dobbs

Reputation: 1043

AWS SecurityLake roll-up regions in Terraform

In the example usage on https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securitylake_data_lake, the following region is set to "eu-west-1". The documentation is not clear on what this region argument is exactly. The documentation states:

configuration - (Required) Specify the Region or Regions that will contribute data to the rollup region.

and then later states:

region - (Required) The AWS Regions where Security Lake is automatically enabled.

My understanding after reading the docs https://docs.aws.amazon.com/security-lake/latest/userguide/manage-regions.html#add-rollup-region is that you define multiple regions to then roll up to a specific region, i.e. you could roll all US regions into us-east-1, and all EU regions into eu-west-1. Is the terraform provider able to actually do this? I'm not seeing how this would work given the available arguments, or is this what the replication_configuration is akin to? If so, how would you write the terraform to roll all EU regions into eu-west-1 to adhere to GDPR requirements?

Upvotes: 1

Views: 174

Answers (1)

Vincent Tjianattan

Reputation: 66

You would need to create an AWS provider for each of the regions that you want to manage, then use that provider for each of the resources.

Let me give you an example.

Let's say you want to roll up us-east-1, eu-west-1, eu-west-2 and eu-west-3 to eu-west-1.

You would need to write the following code; you can copy-paste the same thing and change the region. Also note that what I'm configuring is the bare minimum; in a best-practice scenario you would want to configure lifecycle and encryption configuration.

# eu-west-1 (the roll-up region; uses the default, un-aliased provider)
provider "aws" {
  region = "eu-west-1"
}

# aws_iam_role.meta_store_manager is the Security Lake meta store manager
# role and is assumed to be defined elsewhere in the same configuration.
resource "aws_securitylake_data_lake" "eu_west_1" {
  meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn

  configuration {
    region = "eu-west-1"
    # No need to do replication for the eu-west-1 region
  }
}

# eu-west-2
provider "aws" {
  region = "eu-west-2"
  alias  = "eu_west_2"
}

resource "aws_securitylake_data_lake" "eu_west_2" {
  provider                    = aws.eu_west_2
  meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn

  configuration {
    region = "eu-west-2"

    replication_configuration {
      regions = ["eu-west-1"]
    }
  }
}

# eu-west-3
provider "aws" {
  region = "eu-west-3"
  alias  = "eu_west_3"
}

resource "aws_securitylake_data_lake" "eu_west_3" {
  provider                    = aws.eu_west_3
  meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn

  configuration {
    region = "eu-west-3"

    replication_configuration {
      regions = ["eu-west-1"]
    }
  }
}

# us-east-1
provider "aws" {
  region = "us-east-1"
  alias  = "us_east_1"
}

resource "aws_securitylake_data_lake" "us_east_1" {
  provider                    = aws.us_east_1
  meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn

  configuration {
    region = "us-east-1"

    replication_configuration {
      regions = ["eu-west-1"]
    }
  }
}

Upvotes: 1
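To confirm that a deployed configuration actually matches the roll-up model above (every EU region replicates only to eu-west-1, and nothing leaves the EU boundary), here is an added check that is not part of the answer or of the Terraform provider. It assumes the boto3 `securitylake.list_data_lakes()` response shape (`dataLakes[].region` and `dataLakes[].replicationConfiguration.regions`); the sample response is constructed by hand so the check runs offline.

```python
# Added example (not from the original post): verify that Security Lake
# replication keeps EU data inside the EU boundary and rolls up to eu-west-1.
# Assumes the response shape of boto3 securitylake.list_data_lakes(), i.e.
# dataLakes[].region and dataLakes[].replicationConfiguration.regions.
from __future__ import annotations

EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-north-1"}
ROLLUP_REGION = "eu-west-1"  # roll-up region used in the answer above

# Constructed sample of what list_data_lakes() returns; two regions are wrong on purpose.
SAMPLE_DATA_LAKES = [
    {"region": "eu-west-1", "replicationConfiguration": {"regions": []}},
    {"region": "eu-west-2", "replicationConfiguration": {"regions": ["eu-west-1"]}},
    {"region": "eu-west-3", "replicationConfiguration": {"regions": ["us-east-1"]}},
    {"region": "eu-central-1"},  # Security Lake enabled but no replication configured
    {"region": "us-east-1", "replicationConfiguration": {"regions": ["eu-west-1"]}},
]


def rollup_violations(data_lakes, boundary, rollup):
    """Return one finding per region whose configuration breaks the roll-up model.

    Rules: the roll-up region itself replicates nowhere; every other region inside
    `boundary` replicates to exactly `rollup`; no region inside `boundary` replicates
    to a region outside it. Regions outside the boundary are free to roll in.
    """
    findings = []
    for lake in data_lakes:
        region = lake["region"]
        targets = set(lake.get("replicationConfiguration", {}).get("regions", []))
        if region == rollup:
            if targets:
                findings.append(f"{region}: roll-up region must not replicate, but targets {sorted(targets)}")
            continue
        if region not in boundary:
            continue
        leaving = targets - boundary
        if leaving:
            findings.append(f"{region}: replicates outside the boundary to {sorted(leaving)}")
        elif targets != {rollup}:
            findings.append(f"{region}: expected roll-up to {rollup}, found {sorted(targets) or 'none'}")
    return findings


def fetch_data_lakes(regions):
    """Live lookup with boto3 (hypothetical helper; needs AWS credentials)."""
    import boto3  # imported here so the module still runs offline without boto3
    client = boto3.client("securitylake", region_name=ROLLUP_REGION)
    return client.list_data_lakes(regions=list(regions))["dataLakes"]


if __name__ == "__main__":
    for finding in rollup_violations(SAMPLE_DATA_LAKES, EU_REGIONS, ROLLUP_REGION):
        print(finding)
```

Against the constructed sample it reports eu-west-3 (replicating to us-east-1) and eu-central-1 (no roll-up configured); swap `SAMPLE_DATA_LAKES` for `fetch_data_lakes(EU_REGIONS | {"us-east-1"})` to audit a real account.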
