updates

.github/workflows/release.yml

@@ -0,0 +1,41 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - '*.*.*'
+ pull_request:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set env
+ run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+
+ - name: Package
+ run: |
+ echo packaging...
+ tar -czf terraform-s3-mrap-${{ env.RELEASE_VERSION }}.tar.gz terraform labfiles
+
+ - name: Upload Artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: terraform-s3-mrap-${{ env.RELEASE_VERSION }}
+ path: terraform-s3-mrap-${{ env.RELEASE_VERSION }}.tar.gz
+
+ - name: Make Release
+ uses: softprops/[email protected]
+ if: startsWith(github.ref, 'refs/tags/')
+ with:
+ name: terraform-s3-${{ env.RELEASE_VERSION }}.tar.gz
+ files: |
+ terraform-s3-${{ env.RELEASE_VERSION }}.tar.gz
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,4 @@
+terraform.tfstate
+terraform.tfstate.backup
+.terraform.lock.hcl
+.terraform/

terraform/main.tf

@@ -0,0 +1,105 @@
+locals {
+ run_id = "prod"
+}
+
+module "role-s3-replication" {
+ source = "./modules/role"
+
+ saml_enabled = false
+ assumable_service = ["s3.amazonaws.com"]
+ name = "s3-replication"
+}
+
+module "kms-source" {
+ source = "./modules/kms"
+
+ kms_key_alias = join("", ["bucket-key-replication-source-kms", local.run_id])
+ kms_key_description = "Example KMS key for source S3 bucket"
+}
+
+module "kms-dest" {
+ providers = {
+ aws = aws.us-west-2
+ }
+ source = "./modules/kms"
+
+ kms_key_alias = join("", ["bucket-key-replication-dest-kms", local.run_id])
+ kms_key_description = "Example KMS key for destination S3 bucket"
+}
+
+module "s3-source" {
+ source = "./modules/s3"
+
+ kms_key_arn = module.kms-source.kms_key_arn
+ apply_bucket_request_metrics = true
+ core_backups_retention = "NOBACKUP"
+
+ ########################################################################
+ # uncomment the below code only after the creation of buckets in step 1
+ ########################################################################
+ replication_role_arns = [module.role-s3-replication.role_arn]
+
+ replication_configuration = {
+ role_name = module.role-s3-replication.role_name
+ rules = [
+ {
+ id = "bar"
+ status = "Enabled"
+ priority = 1
+
+ destination = {
+ bucket = "DESTINATION_BUCKET_ARN_GOES_HERE"
+ storage_class = "STANDARD"
+ replica_kms_key_id = "DESTINATION_KMS_KEY_ARN_GOES_HERE"
+ }
+
+ filter = {
+ prefix = "logs"
+ tags = {
+ ReplicateMe = "Yes"
+ }
+ }
+ }
+ ]
+ }
+}
+
+module "s3-dest" {
+ providers = {
+ aws = aws.us-west-2
+ }
+ source = "./modules/s3"
+
+ kms_key_arn = module.kms-dest.kms_key_arn
+ apply_bucket_request_metrics = true
+ core_backups_retention = "NOBACKUP"
+
+ ############################################################################
+ #uncomment the below code only after provisioning of the bucket in step 1
+ ############################################################################
+ replication_role_arns = [module.role-s3-replication.role_arn]
+
+ replication_configuration = {
+ role_name = module.role-s3-replication.role_name
+ rules = [
+ {
+ id = "bar"
+ status = "Enabled"
+ priority = 1
+
+ destination = {
+ bucket = "SOURCE_BUCKET_ARN_GOES_HERE"
+ storage_class = "STANDARD"
+ replica_kms_key_id = "SOURCE_KMS_KEY_ARN_GOES_HERE"
+ }
+
+ filter = {
+ prefix = "logs"
+ tags = {
+ ReplicateMe = "Yes"
+ }
+ }
+ }
+ ]
+ }
+}

terraform/modules/kms/main.tf

@@ -0,0 +1,19 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.50.0"
+ }
+ }
+}
+
+resource "aws_kms_key" "key" {
+ description = var.kms_key_description
+ key_usage = "ENCRYPT_DECRYPT"
+ deletion_window_in_days = 7
+}
+
+resource "aws_kms_alias" "alias" {
+ name = "alias/${var.kms_key_alias}"
+ target_key_id = aws_kms_key.key.key_id
+}

terraform/modules/kms/outputs.tf

@@ -0,0 +1,3 @@
+output "kms_key_arn" {
+ value = aws_kms_key.key.arn
+}

terraform/modules/kms/vars.tf

@@ -0,0 +1,14 @@
+# variable "version" {
+# description = "The module version"
+# type = string
+# }
+
+variable "kms_key_alias" {
+ description = "The alias for the KMS key"
+ type = string
+}
+
+variable "kms_key_description" {
+ description = "The description for the KMS key"
+ type = string
+}

terraform/modules/role/main.tf

@@ -0,0 +1,74 @@
+resource "aws_iam_role" "s3_replication" {
+ name = "${var.name}_repl_role"
+
+ assume_role_policy = <<POLICY
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "Service": ${jsonencode(var.assumable_service)}
+ },
+ "Effect": "Allow",
+ "Sid": ""
+ }
+ ]
+}
+POLICY
+}
+
+resource "aws_iam_policy" "s3_replication" {
+ name = "${var.name}_repl_policy"
+
+ policy = <<POLICY
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "s3:GetReplicationConfiguration",
+ "s3:ListBucket"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "s3:GetObjectVersionForReplication",
+ "s3:GetObjectVersionAcl",
+ "s3:GetObjectVersionTagging"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Action": [
+ "s3:ReplicateObject",
+ "s3:ReplicateDelete",
+ "s3:ReplicateTags"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "s3:*",
+ "kms:*"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "s3_replication" {
+ role = aws_iam_role.s3_replication.name
+ policy_arn = aws_iam_policy.s3_replication.arn
+}

terraform/modules/role/outputs.tf

@@ -0,0 +1,7 @@
+output "role_name" {
+ value = aws_iam_role.s3_replication.name
+}
+
+output "role_arn" {
+ value = aws_iam_role.s3_replication.arn
+}

terraform/modules/role/vars.tf

@@ -0,0 +1,19 @@
+# variable "version" {
+# description = "The module version"
+# type = string
+# }
+
+variable "saml_enabled" {
+ description = "Whether SAML is enabled"
+ type = bool
+}
+
+variable "assumable_service" {
+ description = "The services that can assume the role"
+ type = list(string)
+}
+
+variable "name" {
+ description = "The name of the role"
+ type = string
+}