How can we enable Amazon S3 replication modification sync in terraform?
I am using terraform for Amazon S3 replication. I want to enable the rule "Replicate modification sync", but I don't think it is defined in terraform.
Right now my code looks like:
replication_configuration {
  role = "${aws_iam_role.source_replication.arn}"

  rules {
    id     = "${local.replication_name}"
    status = "Enabled"
    prefix = "${var.replicate_prefix}"

    destination {
      bucket        = "${local.dest_bucket_arn}"
      storage_class = "STANDARD"

      access_control_translation = {
        owner = "Destination"
      }

      account_id = "${data.aws_caller_identity.dest.account_id}"
    }

    source_selection_criteria {
      replica_modifications {
        Status = "Enabled"
      }
    }
  }
}
The error:
Error: Unsupported block type
on s3_bucket.tf line 61, in resource "aws_s3_bucket" "bucket":
61: replica_modifications {
Blocks of type "replica_modifications" are not expected here.
The rule I have to enable looks like this in the console.
Using the AWS CLI from terraform, I am not sure how to use variables such as the destination ${local.dest_bucket_arn} and ${aws_iam_role.source_replication.arn} inside the sub file I am calling.
resource "null_resource" "awsrepl" {
  # ...
  provisioner "local-exec" {
    command = "aws s3api put-bucket-replication --replication-configuration templatefile://replication_source.json --bucket ${var.bucket_name}"
  }
}
replication_source.json looks like:
{
  "Rules": [
    {
      "Status": "Enabled",
      "DeleteMarkerReplication": { "Status": "Enabled" },
      "SourceSelectionCriteria": {
        "ReplicaModifications": {
          "Status": "Enabled"
        }
      },
      "Destination": {
        "Bucket": "${local.dest_bucket_arn}"
      },
      "Priority": 1
    }
  ],
  "Role": "${aws_iam_role.source_replication.arn}"
}
You are right. It is not supported yet, but there is already a GitHub issue:
By the way, Delete marker replication is not supported either.
Your options are to do it manually after the bucket is deployed, or use local-exec to run the AWS CLI to do it, or aws_lambda_invocation.
Was able to achieve this in terraform using local-exec and template_file:
data "template_file" "replication_dest" {
  template = "${file("replication_dest.json")}"

  # The variable names here must match the ${...} placeholders used in replication_dest.json
  vars = {
    bucketarn  = "${aws_s3_bucket.bucket.arn}"
    rolearn    = "${aws_iam_role.dest_replication.arn}"
    kmskey     = "${data.aws_caller_identity.current.account_id}"
    keyalias   = "${data.aws_kms_key.s3.key_id}"
    destregion = "${data.aws_region.active.name}"
  }
}

resource "null_resource" "awsdestrepl" {
  # ...
  provisioner "local-exec" {
    # The rendered template is a quoted JSON string, so it arrives as one shell argument
    command = "aws s3api put-bucket-replication --bucket ${aws_s3_bucket.dest.bucket} --replication-configuration ${data.template_file.replication_dest.rendered}"
  }

  depends_on = [aws_s3_bucket.dest]
}
And replication_dest.json looks like this:
"{
  \"Rules\": [
    {
      \"Status\": \"Enabled\",
      \"DeleteMarkerReplication\": { \"Status\": \"Enabled\" },
      \"Filter\": { \"Prefix\": \"\" },
      \"SourceSelectionCriteria\": {
        \"ReplicaModifications\": {
          \"Status\": \"Enabled\"
        },
        \"SseKmsEncryptedObjects\": {
          \"Status\": \"Enabled\"
        }
      },
      \"Destination\": {
        \"Bucket\": \"${bucketarn}\",
        \"EncryptionConfiguration\": {
          \"ReplicaKmsKeyID\": \"arn:aws:kms:${destregion}:${kmskey}:key/${keyalias}\"
        }
      },
      \"Priority\": 1
    }
  ],
  \"Role\": \"${rolearn}\"
}"
And you are good to go. :)
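The difference between the question's JSON (which has no Filter) and the answer's (which adds Filter, Priority and DeleteMarkerReplication) is the V1 versus V2 rule schema: ReplicaModifications is only accepted on V2 rules, the ones that carry a Filter element. The script below is an added example, not code from the question or either answer; it builds the configuration as a dict, checks those schema invariants plus the ARN shapes before anything is sent to put-bucket-replication, and serialises the result to a file you can pass with `file://`, which avoids the shell-quoting problem the answer works around with an escaped-quote template. The ARNs in it are constructed placeholders, and the schema rules it encodes are my reading of the S3 API reference, so confirm them against the current reference.

```python
"""Build and sanity-check an S3 replication configuration before handing it to
`aws s3api put-bucket-replication --replication-configuration file://replication.json`.

Added example for this thread, not code from the question or either answer.
Schema rules encoded below (assumption from the S3 API reference): a rule with a
Filter element is V2; only V2 rules may carry ReplicaModifications, and V2 rules
must also set Priority and DeleteMarkerReplication. ARNs are constructed placeholders.
"""
import json
import re

S3_BUCKET_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9.-]{3,63}$")
IAM_ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/.+$")
# A KMS key ARN names the key as key/<uuid>; an alias or bare key id is not accepted here.
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def build_config(role_arn, dest_bucket_arn, replica_kms_key_arn=None, prefix=""):
    """Return a V2 configuration with replica modification sync and delete marker
    replication enabled, the same shape the second answer renders from its template."""
    criteria = {"ReplicaModifications": {"Status": "Enabled"}}
    destination = {"Bucket": dest_bucket_arn}
    if replica_kms_key_arn:
        # Replicating SSE-KMS objects needs both the selector and a replica key.
        criteria["SseKmsEncryptedObjects"] = {"Status": "Enabled"}
        destination["EncryptionConfiguration"] = {"ReplicaKmsKeyID": replica_kms_key_arn}
    return {
        "Role": role_arn,
        "Rules": [{
            "Status": "Enabled",
            "Priority": 1,
            "Filter": {"Prefix": prefix},
            "DeleteMarkerReplication": {"Status": "Enabled"},
            "SourceSelectionCriteria": criteria,
            "Destination": destination,
        }],
    }


def validate(config):
    """Return a list of problems; an empty list means the configuration looks valid."""
    problems = []
    if not IAM_ROLE_ARN.match(config.get("Role", "")):
        problems.append("Role must be an IAM role ARN")
    rules = config.get("Rules") or []
    if not rules:
        problems.append("at least one rule is required")
    for i, rule in enumerate(rules):
        tag = f"rule {i}"
        if rule.get("Status") not in ("Enabled", "Disabled"):
            problems.append(f"{tag}: Status must be Enabled or Disabled")
        v2 = "Filter" in rule
        if v2 and "Prefix" in rule:
            problems.append(f"{tag}: use either Prefix (V1) or Filter (V2), not both")
        criteria = rule.get("SourceSelectionCriteria", {})
        if "ReplicaModifications" in criteria and not v2:
            problems.append(f"{tag}: ReplicaModifications needs the V2 schema (add a Filter element)")
        if v2 and "Priority" not in rule:
            problems.append(f"{tag}: V2 rules must set Priority")
        if v2 and "DeleteMarkerReplication" not in rule:
            problems.append(f"{tag}: V2 rules must set DeleteMarkerReplication")
        dest = rule.get("Destination", {})
        if not S3_BUCKET_ARN.match(dest.get("Bucket", "")):
            problems.append(f"{tag}: Destination.Bucket must be an S3 bucket ARN")
        if criteria.get("SseKmsEncryptedObjects", {}).get("Status") == "Enabled":
            key = dest.get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID", "")
            if not KMS_KEY_ARN.match(key):
                problems.append(f"{tag}: SSE-KMS replication needs a full KMS key ARN in ReplicaKmsKeyID")
    return problems


def render(config):
    """Serialise for `--replication-configuration file://replication.json`; a file
    avoids quoting the JSON on the shell command line."""
    return json.dumps(config, indent=2)


# Constructed placeholder values, not taken from the thread.
ROLE = "arn:aws:iam::123456789012:role/example-replication"
DEST = "arn:aws:s3:::example-dest-bucket"
KEY = "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555"

# The shape posted in the question: ReplicaModifications on a rule with no Filter (V1).
QUESTION_STYLE = {
    "Role": ROLE,
    "Rules": [{
        "Status": "Enabled",
        "DeleteMarkerReplication": {"Status": "Enabled"},
        "SourceSelectionCriteria": {"ReplicaModifications": {"Status": "Enabled"}},
        "Destination": {"Bucket": DEST},
        "Priority": 1,
    }],
}

if __name__ == "__main__":
    print(validate(QUESTION_STYLE))
    good = build_config(ROLE, DEST, KEY)
    print(validate(good))
    with open("replication.json", "w") as fh:
        fh.write(render(good))
```

Run it once against the rendered template before wiring it into a local-exec step: the first line of output explains the question's rejection, the second is empty for the corrected rule, and the written file is what `--replication-configuration file://replication.json` consumes.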