I was using Terraform to set up S3 buckets (in different regions) and set up replication between them.
It was working properly until I added KMS to it.
I created two KMS keys, one for the source and one for the destination.
Now, while applying the replication configuration, there is an option to pass the destination key for the destination bucket, but I am not sure how to apply the key at the source.
Any help would be appreciated.
```hcl
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

resource "aws_s3_bucket" "destination-bucket" {
  bucket   = "destination-bucket"
  provider = "aws.east"
  acl      = "private"
  region   = "us-east-1"

  versioning {
    enabled = true
  }

  # Default SSE-KMS encryption with the destination-region key.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_cmk_dest_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

resource "aws_s3_bucket" "source-bucket" {
  bucket = "source-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  # Default SSE-KMS encryption for new objects written to the source bucket.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_cmk_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }

  replication_configuration {
    role = "${aws_iam_role.replication.arn}"

    rules {
      status = "Enabled"

      destination {
        # Replicate into the destination bucket; replicas are re-encrypted with the destination-region key.
        bucket             = "${aws_s3_bucket.destination-bucket.arn}"
        storage_class      = "STANDARD"
        replica_kms_key_id = "${var.kms_cmk_dest_arn}"
      }

      # Without this, objects encrypted with SSE-KMS are skipped by replication.
      source_selection_criteria {
        sse_kms_encrypted_objects {
          enabled = true
        }
      }
    }
  }
}

resource "aws_iam_role" "replication" {
  name                 = "cdd-iam-role-replication"
  permissions_boundary = "arn:aws:iam::${var.account_id}:policy/ServiceRoleBoundary"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy" "replication" {
  name = "cdd-iam-role-policy-replication"
  role = "${aws_iam_role.replication.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source-bucket.arn}"
      ]
    },
    {
      "Action": [
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source-bucket.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.destination-bucket.arn}/*"
    }
  ]
}
POLICY
}
```
In case you're using a Customer Managed Key (CMK) for S3 encryption, you need extra configuration. The AWS S3 documentation mentions that the CMK owner must grant the source bucket owner permission to use the CMK.
Also, a good article summarizing the S3 cross-region replication configuration:
If I understand you correctly, you've got two S3 buckets in two different regions within the same account.
One way I've done this in the past is to plan/apply the KMS keys to both regions first.
Then, in a separate plan/apply, I used Terraform's data sources:
```hcl
# Look up the source-region key by alias (default provider region).
data "aws_kms_key" "source_credentials_encryption_key" {
  key_id = "alias/source-encryption-key"
}

# Look up the destination-region key through the aliased provider.
data "aws_kms_key" "destination_credentials_encryption_key" {
  provider = aws.usEast
  key_id   = "alias/destination-encryption-key"
}
```
And used the data source for the replication configuration like so:
```hcl
replication_configuration {
  role = aws_iam_role.replication_role.arn

  rules {
    status = "Enabled"

    destination {
      # Target bucket resource (name assumed); replicas are re-encrypted with the destination-region key.
      bucket             = aws_s3_bucket.destination_bucket.arn
      storage_class      = "STANDARD"
      replica_kms_key_id = data.aws_kms_key.destination_credentials_encryption_key.arn
    }

    # Required so that SSE-KMS encrypted source objects are replicated.
    source_selection_criteria {
      sse_kms_encrypted_objects {
        enabled = true
      }
    }
  }
}
```
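Both answers point at the same missing piece without showing it: the replication role (not the bucket) is what "uses the key at the source". S3 assumes the role, decrypts each source object with the source-region key, and re-encrypts the replica with the destination-region key, so the role needs `kms:Decrypt` on the source key and `kms:Encrypt` on the destination key, scoped to calls made by S3 for those two buckets. The following is an added example, not code from the question or either answer. It assumes the provider alias `aws.usEast`, the key aliases and the role `aws_iam_role.replication_role` from the answer above, and bucket resources named `aws_s3_bucket.source_bucket` and `aws_s3_bucket.destination_bucket`.

```hcl
# Added example: KMS permissions for the S3 replication role.
# Assumed names: provider alias aws.usEast, aws_iam_role.replication_role,
# aws_s3_bucket.source_bucket and aws_s3_bucket.destination_bucket.

# Region of the source bucket (default provider) and of the destination bucket.
data "aws_region" "source" {}

data "aws_region" "destination" {
  provider = aws.usEast
}

data "aws_kms_key" "source_encryption_key" {
  key_id = "alias/source-encryption-key"
}

data "aws_kms_key" "destination_encryption_key" {
  provider = aws.usEast
  key_id   = "alias/destination-encryption-key"
}

data "aws_iam_policy_document" "replication_kms" {
  # Read side: S3, acting as the role, decrypts source objects with the source key.
  statement {
    sid       = "DecryptSourceObjects"
    actions   = ["kms:Decrypt"]
    resources = [data.aws_kms_key.source_encryption_key.arn]

    # Only honour the grant when the caller is S3 in the source region and the
    # encryption context names an object in the source bucket; the role cannot
    # use the key from anywhere else.
    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${data.aws_region.source.name}.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values   = ["${aws_s3_bucket.source_bucket.arn}/*"]
    }
  }

  # Write side: replicas are re-encrypted with the destination-region key.
  statement {
    sid       = "EncryptReplicas"
    actions   = ["kms:Encrypt"]
    resources = [data.aws_kms_key.destination_encryption_key.arn]

    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${data.aws_region.destination.name}.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values   = ["${aws_s3_bucket.destination_bucket.arn}/*"]
    }
  }
}

# Attach alongside the existing s3:* replication policy on the same role.
resource "aws_iam_role_policy" "replication_kms" {
  name   = "replication-kms"
  role   = aws_iam_role.replication_role.id
  policy = data.aws_iam_policy_document.replication_kms.json
}
```

The IAM policy is sufficient only because both keys live in the same account and their key policies contain the default statement that delegates access decisions to IAM. If the destination key belongs to another account (the case the first answer's "CMK owner must grant permission" sentence is about), the key policy on that key must itself allow `kms:Encrypt` to the replication role's ARN; no IAM policy in the source account can grant it. Note also that `replica_kms_key_id` must be a key in the destination bucket's region, and that the `kms:ViaService` and encryption-context conditions are what keep this role from becoming a general-purpose decryptor for the source key if it is ever misused.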