@yuyasugano
Last active November 6, 2020 01:42
s3 cross region replication source bucket
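---
# S3 source (primary) bucket for cross-region replication (CRR).
#
# This template creates only the source side: the bucket, the replication role
# and its managed policy. The replica bucket named by ReplicationBucketName is
# expected to already exist in RepRegion with versioning enabled.
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Primary bucket for cross region replication

Parameters:
  Environment:
    Type: String
    Description: Deployment stage; suffixed onto bucket, policy and role names.
    Default: dev
    AllowedValues:
      - dev
      - prod
      - uat
  OriginalBucketName:
    Type: String
    Description: Name prefix of the source bucket (final name is "<prefix>-<Environment>-bucket").
    Default: primary-test-1
  ReplicationBucketName:
    Type: String
    Description: Name prefix of the existing replica bucket in RepRegion.
    Default: secondary-test-1
  RepRegion:
    Type: String
    Description: Region of the replica bucket; scopes the role's KMS permissions for the replica key.
    Default: us-east-1
    AllowedValues:
      - us-east-1
  OriginalBucketObjectVersioning:
    Type: String
    Description: Versioning state of the source bucket. Replication is only configured when Enabled.
    Default: Enabled
    AllowedValues:
      # S3 accepts "Suspended"; the value "Suspend" is rejected at deploy time.
      - Suspended
      - Enabled
  OriginalBucketObjectVersioningLength:
    Type: Number
    Description: Days after which noncurrent versions expire and incomplete multipart uploads are aborted.
    Default: 21
    MinValue: 1
  OriginalMasterKeyID:
    Type: String
    Description: ARN of the KMS key (in the stack's region) used for default encryption of the source bucket.
  ReplicaMasterKeyID:
    Type: String
    Description: ARN of the KMS key in RepRegion used to encrypt object replicas.
  CrossRegionReplicationIAMPolicyName:
    Type: String
    Default: CrossRegionReplication-Policy
  CrossRegionReplicationRoleName:
    Type: String
    Default: CrossRegionReplication-Role

Conditions:
  # Noncurrent-version lifecycle rules and replication are only accepted by S3
  # on a bucket whose versioning is enabled.
  OriginalBucketObjectVersioningEnabled:
    Fn::Equals:
      - Ref: OriginalBucketObjectVersioning
      - Enabled

Resources:
  OriginalBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${OriginalBucketName}-${Environment}-bucket"
      VersioningConfiguration:
        Status: !Ref OriginalBucketObjectVersioning
      # Replicated data has no reason to be publicly reachable.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref OriginalMasterKeyID
      LifecycleConfiguration:
        Fn::If:
          - OriginalBucketObjectVersioningEnabled
          - Rules:
              - Id: Lifecycle for original bucket
                AbortIncompleteMultipartUpload:
                  DaysAfterInitiation: !Ref OriginalBucketObjectVersioningLength
                NoncurrentVersionExpirationInDays: !Ref OriginalBucketObjectVersioningLength
                Prefix: ''
                Status: Enabled
          - Ref: AWS::NoValue
      ReplicationConfiguration:
        Fn::If:
          - OriginalBucketObjectVersioningEnabled
          - Role: !GetAtt CrossRegionReplicationRole.Arn
            Rules:
              - Id: Rule1
                Prefix: ""
                Status: Enabled
                # Objects written under the bucket's SSE-KMS default encryption
                # are skipped by replication unless explicitly opted in here.
                SourceSelectionCriteria:
                  SseKmsEncryptedObjects:
                    Status: Enabled
                Destination:
                  Bucket: !Sub "arn:${AWS::Partition}:s3:::${ReplicationBucketName}-${Environment}-bucket"
                  StorageClass: STANDARD
                  EncryptionConfiguration:
                    ReplicaKmsKeyID: !Ref ReplicaMasterKeyID
          - Ref: AWS::NoValue
  CrossRegionReplicationIAMPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "${CrossRegionReplicationIAMPolicyName}-${Environment}"
      Description: !Sub "Access policy to CRR S3 Replication Bucket in ${Environment}"
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Read the replication configuration and list the source bucket.
          - Effect: Allow
            Action:
              - s3:GetReplicationConfiguration
              - s3:ListBucket
            Resource: !Sub "arn:${AWS::Partition}:s3:::${OriginalBucketName}-${Environment}-bucket"
          # Read source object versions, ACLs and tags. Tags are read on the
          # source object, so s3:GetObjectVersionTagging belongs here rather
          # than on the destination bucket.
          - Effect: Allow
            Action:
              - s3:GetObjectVersionForReplication
              - s3:GetObjectVersionAcl
              - s3:GetObjectVersionTagging
            Resource: !Sub "arn:${AWS::Partition}:s3:::${OriginalBucketName}-${Environment}-bucket/*"
          # Write replicas, replicated deletes and tags to the destination bucket.
          - Effect: Allow
            Action:
              - s3:ReplicateObject
              - s3:ReplicateDelete
              - s3:ReplicateTags
            Resource: !Sub "arn:${AWS::Partition}:s3:::${ReplicationBucketName}-${Environment}-bucket/*"
          # Decrypt source objects with the source key, only when S3 in this
          # region calls KMS on the role's behalf.
          - Effect: Allow
            Action:
              - kms:Decrypt
            Resource: !Ref OriginalMasterKeyID
            Condition:
              StringLike:
                kms:ViaService: !Sub "s3.${AWS::Region}.amazonaws.com"
          # Encrypt replicas with the replica key, only via S3 in the replica region.
          - Effect: Allow
            Action:
              - kms:Encrypt
              - kms:GenerateDataKey
            Resource: !Ref ReplicaMasterKeyID
            Condition:
              StringLike:
                kms:ViaService: !Sub "s3.${RepRegion}.amazonaws.com"
  CrossRegionReplicationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref CrossRegionReplicationRoleName
      Description: !Sub "Grants access to S3 replication bucket in ${Environment}"
      Path: /
      # Ref on an AWS::IAM::ManagedPolicy returns its ARN and creates the
      # dependency, so no hand-built ARN or DependsOn is needed.
      ManagedPolicyArns:
        - !Ref CrossRegionReplicationIAMPolicy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
            Action:
              - sts:AssumeRole

Outputs:
  OriginalBucket:
    Value: !Ref OriginalBucket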