From 64be7c16713aa231f23e3bc440a888dea3d44a3a Mon Sep 17 00:00:00 2001 From: "Gabriel De Obieta (deobieta)" Date: Sun, 21 Aug 2022 22:24:10 -0500 Subject: [PATCH] infra/aws: Add reg.k8s.io S3 buckets replication rules Signed-off-by: Gabriel De Obieta --- infra/aws/terraform/registry.k8s.io/main.tf | 70 ++++++++++++++++--- .../terraform/registry.k8s.io/providers.tf | 4 +- .../terraform/registry.k8s.io/s3/bucket.tf | 47 ++++++++++++- .../aws/terraform/registry.k8s.io/s3/data.tf | 17 +++++ .../terraform/registry.k8s.io/s3/variables.tf | 16 +++-- .../terraform/registry.k8s.io/s3/versions.tf | 27 +++++++ 6 files changed, 166 insertions(+), 15 deletions(-) create mode 100644 infra/aws/terraform/registry.k8s.io/s3/data.tf create mode 100644 infra/aws/terraform/registry.k8s.io/s3/versions.tf diff --git a/infra/aws/terraform/registry.k8s.io/main.tf b/infra/aws/terraform/registry.k8s.io/main.tf index 93bf605bf2be..976bc41628df 100644 --- a/infra/aws/terraform/registry.k8s.io/main.tf +++ b/infra/aws/terraform/registry.k8s.io/main.tf @@ -36,7 +36,6 @@ module "us-west-1" { aws = aws.us-west-1 } - region = "us-west-1" prefix = var.prefix } @@ -47,7 +46,6 @@ module "us-west-2" { aws = aws.us-west-2 } - region = "us-west-2" prefix = var.prefix } @@ -58,7 +56,6 @@ module "us-east-1" { aws = aws.us-east-1 } - region = "us-east-1" prefix = var.prefix } 
@@ -69,8 +66,68 @@ module "us-east-2" { aws = aws.us-east-2 } - region = "us-east-2" prefix = var.prefix + + s3_replication_iam_role_arn = "arn:aws:iam::513428760722:role/registry.k8s.io_s3admin" + + s3_replication_rules = [ + { + id = "registry-k8s-io-us-east-2-to-registry-k8s-io-us-west-1" + status = "Enabled" + priority = 1 + destination_bucket_arn = "arn:aws:s3:::${var.prefix}registry-k8s-io-us-west-1" + destination_bucket_storage_class = "STANDARD" + }, + { + id = "registry-k8s-io-us-east-2-to-registry-k8s-io-us-west-2" + status = "Enabled" + priority = 2 + destination_bucket_arn = "arn:aws:s3:::${var.prefix}registry-k8s-io-us-west-2" + destination_bucket_storage_class = "STANDARD" + }, + { + id = "registry-k8s-io-us-east-2-to-registry-k8s-io-us-east-1" + status = "Enabled" + priority = 3 + destination_bucket_arn = "arn:aws:s3:::${var.prefix}registry-k8s-io-us-east-1" + destination_bucket_storage_class = "STANDARD" + }, + { + id = "registry-k8s-io-us-east-2-to-registry-k8s-io-eu-west-1" + status = "Enabled" + priority = 4 + destination_bucket_arn = "arn:aws:s3:::${var.prefix}registry-k8s-io-eu-west-1" + destination_bucket_storage_class = "STANDARD" + }, + { + id = "registry-k8s-io-us-east-2-to-registry-k8s-io-eu-central-1" + status = "Enabled" + priority = 5 + destination_bucket_arn = "arn:aws:s3:::${var.prefix}registry-k8s-io-eu-central-1" + destination_bucket_storage_class = "STANDARD" + }, + { + id = "registry-k8s-io-us-east-2-to-registry-k8s-io-ap-southeast-1" + status = "Enabled" + priority = 6 + destination_bucket_arn = "arn:aws:s3:::${var.prefix}registry-k8s-io-ap-southeast-1" + destination_bucket_storage_class = "STANDARD" + }, + { + id = "registry-k8s-io-us-east-2-to-registry-k8s-io-ap-northeast-1" + status = "Enabled" + priority = 7 + destination_bucket_arn = "arn:aws:s3:::${var.prefix}registry-k8s-io-ap-northeast-1" + destination_bucket_storage_class = "STANDARD" + }, + { + id = "registry-k8s-io-us-east-2-to-registry-k8s-io-ap-south-1" + status = 
"Enabled" + priority = 8 + destination_bucket_arn = "arn:aws:s3:::${var.prefix}registry-k8s-io-ap-south-1" + destination_bucket_storage_class = "STANDARD" + }, + ] } module "eu-west-1" { @@ -80,7 +137,6 @@ module "eu-west-1" { aws = aws.eu-west-1 } - region = "eu-west-1" prefix = var.prefix } @@ -91,7 +147,6 @@ module "eu-central-1" { aws = aws.eu-central-1 } - region = "eu-central-1" prefix = var.prefix } @@ -102,7 +157,6 @@ module "ap-southeast-1" { aws = aws.ap-southeast-1 } - region = "ap-southeast-1" prefix = var.prefix } @@ -113,7 +167,6 @@ module "ap-northeast-1" { aws = aws.ap-northeast-1 } - region = "ap-northeast-1" prefix = var.prefix } @@ -124,6 +177,5 @@ module "ap-south-1" { aws = aws.ap-south-1 } - region = "ap-south-1" prefix = var.prefix } diff --git a/infra/aws/terraform/registry.k8s.io/providers.tf b/infra/aws/terraform/registry.k8s.io/providers.tf index 0e927cca3710..6a8712e686b4 100644 --- a/infra/aws/terraform/registry.k8s.io/providers.tf +++ b/infra/aws/terraform/registry.k8s.io/providers.tf @@ -21,10 +21,12 @@ terraform { region = "us-east-2" } + required_version = ">= 1.0.0" + required_providers { aws = { source = "hashicorp/aws" - version = "~> 3.0" + version = "~> 4.0" } } } diff --git a/infra/aws/terraform/registry.k8s.io/s3/bucket.tf b/infra/aws/terraform/registry.k8s.io/s3/bucket.tf index 499f0d4ee143..e1077413b6e2 100644 --- a/infra/aws/terraform/registry.k8s.io/s3/bucket.tf +++ b/infra/aws/terraform/registry.k8s.io/s3/bucket.tf @@ -15,7 +15,7 @@ limitations under the License. */ resource "aws_s3_bucket" "registry-k8s-io" { - bucket = "${var.prefix}registry-k8s-io-${var.region}" + bucket = "${var.prefix}registry-k8s-io-${data.aws_region.current.name}" } resource "aws_s3_bucket_acl" "registry-k8s-io" { 
@@ -70,3 +70,48 @@ resource "aws_s3_bucket_ownership_controls" "registry-k8s-io" { aws_s3_bucket_policy.registry-k8s-io-public-read ] } + +# Versioning must be enabled for S3 replication +resource "aws_s3_bucket_versioning" "registry-k8s-io" { + bucket = aws_s3_bucket.registry-k8s-io.id + versioning_configuration { + status = "Enabled" + } +} + +resource "aws_s3_bucket_replication_configuration" "registry-k8s-io" { + count = var.s3_replication_iam_role_arn != "" && length(var.s3_replication_rules) > 0 ? 1 : 0 + + # Must have bucket versioning enabled first + depends_on = [aws_s3_bucket_versioning.registry-k8s-io] + + role = var.s3_replication_iam_role_arn + + bucket = aws_s3_bucket.registry-k8s-io.id + + dynamic "rule" { + for_each = var.s3_replication_rules + + content { + id = rule.value.id + + status = rule.value.status + + # Set priority, filter and delete_marker_replication to use V2 schema for multiple + # destination bucket rules + priority = rule.value.priority + + filter {} + + delete_marker_replication { + status = "Enabled" + } + + destination { + bucket = rule.value.destination_bucket_arn + storage_class = rule.value.destination_bucket_storage_class + } + } + } +} + diff --git a/infra/aws/terraform/registry.k8s.io/s3/data.tf b/infra/aws/terraform/registry.k8s.io/s3/data.tf new file mode 100644 index 000000000000..6b9e3a3dff62 --- /dev/null +++ b/infra/aws/terraform/registry.k8s.io/s3/data.tf 
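Review bot: `delete_marker_replication { status = "Enabled" }` combined with the empty `filter {}` propagates every deletion in the source bucket to all destination regions with no prefix or tag scope, so an accidental or unauthorized delete against the us-east-2 bucket is mirrored fleet-wide; versioning keeps the prior object versions recoverable, but nothing in this hunk bounds how long noncurrent versions are retained, so an `aws_s3_bucket_lifecycle_configuration` with a `noncurrent_version_expiration` rule belongs next to the versioning resource, and the comment above `delete_marker_replication` should state that replicating deletes is intentional. The `depends_on` only orders this bucket's own versioning; the destination buckets are created by sibling module instances, and S3 rejects a replication configuration whose destination is not yet versioned, so a fresh environment may fail on the first apply unless the caller orders the modules or derives the destination ARNs from module outputs. The inline comment on `priority` explains the V2-schema requirement well; a matching one-liner on `count`, `# Only the source bucket receives a replication configuration`, would make the conditional obvious to the next reader.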
@@ -0,0 +1,17 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +data "aws_region" "current" {} diff --git a/infra/aws/terraform/registry.k8s.io/s3/variables.tf b/infra/aws/terraform/registry.k8s.io/s3/variables.tf index 3ca12e43fb46..88a9ad3cdadc 100644 --- a/infra/aws/terraform/registry.k8s.io/s3/variables.tf +++ b/infra/aws/terraform/registry.k8s.io/s3/variables.tf @@ -14,11 +14,19 @@ See the License for the specific language governing permissions and limitations under the License. */ -variable "region" { - type = string -} - variable "prefix" { type = string default = "" } + +variable "s3_replication_iam_role_arn" { + description = "IAM role assumed by S3 service for replication" + type = string + default = "" +} + +variable "s3_replication_rules" { + description = "List of maps for S3 replication rules" + type = list(map(string)) + default = [] +} diff --git a/infra/aws/terraform/registry.k8s.io/s3/versions.tf b/infra/aws/terraform/registry.k8s.io/s3/versions.tf new file mode 100644 index 000000000000..a4a0c85c17dd --- /dev/null +++ b/infra/aws/terraform/registry.k8s.io/s3/versions.tf 
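Review bot: `s3_replication_rules` is declared as `list(map(string))`, but main.tf passes `priority` as a number and the resource consumes it as one, so the value only works through implicit string conversion, and a misspelled key in a rule object surfaces at apply time as an unknown attribute rather than at plan time. A `list(object({...}))` type with a validation on `status` makes the contract explicit and rejects malformed rules during `terraform plan`; the description should also say that rules apply to the bucket this module creates as the replication source. The caller in main.tf already supplies exactly these five keys, so the stricter type is compatible with current usage.
```hcl
variable "s3_replication_rules" {
  description = "Replication rules applied to the bucket created by this module (the source); each entry names one destination bucket"
  type = list(object({
    id                               = string
    status                           = string
    priority                         = number
    destination_bucket_arn           = string
    destination_bucket_storage_class = string
  }))
  default = []

  validation {
    condition     = alltrue([for r in var.s3_replication_rules : contains(["Enabled", "Disabled"], r.status)])
    error_message = "Each replication rule status must be \"Enabled\" or \"Disabled\"."
  }
}
```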
@@ -0,0 +1,27 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +terraform { + + required_version = ">= 1.0.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + } +}