
S3 Cross region replication using Terraform

I was using Terraform to setup S3 buckets (different region) and set up replication between them.

It was working properly until I added KMS in it.

I created 2 KMS keys one for source and one for destination.

Now while applying replication configuration, there is an option to pass destination key for destination bucket but I am not sure how to apply key at the source.

Any help would be appreciated.

provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

resource "aws_s3_bucket" "destination-bucket" {
  bucket   = "destination-bucket"
  provider = "aws.east"
  acl      = "private"
  region   = "us-east-1"

  versioning {
    enabled = true
  }

  # Replicas land here encrypted with the destination-region CMK
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_cmk_dest_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

resource "aws_s3_bucket" "source-bucket" {
  bucket = "source-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  # Objects written to the source bucket are encrypted with the source CMK
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_cmk_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }

  replication_configuration {
    role = "${aws_iam_role.replication.arn}"

    rules {
      status = "Enabled"

      destination {
        # Replicate into the destination bucket, re-encrypting with the destination CMK
        bucket             = "${aws_s3_bucket.destination-bucket.arn}"
        storage_class      = "STANDARD"
        replica_kms_key_id = "${var.kms_cmk_dest_arn}"
      }

      # Without this, SSE-KMS encrypted objects are skipped by replication
      source_selection_criteria {
        sse_kms_encrypted_objects {
          enabled = true
        }
      }
    }
  }
}

resource "aws_iam_role" "replication" {
  name                 = "cdd-iam-role-replication"
  permissions_boundary = "arn:aws:iam::${var.account_id}:policy/ServiceRoleBoundary"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy" "replication" {
  name = "cdd-iam-role-policy-replication"
  role = "${aws_iam_role.replication.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source-bucket.arn}"
      ]
    },
    {
      "Action": [
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source-bucket.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.destination-bucket.arn}/*"
    }
  ]
}
POLICY
}

In case you're using a Customer Managed Key (CMK) for S3 encryption, you need extra configuration. AWS S3 Documentation mentions that the CMK owner must grant the source bucket owner permission to use the CMK.

https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-config-for-kms-objects.html#replication-kms-cross-acct-scenario

Also, a good article to summarize the S3 cross region replication configuration:

https://medium.com/@devopslearning/100-days-of-devops-day-44-s3-cross-region-replication-crr-8c58ae8c68d4

If I understand you correctly, you've got two S3 Buckets in two different regions within the same account.

One way I've done this in the past is to plan/apply the KMS keys to both regions first.

Then on a separate plan/apply, I used Terraform's data sources:

# Source-region key, looked up by alias in the default provider's region
data "aws_kms_key" "source_credentials_encryption_key" {
  key_id = "alias/source-encryption-key"
}

# Destination-region key, looked up through the aliased us-east provider
data "aws_kms_key" "destination_credentials_encryption_key" {
  provider = aws.usEast
  key_id   = "alias/destination-encryption-key"
}

And used the data source for the replication configuration like so:

replication_configuration {
  role = aws_iam_role.replication_role.arn

  rules {
    status = "Enabled"

    destination {
      # Replicas go to the destination bucket, encrypted with the destination key
      bucket             = aws_s3_bucket.destination_bucket.arn
      storage_class      = "STANDARD"
      replica_kms_key_id = data.aws_kms_key.destination_credentials_encryption_key.arn
    }

    # Required so that SSE-KMS encrypted source objects are replicated at all
    source_selection_criteria {
      sse_kms_encrypted_objects {
        enabled = true
      }
    }
  }
}
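The piece neither snippet shows is the KMS side of the replication role: S3 assumes that role to decrypt each source object with the source CMK and to re-encrypt the replica with the destination CMK, so the role's policy needs `kms:Decrypt` on the source key and `kms:Encrypt` on the destination key. The following is an added example (not from either answer); it assumes the `source_bucket`, `destination_bucket`, `replication_role` and `aws_kms_key` data source names from the answer above, and the bucket regions named in the comments.

```hcl
# Added example: KMS permissions for the replication role (assumed names).
resource "aws_iam_role_policy" "replication_kms" {
  name = "replication-kms-policy"            # assumed name
  role = aws_iam_role.replication_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Read side: decrypt SSE-KMS objects in the source bucket with the
        # source CMK, but only when S3 in the source region asks on behalf
        # of objects from that bucket (encryption context check).
        Effect   = "Allow"
        Action   = ["kms:Decrypt"]
        Resource = [data.aws_kms_key.source_credentials_encryption_key.arn]
        Condition = {
          StringLike = {
            "kms:ViaService"                   = "s3.us-west-2.amazonaws.com" # source bucket region (assumed)
            "kms:EncryptionContext:aws:s3:arn" = ["${aws_s3_bucket.source_bucket.arn}/*"]
          }
        }
      },
      {
        # Write side: encrypt replicas with the destination CMK, scoped the
        # same way to S3 in the destination region and the destination bucket.
        Effect   = "Allow"
        Action   = ["kms:Encrypt"]
        Resource = [data.aws_kms_key.destination_credentials_encryption_key.arn]
        Condition = {
          StringLike = {
            "kms:ViaService"                   = "s3.us-east-1.amazonaws.com" # destination bucket region
            "kms:EncryptionContext:aws:s3:arn" = ["${aws_s3_bucket.destination_bucket.arn}/*"]
          }
        }
      }
    ]
  })
}
```

If either CMK's key policy does not delegate permissions to IAM in the account (the default key policy does), the key policy itself must additionally allow the replication role, which is the cross-account case the first answer links to.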
