
Commit 6eda2a8

VED-1005: Manage S3 replication config in Terraform. (#1097)
* VED-1005: Manage S3 replication config in Terraform. * VED-1005: Use more descriptive policy names.
1 parent da273a6 commit 6eda2a8


2 files changed

+143
-0
lines changed


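--- a/infrastructure/account/s3_source_bucket.tf
+++ b/infrastructure/account/s3_source_bucket.tf
@@ -71,3 +71,63 @@ resource "aws_s3_bucket_lifecycle_configuration" "datasources_lifecycle" {
 }
 }
 }
+
+data "aws_iam_policy_document" "replication_assume_role" {
+count = var.blue_green_split ? 1 : 0
+
+statement {
+effect = "Allow"
+
+principals {
+type = "Service"
+identifiers = ["s3.amazonaws.com"]
+}
+
+actions = ["sts:AssumeRole"]
+}
+}
+
+resource "aws_iam_role" "replication" {
+count = var.blue_green_split ? 1 : 0
+name = "immunisation-batch-${var.environment}-replication"
+assume_role_policy = data.aws_iam_policy_document.replication_assume_role[0].json
+}
+
+data "aws_iam_policy_document" "replication_allow_source" {
+count = var.blue_green_split ? 1 : 0
+
+statement {
+effect = "Allow"
+
+actions = [
+"s3:GetReplicationConfiguration",
+"s3:ListBucket",
+]
+
+resources = [aws_s3_bucket.batch_data_source_bucket[0].arn]
+}
+
+statement {
+effect = "Allow"
+
+actions = [
+"s3:GetObjectVersionForReplication",
+"s3:GetObjectVersionAcl",
+"s3:GetObjectVersionTagging",
+]
+
+resources = ["${aws_s3_bucket.batch_data_source_bucket[0].arn}/*"]
+}
+}
+
+resource "aws_iam_policy" "replication_allow_source" {
+count = var.blue_green_split ? 1 : 0
+name = "allow-replication-from-${var.environment}-data-sources"
+policy = data.aws_iam_policy_document.replication_allow_source[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "replication_allow_source" {
+count = var.blue_green_split ? 1 : 0
+role = aws_iam_role.replication[0].name
+policy_arn = aws_iam_policy.replication_allow_source[0].arn
+}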
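Review bot: The trust policy in `replication_assume_role` lets the `s3.amazonaws.com` service principal assume the role on behalf of any bucket in any account, because the statement carries no `aws:SourceArn`/`aws:SourceAccount` condition — the confused-deputy exposure AWS documents for service-principal trusts. Adding a `condition` on `aws:SourceArn` scoped to the bucket ARN that `replication_allow_source` already references closes it; this assumes the bucket whose replication configuration names this role is `batch_data_source_bucket[0]`, which the hunk does not show, so confirm before applying. If either bucket is SSE-KMS encrypted the role will additionally need `kms:Decrypt` on the source key and `kms:Encrypt`/`kms:GenerateDataKey` on the destination key, which nothing here grants; a comment on `aws_iam_role.replication` such as `# Source-side permissions only; destination policies are attached per instance by name lookup` would also stop someone renaming the role without updating its consumers.
```hcl
data "aws_iam_policy_document" "replication_assume_role" {
  count = var.blue_green_split ? 1 : 0

  statement {
    # … unchanged: effect, principals, actions …

    # Confused-deputy guard: only S3 acting for this source bucket may
    # assume the role, not S3 acting for any bucket in any account.
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.batch_data_source_bucket[0].arn]
    }
  }
}
```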

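--- a/infrastructure/instance/s3_config.tf
+++ b/infrastructure/instance/s3_config.tf
@@ -102,6 +102,89 @@ resource "aws_s3_bucket_lifecycle_configuration" "datasources_lifecycle" {
 }
 }
 
+data "aws_iam_role" "existing_replication_role" {
+count = var.has_sub_environment_scope ? 0 : 1
+name = "immunisation-batch-${var.environment}-replication"
+}
+
+data "aws_iam_policy_document" "replication_allow_destination" {
+count = var.has_sub_environment_scope ? 0 : 1
+
+statement {
+effect = "Allow"
+
+actions = [
+"s3:ReplicateObject",
+"s3:ReplicateDelete",
+"s3:ReplicateTags",
+]
+
+resources = ["${aws_s3_bucket.batch_data_source_bucket.arn}/*"]
+}
+}
+
+resource "aws_iam_policy" "replication_allow_destination" {
+count = var.has_sub_environment_scope ? 0 : 1
+name = "${local.batch_prefix}-destination"
+policy = data.aws_iam_policy_document.replication_allow_destination[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "replication_allow_destination" {
+count = var.has_sub_environment_scope ? 0 : 1
+role = data.aws_iam_role.existing_replication_role[0].name
+policy_arn = aws_iam_policy.replication_allow_destination[0].arn
+}
+
+resource "aws_s3_bucket_replication_configuration" "replication" {
+count = var.has_sub_environment_scope ? 0 : 1
+role = data.aws_iam_role.existing_replication_role[0].arn
+bucket = "immunisation-batch-${local.resource_scope}-data-sources"
+
+rule {
+id = var.sub_environment
+priority = strcontains(var.sub_environment, "blue") ? 0 : 1
+status = "Enabled"
+
+filter {
+prefix = ""
+}
+
+destination {
+bucket = aws_s3_bucket.batch_data_source_bucket.arn
+storage_class = "STANDARD"
+
+replication_time {
+status = "Enabled"
+time {
+minutes = 15
+}
+}
+}
+}
+
+rule {
+id = strcontains(var.sub_environment, "blue") ? replace(var.sub_environment, "blue", "green") : replace(var.sub_environment, "green", "blue")
+priority = strcontains(var.sub_environment, "blue") ? 1 : 0
+status = "Disabled"
+
+filter {
+prefix = ""
+}
+
+destination {
+bucket = strcontains(aws_s3_bucket.batch_data_source_bucket.arn, "blue") ? replace(aws_s3_bucket.batch_data_source_bucket.arn, "blue", "green") : replace(aws_s3_bucket.batch_data_source_bucket.arn, "green", "blue")
+storage_class = "STANDARD"
+
+replication_time {
+status = "Enabled"
+time {
+minutes = 15
+}
+}
+}
+}
+}
+
 resource "aws_s3_bucket" "batch_data_destination_bucket" {
 # Deliberately not using `local.batch_prefix` as we don't want separate blue / green destinations in prod.
 bucket = "immunisation-batch-${local.resource_scope}-data-destinations"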