# Second AWS provider configuration, addressed as aws.replica, which places
# the resources that use it in us-west-2 (the replica side of this layout).
provider "aws" {
  region = "us-west-2"
  alias  = "replica"
}
# Primary bucket: the replication source. Versioning is on because S3
# replication requires it on both ends, and objects are encrypted with SSE-KMS
# under aws_kms_key.primary (declared outside this snippet).
# NOTE(review): no `providers` map is passed, so this module uses the default
# aws provider; the bucket name implies us-east-1 — confirm the default
# provider's region matches.
module "source_bucket" {
  source  = "registry.patterneddesigns.ca/essentials/s3-bucket/aws"
  version = "3.0.0" # exact pin, so a module upgrade is an explicit, reviewable change

  bucket_name        = "data-primary-us-east-1"
  versioning_enabled = true

  encryption_type = "aws:kms"
  kms_key_arn     = aws_kms_key.primary.arn
}
# Replica bucket: the replication destination, created through the aws.replica
# provider (us-west-2). Versioning is on because S3 replication requires it on
# the destination as well as the source.
# NOTE(review): KMS keys are regional, so aws_kms_key.replica (declared outside
# this snippet) must also be created with the aws.replica provider — confirm.
module "replica_bucket" {
  source  = "registry.patterneddesigns.ca/essentials/s3-bucket/aws"
  version = "3.0.0" # exact pin, so a module upgrade is an explicit, reviewable change

  providers = {
    aws = aws.replica
  }

  bucket_name        = "data-replica-us-west-2"
  versioning_enabled = true

  encryption_type = "aws:kms"
  kms_key_arn     = aws_kms_key.replica.arn
}
# Role that the S3 service assumes to copy objects from the source bucket to
# the replica. Only the trust policy is defined here; no permissions policy is
# attached within this snippet.
# NOTE(review): confirm the permissions attached elsewhere are limited to the
# two buckets and the two KMS keys (decrypt with the primary key, encrypt with
# the replica key) rather than wildcard resources.
# NOTE(review): the trust statement carries no Condition. If S3 supplies
# aws:SourceAccount when assuming a replication role in this setup, adding that
# condition would tie the role to this account — verify before applying.
resource "aws_iam_role" "replication" {
  name = "s3-replication-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "s3.amazonaws.com" }
      }
    ]
  })
}
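# Cross-region replication from the primary bucket to the replica bucket,
# carried out by S3 under aws_iam_role.replication.
resource "aws_s3_bucket_replication_configuration" "main" {
  # S3 rejects a replication configuration unless versioning is already enabled
  # on both buckets. The module internals are not visible here, so referencing
  # the bucket_id / bucket_arn outputs alone may not order this resource after
  # the versioning settings; depend on both modules as a whole.
  depends_on = [module.source_bucket, module.replica_bucket]

  bucket = module.source_bucket.bucket_id
  role   = aws_iam_role.replication.arn

  # No filter or prefix is set, so the rule applies to every object.
  rule {
    id     = "replicate-all"
    status = "Enabled"

    # SSE-KMS objects are not replicated unless explicitly opted in; the source
    # bucket encrypts with aws:kms, so this selector is required.
    source_selection_criteria {
      sse_kms_encrypted_objects {
        status = "Enabled"
      }
    }

    destination {
      bucket        = module.replica_bucket.bucket_arn
      storage_class = "STANDARD"

      # Replicas are re-encrypted under the replica key, so the replication
      # role needs decrypt on the primary key and encrypt on this one.
      encryption_configuration {
        replica_kms_key_id = aws_kms_key.replica.arn
      }
    }
  }
}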