UPD: added AllowSSLRequestsOnly bucket policy statement

modules/terraform-setup/main.tf

@@ -86,13 +86,25 @@ resource "aws_s3_bucket_policy" "bucket-policy" {
       "Effect": "Allow",
       "Resource": [
         "arn:aws:s3:::${var.bucket-name}/*",
-        "arn:aws:s3:::${var.bucket-name}-tfstate"
+        "arn:aws:s3:::${var.bucket-name}"
       ],
       "Principal": {
         "AWS": [
           "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"
         ]
       }
+    },
+    {
+      "Sid": "AllowSSLRequestsOnly",
+      "Action": "s3:*",
+      "Effect": "Deny",
+      "Resource": "arn:aws:s3:::${var.bucket-name}/*",
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false"
+        }
+      },
+      "Principal": "*"
     }
   ]
 }
@@ -116,4 +128,4 @@ resource "aws_dynamodb_table" "tfstate-lock-table" {
   }
 }
 
-data aws_caller_identity this {}
+data "aws_caller_identity" "this" {}