S3 cross-region replication with Terraform
I use Terraform to set up S3 buckets (in different regions) and configure replication between them.
It worked fine until I added KMS.
I created two KMS keys, one for the source and another for the destination.
Now, when applying the replication configuration, there is an option to pass the destination key for the destination bucket, but I am not sure how to apply the key on the source side.
Any help would be appreciated.
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

resource "aws_s3_bucket" "destination-bucket" {
  bucket   = "destination-bucket"
  provider = "aws.east"
  acl      = "private"
  region   = "us-east-1"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_cmk_dest_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

resource "aws_s3_bucket" "source-bucket" {
  bucket = "source-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${var.kms_cmk_arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }

  replication_configuration {
    role = "${aws_iam_role.replication.arn}"

    rules {
      status = "Enabled"

      destination {
        # The replication target is the destination bucket, not the source bucket itself
        bucket             = "${aws_s3_bucket.destination-bucket.arn}"
        storage_class      = "STANDARD"
        replica_kms_key_id = "${var.kms_cmk_dest_arn}"
      }

      # Only SSE-KMS encrypted objects are selected for replication
      source_selection_criteria {
        sse_kms_encrypted_objects {
          enabled = true
        }
      }
    }
  }
}

resource "aws_iam_role" "replication" {
  name                 = "cdd-iam-role-replication"
  permissions_boundary = "arn:aws:iam::${var.account_id}:policy/ServiceRoleBoundary"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy" "replication" {
  name = "cdd-iam-role-policy-replication"
  role = "${aws_iam_role.replication.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source-bucket.arn}"
      ]
    },
    {
      "Action": [
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.source-bucket.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.destination-bucket.arn}/*"
    }
  ]
}
POLICY
}
Answer
If you use a customer-managed key (CMK) for S3 encryption, additional configuration is required. The AWS S3 documentation notes that the CMK owner must grant the source bucket owner permission to use the CMK.
Also, a good article summarizing S3 cross-region replication configuration:
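The missing piece in the question's configuration is on the IAM side: the replication role has S3 permissions but no KMS permissions, so S3 cannot decrypt source objects with the source CMK or encrypt the replicas with the destination CMK. The following is an added example (not code from the question or the answer above) of a second role policy that grants exactly those two operations, scoped with the kms:ViaService and kms:EncryptionContext:aws:s3:arn condition keys so the role can only use the keys through S3 and only for these two buckets. It reuses the names from the question (aws_iam_role.replication, var.kms_cmk_arn, var.kms_cmk_dest_arn, the two bucket resources) and assumes a var.source_region variable for the source bucket's region, which the question does not state; the destination region is us-east-1 as in the question.

```hcl
# Added example: KMS permissions for the S3 replication role (assumed names noted inline).
# Uses the Terraform 0.11 interpolation syntax of the question.

variable "source_region" {
  description = "Region of the source bucket (assumption: not given in the question)"
}

data "aws_iam_policy_document" "replication_kms" {
  # Decrypt source objects with the source CMK, only when called by S3 on the source bucket
  statement {
    sid       = "DecryptSourceObjects"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = ["${var.kms_cmk_arn}"]

    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${var.source_region}.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values   = ["${aws_s3_bucket.source-bucket.arn}/*"]
    }
  }

  # Encrypt replicas with the destination CMK, only when called by S3 on the destination bucket
  statement {
    sid       = "EncryptReplicaObjects"
    effect    = "Allow"
    actions   = ["kms:Encrypt"]
    resources = ["${var.kms_cmk_dest_arn}"]

    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.us-east-1.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values   = ["${aws_s3_bucket.destination-bucket.arn}/*"]
    }
  }
}

# Attach the KMS statements to the existing replication role from the question
resource "aws_iam_role_policy" "replication_kms" {
  name   = "cdd-iam-role-policy-replication-kms"
  role   = "${aws_iam_role.replication.id}"
  policy = "${data.aws_iam_policy_document.replication_kms.json}"
}
```

An IAM policy is only half of the authorization decision for KMS: each key's own key policy must also allow the call. If both keys live in the account that owns the buckets and their key policies delegate to IAM (the usual "Enable IAM User Permissions" statement), the policy above is sufficient. If the destination CMK belongs to another account, its key policy must additionally grant kms:Encrypt to the replication role's account, which is the cross-account grant the answer refers to. Scoping with kms:ViaService and the S3 encryption context keeps the role from using either key outside of replication, which is the least-privilege shape to aim for.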