terraforming remote state bucket for lumina

README.md

@@ -4,11 +4,16 @@ tf_mod_aws_remotestate
 A Terraform module for creating an initial S3 bucket for remote state storage
 and a DynamoDB table for remote state locking.
 
+Optional cross_account_replication_enabled var for cross account bucket replication
+
 ```
 module "remote_state" {
   source = "git::https://git.steamhaus.co.uk/steamhaus/tf_mod_aws_remotestate"
 
   name                               = "my-awesome-remote-state"
+  replication_destination_bucket_arn = "arn:aws:s3:::somebucket"
+  replication_destination_account_id = "someaccountid"
+  cross_account_replication_enabled  = "true"
 }
 ```
 
@@ -17,3 +22,4 @@ Notes:
 needs to be globally unique.
 - The S3 bucket policy only allows SSE object uploads so ensure Terraform is
 configured with the encryption setting on the S3 backend.
+- The cross_account_replication_enabled default is false.

s3.tf

@@ -6,6 +6,81 @@ resource "aws_s3_bucket" "remote_state" {
     enabled    = true
     mfa_delete = true
   }
+  replication_configuration {
+  role = "${aws_iam_role.replication.arn}"
+
+    rules {
+      id        = "${var.name}-replication"
+      priority  = "1"
+      status    = "Enabled"
+
+      destination {
+        account_id    = "${var.replication_destination_account_id}"
+        bucket        = "${var.replication_destination_bucket_arn}"
+      }
+    }
+  }
+}
+
+resource "aws_iam_role" "replication" {
+  count =  "${var.cross_account_replication_enabled == "true" ? 1 : 0}"
+  name = "${var.name}-replication"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "s3.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_policy" "replication" {
+  count = "${var.cross_account_replication_enabled == "true" ? 1 : 0}"
+  name = "module-remote-state-iam-role-replication"
+
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "s3:Get*",
+                "s3:ListBucket"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+                "arn:aws:s3:::{var.name}",
+                "arn:aws:s3:::{var.name}/*"
+            ]
+        },
+        {
+            "Action": [
+                "s3:ReplicateObject",
+                "s3:ReplicateDelete",
+                "s3:ReplicateTags",
+                "s3:GetObjectVersionTagging"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:s3:::{var.name}-back-up-prod-tf-state/*"
+        }
+    ]
+}
+POLICY
+}
+
+resource "aws_iam_policy_attachment" "remote_state_replication" {
+  name       = "${var.name}-replication-attachment"
+  roles      = ["${aws_iam_role.replication.name}"]
+  policy_arn = "${aws_iam_policy.replication.arn}"
 }
 
 data "aws_iam_policy_document" "remote_state_always_enc" {

variables.tf

@@ -7,3 +7,15 @@ variable "dynamodb_read_capacity" {
 variable "dynamodb_write_capacity" {
   default = "1"
 }
+
+variable "cross_account_replication_enabled" {
+  default = "false"
+}
+
+variable "replication_destination_bucket_arn"  {
+  default = ""
+}
+
+variable "replication_destination_account_id" {
+  default = ""
+}