diff --git a/aws-platform-ui-storage/kms.tf b/aws-platform-ui-storage/kms.tf
index 0fecf0c..72a6151 100644
--- a/aws-platform-ui-storage/kms.tf
+++ b/aws-platform-ui-storage/kms.tf
@@ -25,6 +25,13 @@ data "aws_iam_role" "autoscaling_service_role" {
 name = var.autoscaling_service_role_name
 }
+locals {
+ s3_kms_regions = compact([
+ "s3.${local.region}.amazonaws.com",
+ local.region_dr != "" ? "s3.${local.region_dr}.amazonaws.com" : null
+ ])
+}
+
 data "aws_iam_policy_document" "kms_key_main" {
 # Default statement attached to any kms key
 statement {
@@ -99,9 +106,7 @@ data "aws_iam_policy_document" "kms_key_main" {
 test = "StringEquals"
 variable = "kms:ViaService"
- values = [
- "s3.${local.region}.amazonaws.com",
- ]
+ values = local.s3_kms_regions
 }
 }
 }
diff --git a/aws-platform-ui-storage/kms_dr.tf b/aws-platform-ui-storage/kms_dr.tf
new file mode 100644
index 0000000..817ab0b
--- /dev/null
+++ b/aws-platform-ui-storage/kms_dr.tf
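Review bot: `values = local.s3_kms_regions` in the second hunk widens the `kms:ViaService` condition on the primary key to the DR-region S3 endpoint, and the first hunk builds that list from both regions; for S3 replication with SSE-KMS the source key is only used via S3 in the source region and the destination key via S3 in the destination region, so each key needs only its own endpoint. The wider list is presumably there because `data.aws_iam_policy_document.kms_key_main` is attached to the DR key as well (kms_dr.tf), but that makes the least-privilege option a per-key endpoint, e.g. keep `values = ["s3.${local.region}.amazonaws.com"]` here and give the DR key a variant of the document carrying `"s3.${local.region_dr}.amazonaws.com"`. The statement's principal is outside the hunk, so I can't tell how much the widening grants; if the shared list is kept, a comment `# lists both regions because this document is also attached to the DR key` above `locals` would at least make the scope deliberate. The data block continues past the hunk.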
@@ -0,0 +1,44 @@
+module "luthername_kms_key_main_dr" {
+ count = var.enable_dr ? 1 : 0
+
+ source = "../luthername"
+ luther_project = var.luther_project
+ aws_region = local.region_dr
+ luther_env = var.luther_env
+ org_name = "luther"
+ component = "storage"
+ resource = "kms"
+ id = random_string.kms_key_main.result
+}
+
+resource "aws_kms_key" "main_dr" {
+ count = var.enable_dr ? 1 : 0
+
+ provider = aws.dr
+
+ description = "Master DR KMS key for storage encryption"
+ policy = data.aws_iam_policy_document.kms_key_main.json
+ tags = module.luthername_kms_key_main_dr[0].tags
+}
+
+resource "aws_kms_alias" "main_dr" {
+ count = var.enable_dr ? 1 : 0
+
+ provider = aws.dr
+
+ name = "alias/${module.luthername_kms_key_main_dr[0].name}"
+ target_key_id = aws_kms_key.main_dr[0].key_id
+}
+
+locals {
+ kms_key_dr_arn = var.enable_dr ? aws_kms_key.main_dr[0].arn : ""
+ kms_key_alias_arn = var.enable_dr ? aws_kms_alias.main_dr[0].arn : ""
+}
+
+output "kms_key_main_dr_arn" {
+ value = local.kms_key_dr_arn
+}
+
+output "kms_alias_main_dr_arn" {
+ value = local.kms_key_alias_arn
+}
diff --git a/aws-platform-ui-storage/s3_buckets.tf b/aws-platform-ui-storage/s3_buckets.tf
index 5d09bf9..6c4ef75 100644
--- a/aws-platform-ui-storage/s3_buckets.tf
+++ b/aws-platform-ui-storage/s3_buckets.tf
@@ -5,6 +5,11 @@ module "static_bucket" {
 component = "static"
 aws_kms_key_arn = aws_kms_key.main.arn
+ dr_bucket_replication = var.enable_dr
+ replication_role_arn = local.replication_role_arn
+ replication_destination_arn = local.static_bucket_dr_arn
+ destination_kms_key_arn = local.kms_key_dr_arn
+
 providers = {
 aws = aws
 random = random
diff --git a/aws-platform-ui-storage/s3_buckets_dr.tf b/aws-platform-ui-storage/s3_buckets_dr.tf
new file mode 100644
index 0000000..90f3515
--- /dev/null
+++ b/aws-platform-ui-storage/s3_buckets_dr.tf
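Review bot: `aws_kms_key.main_dr` does not set `enable_key_rotation`, which the aws provider defaults to false, so the DR key will never rotate; whether `aws_kms_key.main` enables it is outside this diff, but the two keys should match, and I'd add `enable_key_rotation = true` next to `description`. The key also reuses `data.aws_iam_policy_document.kms_key_main.json` verbatim, so any region-scoped condition in that document (the `kms:ViaService` values in kms.tf) applies to both keys at once; a comment `# shares the primary key policy, including its region-scoped conditions` on the `policy` line would make that visible here. As a naming point, `kms_key_alias_arn` would read more consistently as `kms_alias_dr_arn`, matching `kms_key_dr_arn` and the `kms_alias_main_dr_arn` output.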
@@ -0,0 +1,52 @@
+
+module "replication_role" {
+ count = var.enable_dr ? 1 : 0
+
+ source = "../aws-s3-replication-role"
+ luther_project = var.luther_project
+ aws_region = local.region
+ aws_region_dr = local.region_dr
+ luther_env = var.luther_env
+ component = "app"
+ bucket_source_arns = [
+ module.static_bucket.arn,
+ ]
+ bucket_destination_arns = [
+ local.static_bucket_dr_arn,
+ ]
+ source_kms_key_ids = [aws_kms_key.main.arn]
+ destination_kms_key_ids = [local.kms_key_dr_arn]
+
+ providers = {
+ aws = aws
+ }
+}
+
+module "static_bucket_dr" {
+ count = var.enable_dr ? 1 : 0
+
+ source = "../aws-s3-bucket"
+ luther_project = var.luther_project
+ luther_env = var.luther_env
+ component = "static"
+ aws_kms_key_arn = local.kms_key_dr_arn
+
+ providers = {
+ aws = aws.dr
+ random = random
+ }
+}
+
+locals {
+ replication_role_arn = var.enable_dr ? module.replication_role[0].role_arn : ""
+ static_bucket_dr_arn = var.enable_dr ? module.static_bucket_dr[0].arn : ""
+ static_bucket_dr = var.enable_dr ? module.static_bucket_dr[0].bucket : ""
+}
+
+output "static_bucket_dr" {
+ value = local.static_bucket_dr
+}
+
+output "static_bucket_dr_arn" {
+ value = local.static_bucket_dr_arn
+}
diff --git a/aws-platform-ui-storage/tests/test1/test.tf b/aws-platform-ui-storage/tests/test1/test.tf
new file mode 100644
index 0000000..0f53bdd
--- /dev/null
+++ b/aws-platform-ui-storage/tests/test1/test.tf
@@ -0,0 +1,31 @@
+data "aws_caller_identity" "current" {}
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.0"
+ }
+ }
+}
+
+provider "aws" {
+ alias = "dr"
+}
+
+module "test" {
+ source = "../../"
+ luther_env = "env"
+ luther_project = "project"
+
+ ci_github_repos = []
+
+ providers = {
+ aws = aws
+ aws.dr = aws.dr
+ random = random
+ }
+}
diff --git a/aws-platform-ui-storage/vars.tf b/aws-platform-ui-storage/vars.tf
index afce5a0..19a267c 100644
--- a/aws-platform-ui-storage/vars.tf
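Review bot: `bucket_source_arns` and `bucket_destination_arns` in `module "replication_role"` are given bucket ARNs only, while the object-level replication actions (`s3:ReplicateObject` and friends) have to be granted on `<bucket arn>/*`; if the `aws-s3-replication-role` module does not append `/*` itself, the role fails at replication time rather than at plan time, which is worth confirming against that module. Likewise `source_kms_key_ids`/`destination_kms_key_ids` are passed ARNs despite the `_ids` name — fine if the module uses them as IAM `Resource` values, but the mismatch deserves either a rename or a comment `# key ARNs, consumed as IAM Resource entries`. The trailing `locals` use `""` as the absent-value sentinel, as kms_dr.tf and vars.tf do; `one(module.static_bucket_dr[*].arn)` is the idiomatic form and yields `null` when count is zero, but switching is only safe if consumers such as `replication_destination_arn` and the `!= ""` test in kms.tf accept null, which is not visible here.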
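Review bot: The fixture never sets `enable_dr`, and vars.tf defaults it to `false`, so every DR path added in this commit (the `count`-gated modules and resources, the `[0]` index expressions, the `aws.dr` provider plumbing into `static_bucket_dr`) is skipped by `tests/test1`; only the requirement that `aws.dr` be passed is exercised. Adding `enable_dr = true` to `module "test"`, or a second fixture that sets it, would at least validate that the DR branch plans. Note that `provider "aws" { alias = "dr" }` has no `region`, so in that fixture it would presumably resolve from the environment to the same region as the default provider, which the module does not currently reject.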
+++ b/aws-platform-ui-storage/vars.tf
@@ -1,9 +1,14 @@
 data "aws_region" "current" {}
+data "aws_region" "dr_region" {
+ provider = aws.dr
+}
+
 data "aws_caller_identity" "current" {}
 locals {
 region = data.aws_region.current.name
+ region_dr = var.enable_dr ? data.aws_region.dr_region.name : ""
 account_id = data.aws_caller_identity.current.account_id
 }
@@ -59,3 +64,8 @@ variable "ci_static_access" {
 type = bool
 default = false
 }
+
+variable "enable_dr" {
+ type = bool
+ default = false
+}
diff --git a/aws-platform-ui-storage/versions.tf b/aws-platform-ui-storage/versions.tf
index 36318d8..dc284d2 100644
--- a/aws-platform-ui-storage/versions.tf
+++ b/aws-platform-ui-storage/versions.tf
@@ -3,6 +3,9 @@ terraform {
 aws = {
 source = "hashicorp/aws"
 version = ">= 5.0"
+ configuration_aliases = [
+ aws.dr,
+ ]
 }
 random = {
 source = "hashicorp/random"
diff --git a/luthername/aws.tf b/luthername/aws.tf
index 834a8bd..bd10822 100644
--- a/luthername/aws.tf
+++ b/luthername/aws.tf
@@ -2,6 +2,7 @@ variable "aws_region_short_code" {
 default = {
 eu-west-1 = "ie"
 eu-west-2 = "ln"
+ eu-west-3 = "fr"
 us-west-1 = "va"
 us-west-2 = "or"
 eu-central-1 = "de"
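Review bot: Nothing in the first vars.tf hunk checks that the DR region differs from the primary one: `region_dr` is whatever region the caller's `aws.dr` provider happens to have, and if that equals `local.region` the DR key, bucket and replication target all land in the primary region, `s3_kms_regions` in kms.tf gets a duplicate entry, and the apply still succeeds. A `postcondition` on `data "aws_region" "dr_region"` (Terraform 1.2+; the module's required core version is not in this diff) fails the plan early instead, and documents the assumption in the place it is made.
```hcl
data "aws_region" "dr_region" {
  provider = aws.dr

  lifecycle {
    postcondition {
      condition     = !var.enable_dr || self.name != data.aws_region.current.name
      error_message = "When enable_dr is true, the aws.dr provider must target a region other than the primary region."
    }
  }
}
```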
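Review bot: `variable "enable_dr"` in the second vars.tf hunk has no `description`, so a caller reading the variables file cannot tell what turning it on provisions or that it relies on a distinct `aws.dr` provider. I'd add `description = "Create a DR KMS key and static bucket in the region of the aws.dr provider and replicate the static bucket to it."` between `type` and `default`.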