terraform.aws-baseline-infra/modules/storage/s3-bucket-replication/main.tf


# Look up the two existing buckets by name. Both must already exist; this
# module never creates them. The data sources expose .arn / .id / .region
# for the policy and replication blocks below.
data "aws_s3_bucket" "source-bucket" {
  bucket = var.source-bucket-name
}

data "aws_s3_bucket" "destination-bucket" {
  bucket = var.destination-bucket-name
}
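# Trust policy for the replication role (created in the source account).
# Only the S3 service principal may assume it, and only when S3 is acting
# on behalf of this module's source bucket: the aws:SourceArn condition is
# the documented confused-deputy guard for service principals, so another
# bucket in the same account cannot use this role.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [data.aws_s3_bucket.source-bucket.arn]
    }
  }
}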
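# Permissions policy for the replication role, cut down to what the AWS
# replication guidance lists: replicate-* actions on the destination only,
# narrowly scoped reads on the source, and KMS use that is only valid when
# S3 calls KMS on behalf of these two buckets (the original granted
# kms:Decrypt / kms:Encrypt on "*" with no condition, i.e. on every key the
# account can reach).
data "aws_iam_policy_document" "replication-role-policy" {
  # Writes S3 performs on the *destination* bucket. The source bucket was
  # dropped from this statement: replication never writes to the source.
  # ObjectOwnerOverrideToBucketOwner backs the access_control_translation
  # block in the replication configuration (cross-account destination).
  statement {
    sid    = "AccessToReplicaBucket"
    effect = "Allow"
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
      "s3:ReplicateTags",
      "s3:ObjectOwnerOverrideToBucketOwner",
    ]
    resources = [
      "${data.aws_s3_bucket.destination-bucket.arn}/*",
    ]
  }

  # Bucket-level reads on the source. Narrowed from s3:Get*/s3:List* to the
  # two actions replication uses.
  statement {
    sid    = "ReadAccessOnSourceBuckets"
    effect = "Allow"
    actions = [
      "s3:GetReplicationConfiguration",
      "s3:ListBucket",
    ]
    resources = [
      data.aws_s3_bucket.source-bucket.arn,
    ]
  }

  # Object-level reads on the source needed to copy versions, ACLs and tags.
  statement {
    sid    = "ObjectAccessOnSourceBuckets"
    effect = "Allow"
    actions = [
      "s3:GetObjectVersionForReplication",
      "s3:GetObjectVersionAcl",
      "s3:GetObjectVersionTagging",
    ]
    resources = [
      "${data.aws_s3_bucket.source-bucket.arn}/*",
    ]
  }

  # Decrypt source objects. The source key ARN is not an input of this
  # module, so the resource stays "*", but the grant can only be exercised
  # by S3 in the source bucket's region for objects of that bucket
  # (kms:ViaService + kms:EncryptionContext:aws:s3:arn). Both the bucket ARN
  # and bucket/* are listed because S3 uses the bucket ARN as encryption
  # context when S3 Bucket Keys are enabled and the object ARN otherwise.
  statement {
    sid       = "DecryptSourceBucketObjects"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = ["*"]

    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${data.aws_s3_bucket.source-bucket.region}.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values = [
        data.aws_s3_bucket.source-bucket.arn,
        "${data.aws_s3_bucket.source-bucket.arn}/*",
      ]
    }
  }

  # Encrypt replicas with the destination key only (the key the replication
  # configuration names in encryption_configuration), again restricted to
  # S3 acting for the destination bucket.
  statement {
    sid       = "EncryptReplicaObjects"
    effect    = "Allow"
    actions   = ["kms:Encrypt"]
    resources = [var.destination-bucket-encryption-key-arn]

    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${data.aws_s3_bucket.destination-bucket.region}.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:s3:arn"
      values = [
        data.aws_s3_bucket.destination-bucket.arn,
        "${data.aws_s3_bucket.destination-bucket.arn}/*",
      ]
    }
  }
}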
# Four random bytes, rendered as a decimal suffix on the role name so that
# several instances of this module in one account do not collide on the
# IAM role name.
resource "random_id" "rid" {
  byte_length = 4
}
# The role S3 assumes to perform replication. Trust policy: see
# data.aws_iam_policy_document.assume_role_policy; permissions are attached
# separately via aws_iam_role_policy.role-policy.
resource "aws_iam_role" "replication-role" {
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
  name               = "BucketReplicationRole${random_id.rid.dec}"
}
# Inline permissions policy for the replication role. Inline (rather than a
# managed policy) keeps the grant bound to this one role's lifecycle.
resource "aws_iam_role_policy" "role-policy" {
  role   = aws_iam_role.replication-role.id
  name   = "bucket-replication"
  policy = data.aws_iam_policy_document.replication-role-policy.json
}
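# Replication configuration on the source bucket: every object (empty
# filter => V2 schema) is replicated to the cross-account destination.
# Both buckets must have versioning enabled; the provider does not check
# this and the AWS API rejects the configuration otherwise.
# The bucket is taken from the data source rather than the raw variable so
# the configuration is attached to the same bucket the policies reference.
resource "aws_s3_bucket_replication_configuration" "replication-config" {
  bucket = data.aws_s3_bucket.source-bucket.id
  role   = aws_iam_role.replication-role.arn

  rule {
    id     = "ReplicateAll"
    status = "Enabled"

    # Include SSE-KMS objects; this is what makes the kms:Decrypt grant in
    # the role policy necessary.
    source_selection_criteria {
      sse_kms_encrypted_objects {
        status = "Enabled"
      }
    }

    # V2 replication configuration: delete markers are replicated and an
    # empty filter selects the whole bucket.
    delete_marker_replication {
      status = "Enabled"
    }

    filter {
    }

    destination {
      bucket        = data.aws_s3_bucket.destination-bucket.arn
      storage_class = "INTELLIGENT_TIERING"

      # Destination lives in another account; hand object ownership to that
      # account so its policies (not the source account's) govern replicas.
      account = var.destination-bucket-account-id
      access_control_translation {
        owner = "Destination"
      }

      # Replicas are re-encrypted with the destination account's key; the
      # role policy's kms:Encrypt grant is scoped to this key.
      encryption_configuration {
        replica_kms_key_id = var.destination-bucket-encryption-key-arn
      }

      # Replication Time Control (15-minute SLA) with matching metrics.
      replication_time {
        status = "Enabled"
        time {
          minutes = 15
        }
      }

      metrics {
        status = "Enabled"
        event_threshold {
          minutes = 15
        }
      }
    }
  }
}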
# Smoke-test object. Written into the source bucket after the replication
# configuration exists, so its appearance in the destination bucket shows
# replication works. Note it is a persistent, Terraform-managed object in
# the source bucket (and, once replicated, in the destination bucket), not
# something removed after the check.
resource "aws_s3_object" "test-file" {
  bucket  = data.aws_s3_bucket.source-bucket.id
  key     = "replication-test-file"
  content = "If this file shows up in the destination bucket, replication has been successfully configured."

  depends_on = [aws_s3_bucket_replication_configuration.replication-config]
}