initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,50 @@
+<!-- This readme file is generated with terraform-docs -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| aws | >= 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | >= 5.0 |
+| random | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.replication-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_s3_bucket_replication_configuration.replication-config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |
+| [random_id.rid](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.replication-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_s3_bucket.destination-bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
+| [aws_s3_bucket.source-bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default          | Required |
+|------|-------------|------|------------------|:--------:|
+| destination-bucket-account-id | Account id of destination bucket. | `string` | `"111122223333"` | no |
+| destination-bucket-encryption-key-arn | Encryption key arn for destination bucket | `string` | n/a              | yes |
+| destination-bucket-name | Name of destination bucket | `string` | n/a              | yes |
+| source-bucket-name | Name of source s3 bucket | `string` | n/a              | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| replication-role-arn | n/a |
+ 
+---
+## Authorship
+This module was developed by xpk.
@@ -0,0 +1,152 @@
+# sets up data sources for s3 buckets
+
+data "aws_s3_bucket" "source-bucket" {
+  bucket = var.source-bucket-name
+}
+
+data "aws_s3_bucket" "destination-bucket" {
+  bucket = var.destination-bucket-name
+}
+
+# Create replication role in source account
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["s3.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "replication-role-policy" {
+  statement {
+    sid = "AccessToReplicaBucket"
+    actions = [
+      "s3:ReplicateObject",
+      "s3:ReplicateDelete",
+      "s3:ReplicateTags",
+      "s3:ObjectOwnerOverrideToBucketOwner"
+    ]
+    effect = "Allow"
+    resources = [
+      data.aws_s3_bucket.source-bucket.arn,
+      data.aws_s3_bucket.destination-bucket.arn,
+      "${data.aws_s3_bucket.source-bucket.arn}/*",
+      "${data.aws_s3_bucket.destination-bucket.arn}/*"
+    ]
+  }
+  statement {
+    sid     = "ReadAccessOnSourceBuckets"
+    actions = ["s3:Get*", "s3:List*"]
+    effect  = "Allow"
+    resources = [
+      data.aws_s3_bucket.source-bucket.arn,
+    ]
+  }
+  statement {
+    sid = "ObjectAccessOnSourceBuckets"
+    actions = [
+      "s3:GetObjectVersionForReplication",
+      "s3:GetObjectVersionAcl",
+      "s3:GetObjectVersionTagging"
+    ]
+    effect = "Allow"
+    resources = [
+      "${data.aws_s3_bucket.source-bucket.arn}/*"
+    ]
+  }
+  statement {
+    sid = "DecryptSourceBucketObjects"
+    actions = [
+      "kms:Decrypt"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+  statement {
+    sid = "EncryptReplicaObjects"
+    actions = [
+      "kms:Encrypt"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "random_id" "rid" {
+  byte_length = 4
+}
+
+resource "aws_iam_role" "replication-role" {
+  name               = "BucketReplicationRole${random_id.rid.dec}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+}
+
+resource "aws_iam_role_policy" "role-policy" {
+  name   = "bucket-replication"
+  role   = aws_iam_role.replication-role.id
+  policy = data.aws_iam_policy_document.replication-role-policy.json
+}
+
+# Setup bucket replication
+resource "aws_s3_bucket_replication_configuration" "replication-config" {
+  role   = aws_iam_role.replication-role.arn
+  bucket = var.source-bucket-name
+
+  rule {
+    id = "ReplicateAll"
+
+    status = "Enabled"
+
+    source_selection_criteria {
+      sse_kms_encrypted_objects {
+        status = "Enabled"
+      }
+    }
+
+    # V2 replication configurations
+    delete_marker_replication {
+      status = "Enabled"
+    }
+
+    filter {
+    }
+
+    destination {
+      bucket  = data.aws_s3_bucket.destination-bucket.arn
+      storage_class = "INTELLIGENT_TIERING"
+      account = var.destination-bucket-account-id
+
+      access_control_translation {
+        owner = "Destination"
+      }
+
+      encryption_configuration {
+        replica_kms_key_id = var.destination-bucket-encryption-key-arn
+      }
+
+      replication_time {
+        status = "Enabled"
+        time {
+          minutes = 15
+        }
+      }
+
+      metrics {
+        status = "Enabled"
+        event_threshold {
+          minutes = 15
+        }
+      }
+    }
+  }
+}
+
+resource "aws_s3_object" "test-file" {
+  depends_on = [aws_s3_bucket_replication_configuration.replication-config]
+  bucket     = data.aws_s3_bucket.source-bucket.id
+  key        = "replication-test-file"
+  content    = "If this file shows up in the destination bucket, replication has been successfully configured."
+}
@@ -0,0 +1,3 @@
+output replication-role-arn {
+  value = aws_iam_role.replication-role.arn
+}
@@ -0,0 +1,20 @@
+variable source-bucket-name {
+  type = string
+  description = "Name of source s3 bucket"
+}
+
+variable destination-bucket-name {
+  type = string
+  description = "Name of destination bucket"
+}
+
+variable destination-bucket-account-id {
+  type = string
+  description = "Account id of destination bucket. Defaults to BEA-SYS-LOG-UAT"
+  default = "894849410890"
+}
+
+variable destination-bucket-encryption-key-arn {
+  type = string
+  description = "Encryption key arn for destination bucket"
+}
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}