Terraform module to create backup buckets
# Primary backup bucket in the main region. Object versions are retained,
# current objects age out to STANDARD_IA after 30 days, and every object is
# replicated to the companion bucket in the replication region.
#
# NOTE(review): this uses the nested acl/versioning/lifecycle/replication/
# encryption arguments of the pre-v4 AWS provider; newer provider releases
# split these into separate aws_s3_bucket_* resources — confirm the provider
# version pinned by the caller.
resource "aws_s3_bucket" "main_bucket" {
  provider = aws.main_region
  bucket   = var.bucket_name
  acl      = "private"

  # Default encryption with S3-managed keys (SSE-S3). Switching to aws:kms
  # gives key-level access control and CloudTrail key-usage logs, but the
  # replication role then also needs KMS permissions — out of scope here.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Versioning is a precondition for replication and is what the
  # noncurrent-version rule below operates on.
  versioning {
    enabled = true
  }

  lifecycle_rule {
    id      = "infrequent_access"
    enabled = true

    transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

    # NOTE(review): overwritten or deleted versions are purged after 15 days,
    # so this is also the window in which an accidental or malicious overwrite
    # or delete can still be rolled back. Confirm it matches the intended
    # recovery objective for a backup bucket.
    noncurrent_version_expiration {
      days = 15
    }
  }

  # Replication is configured with the role declared further down. S3 needs to
  # assume that role with its policy already attached; presumably a depends_on
  # on the policy attachment avoids a first-apply race — TODO confirm.
  replication_configuration {
    role = aws_iam_role.s3_replication_role.arn

    rules {
      id     = "ReplicateAll"
      status = "Enabled"

      # No filter block is present, so this is the V1 replication schema; as far
      # as I recall delete markers are replicated in that mode, meaning a delete
      # on the source also hides the object in the replica — TODO confirm for
      # the provider version in use.
      destination {
        bucket        = aws_s3_bucket.replication_bucket.arn
        storage_class = "STANDARD"
      }
    }
  }
}
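# Blocks every form of public access on the primary bucket.
#
# Pinned to the same provider alias as the bucket itself. The equivalent block
# for the replication bucket already sets its provider, but this one did not,
# so it was created through whatever default "aws" provider the caller passes
# in — which need not point at aws.main_region at all. Binding it explicitly
# keeps the public-access settings on the bucket they are meant to protect.
resource "aws_s3_bucket_public_access_block" "block_main_bucket_public_access" {
  provider = aws.main_region
  bucket   = aws_s3_bucket.main_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}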
# Replica bucket in the secondary region; receives every object version from
# the primary bucket and applies the same encryption and ageing rules.
resource "aws_s3_bucket" "replication_bucket" {
  provider = aws.replication_region
  bucket   = "${var.bucket_name}-replicated"
  acl      = "private"

  # Same SSE-S3 default encryption as the primary bucket.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # The destination of a replication rule must be versioned.
  versioning {
    enabled = true
  }

  lifecycle_rule {
    id      = "infrequent_access"
    enabled = true

    # Replicas land as STANDARD (see the replication rule on the primary
    # bucket) and move to STANDARD_IA after 30 days.
    transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

    # NOTE(review): this is the last line of defence for a backup — once a
    # noncurrent version is 15 days old it is gone from both regions. A longer
    # retention here, or Object Lock, would survive a source-side deletion.
    noncurrent_version_expiration {
      days = 15
    }
  }
}
# Blocks every form of public access on the replica bucket, through the
# replication-region provider the bucket itself was created with.
resource "aws_s3_bucket_public_access_block" "block_replication_bucket_public_access" {
  provider = aws.replication_region
  bucket   = aws_s3_bucket.replication_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
# Alias-only provider block: the caller supplies a configured provider for the
# primary region under this alias (via the module's providers map).
provider "aws" {
  alias = "main_region"
}
# Alias-only provider block: the caller supplies a configured provider for the
# secondary (replica) region under this alias.
provider "aws" {
  alias = "replication_region"
}
# ARN of the primary backup bucket, e.g. for bucket policies or replication
# permissions defined outside this module.
output "main_bucket_arn" {
  description = "ARN of the primary backup bucket"
  value       = aws_s3_bucket.main_bucket.arn
}
# ARN of the replica bucket in the secondary region.
output "replication_bucket_arn" {
  description = "ARN of the replica bucket in the replication region"
  value       = aws_s3_bucket.replication_bucket.arn
}
# Role the S3 service assumes to copy objects from the primary bucket to the
# replica. Its permissions come from the attached policy below.
resource "aws_iam_role" "s3_replication_role" {
  name               = "${var.bucket_name}-replication-role"
  assume_role_policy = data.aws_iam_policy_document.s3_replication_role_assume_role_policy.json
}
# Binds the replication permissions policy to the replication role.
resource "aws_iam_role_policy_attachment" "s3_replication_role_policy_attachment" {
  policy_arn = aws_iam_policy.s3_replication_role_policy.arn
  role       = aws_iam_role.s3_replication_role.name
}
# Trust policy: only the S3 service principal may assume the replication role.
#
# NOTE(review): the trust is not scoped to a particular source bucket or
# account (no aws:SourceAccount / aws:SourceArn condition). Adding those
# conditions is the standard confused-deputy hardening for service principals;
# confirm S3 replication honours them before tightening.
data "aws_iam_policy_document" "s3_replication_role_assume_role_policy" {
  statement {
    sid     = "AllowS3AssumeReplicationRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
  }
}
# Managed policy carrying the replication permissions; rendered from the
# policy document data source below.
resource "aws_iam_policy" "s3_replication_role_policy" {
  name   = "${var.bucket_name}-replication-role-policy"
  policy = data.aws_iam_policy_document.s3_replication_role_policy_document.json
}
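# Permissions for the replication role, limited to what S3 replication needs:
# read the source bucket's replication configuration and its object versions
# (with ACLs and tags), and write replicas into the destination bucket.
data "aws_iam_policy_document" "s3_replication_role_policy_document" {
  # Bucket-level reads on the source bucket.
  statement {
    sid    = "GetSourceBucketConfiguration"
    effect = "Allow"
    actions = [
      "s3:GetReplicationConfiguration",
      "s3:ListBucket",
    ]
    resources = [aws_s3_bucket.main_bucket.arn]
  }

  # Object-level reads on the source bucket. s3:GetObjectVersionForReplication
  # is the replication-specific read action and is narrower than the previous
  # s3:GetObjectVersion, which also grants ordinary object reads. The tagging
  # read is required so object tags can be carried over to the replica.
  statement {
    sid    = "GetObjectVersion"
    effect = "Allow"
    actions = [
      "s3:GetObjectVersionForReplication",
      "s3:GetObjectVersionAcl",
      "s3:GetObjectVersionTagging",
    ]
    resources = ["${aws_s3_bucket.main_bucket.arn}/*"]
  }

  # Object-level writes on the destination bucket. ReplicateDelete is what
  # propagates delete markers; drop it if the replica should never reflect
  # source-side deletions.
  statement {
    sid    = "ReplicateObjects"
    effect = "Allow"
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
      "s3:ReplicateTags",
    ]
    resources = ["${aws_s3_bucket.replication_bucket.arn}/*"]
  }
}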
# Base name for the buckets; the replica gets a "-replicated" suffix and the
# IAM role and policy names are derived from it as well.
variable "bucket_name" {
  description = "Name of the bucket to create"
  type        = string
}