KanikaM

Reputation: 189

How can we enable Amazon S3 replication modification sync in terraform?

I am working on Amazon S3 replication using Terraform. I want to enable the rule "Replicate modification sync", but I don't think it is defined in Terraform.

Right now my code looks like this:

replication_configuration {
    role = "${aws_iam_role.source_replication.arn}"

    rules {
      id     = "${local.replication_name}"
      status = "Enabled"
      prefix = "${var.replicate_prefix}"

      destination {
        bucket        = "${local.dest_bucket_arn}"
        storage_class = "STANDARD"

        access_control_translation = {
          owner = "Destination"
        }

        account_id = "${data.aws_caller_identity.dest.account_id}"
      }

      source_selection_criteria {
        replica_modifications {
          Status = "Enabled"
        }
      }
    }
  }

It gives an error:

Error: Unsupported block type

  on s3_bucket.tf line 61, in resource "aws_s3_bucket" "bucket":
  61:         replica_modifications {

Blocks of type "replica_modifications" are not expected here.

The rule which I have to enable looks like this in the console.

With the AWS CLI in Terraform, I am not sure how I can use variables like the destination ${local.dest_bucket_arn} and ${aws_iam_role.source_replication.arn} in the JSON file which I am calling.

resource "null_resource" "awsrepl" {
  # ...

  provisioner "local-exec" {
    command = "aws s3api put-bucket-replication --replication-configuration templatefile://replication_source.json --bucket ${var.bucket_name}"
    
  }
} 

replication_source.json looks like this:

{
    "Rules": [
        {
            "Status": "Enabled",
            "DeleteMarkerReplication": { "Status": "Enabled" },
            "SourceSelectionCriteria": {
                "ReplicaModifications":{
                    "Status": "Enabled"
                }
            },
            "Destination": {
                "Bucket": "${local.dest_bucket_arn}"
            },
            "Priority": 1
        }
    ],
    "Role": "${aws_iam_role.source_replication.arn}"
}

Upvotes: 0

Views: 1830

Answers (3)

Marcin

Reputation: 238727

You are correct. It is not yet supported, but there is a GitHub issue for that already:

By the way, Delete marker replication is also not supported. Delete markers are now supported using

    delete_marker_replication {
      status = "Enabled"
    }

Your options are to either do it manually after you deploy your bucket, or use local-exec to run AWS CLI to do it, or aws_lambda_invocation.

Upvotes: 2

Charles L.

Reputation: 6305

Support for this was added in this PR: https://github.com/hashicorp/terraform-provider-aws/pull/20777 which is tagged as v3.66.0

It can be added under rule[].source_selection_criteria

    source_selection_criteria {
      replica_modifications {
        status = "Enabled"
      }
    }

Note that I had issues turning on some flags without adding more fields to the rules config. For a working example with the aws provider version 3.69.0 see https://stackoverflow.com/a/79421576/557406

Upvotes: 0
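
A complete rule using the native resource, as an added example that is not part of the answers above or of the provider's own documentation. It assumes AWS provider v4 or later (older 3.x releases may use different argument names) and reuses the question's names (`aws_s3_bucket.bucket`, `aws_iam_role.source_replication`, `local.dest_bucket_arn`, `local.replication_name`, `var.replicate_prefix`, `data.aws_caller_identity.dest`); the `aws_s3_bucket_versioning` resource named `source` is a hypothetical addition.

```hcl
# Added example; assumes AWS provider v4 or later.
# aws_s3_bucket_versioning.source is a hypothetical name, not from the question.

# Replication requires versioning on the source bucket (and on the destination).
resource "aws_s3_bucket_versioning" "source" {
  bucket = aws_s3_bucket.bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_replication_configuration" "source" {
  # Versioning must be in place before the replication configuration is applied.
  depends_on = [aws_s3_bucket_versioning.source]

  bucket = aws_s3_bucket.bucket.id
  role   = aws_iam_role.source_replication.arn

  rule {
    id     = local.replication_name
    status = "Enabled"

    # S3 accepts ReplicaModifications only in the filter-based rule schema,
    # which also requires priority and delete_marker_replication.
    priority = 1

    filter {
      prefix = var.replicate_prefix
    }

    delete_marker_replication {
      status = "Enabled"
    }

    source_selection_criteria {
      replica_modifications {
        status = "Enabled"
      }
    }

    destination {
      bucket        = local.dest_bucket_arn
      storage_class = "STANDARD"
      account       = data.aws_caller_identity.dest.account_id

      access_control_translation {
        owner = "Destination"
      }
    }
  }
}
```

Remove the inline `replication_configuration` block from `aws_s3_bucket` when using this resource, since both manage the same bucket setting and will conflict.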

KanikaM

Reputation: 189

Was able to achieve this using local-exec and template_file in Terraform:

data "template_file" "replication_dest" {
  template = "${file("replication_dest.json")}"
  vars = {
    srcarn = "${aws_s3_bucket.bucket.arn}"
    destrolearn = "${aws_iam_role.dest_replication.arn}"
    kmskey = "${data.aws_caller_identity.current.account_id}"
    keyalias = "${data.aws_kms_key.s3.key_id}"
    srcregion = "${data.aws_region.active.name}"
  }
}
resource "null_resource" "awsdestrepl" {
  # ...
  provisioner "local-exec" {
    command = "aws s3api put-bucket-replication --bucket ${aws_s3_bucket.dest.bucket} --replication-configuration ${data.template_file.replication_dest.rendered}"
    
  }
  depends_on = [aws_s3_bucket.dest]
}

And replication_dest.json looks like this:

"{
    \"Rules\": [
        {
            \"Status\": \"Enabled\",
            \"DeleteMarkerReplication\": { \"Status\": \"Enabled\" },
            \"Filter\": {\"Prefix\": \"\"},
            \"SourceSelectionCriteria\": {
                \"ReplicaModifications\":{
                    \"Status\": \"Enabled\"
                },
                \"SseKmsEncryptedObjects\":{
                    \"Status\": \"Enabled\"
                }
            },
            \"Destination\": {
                \"Bucket\": \"${bucketarn}\",
                \"EncryptionConfiguration\": {
                    \"ReplicaKmsKeyID\": \"arn:aws:kms:${destregion}:${kmskey}:${keyalias}\"
                  }
        },
            \"Priority\": 1
        }
    ],
    \"Role\": \"${rolearn}\"
}"

And you are good to go. :)

Upvotes: 1
