terraforming remote state bucket for lumina

fd42c5f2 · Adrian Horrocks · d77e949b · fd42c5f2 · fd42c5f2 · fd42c5f2
Commit fd42c5f2 authored Aug 08, 2019 by Adrian Horrocks
Hide whitespace changes
Inline Side-by-side

Showing with 94 additions and 1 deletion

README.md README.md +7 -1

s3.tf s3.tf +75 -0

variables.tf variables.tf +12 -0

No files found.
--- a/README.md
+++ b/README.md
@@ -4,11 +4,16 @@ tf_mod_aws_remotestate
 A Terraform module for creating an initial S3 bucket for remote state storage
 and a DynamoDB table for remote state locking.

+Optional cross_account_replication_enabled var for cross account bucket replication
+
 ```
 module "remote_state" {
  source = "git::https://git.steamhaus.co.uk/steamhaus/tf_mod_aws_remotestate"

-  name  = "my-awesome-remote-state"
+  name                               = "my-awesome-remote-state"
+  replication_destination_bucket_arn = "arn:aws:s3:::somebucket"
+  replication_destination_account_id = "someaccountid"
+  cross_account_replication_enabled  = "true"
 }
 ```

@@ -17,3 +22,4 @@ Notes:
 needs to be globally unique.
 - The S3 bucket policy only allows SSE object uploads so ensure Terraform is
 configured with the encryption setting on the S3 backend.
+- The cross_account_replication_enabled default is false.
--- a/s3.tf
+++ b/s3.tf
@@ -6,6 +6,81 @@ resource "aws_s3_bucket" "remote_state" {
    enabled    = true
    mfa_delete = true
  }
+  replication_configuration {
+  role = "${aws_iam_role.replication.arn}"
+
+    rules {
+      id        = "${var.name}-replication"
+      priority  = "1"
+      status    = "Enabled"
+
+      destination {
+        account_id    = "${var.replication_destination_account_id}"
+        bucket        = "${var.replication_destination_bucket_arn}"
+      }
+    }
+  }
+}
+
+resource "aws_iam_role" "replication" {
+  count =  "${var.cross_account_replication_enabled == "true" ? 1 : 0}"
+  name = "${var.name}-replication"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "s3.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_policy" "replication" {
+  count = "${var.cross_account_replication_enabled == "true" ? 1 : 0}"
+  name = "module-remote-state-iam-role-replication"
+
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "s3:Get*",
+                "s3:ListBucket"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+                "arn:aws:s3:::{var.name}",
+                "arn:aws:s3:::{var.name}/*"
+            ]
+        },
+        {
+            "Action": [
+                "s3:ReplicateObject",
+                "s3:ReplicateDelete",
+                "s3:ReplicateTags",
+                "s3:GetObjectVersionTagging"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:s3:::{var.name}-back-up-prod-tf-state/*"
+        }
+    ]
+}
+POLICY
+}
+
+resource "aws_iam_policy_attachment" "remote_state_replication" {
+  name       = "${var.name}-replication-attachment"
+  roles      = ["${aws_iam_role.replication.name}"]
+  policy_arn = "${aws_iam_policy.replication.arn}"
 }

 data "aws_iam_policy_document" "remote_state_always_enc" {

--- a/variables.tf
+++ b/variables.tf
@@ -7,3 +7,15 @@ variable "dynamodb_read_capacity" {
 variable "dynamodb_write_capacity" {
  default = "1"
 }
+
+variable "cross_account_replication_enabled" {
+  default = "false"
+}
+
+variable "replication_destination_bucket_arn"  {
+  default = ""
+}
+
+variable "replication_destination_account_id" {
+  default = ""
+}