S3 buckets 使用 terraform 进行双向复制

Question

Using terraform, I'm trying to create two s3 buckets, that each replicate back to each other. This causes a dependency cycle. I'm not sure how to handle this in terraform.

One solution I thought of is possibly split it into two sets of terraform scripts, one to create the two buckets, and then a second to modify those buckets adding the replication rules.

Is there another way to handle this scenario?

Answer 1

Solution for you is described for you. It has some issues with data consistency but works very well.

So basically let's assume you have 2 buckets in 2 separated regions:

• bucket1-us-east-1
• bucket1-us-west-2

To two way replicate you need to setup replication from bucket1-us-east-1 to bucket1-us-west-2 . Then setup replication from bucket1-us-west-2 to bucket1-us-east-1

Terraform solution

There is a problem with circular dependency, so you need to create resources first in one place then you need to enable replication for them:

resource "aws_s3_bucket" "west" {
    provider = "aws.west"
    bucket   = "bucket1-us-west-2"
    region   = "us-west-2"
    acl      = "private"

    versioning {
        enabled = true
    }

  replication_configuration {
    role = "${aws_iam_role.some_replication_role.arn}"

    rules {
      id     = "replicate_all"
      prefix = ""
      status = "Enabled"

      destination {
        bucket        = "arn:aws:s3:::bucket1-us-east-1"
        storage_class = "STANDARD"
      }
    }
  }

}

resource "aws_s3_bucket" "east" {
    provider = "aws.east"
    bucket   = "bucket1-us-east-1"
    region   = "us-east-1"
    acl      = "private"

    versioning {
        enabled = true
    }

  replication_configuration {
    role = "${aws_iam_role.some_replication_role.arn}"

    rules {
      id     = "replicate_all"
      prefix = ""
      status = "Enabled"

      destination {
        bucket        = "arn:aws:s3:::bucket1-us-west-2"
        storage_class = "STANDARD"
      }
    }
  }

}

References

• Official AWS docs: https://aws.amazon.com/about-aws/whats-new/2020/12/amazon-s3-replication-adds-support-two-way-replication/
• Labs for your use-case: https://wellarchitectedlabs.com/reliability/200_labs/200_bidirectional_replication_for_s3/

Answer 2

This is supported in AWS Terraform Provider version 4 (released Feb 2022) by separating out the replication configuration as a separate resource. From the provider documentation :

# ... other configuration ...

resource "aws_s3_bucket" "east" {
  bucket = "tf-test-bucket-east-12345"
}

resource "aws_s3_bucket_versioning" "east" {
  bucket = aws_s3_bucket.east.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket" "west" {
  provider = aws.west
  bucket   = "tf-test-bucket-west-12345"
}

resource "aws_s3_bucket_versioning" "west" {
  provider = aws.west

  bucket = aws_s3_bucket.west.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_replication_configuration" "east_to_west" {
  # Must have bucket versioning enabled first
  depends_on = [aws_s3_bucket_versioning.east]

  role   = aws_iam_role.east_replication.arn
  bucket = aws_s3_bucket.east.id

  rule {
    id = "foobar"

    filter {
      prefix = "foo"
    }

    status = "Enabled"

    destination {
      bucket        = aws_s3_bucket.west.arn
      storage_class = "STANDARD"
    }
  }
}

resource "aws_s3_bucket_replication_configuration" "west_to_east" {
  provider = aws.west
  # Must have bucket versioning enabled first
  depends_on = [aws_s3_bucket_versioning.west]

  role   = aws_iam_role.west_replication.arn
  bucket = aws_s3_bucket.west.id

  rule {
    id = "foobar"

    filter {
      prefix = "foo"
    }

    status = "Enabled"

    destination {
      bucket        = aws_s3_bucket.east.arn
      storage_class = "STANDARD"
    }
  }
}