
feature request: Support for S3 bucket object cross-region and cross-account replication #10759

Open
1 task done
gitisz opened this issue May 3, 2024 · 0 comments
Labels
area: integration/cdk Issues related to AWS Cloud Development Kit aws:cloudformation AWS CloudFormation aws:s3 Amazon Simple Storage Service status: backlog Triaged but not yet being worked on type: feature New feature, or improvement to an existing feature

Comments

@gitisz

gitisz commented May 3, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Feature description

AWS S3 supports object replication between buckets in the same region, in an alternate region, and cross-account. LocalStack should also support this feature, such that when dropping a file into a bucket with replication enabled, the same file is replicated to an alternate bucket.

🧑‍💻 Implementation

As a developer I would like to provision two S3 buckets, with an IAM role, and S3 replication configured. This feature should be supported via AWS CLI, CloudFormation, CDK, and SDKs.

The following CFTs may help to outline an MWE for the feature requested.

Example IAM CFT:

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  BucketName:
    Description: The bucket name.
    Type: String
    Default: my-bucket
  Account:
    Description: The AWS Account.
    Type: String
    Default: "000000000000"
Mappings:
  RegionMap:
    us-east-1:
      Destination: us-west-2
    us-west-2:
      Destination: us-east-1

Resources:
  BucketReplicationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: BucketReplicationRole
      Path: "/"
      # Only the S3 service principal may assume the replication role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Principal:
              Service:
                - s3.amazonaws.com
            Action:
              - sts:AssumeRole
            Effect: Allow
      Policies:
        # Source us-east-1 -> destination us-west-2.
        - PolicyName: bucket-replication-permissions-us-east-1
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Bucket-level actions are granted on the bucket ARN.
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetReplicationConfiguration
                Resource:
                  - !Join ["", ["arn:aws:s3:::", !Join ["-", [!Ref BucketName, "us-east-1"]]]]
              # Object-level actions on the source need the "/*" object ARN;
              # granting them on the bare bucket ARN results in AccessDenied.
              - Effect: Allow
                Action:
                  - s3:GetObjectVersionForReplication
                  - s3:GetObjectVersionAcl
                  - s3:GetObjectVersionTagging
                Resource:
                  - !Join ["", ["arn:aws:s3:::", !Join ["-", [!Ref BucketName, "us-east-1"]], "/*"]]
              # Object-level actions on the destination.
              - Effect: Allow
                Action:
                  - s3:ReplicateObject
                  - s3:ReplicateDelete
                  - s3:ReplicateTags
                Resource:
                  - !Join ["", ["arn:aws:s3:::", !Join ["-", [!Ref BucketName, "us-west-2"]], "/*"]]
        # Source us-west-2 -> destination us-east-1.
        - PolicyName: bucket-replication-permissions-us-west-2
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetReplicationConfiguration
                Resource:
                  - !Join ["", ["arn:aws:s3:::", !Join ["-", [!Ref BucketName, "us-west-2"]]]]
              - Effect: Allow
                Action:
                  - s3:GetObjectVersionForReplication
                  - s3:GetObjectVersionAcl
                  - s3:GetObjectVersionTagging
                Resource:
                  - !Join ["", ["arn:aws:s3:::", !Join ["-", [!Ref BucketName, "us-west-2"]], "/*"]]
              - Effect: Allow
                Action:
                  - s3:ReplicateObject
                  - s3:ReplicateDelete
                  - s3:ReplicateTags
                Resource:
                  - !Join ["", ["arn:aws:s3:::", !Join ["-", [!Ref BucketName, "us-east-1"]], "/*"]]

Example S3 Bucket CFT:

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  BucketName:
    Description: The bucket name
    Type: String
    Default: my-bucket
  Account:
    Description: The AWS Account
    Type: String
    Default: "000000000000"
  BucketRole:
    Description: The ARN of the IAM Role used for replication.
    Type: String

Mappings:
  RegionMap:
    us-east-1:
      Destination: us-west-2
    us-west-2:
      Destination: us-east-1

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Join ["-", [!Ref BucketName, !Ref "AWS::Region"]]
      # Replication requires versioning on both the source and the destination bucket.
      VersioningConfiguration:
        Status: Enabled
      ReplicationConfiguration:
        Role: !Ref BucketRole
        Rules:
          - Id: REPLICATION
            # A rule with a Filter is a V2 rule: Priority (an integer, no trailing
            # comma) and DeleteMarkerReplication are then required.
            Priority: 1
            Filter:
              Prefix: ""
            Status: Enabled
            Destination:
              # Destination.Bucket takes the bucket ARN, not the bare bucket name.
              Bucket: !Join ["", ["arn:aws:s3:::", !Join ["-", [!Ref BucketName, !FindInMap [RegionMap, !Ref "AWS::Region", Destination]]]]]
              Account: !Ref Account
              AccessControlTranslation:
                Owner: Destination
              # S3 Replication Time Control must be specified together with a Metrics block.
              ReplicationTime:
                Status: Enabled
                Time:
                  Minutes: 15
              Metrics:
                Status: Enabled
                EventThreshold:
                  Minutes: 15
            DeleteMarkerReplication:
              Status: Disabled
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Id: AccessPolicy
        Version: '2012-10-17'
        Statement:
          # Public read of every object. Not needed for replication, and on real AWS
          # the bucket's public access block must permit it.
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource: !Join ["", ["arn:aws:s3:::", !Join ["-", [!Ref BucketName, !Ref "AWS::Region"]], "/*"]]
          # Destination-side grant for the replication role (required in the
          # cross-account case). Scoped to the role ARN; with Principal '*' this
          # statement would make the bucket world-writable.
          - Sid: S3ReplicationPolicyStmt1
            Effect: Allow
            Principal:
              AWS: !Ref BucketRole
            Action:
              - s3:GetBucketVersioning
              - s3:PutBucketVersioning
              - s3:ReplicateObject
              - s3:ReplicateDelete
              - s3:PutObject
              - s3:ObjectOwnerOverrideToBucketOwner
              - s3:GetObjectVersionTagging
              - s3:List*
            Resource:
              - !Join ["", ["arn:aws:s3:::", !Join ["-", [!Ref BucketName, !Ref "AWS::Region"]]]]
              - !Join ["", ["arn:aws:s3:::", !Join ["-", [!Ref BucketName, !Ref "AWS::Region"]], "/*"]]

Anything else?

https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationconfiguration.html

@gitisz gitisz added status: triage needed Requires evaluation by maintainers type: feature New feature, or improvement to an existing feature labels May 3, 2024
@viren-nadkarni viren-nadkarni added the aws:s3 Amazon Simple Storage Service label May 3, 2024
@MarcelStranak MarcelStranak added aws:cloudformation AWS CloudFormation area: integration/cdk Issues related to AWS Cloud Development Kit status: backlog Triaged but not yet being worked on and removed status: triage needed Requires evaluation by maintainers labels May 10, 2024
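The following is an added example, not LocalStack's code and not part of the issue author's templates. It models the two-bucket setup the issue describes in plain Python so the pieces can be checked before a stack is deployed: it builds the V2 replication rule in the shape `put_bucket_replication` takes, builds the minimal policy the replication role needs, and reports which (action, resource) pairs a given policy still lacks, checking object-level actions against a concrete object ARN so that a policy granting them only on the bare bucket ARN is flagged. A last helper uploads one object and polls the destination for the replica; it takes a boto3-style client as a parameter so it can run against LocalStack or a fake. Bucket names (`my-bucket-us-east-1`, `my-bucket-us-west-2`), the account ID and the object key are constructed inputs; the action/resource requirements follow the AWS S3 replication user guide linked above.

```python
"""Least-privilege and end-to-end checks for S3 bucket replication.

Added example, not LocalStack's or the issue author's code. Bucket names,
account ID and object keys used in the usage section are constructed.
"""
import fnmatch
import time

# Bucket-level actions S3 needs on the source bucket.
SOURCE_BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetReplicationConfiguration"}
# Object-level actions on the source bucket (resource must be the "/*" object ARN).
SOURCE_OBJECT_ACTIONS = {
    "s3:GetObjectVersionForReplication",
    "s3:GetObjectVersionAcl",
    "s3:GetObjectVersionTagging",
}
# Object-level actions on the destination bucket.
DEST_OBJECT_ACTIONS = {"s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"}


def bucket_arn(name):
    return f"arn:aws:s3:::{name}"


def replication_role_policy(source, dest):
    """Minimal inline policy for the replication role, split by resource level."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(SOURCE_BUCKET_ACTIONS),
             "Resource": bucket_arn(source)},
            {"Effect": "Allow", "Action": sorted(SOURCE_OBJECT_ACTIONS),
             "Resource": bucket_arn(source) + "/*"},
            {"Effect": "Allow", "Action": sorted(DEST_OBJECT_ACTIONS),
             "Resource": bucket_arn(dest) + "/*"},
        ],
    }


def replication_rule(dest, account, priority=1):
    """One V2 rule as passed to put_bucket_replication: a Filter makes Priority
    and DeleteMarkerReplication mandatory, and RTC must be paired with Metrics."""
    return {
        "ID": "REPLICATION",
        "Priority": priority,
        "Filter": {"Prefix": ""},
        "Status": "Enabled",
        "Destination": {
            "Bucket": bucket_arn(dest),  # an ARN, not a bare bucket name
            "Account": account,
            "AccessControlTranslation": {"Owner": "Destination"},
            "ReplicationTime": {"Status": "Enabled", "Time": {"Minutes": 15}},
            "Metrics": {"Status": "Enabled", "EventThreshold": {"Minutes": 15}},
        },
        "DeleteMarkerReplication": {"Status": "Disabled"},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(policy, action, resource):
    """True if some Allow statement matches both action and resource.
    IAM-style '*' and '?' wildcards are honoured; Deny statements are not evaluated."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def missing_replication_permissions(policy, source, dest, key="any-key"):
    """(action, resource) pairs the replication role still lacks for source -> dest.
    Object actions are checked against a concrete object ARN, so a policy that
    names only the bucket ARN for them is reported as missing."""
    needed = (
        [(a, bucket_arn(source)) for a in SOURCE_BUCKET_ACTIONS]
        + [(a, f"{bucket_arn(source)}/{key}") for a in SOURCE_OBJECT_ACTIONS]
        + [(a, f"{bucket_arn(dest)}/{key}") for a in DEST_OBJECT_ACTIONS]
    )
    return sorted(pair for pair in needed if not _allows(policy, *pair))


def wait_for_replica(s3, source, dest, key, body, attempts=30, delay=1.0):
    """Upload one object to the source bucket and poll the destination until the
    replica is visible. `s3` is a boto3-style client exposing put_object and
    head_object; it is injected so the check runs against LocalStack or a fake."""
    s3.put_object(Bucket=source, Key=key, Body=body)
    for _ in range(attempts):
        try:
            s3.head_object(Bucket=dest, Key=key)
            return True
        except Exception:  # boto3 raises ClientError (404) until the replica lands
            time.sleep(delay)
    return False
```

Against LocalStack the last helper would be called with `boto3.client("s3", endpoint_url="http://localhost:4566")` after both stacks are deployed; `missing_replication_permissions` is the pre-deployment check, and an empty list is the expected result for the policy that `replication_role_policy` produces.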