults.replication_configuration_destination, {})
+ security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null)
+ security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null)
+ security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {})
+ security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, false)
+ security_group_vpc_id = try(each.value.security_group_vpc_id, var.defaults.security_group_vpc_id, null)
+ source_policy_documents = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
+ tags = try(each.value.tags, var.defaults.tags, {})
+ throughput_mode = try(each.value.throughput_mode, var.defaults.throughput_mode, null)
}