
Resource: awsS3BucketReplicationConfiguration

Provides an independent configuration resource for S3 bucket replication configuration.

~> NOTE: S3 Buckets only support a single replication configuration. Declaring multiple awsS3BucketReplicationConfiguration resources for the same S3 Bucket will cause a perpetual difference in configuration.

Example Usage

Using replication configuration

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.provider.AwsProvider(this, "aws", {
  region: "eu-west-1",
});
const awsCentral = new aws.provider.AwsProvider(this, "aws_1", {
  alias: "central",
  region: "eu-central-1",
});
const awsS3BucketDestination = new aws.s3Bucket.S3Bucket(this, "destination", {
  bucket: "tf-test-bucket-destination-12345",
});
const awsS3BucketSource = new aws.s3Bucket.S3Bucket(this, "source", {
  bucket: "tf-test-bucket-source-12345",
  provider: awsCentral,
});
new aws.s3BucketAcl.S3BucketAcl(this, "source_bucket_acl", {
  acl: "private",
  bucket: awsS3BucketSource.id,
  provider: awsCentral,
});
const awsS3BucketVersioningDestination =
  new aws.s3BucketVersioning.S3BucketVersioningA(this, "destination_5", {
    bucket: awsS3BucketDestination.id,
    versioningConfiguration: {
      status: "Enabled",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketVersioningDestination.overrideLogicalId("destination");
const awsS3BucketVersioningSource =
  new aws.s3BucketVersioning.S3BucketVersioningA(this, "source_6", {
    bucket: awsS3BucketSource.id,
    provider: awsCentral,
    versioningConfiguration: {
      status: "Enabled",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketVersioningSource.overrideLogicalId("source");
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["s3.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const dataAwsIamPolicyDocumentReplication =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "replication",
    {
      statement: [
        {
          actions: ["s3:GetReplicationConfiguration", "s3:ListBucket"],
          effect: "Allow",
          resources: [awsS3BucketSource.arn],
        },
        {
          actions: [
            "s3:GetObjectVersionForReplication",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionTagging",
          ],
          effect: "Allow",
          // Object-level actions are scoped to the source bucket's keys only.
          resources: [`${awsS3BucketSource.arn}/*`],
        },
        {
          actions: [
            "s3:ReplicateObject",
            "s3:ReplicateDelete",
            "s3:ReplicateTags",
          ],
          effect: "Allow",
          // Replicate* actions are scoped to the destination bucket's keys only.
          resources: [`${awsS3BucketDestination.arn}/*`],
        },
      ],
    }
  );
const awsIamPolicyReplication = new aws.iamPolicy.IamPolicy(
  this,
  "replication_9",
  {
    name: "tf-iam-role-policy-replication-12345",
    policy: dataAwsIamPolicyDocumentReplication.json,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamPolicyReplication.overrideLogicalId("replication");
const awsIamRoleReplication = new aws.iamRole.IamRole(this, "replication_10", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "tf-iam-role-replication-12345",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRoleReplication.overrideLogicalId("replication");
const awsIamRolePolicyAttachmentReplication =
  new aws.iamRolePolicyAttachment.IamRolePolicyAttachment(
    this,
    "replication_11",
    {
      policyArn: awsIamPolicyReplication.arn,
      role: awsIamRoleReplication.name,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyAttachmentReplication.overrideLogicalId("replication");
const awsS3BucketReplicationConfigurationReplication =
  new aws.s3BucketReplicationConfiguration.S3BucketReplicationConfigurationA(
    this,
    "replication_12",
    {
      bucket: awsS3BucketSource.id,
      // Versioning must be enabled on the source bucket before replication is configured.
      dependsOn: [awsS3BucketVersioningSource],
      provider: awsCentral,
      role: awsIamRoleReplication.arn,
      rule: [
        {
          destination: {
            bucket: awsS3BucketDestination.arn,
            storageClass: "STANDARD",
          },
          filter: {
            prefix: "foo",
          },
          id: "foobar",
          status: "Enabled",
        },
      ],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketReplicationConfigurationReplication.overrideLogicalId("replication");

Bi-Directional Replication

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsS3BucketEast = new aws.s3Bucket.S3Bucket(this, "east", {
  bucket: "tf-test-bucket-east-12345",
});
const awsS3BucketWest = new aws.s3Bucket.S3Bucket(this, "west", {
  bucket: "tf-test-bucket-west-12345",
  provider: "${aws.west}",
});
const awsS3BucketVersioningEast =
  new aws.s3BucketVersioning.S3BucketVersioningA(this, "east_2", {
    bucket: awsS3BucketEast.id,
    versioningConfiguration: {
      status: "Enabled",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketVersioningEast.overrideLogicalId("east");
const awsS3BucketVersioningWest =
  new aws.s3BucketVersioning.S3BucketVersioningA(this, "west_3", {
    bucket: awsS3BucketWest.id,
    provider: "${aws.west}",
    versioningConfiguration: {
      status: "Enabled",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketVersioningWest.overrideLogicalId("west");
new aws.s3BucketReplicationConfiguration.S3BucketReplicationConfigurationA(
  this,
  "east_to_west",
  {
    bucket: awsS3BucketEast.id,
    dependsOn: [awsS3BucketVersioningEast],
    role: "${aws_iam_role.east_replication.arn}",
    rule: [
      {
        destination: {
          bucket: awsS3BucketWest.arn,
          storageClass: "STANDARD",
        },
        filter: {
          prefix: "foo",
        },
        id: "foobar",
        status: "Enabled",
      },
    ],
  }
);
new aws.s3BucketReplicationConfiguration.S3BucketReplicationConfigurationA(
  this,
  "west_to_east",
  {
    bucket: awsS3BucketWest.id,
    dependsOn: [awsS3BucketVersioningWest],
    provider: "${aws.west}",
    role: "${aws_iam_role.west_replication.arn}",
    rule: [
      {
        destination: {
          bucket: awsS3BucketEast.arn,
          storageClass: "STANDARD",
        },
        filter: {
          prefix: "foo",
        },
        id: "foobar",
        status: "Enabled",
      },
    ],
  }
);
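The two usage examples above leave the IAM side mostly implicit (the bi-directional one references roles that are defined elsewhere). As an added example that is not part of the provider's docs or code, the following plain TypeScript builds the trust policy and the permissions policy a replication role needs as JSON, scoped to exactly one source bucket and its destination buckets, and flags wildcard resources. The bucket ARN pattern and the helper names are this example's own assumptions; the statements mirror the ones in the first example.

```typescript
// Added example, not code from the provider or its docs: build the two IAM
// policy documents the usage example wires up (the trust policy that lets S3
// assume the role, and the permissions policy scoped to the source bucket and
// its destination buckets) as plain JSON, with no wildcards.
type Statement = {
  Effect: "Allow";
  Action: string[];
  Resource?: string[];
  Principal?: { Service: string };
};
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Assumed bucket ARN shape: "arn:aws:s3:::" plus a 3..63 character bucket name.
const BUCKET_ARN = /^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$/;

function assertBucketArn(arn: string): void {
  if (!BUCKET_ARN.test(arn)) throw new Error(`not an S3 bucket ARN: ${arn}`);
}

// Trust policy: only the S3 service principal may assume the replication role.
function replicationTrustPolicy(): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Action: ["sts:AssumeRole"], Principal: { Service: "s3.amazonaws.com" } },
    ],
  };
}

// Permissions policy: the same three statements as the usage example, with the
// Replicate* actions widened to every destination bucket of the configuration.
// A bi-directional setup calls this once per direction, with a separate role each.
function replicationRolePolicy(sourceArn: string, destinationArns: string[]): PolicyDocument {
  assertBucketArn(sourceArn);
  if (destinationArns.length === 0) throw new Error("at least one destination bucket is required");
  destinationArns.forEach(assertBucketArn);
  if (destinationArns.includes(sourceArn)) throw new Error("a bucket cannot replicate to itself");
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["s3:GetReplicationConfiguration", "s3:ListBucket"],
        Resource: [sourceArn],
      },
      {
        Effect: "Allow",
        Action: ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"],
        Resource: [`${sourceArn}/*`],
      },
      {
        Effect: "Allow",
        Action: ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"],
        Resource: destinationArns.map((arn) => `${arn}/*`),
      },
    ],
  };
}

// Guard for hand-edited policies: flag any statement whose Resource is "*" or an
// S3 ARN wildcard, which would let the role write replicas into arbitrary buckets.
function hasWildcardResource(doc: PolicyDocument): boolean {
  return doc.Statement.some((s) =>
    (s.Resource ?? []).some((r) => r === "*" || r.startsWith("arn:aws:s3:::*")),
  );
}

// Usage with the bucket names from the first example (constructed sample input).
const examplePolicy = replicationRolePolicy(
  "arn:aws:s3:::tf-test-bucket-source-12345",
  ["arn:aws:s3:::tf-test-bucket-destination-12345"],
);
console.log(JSON.stringify(replicationTrustPolicy(), null, 2));
console.log(JSON.stringify(examplePolicy, null, 2));
```

The generated JSON can be passed straight to the `policy` and `assumeRolePolicy` arguments in place of the DataAwsIamPolicyDocument data sources; keeping the generator in one place makes it easy to diff a proposed role policy against the minimal one during review.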

Argument Reference

The following arguments are supported:

  • bucket - (Required) Name of the source S3 bucket you want Amazon S3 to monitor.
  • role - (Required) ARN of the IAM role for Amazon S3 to assume when replicating the objects.
  • rule - (Required) List of configuration blocks describing the rules managing the replication. See below.
  • token - (Optional) Token to allow replication to be enabled on an Object Lock-enabled bucket. You must contact AWS support for the bucket's "Object Lock token". For more details, see Using S3 Object Lock with replication.

rule

~> NOTE: Replication to multiple destination buckets requires that priority is specified in the rule object. If the corresponding rule requires no filter, an empty configuration block filter {} must be specified.

~> NOTE: Amazon S3's latest version of the replication configuration is V2, which includes the filter attribute for replication rules.

~> NOTE: The existingObjectReplication parameter is not supported by Amazon S3 at this time and should not be included in your rule configurations. Specifying this parameter will result in MalformedXML errors. To replicate existing objects, please refer to the Replicating existing objects with S3 Batch Replication documentation in the Amazon S3 User Guide.

The rule configuration block supports the following arguments:

  • deleteMarkerReplication - (Optional) Whether delete markers are replicated. This argument is only valid with V2 replication configurations (i.e., when filter is used). See below.
  • destination - (Required) Specifies the destination for the rule. See below.
  • existingObjectReplication - (Optional) Replicate existing objects in the source bucket according to the rule configurations. See below.
  • filter - (Optional, Conflicts with prefix) Filter that identifies subset of objects to which the replication rule applies. See below. If not specified, the rule will default to using prefix.
  • id - (Optional) Unique identifier for the rule. Must be less than or equal to 255 characters in length.
  • prefix - (Optional, Conflicts with filter, Deprecated) Object key name prefix identifying one or more objects to which the rule applies. Must be less than or equal to 1024 characters in length. Defaults to an empty string ("") if filter is not specified.
  • priority - (Optional) Priority associated with the rule. Priority should only be set if filter is configured. If not provided, defaults to 0. Priority must be unique between multiple rules.
  • sourceSelectionCriteria - (Optional) Specifies special object selection criteria. See below.
  • status - (Required) Status of the rule. Either "Enabled" or "Disabled". The rule is ignored if status is not "Enabled".

deleteMarkerReplication

~> NOTE: This argument is only available with V2 replication configurations.

delete_marker_replication {
  status = "Enabled"
}

The deleteMarkerReplication configuration block supports the following arguments:

  • status - (Required) Whether delete markers should be replicated. Either "Enabled" or "Disabled".

destination

The destination configuration block supports the following arguments:

  • accessControlTranslation - (Optional) Configuration block that specifies the overrides to use for object owners on replication. See below. Specify this only in a cross-account scenario (where the source and destination bucket owners are not the same) when you want to change replica ownership to the AWS account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by the same AWS account that owns the source object. Must be used in conjunction with the account owner override configuration.
  • account - (Optional) Account ID to specify the replica ownership. Must be used in conjunction with accessControlTranslation override configuration.
  • bucket - (Required) ARN of the bucket where you want Amazon S3 to store the results.
  • encryptionConfiguration - (Optional) Configuration block that provides information about encryption. See below. If sourceSelectionCriteria is specified, you must specify this element.
  • metrics - (Optional) Configuration block that specifies replication metrics-related settings enabling replication metrics and events. See below.
  • replicationTime - (Optional) Configuration block that specifies S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. See below. Replication Time Control must be used in conjunction with metrics.
  • storageClass - (Optional) The storage class used to store the object. By default, Amazon S3 uses the storage class of the source object to create the object replica.

accessControlTranslation

access_control_translation {
  owner = "Destination"
}

The accessControlTranslation configuration block supports the following arguments:

  • owner - (Required) Specifies the replica ownership. For default and valid values, see PUT bucket replication in the Amazon S3 API Reference. Valid values: "Destination".

encryptionConfiguration

encryption_configuration {
  replica_kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}

The encryptionConfiguration configuration block supports the following arguments:

  • replicaKmsKeyId - (Required) ID (Key ARN or Alias ARN) of the customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket.

metrics

metrics {
  event_threshold {
    minutes = 15
  }
  status = "Enabled"
}

The metrics configuration block supports the following arguments:

  • eventThreshold - (Optional) Configuration block that specifies the time threshold for emitting the s3:replication:operationMissedThreshold event. See below.
  • status - (Required) Status of the Destination Metrics. Either "Enabled" or "Disabled".

eventThreshold

The eventThreshold configuration block supports the following arguments:

  • minutes - (Required) Time in minutes. Valid values: 15.

replicationTime

replication_time {
  status = "Enabled"
  time {
    minutes = 15
  }
}

The replicationTime configuration block supports the following arguments:

  • status - (Required) Status of the Replication Time Control. Either "Enabled" or "Disabled".
  • time - (Required) Configuration block specifying the time by which replication should be complete for all objects and operations on objects. See below.

time

The time configuration block supports the following arguments:

  • minutes - (Required) Time in minutes. Valid values: 15.

existingObjectReplication

~> NOTE: Replication for existing objects requires activation by AWS Support. See userguide/replication-what-is-isnot-replicated

existing_object_replication {
  status = "Enabled"
}

The existingObjectReplication configuration block supports the following arguments:

  • status - (Required) Whether the existing objects should be replicated. Either "Enabled" or "Disabled".

filter

~> NOTE: The filter argument must be specified either as an empty configuration block (filter {}) to indicate the rule requires no filter, or with exactly one of prefix, tag, or and. Replication configuration V1 supports filtering based only on the prefix attribute. For backwards compatibility, Amazon S3 continues to support the V1 configuration.

The filter configuration block supports the following arguments:

  • and - (Optional) Configuration block for specifying rule filters. This element is required only if you specify more than one filter. See and below for more details.
  • prefix - (Optional) Object key name prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length.
  • tag - (Optional) Configuration block for specifying a tag key and value. See below.

and

The and configuration block supports the following arguments:

  • prefix - (Optional) Object key name prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length.
  • tags - (Optional, Required if prefix is configured) Map of tags (key and value pairs) that identifies a subset of objects to which the rule applies. The rule applies only to objects having all the tags in its tagset.

tag

The tag configuration block supports the following arguments:

  • key - (Required) Name of the object key.
  • value - (Required) Value of the tag.

sourceSelectionCriteria

source_selection_criteria {
  replica_modifications {
    status = "Enabled"
  }
  sse_kms_encrypted_objects {
    status = "Enabled"
  }
}

The sourceSelectionCriteria configuration block supports the following arguments:

  • replicaModifications - (Optional) Configuration block that you can specify for selections for modifications on replicas. Amazon S3 doesn't replicate replica modifications by default. In the latest version of the replication configuration (when filter is specified), you can specify this element and set the status to "Enabled" to replicate modifications on replicas.

  • sseKmsEncryptedObjects - (Optional) Configuration block for filter information for the selection of Amazon S3 objects encrypted with AWS KMS. If specified, replicaKmsKeyId in destination encryptionConfiguration must be specified as well.

replicaModifications

The replicaModifications configuration block supports the following arguments:

  • status - (Required) Whether modifications on replicas should be replicated. Either "Enabled" or "Disabled".

sseKmsEncryptedObjects

The sseKmsEncryptedObjects configuration block supports the following arguments:

  • status - (Required) Whether objects encrypted with AWS KMS should be replicated. Either "Enabled" or "Disabled".
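The constraints spread across the rule, filter, destination and sourceSelectionCriteria sections above (prefix vs. filter, exactly one filter key, priority with multiple destinations, account with accessControlTranslation, replicationTime with metrics, encryptionConfiguration with sourceSelectionCriteria, the rejected existingObjectReplication block) are only reported by S3 at apply time. As an added example that is not part of the provider's docs or code, the following TypeScript checks a configuration object, written with the camelCase attribute names from this page, against those constraints before synthesis. The interface names and the validator itself are this example's own assumptions.

```typescript
// Added example, not provider code: validate a replication configuration against
// the Argument Reference constraints so mistakes surface before terraform apply.
type Status = "Enabled" | "Disabled";
interface Tag { key: string; value: string }
interface Filter { prefix?: string; tag?: Tag; and?: { prefix?: string; tags?: Record<string, string> } }
interface Destination {
  bucket: string;
  account?: string;
  accessControlTranslation?: { owner: "Destination" };
  encryptionConfiguration?: { replicaKmsKeyId: string };
  metrics?: { status: Status; eventThreshold?: { minutes: number } };
  replicationTime?: { status: Status; time: { minutes: number } };
  storageClass?: string;
}
interface Rule {
  id?: string;
  status: Status;
  priority?: number;
  prefix?: string;
  filter?: Filter;
  deleteMarkerReplication?: { status: Status };
  existingObjectReplication?: { status: Status };
  sourceSelectionCriteria?: { replicaModifications?: { status: Status }; sseKmsEncryptedObjects?: { status: Status } };
  destination: Destination;
}
interface ReplicationConfig { bucket: string; role: string; rule: Rule[] }

// Returns one message per violated constraint; an empty array means the
// configuration satisfies every rule stated in the Argument Reference.
function validateReplication(cfg: ReplicationConfig): string[] {
  const errors: string[] = [];
  const priorities = new Set<number>();
  const destinations = new Set(cfg.rule.map((r) => r.destination.bucket));
  cfg.rule.forEach((r, i) => {
    const where = `rule[${i}]`;
    if (r.id !== undefined && r.id.length > 255) errors.push(`${where}: id exceeds 255 characters`);
    if (r.prefix !== undefined && r.prefix.length > 1024) errors.push(`${where}: prefix exceeds 1024 characters`);
    if (r.prefix !== undefined && r.filter !== undefined) errors.push(`${where}: prefix conflicts with filter`);
    if (r.existingObjectReplication) errors.push(`${where}: existingObjectReplication is rejected by S3 (MalformedXML)`);
    const isV2 = r.filter !== undefined; // V2 = filter present, V1 = legacy prefix
    if (!isV2 && r.deleteMarkerReplication) errors.push(`${where}: deleteMarkerReplication requires a V2 rule (filter)`);
    if (!isV2 && r.priority !== undefined) errors.push(`${where}: priority is only valid when filter is configured`);
    if (destinations.size > 1 && r.priority === undefined) errors.push(`${where}: priority is required when rules target multiple destination buckets`);
    if (r.priority !== undefined) {
      if (priorities.has(r.priority)) errors.push(`${where}: priority ${r.priority} is not unique`);
      priorities.add(r.priority);
    }
    if (r.filter) {
      const keysSet = [r.filter.prefix, r.filter.tag, r.filter.and].filter((v) => v !== undefined).length;
      if (keysSet > 1) errors.push(`${where}: filter must be empty or use exactly one of prefix, tag, and`);
      if (r.filter.prefix !== undefined && r.filter.prefix.length > 1024) errors.push(`${where}: filter.prefix exceeds 1024 characters`);
      if (r.filter.and?.prefix !== undefined && !r.filter.and.tags) errors.push(`${where}: filter.and.tags is required when filter.and.prefix is set`);
    }
    const d = r.destination;
    if (!!d.accessControlTranslation !== !!d.account) errors.push(`${where}: account and accessControlTranslation must be used together`);
    if (d.replicationTime && !d.metrics) errors.push(`${where}: replicationTime requires metrics`);
    if (r.sourceSelectionCriteria && !d.encryptionConfiguration?.replicaKmsKeyId) {
      errors.push(`${where}: sourceSelectionCriteria requires destination.encryptionConfiguration.replicaKmsKeyId`);
    }
  });
  return errors;
}

// Constructed sample: the single rule from the usage example, which is valid.
const exampleConfig: ReplicationConfig = {
  bucket: "tf-test-bucket-source-12345",
  role: "arn:aws:iam::111122223333:role/tf-iam-role-replication-12345",
  rule: [{
    id: "foobar", status: "Enabled", filter: { prefix: "foo" },
    destination: { bucket: "arn:aws:s3:::tf-test-bucket-destination-12345", storageClass: "STANDARD" },
  }],
};
console.log(validateReplication(exampleConfig)); // []
```

Running the validator in a unit test next to the CDKTF stack catches the combinations S3 would reject, and the wildcard-free role policy and a reviewed destination account together are what keep replication from silently copying data somewhere unintended.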

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - S3 source bucket name.

Import

S3 bucket replication configuration can be imported using the bucket, e.g.

$ terraform import aws_s3_bucket_replication_configuration.replication bucket-name