Resource: aws_s3_bucket_replication_configuration

Provides an independent resource for managing the replication configuration of an S3 bucket.

Example Usage

Using replication configuration

# Default provider: resources without an explicit `provider` argument
# (e.g. the destination bucket and its versioning) are created in eu-west-1.
provider "aws" {
  region = "eu-west-1"
}

# Aliased provider, referenced as aws.central by the source bucket, its ACL and
# versioning, and the replication configuration (eu-central-1).
provider "aws" {
  alias  = "central"
  region = "eu-central-1"
}

# Trust policy: allows the S3 service principal to assume the replication role.
# NOTE(review): the statement carries no condition block, so nothing here limits
# which account or bucket S3 is acting on behalf of. Consider adding an
# aws:SourceAccount / aws:SourceArn condition as a confused-deputy guard;
# confirm that S3 replication supplies these keys before relying on it.
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}

# Role that S3 assumes to replicate objects; its trust policy is rendered from
# the assume_role policy document. The name is a fixed sample value.
resource "aws_iam_role" "replication" {
  name               = "tf-iam-role-replication-12345"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# Permissions policy for the replication role. Every statement is scoped to the
# one source or destination bucket; no wildcard bucket ARNs are used.
# NOTE(review): no KMS actions are granted. If SSE-KMS objects are replicated
# (sse_kms_encrypted_objects / replica_kms_key_id), the role presumably also
# needs decrypt/encrypt rights on the relevant keys; verify against AWS docs.
data "aws_iam_policy_document" "replication" {
  # Bucket-level read access on the source bucket itself.
  statement {
    effect = "Allow"

    actions = [
      "s3:GetReplicationConfiguration",
      "s3:ListBucket",
    ]

    resources = [aws_s3_bucket.source.arn]
  }

  # Object-level read access (versions, ACLs, tags) on objects in the source bucket.
  statement {
    effect = "Allow"

    actions = [
      "s3:GetObjectVersionForReplication",
      "s3:GetObjectVersionAcl",
      "s3:GetObjectVersionTagging",
    ]

    resources = ["${aws_s3_bucket.source.arn}/*"]
  }

  # Write access on objects in the destination bucket only.
  # NOTE(review): the rule in this example does not set
  # delete_marker_replication, so s3:ReplicateDelete is presumably unused here;
  # drop it for least privilege if delete markers are never replicated.
  statement {
    effect = "Allow"

    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
      "s3:ReplicateTags",
    ]

    resources = ["${aws_s3_bucket.destination.arn}/*"]
  }
}

# Managed policy built from the replication policy document.
resource "aws_iam_policy" "replication" {
  name   = "tf-iam-role-policy-replication-12345"
  policy = data.aws_iam_policy_document.replication.json
}

# Attaches the replication policy to the replication role.
resource "aws_iam_role_policy_attachment" "replication" {
  role       = aws_iam_role.replication.name
  policy_arn = aws_iam_policy.replication.arn
}

# Destination bucket; no `provider` argument, so it uses the default provider.
# NOTE(review): this example declares no public-access-block, encryption or
# bucket-policy resource for the destination, so replicas rely on account and
# bucket defaults. Declare those controls explicitly in real configurations.
resource "aws_s3_bucket" "destination" {
  bucket = "tf-test-bucket-destination-12345"
}

# Enables versioning on the destination bucket.
# NOTE(review): the replication configuration on this page depends only on the
# source bucket's versioning; S3 presumably also needs this one in place
# before replication can be configured. Confirm the ordering.
resource "aws_s3_bucket_versioning" "destination" {
  bucket = aws_s3_bucket.destination.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Source bucket, created through the aliased aws.central provider.
resource "aws_s3_bucket" "source" {
  provider = aws.central
  bucket   = "tf-test-bucket-source-12345"
}

# Sets the canned ACL "private" on the source bucket.
# NOTE(review): buckets whose object ownership is BucketOwnerEnforced (ACLs
# disabled) reject ACL updates. On such buckets this resource likely needs a
# matching aws_s3_bucket_ownership_controls resource, or should be removed;
# confirm against the target account's defaults.
resource "aws_s3_bucket_acl" "source_bucket_acl" {
  provider = aws.central

  bucket = aws_s3_bucket.source.id
  acl    = "private"
}

# Enables versioning on the source bucket; the replication configuration
# lists this resource in depends_on so that it is applied first.
resource "aws_s3_bucket_versioning" "source" {
  provider = aws.central

  bucket = aws_s3_bucket.source.id
  versioning_configuration {
    status = "Enabled"
  }
}

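# Replication configuration on the source bucket (aws.central). One rule copies
# objects whose key starts with "foo" to the destination bucket, using the
# replication IAM role.
resource "aws_s3_bucket_replication_configuration" "replication" {
  provider = aws.central
  # Both buckets must have versioning enabled before replication is configured.
  # The destination is referenced only by ARN, which creates no implicit
  # dependency on its versioning resource, so both are listed explicitly.
  depends_on = [
    aws_s3_bucket_versioning.source,
    aws_s3_bucket_versioning.destination,
  ]

  role   = aws_iam_role.replication.arn
  bucket = aws_s3_bucket.source.id

  rule {
    id = "foobar"

    # Only keys with this prefix are replicated; other objects stay unreplicated.
    filter {
      prefix = "foo"
    }

    status = "Enabled"

    # NOTE(review): no encryption_configuration or access_control_translation
    # is set, so replicas keep the default encryption and ownership behaviour.
    destination {
      bucket        = aws_s3_bucket.destination.arn
      storage_class = "STANDARD"
    }
  }
}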

Bi-Directional Replication

# ... other configuration ...

# "East" bucket, created with the default provider. The providers and the
# east/west replication roles referenced further down are not defined in this
# excerpt.
resource "aws_s3_bucket" "east" {
  bucket = "tf-test-bucket-east-12345"
}

# Enables versioning on the east bucket, which is both a replication source
# (east_to_west) and a replication destination (west_to_east).
resource "aws_s3_bucket_versioning" "east" {
  bucket = aws_s3_bucket.east.id
  versioning_configuration {
    status = "Enabled"
  }
}

# "West" bucket, created through the aws.west provider alias (declared outside
# this excerpt).
resource "aws_s3_bucket" "west" {
  provider = aws.west
  bucket   = "tf-test-bucket-west-12345"
}

# Enables versioning on the west bucket, which is both a replication source
# (west_to_east) and a replication destination (east_to_west).
resource "aws_s3_bucket_versioning" "west" {
  provider = aws.west

  bucket = aws_s3_bucket.west.id
  versioning_configuration {
    status = "Enabled"
  }
}

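# East -> west half of the bi-directional setup: replicates keys prefixed "foo"
# from the east bucket to the west bucket using the east replication role
# (aws_iam_role.east_replication, defined outside this excerpt).
resource "aws_s3_bucket_replication_configuration" "east_to_west" {
  # Both buckets must have versioning enabled before replication is configured.
  # The west bucket is referenced only by ARN, which creates no implicit
  # dependency on its versioning resource, so both are listed explicitly.
  depends_on = [
    aws_s3_bucket_versioning.east,
    aws_s3_bucket_versioning.west,
  ]

  role   = aws_iam_role.east_replication.arn
  bucket = aws_s3_bucket.east.id

  rule {
    id = "foobar"

    filter {
      prefix = "foo"
    }

    status = "Enabled"

    destination {
      bucket        = aws_s3_bucket.west.arn
      storage_class = "STANDARD"
    }
  }
}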

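# West -> east half of the bi-directional setup: replicates keys prefixed "foo"
# from the west bucket to the east bucket using the west replication role
# (aws_iam_role.west_replication, defined outside this excerpt).
resource "aws_s3_bucket_replication_configuration" "west_to_east" {
  provider = aws.west
  # Both buckets must have versioning enabled before replication is configured.
  # The east bucket is referenced only by ARN, which creates no implicit
  # dependency on its versioning resource, so both are listed explicitly.
  depends_on = [
    aws_s3_bucket_versioning.west,
    aws_s3_bucket_versioning.east,
  ]

  role   = aws_iam_role.west_replication.arn
  bucket = aws_s3_bucket.west.id

  rule {
    id = "foobar"

    filter {
      prefix = "foo"
    }

    status = "Enabled"

    destination {
      bucket        = aws_s3_bucket.east.arn
      storage_class = "STANDARD"
    }
  }
}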

Argument Reference

This resource supports the following arguments:

rule

The rule configuration block supports the following arguments:

delete_marker_replication

# Fragment of a rule block: turns on replication of delete markers.
# NOTE(review): with this enabled, deletions on the source propagate to the
# replica, so the replica is not protected against accidental or malicious
# deletes. The replication role presumably needs s3:ReplicateDelete; confirm.
delete_marker_replication {
  status = "Enabled"
}

The delete_marker_replication configuration block supports the following arguments:

destination

The destination configuration block supports the following arguments:

access_control_translation

# Fragment of a destination block. NOTE(review): presumably this transfers
# ownership of replicas to the destination bucket owner, which matters for
# cross-account replication; confirm against the argument list.
access_control_translation {
  owner = "Destination"
}

The access_control_translation configuration block supports the following arguments:

encryption_configuration

# Fragment of a destination block: KMS key used to encrypt replicas.
# The ARN is a sample value; substitute the real key ARN.
# NOTE(review): the replication role's policy must presumably allow use of this
# key, and the example IAM policy on this page grants no KMS actions.
encryption_configuration {
  replica_kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}

The encryption_configuration configuration block supports the following arguments:

metrics

# Fragment of a destination block: enables replication metrics with a
# 15-minute event threshold. NOTE(review): useful for alerting on stalled or
# lagging replication; confirm which threshold values are accepted.
metrics {
  event_threshold {
    minutes = 15
  }
  status = "Enabled"
}

The metrics configuration block supports the following arguments:

event_threshold

The event_threshold configuration block supports the following arguments:

replication_time

# Fragment of a destination block: enables a replication time target of
# 15 minutes. NOTE(review): presumably must be paired with a metrics block;
# confirm against the argument list.
replication_time {
  status = "Enabled"
  time {
    minutes = 15
  }
}

The replication_time configuration block supports the following arguments:

time

The time configuration block supports the following arguments:

existing_object_replication

# Fragment of a rule block: opts objects that already exist in the bucket into
# replication. NOTE(review): availability may depend on account-level
# enablement; confirm before relying on it.
existing_object_replication {
  status = "Enabled"
}

The existing_object_replication configuration block supports the following arguments:

filter

The filter configuration block supports the following arguments:

and

The and configuration block supports the following arguments:

tag

The tag configuration block supports the following arguments:

source_selection_criteria

# Fragment of a rule block: selects additional categories of source objects.
source_selection_criteria {
  # NOTE(review): presumably replicates changes made to replicas, as used in
  # two-way replication setups; confirm.
  replica_modifications {
    status = "Enabled"
  }
  # Includes SSE-KMS encrypted objects. NOTE(review): likely requires a
  # destination encryption_configuration and KMS permissions on the role.
  sse_kms_encrypted_objects {
    status = "Enabled"
  }
}

The source_selection_criteria configuration block supports the following arguments:

replica_modifications

The replica_modifications configuration block supports the following arguments:

sse_kms_encrypted_objects

The sse_kms_encrypted_objects configuration block supports the following arguments:

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Import

In Terraform v1.5.0 and later, use an import block to import an S3 bucket replication configuration using the bucket name. For example:

# Imports an existing replication configuration into the given resource
# address; "bucket-name" is a placeholder for the bucket to import.
import {
  to = aws_s3_bucket_replication_configuration.replication
  id = "bucket-name"
}

Using terraform import, import an S3 bucket replication configuration using the bucket name. For example:

% terraform import aws_s3_bucket_replication_configuration.replication bucket-name