terraform: s3: enable S3 Glacier backups

This will replicate any incoming data to S3 bucket into
a backup bucket with "Glacier Deep Archive" storage type [1].

This storage type costs $ 0.00099 / GB / month. It's dirt cheap
and it's made for cases where rare access is required, like
once or twice a year.

Only drawback of this storage type is the retriving time. It might
take up to 12 hours to retrive a file storage in Deep Archive mode.

Storing files in standard S3 storage already has a redundancy, so having
a backup is a fall back of a fall back if data ever gets lost at some
point.

[1] https://aws.amazon.com/blogs/aws/new-amazon-s3-storage-class-glacier-deep-archive/

Author: chaws

terraform/roles.tf

@@ -31,3 +31,67 @@ data "template_file" "qareports_role_policy_s3" {
         environment = "${var.environment}"
     }
 }
+
+#
+#   Role needed so S3 can replicate objects in backup bucket
+#
+resource "aws_iam_role" "qareports_s3_replication_role" {
+    name = "QAREPORTS_${title(var.environment)}S3ReplicationRole"
+
+    assume_role_policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [{
+        "Action": "sts:AssumeRole",
+        "Principal": {
+            "Service": "s3.amazonaws.com"
+        },
+        "Effect": "Allow",
+        "Sid": ""
+    }]
+}
+    POLICY
+}
+
+resource "aws_iam_policy" "qareports_s3_replication_role_policy" {
+    name = "QAREPORTS_${title(var.environment)}S3ReplicationRolePolicy"
+
+    policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [{
+        "Action": [
+            "s3:GetReplicationConfiguration",
+            "s3:ListBucket"
+        ],
+        "Effect": "Allow",
+        "Resource": [
+            "${aws_s3_bucket.qareports_s3_bucket.arn}"
+        ]
+    },
+    {
+        "Action": [
+            "s3:GetObjectVersion",
+            "s3:GetObjectVersionAcl"
+        ],
+        "Effect": "Allow",
+        "Resource": [
+            "${aws_s3_bucket.qareports_s3_bucket.arn}/*"
+        ]
+    },
+    {
+        "Action": [
+            "s3:ReplicateObject",
+            "s3:ReplicateDelete"
+        ],
+        "Effect": "Allow",
+        "Resource": "${aws_s3_bucket.qareports_s3_bucket_backup.arn}/*"
+    }]
+}
+    POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "qareports_s3_replication_role_policy_attachment" {
+    role       = "${aws_iam_role.qareports_s3_replication_role.name}"
+    policy_arn = "${aws_iam_policy.qareports_s3_replication_role_policy.arn}"
+}

terraform/s3.tf

@@ -3,4 +3,33 @@ resource "aws_s3_bucket" "qareports_s3_bucket" {
     tags = {
         Name = "${var.environment}-qareports-storage"
     }
+
+    versioning {
+        enabled = true
+    }
+
+    replication_configuration {
+        role = "${aws_iam_role.qareports_s3_replication_role.arn}"
+
+        rules {
+            id     = "${var.environment}-qareports-s3-replication-rule"
+            status = "Enabled"
+
+            destination {
+                bucket = "${aws_s3_bucket.qareports_s3_bucket_backup.arn}"
+
+                # DEEP_ARCHIVE means using AWS S3 Glacier Deep Archive
+                # ref: https://aws.amazon.com/blogs/aws/new-amazon-s3-storage-class-glacier-deep-archive/
+                storage_class = "DEEP_ARCHIVE"
+            }
+        }
+    }
+}
+
+resource "aws_s3_bucket" "qareports_s3_bucket_backup" {
+    bucket = "${var.environment}-qareports-storage-backup"
+
+    versioning {
+        enabled = true
+    }
 }

terraform/templates/role_policy.json.tpl

@@ -14,7 +14,9 @@
             ],
             "Resource": [
                 "arn:aws:s3:::${environment}-qareports-storage",
-                "arn:aws:s3:::${environment}-qareports-storage/*"
+                "arn:aws:s3:::${environment}-qareports-storage/*",
+                "arn:aws:s3:::${environment}-qareports-storage-backup",
+                "arn:aws:s3:::${environment}-qareports-storage-backup/*"
             ]
         }
     ]