Enable bucket replication to another account

Signed-off-by: Arthur Diniz <[email protected]>
DNXLabs · Jul 8, 2021 · 8a05fda · 8a05fda
1 parent 53631e4
commit 8a05fda
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 1 deletion.
diff --git a/_variables.tf b/_variables.tf
@@ -89,6 +89,30 @@ variable "obfuscation_scripts_bucket_name" {
   description = "Bucket to store the obfuscations scripts, they should be uploaded inside `/obfuscation` folder."
 }
 
+variable "replicate_obfuscation_bucket" {
+  type        = bool
+  default     = true
+  description = "Replicate data inside the bucket to another acount."
+}
+
+variable "replicate_obfuscation_bucket_prefix" {
+  type        = string
+  default     = "dumps"
+  description = "Name of prefix to replicate inside the bucket to another acount."
+}
+
+variable "replicate_destination_bucket_name" {
+  type        = string
+  default     = ""
+  description = "Name of the bucket to send dumps data from source bucket."
+}
+
+variable "replicate_destination_account_id" {
+  type        = string
+  default     = ""
+  description = "Name of the bucket to send dumps data from source bucket."
+}
+
 variable "application_name" {
   type        = string
   default     = "MASKOPY"

diff --git a/obfuscation_scripts_bucket.tf b/obfuscation_scripts_bucket.tf
@@ -1,5 +1,5 @@
 resource "aws_s3_bucket" "obfuscation_scripts_bucket" {
-  count    = (var.enabled && var.create_obfuscation_scripts_bucket) ? 1 : 0
+  count    = (var.enabled && var.create_obfuscation_scripts_bucket && var.replicate_obfuscation_bucket == false) ? 1 : 0
   provider = aws.staging
 
   bucket = var.obfuscation_scripts_bucket_name

diff --git a/obfuscation_scripts_bucket_replication.tf b/obfuscation_scripts_bucket_replication.tf
@@ -0,0 +1,109 @@
+resource "aws_s3_bucket" "source_snapshot_bucket" {
+  count    = (var.enabled && var.create_obfuscation_scripts_bucket && var.replicate_obfuscation_bucket) ? 1 : 0
+  provider = aws.staging
+
+  bucket   = var.obfuscation_scripts_bucket_name
+  acl      = "private"
+
+  versioning {
+    enabled = true
+  }
+
+  replication_configuration {
+    role = aws_iam_role.replication[0].arn
+
+    rules {
+      id       = "dumps"
+      prefix   = var.replicate_obfuscation_bucket_prefix
+      status   = "Enabled"
+      priority = 0
+
+      destination {
+        bucket        = "arn:aws:s3:::${var.replicate_destination_bucket_name}"
+        storage_class = "STANDARD"
+        account_id    = var.replicate_destination_account_id
+        access_control_translation {
+          owner = "Destination"
+        }
+      }
+    }
+  }
+
+  tags = {
+    Tool = "MASKOPY"
+  }
+}
+
+resource "aws_iam_role" "replication" {
+  count    = (var.enabled && var.create_obfuscation_scripts_bucket && var.replicate_obfuscation_bucket) ? 1 : 0
+
+  name = "${var.obfuscation_scripts_bucket_name}-iam-role-replication"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "s3.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_policy" "replication" {
+  count    = (var.enabled && var.create_obfuscation_scripts_bucket && var.replicate_obfuscation_bucket) ? 1 : 0
+
+  name = "${var.obfuscation_scripts_bucket_name}-iam-role-policy-replication"
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:GetReplicationConfiguration",
+        "s3:ListBucket"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::${var.obfuscation_scripts_bucket_name}"
+      ]
+    },
+    {
+      "Action": [
+        "s3:GetObjectVersionForReplication",
+        "s3:GetObjectVersionAcl",
+        "s3:GetObjectVersionTagging"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::${var.obfuscation_scripts_bucket_name}/*"
+      ]
+    },
+    {
+      "Action": [
+        "s3:ReplicateObject",
+        "s3:ReplicateDelete",
+        "s3:ReplicateTags",
+        "s3:ObjectOwnerOverrideToBucketOwner"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${var.replicate_destination_bucket_name}/*"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "replication" {
+  count    = (var.enabled && var.create_obfuscation_scripts_bucket && var.replicate_obfuscation_bucket) ? 1 : 0
+
+  role       = aws_iam_role.replication[0].name
+  policy_arn = aws_iam_policy.replication[0].arn
+}