luthersystems · sam-at-luther · Jan 21, 2025 · Jan 13, 2025 · Jan 15, 2025 · Jan 15, 2025
diff --git a/aws-platform-ui-storage/kms.tf b/aws-platform-ui-storage/kms.tf
@@ -25,6 +25,13 @@ data "aws_iam_role" "autoscaling_service_role" {
   name = var.autoscaling_service_role_name
 }
 
+locals {
+  s3_kms_regions = compact([
+    "s3.${local.region}.amazonaws.com",
+    local.region_dr != "" ? "s3.${local.region_dr}.amazonaws.com" : null
+  ])
+}
+
 data "aws_iam_policy_document" "kms_key_main" {
   # Default statement attached to any kms key
   statement {
@@ -99,9 +106,7 @@ data "aws_iam_policy_document" "kms_key_main" {
         test     = "StringEquals"
         variable = "kms:ViaService"
 
-        values = [
-          "s3.${local.region}.amazonaws.com",
-        ]
+        values = local.s3_kms_regions
       }
     }
   }

diff --git a/aws-platform-ui-storage/kms_dr.tf b/aws-platform-ui-storage/kms_dr.tf
@@ -0,0 +1,44 @@
+module "luthername_kms_key_main_dr" {
+  count = var.enable_dr ? 1 : 0
+
+  source         = "../luthername"
+  luther_project = var.luther_project
+  aws_region     = local.region_dr
+  luther_env     = var.luther_env
+  org_name       = "luther"
+  component      = "storage"
+  resource       = "kms"
+  id             = random_string.kms_key_main.result
+}
+
+resource "aws_kms_key" "main_dr" {
+  count = var.enable_dr ? 1 : 0
+
+  provider = aws.dr
+
+  description = "Master DR KMS key for storage encryption"
+  policy      = data.aws_iam_policy_document.kms_key_main.json
+  tags        = module.luthername_kms_key_main_dr[0].tags
+}
+
+resource "aws_kms_alias" "main_dr" {
+  count = var.enable_dr ? 1 : 0
+
+  provider = aws.dr
+
+  name          = "alias/${module.luthername_kms_key_main_dr[0].name}"
+  target_key_id = aws_kms_key.main_dr[0].key_id
+}
+
+locals {
+  kms_key_dr_arn    = var.enable_dr ? aws_kms_key.main_dr[0].arn : ""
+  kms_key_alias_arn = var.enable_dr ? aws_kms_alias.main_dr[0].arn : ""
+}
+
+output "kms_key_main_dr_arn" {
+  value = local.kms_key_dr_arn
+}
+
+output "kms_alias_main_dr_arn" {
+  value = local.kms_key_alias_arn
+}
diff --git a/aws-platform-ui-storage/s3_buckets.tf b/aws-platform-ui-storage/s3_buckets.tf
@@ -5,6 +5,11 @@ module "static_bucket" {
   component       = "static"
   aws_kms_key_arn = aws_kms_key.main.arn
 
+  dr_bucket_replication       = var.enable_dr
+  replication_role_arn        = local.replication_role_arn
+  replication_destination_arn = local.static_bucket_dr_arn
+  destination_kms_key_arn     = local.kms_key_dr_arn
+
   providers = {
     aws    = aws
     random = random

diff --git a/aws-platform-ui-storage/s3_buckets_dr.tf b/aws-platform-ui-storage/s3_buckets_dr.tf
@@ -0,0 +1,52 @@
+
+module "replication_role" {
+  count = var.enable_dr ? 1 : 0
+
+  source         = "../aws-s3-replication-role"
+  luther_project = var.luther_project
+  aws_region     = local.region
+  aws_region_dr  = local.region_dr
+  luther_env     = var.luther_env
+  component      = "app"
+  bucket_source_arns = [
+    module.static_bucket.arn,
+  ]
+  bucket_destination_arns = [
+    local.static_bucket_dr_arn,
+  ]
+  source_kms_key_ids      = [aws_kms_key.main.arn]
+  destination_kms_key_ids = [local.kms_key_dr_arn]
+
+  providers = {
+    aws = aws
+  }
+}
+
+module "static_bucket_dr" {
+  count = var.enable_dr ? 1 : 0
+
+  source          = "../aws-s3-bucket"
+  luther_project  = var.luther_project
+  luther_env      = var.luther_env
+  component       = "static"
+  aws_kms_key_arn = local.kms_key_dr_arn
+
+  providers = {
+    aws    = aws.dr
+    random = random
+  }
+}
+
+locals {
+  replication_role_arn = var.enable_dr ? module.replication_role[0].role_arn : ""
+  static_bucket_dr_arn = var.enable_dr ? module.static_bucket_dr[0].arn : ""
+  static_bucket_dr     = var.enable_dr ? module.static_bucket_dr[0].bucket : ""
+}
+
+output "static_bucket_dr" {
+  value = local.static_bucket_dr
+}
+
+output "static_bucket_dr_arn" {
+  value = local.static_bucket_dr_arn
+}
diff --git a/aws-platform-ui-storage/tests/test1/test.tf b/aws-platform-ui-storage/tests/test1/test.tf
@@ -0,0 +1,31 @@
+data "aws_caller_identity" "current" {}
+
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "aws" {
+  alias = "dr"
+}
+
+module "test" {
+  source         = "../../"
+  luther_env     = "env"
+  luther_project = "project"
+
+  ci_github_repos = []
+
+  providers = {
+    aws    = aws
+    aws.dr = aws.dr
+    random = random
+  }
+}
diff --git a/aws-platform-ui-storage/vars.tf b/aws-platform-ui-storage/vars.tf
@@ -1,9 +1,14 @@
 data "aws_region" "current" {}
 
+data "aws_region" "dr_region" {
+  provider = aws.dr
+}
+
 data "aws_caller_identity" "current" {}
 
 locals {
   region     = data.aws_region.current.name
+  region_dr  = var.enable_dr ? data.aws_region.dr_region.name : ""
   account_id = data.aws_caller_identity.current.account_id
 }
 
@@ -59,3 +64,8 @@ variable "ci_static_access" {
   type    = bool
   default = false
 }
+
+variable "enable_dr" {
+  type    = bool
+  default = false
+}
diff --git a/aws-platform-ui-storage/versions.tf b/aws-platform-ui-storage/versions.tf
@@ -3,6 +3,9 @@ terraform {
     aws = {
       source  = "hashicorp/aws"
       version = ">= 5.0"
+      configuration_aliases = [
+        aws.dr,
+      ]
     }
     random = {
       source  = "hashicorp/random"

diff --git a/luthername/aws.tf b/luthername/aws.tf
@@ -2,6 +2,7 @@ variable "aws_region_short_code" {
   default = {
     eu-west-1    = "ie"
     eu-west-2    = "ln"
+    eu-west-3    = "fr"
     us-west-1    = "va"
     us-west-2    = "or"
     eu-central-1 = "de"