initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,152 @@
+# sets up data sources for s3 buckets
+
+data "aws_s3_bucket" "source-bucket" {
+  bucket = var.source-bucket-name
+}
+
+data "aws_s3_bucket" "destination-bucket" {
+  bucket = var.destination-bucket-name
+}
+
+# Create replication role in source account
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["s3.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "replication-role-policy" {
+  statement {
+    sid = "AccessToReplicaBucket"
+    actions = [
+      "s3:ReplicateObject",
+      "s3:ReplicateDelete",
+      "s3:ReplicateTags",
+      "s3:ObjectOwnerOverrideToBucketOwner"
+    ]
+    effect = "Allow"
+    resources = [
+      data.aws_s3_bucket.source-bucket.arn,
+      data.aws_s3_bucket.destination-bucket.arn,
+      "${data.aws_s3_bucket.source-bucket.arn}/*",
+      "${data.aws_s3_bucket.destination-bucket.arn}/*"
+    ]
+  }
+  statement {
+    sid     = "ReadAccessOnSourceBuckets"
+    actions = ["s3:Get*", "s3:List*"]
+    effect  = "Allow"
+    resources = [
+      data.aws_s3_bucket.source-bucket.arn,
+    ]
+  }
+  statement {
+    sid = "ObjectAccessOnSourceBuckets"
+    actions = [
+      "s3:GetObjectVersionForReplication",
+      "s3:GetObjectVersionAcl",
+      "s3:GetObjectVersionTagging"
+    ]
+    effect = "Allow"
+    resources = [
+      "${data.aws_s3_bucket.source-bucket.arn}/*"
+    ]
+  }
+  statement {
+    sid = "DecryptSourceBucketObjects"
+    actions = [
+      "kms:Decrypt"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+  statement {
+    sid = "EncryptReplicaObjects"
+    actions = [
+      "kms:Encrypt"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "random_id" "rid" {
+  byte_length = 4
+}
+
+resource "aws_iam_role" "replication-role" {
+  name               = "BucketReplicationRole${random_id.rid.dec}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+}
+
+resource "aws_iam_role_policy" "role-policy" {
+  name   = "bucket-replication"
+  role   = aws_iam_role.replication-role.id
+  policy = data.aws_iam_policy_document.replication-role-policy.json
+}
+
+# Setup bucket replication
+resource "aws_s3_bucket_replication_configuration" "replication-config" {
+  role   = aws_iam_role.replication-role.arn
+  bucket = var.source-bucket-name
+
+  rule {
+    id = "ReplicateAll"
+
+    status = "Enabled"
+
+    source_selection_criteria {
+      sse_kms_encrypted_objects {
+        status = "Enabled"
+      }
+    }
+
+    # V2 replication configurations
+    delete_marker_replication {
+      status = "Enabled"
+    }
+
+    filter {
+    }
+
+    destination {
+      bucket  = data.aws_s3_bucket.destination-bucket.arn
+      storage_class = "INTELLIGENT_TIERING"
+      account = var.destination-bucket-account-id
+
+      access_control_translation {
+        owner = "Destination"
+      }
+
+      encryption_configuration {
+        replica_kms_key_id = var.destination-bucket-encryption-key-arn
+      }
+
+      replication_time {
+        status = "Enabled"
+        time {
+          minutes = 15
+        }
+      }
+
+      metrics {
+        status = "Enabled"
+        event_threshold {
+          minutes = 15
+        }
+      }
+    }
+  }
+}
+
+resource "aws_s3_object" "test-file" {
+  depends_on = [aws_s3_bucket_replication_configuration.replication-config]
+  bucket     = data.aws_s3_bucket.source-bucket.id
+  key        = "replication-test-file"
+  content    = "If this file shows up in the destination bucket, replication has been successfully configured."
+}