From 8a05fda9585470b3b45bc9019186d73906664f50 Mon Sep 17 00:00:00 2001
From: Arthur Diniz
Date: Thu, 8 Jul 2021 09:26:11 -0300
Subject: [PATCH] Enable bucket replication to another account

Signed-off-by: Arthur Diniz
---
 _variables.tf | 24 +++++
 obfuscation_scripts_bucket.tf | 2 +-
 obfuscation_scripts_bucket_replication.tf | 109 ++++++++++++++++++++++
 3 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 obfuscation_scripts_bucket_replication.tf

diff --git a/_variables.tf b/_variables.tf
index 1b0cc42..c4f8428 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -89,6 +89,30 @@ variable "obfuscation_scripts_bucket_name" {
 description = "Bucket to store the obfuscations scripts, they should be uploaded inside `/obfuscation` folder."
 }
 
+variable "replicate_obfuscation_bucket" {
+ type = bool
+ default = true
+ description = "Replicate data inside the bucket to another acount."
+}
+
+variable "replicate_obfuscation_bucket_prefix" {
+ type = string
+ default = "dumps"
+ description = "Name of prefix to replicate inside the bucket to another acount."
+}
+
+variable "replicate_destination_bucket_name" {
+ type = string
+ default = ""
+ description = "Name of the bucket to send dumps data from source bucket."
+}
+
+variable "replicate_destination_account_id" {
+ type = string
+ default = ""
+ description = "Name of the bucket to send dumps data from source bucket."
+}
+
 variable "application_name" {
 type = string
 default = "MASKOPY"
diff --git a/obfuscation_scripts_bucket.tf b/obfuscation_scripts_bucket.tf
index 269aa2b..32ee750 100644
--- a/obfuscation_scripts_bucket.tf
+++ b/obfuscation_scripts_bucket.tf
@@ -1,5 +1,5 @@
 resource "aws_s3_bucket" "obfuscation_scripts_bucket" {
- count = (var.enabled && var.create_obfuscation_scripts_bucket) ? 1 : 0
+ count = (var.enabled && var.create_obfuscation_scripts_bucket && var.replicate_obfuscation_bucket == false) ? 1 : 0
 provider = aws.staging
 
 bucket = var.obfuscation_scripts_bucket_name
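Review bot: `replicate_obfuscation_bucket` defaults to `true` while `replicate_destination_bucket_name` and `replicate_destination_account_id` default to `""`, so a module user who sets none of the new variables gets cross-account replication of the dump prefix switched on toward an empty destination ARN and account id (the new replication resource builds `arn:aws:s3:::${var.replicate_destination_bucket_name}` from these). Sending dumps to another AWS account is a data-egress decision that should be opt-in: change the first variable to `default = false`, and, if the module already requires Terraform 0.13 or later (its `required_version` is not visible here), add a `validation` block that rejects an empty name and requires a 12-digit `replicate_destination_account_id` whenever replication is enabled, so a misconfiguration fails at plan time rather than after the bucket is created. The description of `replicate_destination_account_id` is a copy-paste of the bucket-name description; use `description = "ID of the AWS account that owns the replication destination bucket."`. The two "acount" typos in the other descriptions should be fixed in the same pass.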
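Review bot: The new `count` condition makes the same bucket name live under one of two resource addresses depending on the flag (`aws_s3_bucket.obfuscation_scripts_bucket[0]` here, `aws_s3_bucket.source_snapshot_bucket[0]` in the new file), so flipping `replicate_obfuscation_bucket` on an existing deployment plans a destroy of one resource and a create of the other with the same name; on a bucket that already holds scripts or dumps the destroy either fails or, if `force_destroy` is set further down (the resource block continues outside this hunk), deletes the data, and any other resources that reference the old address would break. Prefer keeping a single `aws_s3_bucket` resource and attaching `versioning` and `replication_configuration` conditionally via `dynamic` blocks, or at minimum document the required `terraform state mv` in the module README before merging. As a style point, write the condition as `count = (var.enabled && var.create_obfuscation_scripts_bucket && !var.replicate_obfuscation_bucket) ? 1 : 0` rather than comparing a bool to `false`.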
diff --git a/obfuscation_scripts_bucket_replication.tf b/obfuscation_scripts_bucket_replication.tf
new file mode 100644
index 0000000..48e3d55
--- /dev/null
+++ b/obfuscation_scripts_bucket_replication.tf
@@ -0,0 +1,109 @@
+resource "aws_s3_bucket" "source_snapshot_bucket" {
+ count = (var.enabled && var.create_obfuscation_scripts_bucket && var.replicate_obfuscation_bucket) ? 1 : 0
+ provider = aws.staging
+
+ bucket = var.obfuscation_scripts_bucket_name
+ acl = "private"
+
+ versioning {
+ enabled = true
+ }
+
+ replication_configuration {
+ role = aws_iam_role.replication[0].arn
+
+ rules {
+ id = "dumps"
+ prefix = var.replicate_obfuscation_bucket_prefix
+ status = "Enabled"
+ priority = 0
+
+ destination {
+ bucket = "arn:aws:s3:::${var.replicate_destination_bucket_name}"
+ storage_class = "STANDARD"
+ account_id = var.replicate_destination_account_id
+ access_control_translation {
+ owner = "Destination"
+ }
+ }
+ }
+ }
+
+ tags = {
+ Tool = "MASKOPY"
+ }
+}
+
+resource "aws_iam_role" "replication" {
+ count = (var.enabled && var.create_obfuscation_scripts_bucket && var.replicate_obfuscation_bucket) ? 1 : 0
+
+ name = "${var.obfuscation_scripts_bucket_name}-iam-role-replication"
+
+ assume_role_policy = <