Attaching MULTIPLE replication configurations to one S3 bucket?

Hi

I’d like to replicate objects from one S3 bucket to multiple destination buckets. Using the web interface console, it’s possible to attach multiple Replication rules. With Terraform, only one configuration seems to get attached to a bucket.

In Terraform, I’ve got the following.

$ terraform version
Terraform v1.2.5
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.24.0
+ provider registry.terraform.io/hashicorp/random v3.3.2

resource "aws_s3_bucket_replication_configuration" "replication_source_to_destination" {
  provider = aws.source

  # Must have bucket versioning enabled first
  depends_on = [aws_s3_bucket_versioning.source, aws_s3_bucket_versioning.destination]

  role   = aws_iam_role.replication_source_to_destination.arn
  bucket = aws_s3_bucket.source.bucket

  rule {
    id = "repl-s2d-${local.source_to_destination_uuidv5}"

    filter {}

    status = "Enabled"
    priority = 100

    delete_marker_replication {
      status = "Enabled"
    }

    destination {
      account = data.aws_caller_identity.destination_primary.account_id # account id of the destination account.
      bucket  = aws_s3_bucket.destination.arn
      access_control_translation { # We want to make the destination bucket the owner
        owner = "Destination"
      }

      encryption_configuration {
        replica_kms_key_id = aws_kms_key.destination.arn
      }

      metrics {
        event_threshold {
          minutes = 15
        }
        status = "Enabled"
      }

      replication_time {
        status = "Enabled"
        time {
          minutes = 15
        }
      }
    }

    source_selection_criteria {
      replica_modifications {
        status = "Enabled"
      }
      sse_kms_encrypted_objects {
        status = "Enabled"
      }
    }
  }
}

resource "aws_s3_bucket_replication_configuration" "replication_source_primary_to_secondary" {
  provider = aws.source

  # Must have bucket versioning enabled first
  depends_on = [aws_s3_bucket_versioning.source, aws_s3_bucket_versioning.source_secondary]

  role   = aws_iam_role.replication_source_to_destination.arn
  bucket = aws_s3_bucket.source.bucket

  rule {
    id = "repl-p2s-${local.source_primary_to_secondary_uuidv5}"

    filter {}

    status = "Enabled"
    priority = 1000

    delete_marker_replication {
      status = "Enabled"
    }

    destination {
      account = data.aws_caller_identity.source_primary.account_id # account id of the destination account.
      bucket  = aws_s3_bucket.source_secondary.arn
      access_control_translation { # We want to make the destination bucket the owner
        owner = "Destination"
      }

      encryption_configuration {
        replica_kms_key_id = aws_kms_replica_key.source_replica.arn
      }

      metrics {
        event_threshold {
          minutes = 15
        }
        status = "Enabled"
      }

      replication_time {
        status = "Enabled"
        time {
          minutes = 15
        }
      }
    }

    source_selection_criteria {
      replica_modifications {
        status = "Enabled"
      }
      sse_kms_encrypted_objects {
        status = "Enabled"
      }
    }
  }
}

When I run terraform apply -auto-approve multiple times, it’ll have perpetual configuration changes in module.prod-to-backup.aws_s3_bucket_replication_configuration.replication_source_to_destination and module.prod-to-backup.aws_s3_bucket_replication_configuration.replication_source_primary_to_secondary. The web console shows that there’s only one (1) configuration attached.

Why is that?

I have read the Resource: aws_s3_bucket_replication_configuration documentation and am aware of the note:

S3 Buckets only support a single replication configuration. Declaring multiple aws_s3_bucket_replication_configuration resources to the same S3 Bucket will cause a perpetual difference in configuration.

I have configured rule priority and it is unique for the two configurations (it’s set to 100 and 1000).

Thanks for your help :slight_smile:

I think you only want one resource with multiple rule {} blocks.


Ah, yeah, sure. THAT is how they meant it :slight_smile:

Makes sense.

And it also works that way.

Thanks a lot, @stuart-c , saved my day :smiley: