S3 cross-region replication with Terraform


I use Terraform to set up S3 buckets (in different regions) and configure replication between them.

It worked fine until I added KMS.

I created 2 KMS keys, one for the source and one for the destination.

Now, when applying the replication configuration, there is an option to pass the destination key for the destination bucket, but I'm not sure how to apply the key on the source side.

Any help would be appreciated.

# Second provider for the destination region (Terraform 0.11 syntax throughout)
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

# Destination bucket: versioned (required for replication) and encrypted with the destination CMK
resource "aws_s3_bucket" "destination-bucket" {
  bucket   = "destination-bucket"
  provider = "aws.east"
  acl      = "private"
  region   = "us-east-1"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_cmk_dest_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

# Source bucket: encrypted with the source CMK, replicating into the destination bucket
resource "aws_s3_bucket" "source-bucket" {
  bucket = "source-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_cmk_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }

  replication_configuration {
    role = "${aws_iam_role.replication.arn}"

    rules {
      status = "Enabled"

      destination {
        # Must reference the destination bucket; the original pointed this at the source bucket itself
        bucket             = "${aws_s3_bucket.destination-bucket.arn}"
        storage_class      = "STANDARD"
        replica_kms_key_id = "${var.kms_cmk_dest_arn}"
      }

      # Include objects encrypted with SSE-KMS in the replication rule
      source_selection_criteria {
        sse_kms_encrypted_objects {
          enabled = true
        }
      }
    }
  }
}

# Role that S3 assumes to perform the replication
resource "aws_iam_role" "replication" {
  name                 = "cdd-iam-role-replication"
  permissions_boundary = "arn:aws:iam::${var.account_id}:policy/ServiceRoleBoundary"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

# S3 permissions for the replication role (read source, write replicas to destination)
resource "aws_iam_role_policy" "replication" {
  name = "cdd-iam-role-policy-replication"
  role = "${aws_iam_role.replication.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source-bucket.arn}"
      ]
    },
    {
      "Action": [
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source-bucket.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.destination-bucket.arn}/*"
    }
  ]
}
POLICY
}
Answer

If you use a customer managed key (CMK) for S3 encryption, additional configuration is required. The AWS S3 documentation mentions that the CMK owner must grant the source bucket owner permission to use the CMK.

https://docs.aws.amazon.com/AmazonS3/latest/dev/replication-config-for-kms-objects.html#replication-kms-cross-acct-scenario

Also, a good article summarizing S3 cross-region replication configuration:

https://medium.com/@devopslearning/100-days-of-devops-day-44-s3-cross-region-replication-crr-8c58ae8c68d4
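The extra KMS permission the answer refers to, as an added example written for this thread (not code from the question or the answer): the replication role must be allowed to decrypt with the source CMK and encrypt with the destination CMK, with each grant scoped to S3 in that bucket's region and to that bucket's objects. It reuses the question's role and key variables; the policy name and `var.source_region` (the region of the source bucket) are assumptions.

```hcl
# Added example: KMS grants for the replication role (Terraform 0.11 syntax, matching the question).
# Assumes var.source_region holds the source bucket's region; other names come from the question.
resource "aws_iam_role_policy" "replication-kms" {
  name = "cdd-iam-role-policy-replication-kms"
  role = "${aws_iam_role.replication.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DecryptSourceObjects",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "${var.kms_cmk_arn}",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.${var.source_region}.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": "${aws_s3_bucket.source-bucket.arn}/*"
        }
      }
    },
    {
      "Sid": "EncryptReplicas",
      "Effect": "Allow",
      "Action": "kms:Encrypt",
      "Resource": "${var.kms_cmk_dest_arn}",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": "${aws_s3_bucket.destination-bucket.arn}/*"
        }
      }
    }
  ]
}
POLICY
}
```

If the destination CMK lives in another account, its key policy must additionally allow this role, which is the cross-account scenario the answer's first link describes.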
