CODEWITHSUNDEEP
amazon-web-servicesamazon-s3encryptionterraformreplication
Kiran
Kiran

Reputation: 868

S3 Cross region replication using Terraform

I was using Terraform to setup S3 buckets (different region) and set up replication between them.

It was working properly until I added KMS in it.

I created 2 KMS keys one for source and one for destination.

Now while applying replication configuration, there is an option to pass destination key for destination bucket but I am not sure how to apply key at the source.

Any help would be appreciated.

provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

resource "aws_s3_bucket" "destination-bucket" {
  bucket = ""destination-bucket"
  provider = "aws.east"
  acl    = "private"
  region   = "us-east-1"
  versioning {
    enabled = true
  }
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_cmk_dest_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

resource "aws_s3_bucket" "source-bucket" {
  bucket = "source-bucket"
  acl    = "private"
  versioning {
    enabled = true
  }
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_cmk_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
  replication_configuration {
    role = "${aws_iam_role.replication.arn}"

    rules {
      status = "Enabled"
	  destination {
        bucket        = "${aws_s3_bucket.source-bucket.arn}"
        storage_class = "STANDARD"
		replica_kms_key_id = "${var.kms_cmk_dest_arn}"
      }
	  source_selection_criteria {
      sse_kms_encrypted_objects {
      enabled = true
	  }
    }
    }
  }
}

resource "aws_iam_role" "replication" {
  name = "cdd-iam-role-replication"
  permissions_boundary    = "arn:aws:iam::${var.account_id}:policy/ServiceRoleBoundary"
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy" "replication" {
  name = "cdd-iam-role-policy-replication"
  role = "${aws_iam_role.replication.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source-bucket.arn}"
      ]
    },
    {
      "Action": [
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source-bucket.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.destination-bucket.arn}/*"
    }
  ]
}
POLICY
}

Upvotes: 4

Views: 9756

Answers (2)

TimAlonso
TimAlonso

Reputation: 498

If I understand you correctly, you've got two S3 Buckets in two different regions within the same account.

One way I've done this in the past is to plan/apply the KMS keys to both regions first.

Then on a separate plan/apply, I used Terraform's data sources:

data "aws_kms_key" "source_credentials_encryption_key" {
  key_id = "alias/source-encryption-key"
}
    
data "aws_kms_key" "destination_credentials_encryption_key" {
  provider = aws.usEast
  key_id   = "alias/destination-encryption-key"
}

And used the data source for the replication configuration like so:

replication_configuration {
  role = aws_iam_role.replication_role.arn
  
  rules {
    status = "Enabled"
    
    destination {
      bucket = aws_s3_bucket.source_bucket.arn
      storage_class = "STANDARD"
      replicate_kms_key_id = data.aws_kms_key.destination_bucket_encryption_key.arn
    }
    
    source_selection_criteria {
      sse_kms_encrypted_objects {
        enabled = true
      }
    }
  }
}

Upvotes: 0

the-petrolhead
the-petrolhead

Reputation: 617

In case you're using a Customer Managed Key(CMK) for S3 encryption, you need extra configuration. AWS S3 Documentation mentions that the CMK owner must grant the source bucket owner permission to use the CMK.

https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-config-for-kms-objects.html#replication-kms-cross-acct-scenario

Also, a good article to summarize the S3 cross region replication configuration:

https://medium.com/@devopslearning/100-days-of-devops-day-44-s3-cross-region-replication-crr-8c58ae8c68d4

Upvotes: 0

Related Questions