diff --git a/iam-source.tf b/iam-source.tf
index c8ff334..2d2339a 100644
--- a/iam-source.tf
+++ b/iam-source.tf
@@ -4,8 +4,16 @@ data "aws_iam_policy_document" "source_write" {
 "s3:PutObject",
 ]
+ # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+ # force an interpolation expression to be interpreted as a list by wrapping it
+ # in an extra set of list brackets. That form was supported for compatibility in
+ # v0.11, but is no longer supported in Terraform v0.12.
+ #
+ # If the expression in the following list itself returns a list, remove the
+ # brackets to avoid interpretation as a list of lists. If the expression
+ # returns a single list item then leave it as-is and remove this TODO comment.
 resources = [
- "${local.source_bucket_object_arn}",
+ local.source_bucket_object_arn,
 ]
 }
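Review bot: The eight-line TF-UPGRADE-TODO comment added above `resources = [` is the upgrade tool's placeholder and should not be committed; locals.tf in this same commit defines `source_bucket_object_arn` as a single string, so the surrounding brackets are correct and the comment's own instruction is to delete it. The identical block is repeated before `resources = [` in the second iam-source.tf hunk, before both the `resources` and `identifiers` lists in s3-dest.tf, and in all three s3-source.tf hunks; every local referenced there is a plain string in locals.tf, so each copy can be removed. The enclosing `data "aws_iam_policy_document" "source_write"` block starts before this hunk.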
@@ -14,31 +22,40 @@ data "aws_iam_policy_document" "source_write" {
 "s3:ListBucket",
 ]
+ # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+ # force an interpolation expression to be interpreted as a list by wrapping it
+ # in an extra set of list brackets. That form was supported for compatibility in
+ # v0.11, but is no longer supported in Terraform v0.12.
+ #
+ # If the expression in the following list itself returns a list, remove the
+ # brackets to avoid interpretation as a list of lists. If the expression
+ # returns a single list item then leave it as-is and remove this TODO comment.
 resources = [
- "${local.source_bucket_arn}",
+ local.source_bucket_arn,
 ]
 }
 }
 resource "aws_iam_policy" "source_write" {
- provider = "aws.source"
+ provider = aws.source
 name_prefix = "${local.replication_name}-source-write-"
- policy = "${data.aws_iam_policy_document.source_write.json}"
+ policy = data.aws_iam_policy_document.source_write.json
 }
 resource "aws_iam_user" "source_write" {
- provider = "aws.source"
+ provider = aws.source
 name = "${local.replication_name}-source-write-user"
 force_destroy = true
 }
 resource "aws_iam_user_policy_attachment" "source_write" {
- provider = "aws.source"
- user = "${aws_iam_user.source_write.name}"
- policy_arn = "${aws_iam_policy.source_write.arn}"
+ provider = aws.source
+ user = aws_iam_user.source_write.name
+ policy_arn = aws_iam_policy.source_write.arn
 }
 resource "aws_iam_access_key" "source_write" {
- provider = "aws.source"
- user = "${aws_iam_user.source_write.name}"
+ provider = aws.source
+ user = aws_iam_user.source_write.name
 }
+
diff --git a/locals.tf b/locals.tf
index ee4be80..2a537f6 100644
--- a/locals.tf
+++ b/locals.tf
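Review bot: `resource "aws_iam_access_key" "source_write"` at the end of this hunk still creates a long-lived access key whose secret is written in plaintext to the Terraform state, and the `sensitive = true` on the matching output in the outputs.tf hunk only masks CLI display, not what is persisted in state. Consider adding `pgp_key = "<keybase user or base64 public key>"` so only `encrypted_secret` is stored, or documenting that this module's state must be treated as a credential store. It is also worth confirming whether a static IAM user is needed at all, since replication itself runs under `aws_iam_role.source_replication`; if the user exists only for out-of-band writers, say so in a comment on the resource.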
@@ -1,8 +1,9 @@
 locals {
- "source_bucket_arn" = "arn:aws:s3:::${var.source_bucket_name}"
- "dest_bucket_arn" = "arn:aws:s3:::${var.dest_bucket_name}"
- "source_bucket_object_arn" = "arn:aws:s3:::${var.source_bucket_name}/${var.replicate_prefix}*"
- "dest_bucket_object_arn" = "arn:aws:s3:::${var.dest_bucket_name}/${var.replicate_prefix}*"
- "replication_name" = "tf-${var.replication_name}"
- "source_root_user_arn" = "arn:aws:iam::${data.aws_caller_identity.source.account_id}:root"
+ source_bucket_arn = "arn:aws:s3:::${var.source_bucket_name}"
+ dest_bucket_arn = "arn:aws:s3:::${var.dest_bucket_name}"
+ source_bucket_object_arn = "arn:aws:s3:::${var.source_bucket_name}/${var.replicate_prefix}*"
+ dest_bucket_object_arn = "arn:aws:s3:::${var.dest_bucket_name}/${var.replicate_prefix}*"
+ replication_name = "tf-${var.replication_name}"
+ source_root_user_arn = "arn:aws:iam::${data.aws_caller_identity.source.account_id}:root"
 }
+
diff --git a/main.tf b/main.tf
index 86e4ed4..394c5b0 100644
--- a/main.tf
+++ b/main.tf
@@ -9,9 +9,10 @@ provider "aws" {
 }
 data "aws_caller_identity" "source" {
- provider = "aws.source"
+ provider = aws.source
 }
 data "aws_caller_identity" "dest" {
- provider = "aws.dest"
+ provider = aws.dest
 }
+
diff --git a/outputs.tf b/outputs.tf
index 5ea813d..e4b8daa 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,16 +1,17 @@
 # Destination bucket policy to add manually
 output "dest_bucket_policy_json" {
- value = "${var.create_dest_bucket == "true" ? "not needed" : data.aws_iam_policy_document.dest_bucket_policy.json}"
+ value = var.create_dest_bucket == "true" ? "not needed" : data.aws_iam_policy_document.dest_bucket_policy.json
 }
 # Source write IAM user
 output "source_write_iam_user_access_key_id" {
- value = "${aws_iam_access_key.source_write.id}"
+ value = aws_iam_access_key.source_write.id
 }
 output "source_write_iam_user_secret_access_key" {
- value = "${aws_iam_access_key.source_write.secret}"
+ value = aws_iam_access_key.source_write.secret
 sensitive = true
 }
+
diff --git a/s3-dest.tf b/s3-dest.tf
index 46a21de..58d3334 100644
--- a/s3-dest.tf
+++ b/s3-dest.tf
@@ -10,28 +10,45 @@ data "aws_iam_policy_document" "dest_bucket_policy" {
 "s3:ObjectOwnerOverrideToBucketOwner",
 ]
+ # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+ # force an interpolation expression to be interpreted as a list by wrapping it
+ # in an extra set of list brackets. That form was supported for compatibility in
+ # v0.11, but is no longer supported in Terraform v0.12.
+ #
+ # If the expression in the following list itself returns a list, remove the
+ # brackets to avoid interpretation as a list of lists. If the expression
+ # returns a single list item then leave it as-is and remove this TODO comment.
 resources = [
- "${local.dest_bucket_object_arn}",
+ local.dest_bucket_object_arn,
 ]
 principals {
 type = "AWS"
+ # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+ # force an interpolation expression to be interpreted as a list by wrapping it
+ # in an extra set of list brackets. That form was supported for compatibility in
+ # v0.11, but is no longer supported in Terraform v0.12.
+ #
+ # If the expression in the following list itself returns a list, remove the
+ # brackets to avoid interpretation as a list of lists. If the expression
+ # returns a single list item then leave it as-is and remove this TODO comment.
 identifiers = [
- "${local.source_root_user_arn}",
+ local.source_root_user_arn,
 ]
 }
 }
 }
 resource "aws_s3_bucket" "dest" {
- count = "${var.create_dest_bucket == "true" ? 1 : 0}"
- provider = "aws.dest"
- bucket = "${var.dest_bucket_name}"
- region = "${var.dest_region}"
- policy = "${data.aws_iam_policy_document.dest_bucket_policy.json}"
+ count = var.create_dest_bucket == "true" ? 1 : 0
+ provider = aws.dest
+ bucket = var.dest_bucket_name
+ region = var.dest_region
+ policy = data.aws_iam_policy_document.dest_bucket_policy.json
 versioning {
 enabled = true
 }
 }
+
diff --git a/s3-source.tf b/s3-source.tf
index 9e2b380..23e6808 100644
--- a/s3-source.tf
+++ b/s3-source.tf
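Review bot: The `principals` block in the destination bucket policy grants `s3:ObjectOwnerOverrideToBucketOwner` (and the actions listed before this hunk) to `local.source_root_user_arn`, which locals.tf defines as the whole source account's `:root`, so any principal in the source account that holds matching IAM permissions is trusted by the destination bucket, not just the replication role. Because `aws_iam_role.source_replication` is created by this same module in s3-source.tf, the grant could be narrowed to `identifiers = [aws_iam_role.source_replication.arn]`, which is the identity that actually performs the replication writes; keep `:root` only if delegating to source-account IAM is the intended trust model, and say so in a comment on the block. The `data "aws_iam_policy_document" "dest_bucket_policy"` block starts before this hunk.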
@@ -20,8 +20,16 @@ data "aws_iam_policy_document" "source_replication_policy" {
 "s3:ListBucket",
 ]
+ # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+ # force an interpolation expression to be interpreted as a list by wrapping it
+ # in an extra set of list brackets. That form was supported for compatibility in
+ # v0.11, but is no longer supported in Terraform v0.12.
+ #
+ # If the expression in the following list itself returns a list, remove the
+ # brackets to avoid interpretation as a list of lists. If the expression
+ # returns a single list item then leave it as-is and remove this TODO comment.
 resources = [
- "${local.source_bucket_arn}",
+ local.source_bucket_arn,
 ]
 }
@@ -31,8 +39,16 @@ data "aws_iam_policy_document" "source_replication_policy" {
 "s3:GetObjectVersionAcl",
 ]
+ # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+ # force an interpolation expression to be interpreted as a list by wrapping it
+ # in an extra set of list brackets. That form was supported for compatibility in
+ # v0.11, but is no longer supported in Terraform v0.12.
+ #
+ # If the expression in the following list itself returns a list, remove the
+ # brackets to avoid interpretation as a list of lists. If the expression
+ # returns a single list item then leave it as-is and remove this TODO comment.
 resources = [
- "${local.source_bucket_object_arn}",
+ local.source_bucket_object_arn,
 ]
 }
@@ -43,58 +59,67 @@ data "aws_iam_policy_document" "source_replication_policy" {
 "s3:ObjectOwnerOverrideToBucketOwner",
 ]
+ # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+ # force an interpolation expression to be interpreted as a list by wrapping it
+ # in an extra set of list brackets. That form was supported for compatibility in
+ # v0.11, but is no longer supported in Terraform v0.12.
+ #
+ # If the expression in the following list itself returns a list, remove the
+ # brackets to avoid interpretation as a list of lists. If the expression
+ # returns a single list item then leave it as-is and remove this TODO comment.
 resources = [
- "${local.dest_bucket_object_arn}",
+ local.dest_bucket_object_arn,
 ]
 }
 }
 resource "aws_iam_role" "source_replication" {
- provider = "aws.source"
+ provider = aws.source
 name = "${local.replication_name}-replication-role"
- assume_role_policy = "${data.aws_iam_policy_document.source_replication_role.json}"
+ assume_role_policy = data.aws_iam_policy_document.source_replication_role.json
 }
 resource "aws_iam_policy" "source_replication" {
- provider = "aws.source"
+ provider = aws.source
 name = "${local.replication_name}-replication-policy"
- policy = "${data.aws_iam_policy_document.source_replication_policy.json}"
+ policy = data.aws_iam_policy_document.source_replication_policy.json
 }
 resource "aws_iam_role_policy_attachment" "source_replication" {
- provider = "aws.source"
- role = "${aws_iam_role.source_replication.name}"
- policy_arn = "${aws_iam_policy.source_replication.arn}"
+ provider = aws.source
+ role = aws_iam_role.source_replication.name
+ policy_arn = aws_iam_policy.source_replication.arn
 }
 # S3 source bucket
 resource "aws_s3_bucket" "source" {
- provider = "aws.source"
- bucket = "${var.source_bucket_name}"
- region = "${var.source_region}"
+ provider = aws.source
+ bucket = var.source_bucket_name
+ region = var.source_region
 versioning {
 enabled = true
 }
 replication_configuration {
- role = "${aws_iam_role.source_replication.arn}"
+ role = aws_iam_role.source_replication.arn
 rules {
- id = "${local.replication_name}"
+ id = local.replication_name
 status = "Enabled"
- prefix = "${var.replicate_prefix}"
+ priority = var.priority
+ prefix = var.replicate_prefix
 destination {
- bucket = "${local.dest_bucket_arn}"
+ bucket = local.dest_bucket_arn
 storage_class = "STANDARD"
- access_control_translation = {
+ access_control_translation {
 owner = "Destination"
 }
- account_id = "${data.aws_caller_identity.dest.account_id}"
+ account_id = data.aws_caller_identity.dest.account_id
 }
 }
 }
diff --git a/variables.tf b/variables.tf
index 5c459a6..3fd4205 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,36 +1,41 @@
 variable "source_region" {
- type = "string"
+ type = string
 description = "AWS region for the source bucket"
 }
 variable "dest_region" {
- type = "string"
+ type = string
 description = "AWS region for the destination bucket"
 }
 variable "source_bucket_name" {
- type = "string"
+ type = string
 description = "Name for source s3 bucket"
 }
 variable "replicate_prefix" {
- type = "string"
+ type = string
 description = "Prefix to replicate, default \"\" for all objects. Note if specifying, must end in a /"
 default = ""
 }
 variable "dest_bucket_name" {
- type = "string"
+ type = string
 description = "Name for dest s3 bucket"
 }
 variable "create_dest_bucket" {
- type = "string"
+ type = string
 description = "Boolean for whether this module should create the destination bucket"
 default = "true"
 }
 variable "replication_name" {
- type = "string"
+ type = string
 description = "Short name to describe this replication"
 }
+
+variable "priority" {
+ description = "The priority associated with the rule."
+ default = 0
+}
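Review bot: The new `priority = var.priority` line sits next to `prefix = var.replicate_prefix` in the same `rules` block; in the aws_s3_bucket replication configuration `priority` belongs to the filter-based rule schema, and the provider documentation says it should only be set when `filter` is configured, so this prefix-plus-priority combination may be rejected by the API or silently ignored — worth confirming with a plan and apply against a real bucket before merging. If the intent is to move to filter-based rules, replace the `prefix` line with `filter { prefix = var.replicate_prefix }` and keep `priority`; otherwise drop the new line together with the new `priority` variable. The `aws_s3_bucket.source` resource's closing brace lies outside this hunk.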
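Review bot: The new `variable "priority"` block declares no `type`, while every other variable in this hunk is being given an explicit 0.12 type; add `type = number` so a non-numeric value is rejected at plan time rather than by the S3 API. Its description would also help callers if it noted that, per the provider documentation, priority applies only to filter-based rules and must be unique across rules. Separately, `create_dest_bucket` stays a `string` compared against the literal `"true"` in outputs.tf and s3-dest.tf; a `type = bool` with `default = true` would let those sites become `var.create_dest_bucket ? ... : ...`, though that changes the variable's interface for existing callers and so belongs in its own change.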