
feat: do you really need backend replication
morganrowse committed Apr 12, 2023
1 parent ee6bf3e commit c30755a
Showing 1 changed file with 0 additions and 224 deletions.
224 changes: 0 additions & 224 deletions modules/aft-backend/main.tf
Expand Up @@ -16,31 +16,6 @@ resource "aws_s3_bucket" "primary-backend-bucket" {
}
}

resource "aws_s3_bucket_replication_configuration" "primary-backend-bucket-replication" {
provider = aws.primary_region
bucket = aws_s3_bucket.primary-backend-bucket.id
role = aws_iam_role.replication.arn

rule {
id = "0"
priority = "0"
status = "Enabled"
source_selection_criteria {
sse_kms_encrypted_objects {
status = "Enabled"
}
}

destination {
bucket = aws_s3_bucket.secondary-backend-bucket.arn
storage_class = "STANDARD"
encryption_configuration {
replica_kms_key_id = aws_kms_key.encrypt-secondary-region.arn
}
}
}
}

resource "aws_s3_bucket_versioning" "primary-backend-bucket-versioning" {
provider = aws.primary_region
bucket = aws_s3_bucket.primary-backend-bucket.id
Expand Down Expand Up @@ -77,183 +52,6 @@ resource "aws_s3_bucket_public_access_block" "primary-backend-bucket" {
block_public_policy = true
}

resource "aws_s3_bucket" "secondary-backend-bucket" {
provider = aws.secondary_region
bucket = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"
tags = {
"Name" = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"
}
}

resource "aws_s3_bucket_versioning" "secondary-backend-bucket-versioning" {
provider = aws.secondary_region
bucket = aws_s3_bucket.secondary-backend-bucket.id
versioning_configuration {
status = "Enabled"
}
}

resource "aws_s3_bucket_server_side_encryption_configuration" "secondary-backend-bucket-encryption" {
provider = aws.secondary_region
bucket = aws_s3_bucket.secondary-backend-bucket.id

rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.encrypt-secondary-region.arn
sse_algorithm = "aws:kms"
}
}
}

resource "aws_s3_bucket_acl" "secondary-backend-bucket-acl" {
provider = aws.secondary_region
bucket = aws_s3_bucket.secondary-backend-bucket.id
acl = "private"
}



resource "aws_s3_bucket_public_access_block" "secondary-backend-bucket" {
provider = aws.secondary_region

bucket = aws_s3_bucket.secondary-backend-bucket.id

block_public_acls = true
block_public_policy = true
}

resource "aws_iam_role" "replication" {
provider = aws.primary_region
name = "aft-s3-terraform-backend-replication"

assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Effect": "Allow"
}
]
}
POLICY
}

resource "aws_iam_policy" "replication" {
provider = aws.primary_region
name = "aft-s3-terraform-backend-replication-policy"

policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetReplicationConfiguration",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"${aws_s3_bucket.primary-backend-bucket.arn}"
]
},
{
"Action": [
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTagging"
],
"Effect": "Allow",
"Resource": [
"${aws_s3_bucket.primary-backend-bucket.arn}/*"
]
},
{
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags"
],
"Effect": "Allow",
"Condition": {
"StringLikeIfExists": {
"s3:x-amz-server-side-encryption": [
"aws:kms",
"AES256"
],
"s3:x-amz-server-side-encryption-aws-kms-key-id": [
"${aws_kms_key.encrypt-secondary-region.arn}"
]
}
},
"Resource": "${aws_s3_bucket.secondary-backend-bucket.arn}/*"
},
{
"Action": [
"kms:Decrypt"
],
"Effect": "Allow",
"Condition": {
"StringLike": {
"kms:ViaService": "s3.${var.primary_region}.amazonaws.com",
"kms:EncryptionContext:aws:s3:arn": [
"${aws_s3_bucket.primary-backend-bucket.arn}/*"
]
}
},
"Resource": [
"${aws_kms_key.encrypt-primary-region.arn}"
]
},
{
"Action": [
"kms:Encrypt"
],
"Effect": "Allow",
"Condition": {
"StringLike": {
"kms:ViaService": "s3.${var.primary_region}.amazonaws.com",
"kms:EncryptionContext:aws:s3:arn": [
"${aws_s3_bucket.primary-backend-bucket.arn}/*"
]
}
},
"Resource": [
"${aws_kms_key.encrypt-primary-region.arn}"
]
},
{
"Action": [
"kms:Encrypt"
],
"Effect": "Allow",
"Condition": {
"StringLike": {
"kms:ViaService": "s3.${var.secondary_region}.amazonaws.com",
"kms:EncryptionContext:aws:s3:arn": [
"${aws_s3_bucket.secondary-backend-bucket.arn}/*"
]
}
},
"Resource": [
"${aws_kms_key.encrypt-secondary-region.arn}"
]
}
]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "replication" {
provider = aws.primary_region
role = aws_iam_role.replication.name
policy_arn = aws_iam_policy.replication.arn
}


# DynamoDB Resources
resource "aws_dynamodb_table" "lock-table" {
provider = aws.primary_region
Expand All @@ -268,10 +66,6 @@ resource "aws_dynamodb_table" "lock-table" {
type = "S"
}

replica {
region_name = var.secondary_region
}

tags = {
"Name" = "aft-backend-${data.aws_caller_identity.current.account_id}"
}
Expand All @@ -297,21 +91,3 @@ resource "aws_kms_alias" "encrypt-alias-primary-region" {
name = "alias/aft-backend-${data.aws_caller_identity.current.account_id}-kms-key"
target_key_id = aws_kms_key.encrypt-primary-region.key_id
}

resource "aws_kms_key" "encrypt-secondary-region" {
provider = aws.secondary_region

description = "Terraform backend KMS key."
deletion_window_in_days = 30
enable_key_rotation = "true"
tags = {
"Name" = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region-kms-key"
}
}

resource "aws_kms_alias" "encrypt-alias-secondary-region" {
provider = aws.secondary_region

name = "alias/aft-backend-${data.aws_caller_identity.current.account_id}-kms-key"
target_key_id = aws_kms_key.encrypt-secondary-region.key_id
}
