Adding supporting for s3 bucket replication (#66)

danjbh · web-flow · commit 6613d91f970e · 2020-09-16T10:02:09.000-07:00
diff --git a/README.md b/README.md
@@ -94,12 +94,13 @@ Follow this procedure just once to create your deployment.
     # be bootstrapped according to the simple yet essential procedure in
     # https://github.com/cloudposse/terraform-aws-tfstate-backend#usage
     module "terraform_state_backend" {
-      source        = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
-      namespace     = "eg"
-      stage         = "test"
-      name          = "terraform"
-      attributes    = ["state"]
-      region        = "us-east-1"
+      source     = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
+      namespace  = "eg"
+      stage      = "test"
+      name       = "terraform"
+      attributes = ["state"]
+      region     = "us-east-1"
+
       terraform_backend_config_file_path = "."
       terraform_backend_config_file_name = "backend.tf"
       force_destroy                      = false
@@ -174,6 +175,28 @@ Follow this procedure to delete your deployment.
 
 ![s3-bucket-with-terraform-state](images/s3-bucket-with-terraform-state.png)
 
+### Bucket Replication (Disaster Recovery)
+
+To enable S3 bucket replication in this module, set `s3_replication_enabled` to `true` and populate `s3_replica_bucket_arn` with the ARN of an existing bucket.
+
+   ```hcl
+    module "terraform_state_backend" {
+      source     = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
+      namespace  = "eg"
+      stage      = "test"
+      name       = "terraform"
+      attributes = ["state"]
+      region     = "us-east-1"
+
+      terraform_backend_config_file_path = "."
+      terraform_backend_config_file_name = "backend.tf"
+      force_destroy                      = false
+
+      s3_replication_enabled = true
+      s3_replica_bucket_arn  = "arn:aws:s3:::eg-test-terraform-tfstate-replica"
+    }
+   ```
+
 
 
 
@@ -241,6 +264,8 @@ Available targets:
 | restrict\_public\_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket | `bool` | `true` | no |
 | role\_arn | The role to be assumed | `string` | `""` | no |
 | s3\_bucket\_name | S3 bucket name. If not provided, the name will be generated by the label module in the format namespace-stage-name | `string` | `""` | no |
+| s3\_replica\_bucket\_arn | The ARN of the S3 replica bucket (destination) | `string` | `""` | no |
+| s3\_replication\_enabled | Set this to true and specify `s3_replica_bucket_arn` to enable replication | `bool` | `false` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `""` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
 | terraform\_backend\_config\_file\_name | Name of terraform backend config file | `string` | `"terraform.tf"` | no |
diff --git a/README.yaml b/README.yaml
@@ -68,12 +68,13 @@ usage: |-
       # be bootstrapped according to the simple yet essential procedure in
       # https://github.com/cloudposse/terraform-aws-tfstate-backend#usage
       module "terraform_state_backend" {
-        source        = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
-        namespace     = "eg"
-        stage         = "test"
-        name          = "terraform"
-        attributes    = ["state"]
-        region        = "us-east-1"
+        source     = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
+        namespace  = "eg"
+        stage      = "test"
+        name       = "terraform"
+        attributes = ["state"]
+        region     = "us-east-1"
+
         terraform_backend_config_file_path = "."
         terraform_backend_config_file_name = "backend.tf"
         force_destroy                      = false
@@ -148,6 +149,27 @@ usage: |-
 
   ![s3-bucket-with-terraform-state](images/s3-bucket-with-terraform-state.png)
 
+  ### Bucket Replication (Disaster Recovery)
+  
+  To enable S3 bucket replication in this module, set `s3_replication_enabled` to `true` and populate `s3_replica_bucket_arn` with the ARN of an existing bucket.
+
+     ```hcl
+      module "terraform_state_backend" {
+        source     = "git::https://github.com/cloudposse/terraform-aws-tfstate-backend.git?ref=master"
+        namespace  = "eg"
+        stage      = "test"
+        name       = "terraform"
+        attributes = ["state"]
+        region     = "us-east-1"
+
+        terraform_backend_config_file_path = "."
+        terraform_backend_config_file_name = "backend.tf"
+        force_destroy                      = false
+
+        s3_replication_enabled = true
+        s3_replica_bucket_arn  = "arn:aws:s3:::eg-test-terraform-tfstate-replica"
+      }
+     ```
 
 include:
   - "docs/targets.md"
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -48,6 +48,8 @@
 | restrict\_public\_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket | `bool` | `true` | no |
 | role\_arn | The role to be assumed | `string` | `""` | no |
 | s3\_bucket\_name | S3 bucket name. If not provided, the name will be generated by the label module in the format namespace-stage-name | `string` | `""` | no |
+| s3\_replica\_bucket\_arn | The ARN of the S3 replica bucket (destination) | `string` | `""` | no |
+| s3\_replication\_enabled | Set this to true and specify `s3_replica_bucket_arn` to enable replication | `bool` | `false` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `""` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
 | terraform\_backend\_config\_file\_name | Name of terraform backend config file | `string` | `"terraform.tf"` | no |
diff --git a/main.tf b/main.tf
@@ -141,6 +141,24 @@ resource "aws_s3_bucket" "default" {
     }
   }
 
+  dynamic "replication_configuration" {
+    for_each = var.s3_replication_enabled ? toset([var.s3_replica_bucket_arn]) : []
+    content {
+      role = aws_iam_role.replication[0].arn
+
+      rules {
+        id     = module.base_label.id
+        prefix = ""
+        status = "Enabled"
+
+        destination {
+          bucket        = var.s3_replica_bucket_arn
+          storage_class = "STANDARD"
+        }
+      }
+    }
+  }
+
   tags = module.s3_bucket_label.tags
 }
 
diff --git a/replication.tf b/replication.tf
@@ -0,0 +1,66 @@
+resource "aws_iam_role" "replication" {
+  count = var.s3_replication_enabled ? 1 : 0
+
+  name               = format("%s-replication", module.base_label.id)
+  assume_role_policy = data.aws_iam_policy_document.replication_sts[0].json
+}
+
+data "aws_iam_policy_document" "replication_sts" {
+  count = var.s3_replication_enabled ? 1 : 0
+
+  statement {
+    sid    = "AllowPrimaryToAssumeServiceRole"
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole"
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["s3.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "replication" {
+  count = var.s3_replication_enabled ? 1 : 0
+
+  name   = format("%s-replication", module.base_label.id)
+  policy = data.aws_iam_policy_document.replication[0].json
+}
+
+data "aws_iam_policy_document" "replication" {
+  count = var.s3_replication_enabled ? 1 : 0
+
+  statement {
+    sid    = "AllowPrimaryToGetReplicationConfiguration"
+    effect = "Allow"
+    actions = [
+      "s3:Get*",
+      "s3:ListBucket"
+    ]
+    resources = [
+      aws_s3_bucket.default.arn,
+      "${aws_s3_bucket.default.arn}/*"
+    ]
+  }
+
+  statement {
+    sid    = "AllowPrimaryToReplicate"
+    effect = "Allow"
+    actions = [
+      "s3:ReplicateObject",
+      "s3:ReplicateDelete",
+      "s3:ReplicateTags",
+      "s3:GetObjectVersionTagging"
+    ]
+
+    resources = ["${var.s3_replica_bucket_arn}/*"]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "replication" {
+  count      = var.s3_replication_enabled ? 1 : 0
+  role       = aws_iam_role.replication[0].name
+  policy_arn = aws_iam_policy.replication[0].arn
+}
diff --git a/variables.tf b/variables.tf
@@ -227,3 +227,15 @@ variable "s3_bucket_name" {
   default     = ""
   description = "S3 bucket name. If not provided, the name will be generated by the label module in the format namespace-stage-name"
 }
+
+variable "s3_replication_enabled" {
+  type        = bool
+  default     = false
+  description = "Set this to true and specify `s3_replica_bucket_arn` to enable replication"
+}
+
+variable "s3_replica_bucket_arn" {
+  type        = string
+  default     = ""
+  description = "The ARN of the S3 replica bucket (destination)"
+}
