From f6e071cd99faa56b988b63051b22df260e929b03 Mon Sep 17 00:00:00 2001
From: ksbde
Date: Thu, 27 Jun 2024 13:41:20 +0200
Subject: [PATCH] feat: Deny HTTP on Karpenter SQS policy (#3080)
---
modules/karpenter/main.tf | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
index 8a3c9c1..4aee274 100644
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -464,6 +464,27 @@ data "aws_iam_policy_document" "queue" {
 ]
 }
 }
+ statement {
+ sid = "DenyHTTP"
+ effect = "Deny"
+ actions = [
+ "sqs:*"
+ ]
+ resources = [aws_sqs_queue.this[0].arn]
+ condition {
+ test = "StringEquals"
+ variable = "aws:SecureTransport"
+ values = [
+ "false"
+ ]
+ }
+ principals {
+ type = "*"
+ identifiers = [
+ "*"
+ ]
+ }
+ }
 }
 
 resource "aws_sqs_queue_policy" "this" {
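Review bot: The new `DenyHTTP` statement tests the Boolean condition key `aws:SecureTransport` with `test = "StringEquals"`; the AWS-documented form for this key (and the operator used in the SQS "deny non-TLS" policy example) is `test = "Bool"`, so I would change that line to `test = "Bool"` — a string comparison against `"false"` appears to evaluate the same way in practice, but `Bool` is the documented operator and what policy linters expect. The statement also deserves a one-line comment above `statement {` explaining the intent, e.g. `# Reject every SQS call to this queue that is not made over TLS (aws:SecureTransport=false), for any principal.`, since a blanket `sqs:*` Deny with `Principal: *` is easy to misread as locking the queue down entirely. The `[0]` index on `aws_sqs_queue.this` presumably mirrors how the queue and the other statements of this policy are addressed (count-based creation); that cannot be confirmed from the hunk, so it is worth a glance that it matches the sibling statements. The enclosing `data "aws_iam_policy_document" "queue"` block begins before this hunk.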