feat(s3): replicating objects #30966
Conversation
github-actions
bot
added
effort/small
github-actions
bot
added
the
distinguished-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-maintainer-review
shikha372
added
SECURITY
needs-security-review
|
Hi @badmintoncryer , Thank you for submitting this PR, as this feature is adding some additional pemissions for s3, we'll need to have an internal security review while we go through this PR. Will keep you posted !! |
|
Hi @badmintoncryer, to update had the first security review for this PR, currently concern is around populating correct permissions for opt-in regions, will let you know if any changes are required to address it. |
| replicationRules: [ | ||
| { | ||
| // The destination bucket for the replication rule. | ||
| destination: s3.ReplicationDestination.sameAccount(destinationBucket1), |
There was a problem hiding this comment.
Why a ReplicationDestination? Shouldn't the destination just be an IBucket ?
All resources will have a resourceEnv property you can use to get account and region from.
There was a problem hiding this comment.
I have changed it to the IBucket type. Thank you for suggesting the use of ResourceEnv.
| { | ||
| destination: s3.ReplicationDestination.sameAccount(destinationBucket2), | ||
| priority: 2, | ||
| // Whether to specify S3 Replication Time Control (S3 RTC). |
There was a problem hiding this comment.
Please spare a sentence to explain what enabling RTC means.
According to the docs it has something to do with metrics, but metrics is a separate field here, so now I don't understand what this does.
There was a problem hiding this comment.
I've updated like this.
// Whether to specify S3 Replication Time Control (S3 RTC).
// S3 RTC replicates most objects that you upload to Amazon S3 in seconds,
// and 99.99 percent of those objects within specified time.
replicationTimeControl: s3.ReplicationTimeValue.FIFTEEN_MINUTES,
// Whether to enable replication metrics about S3 RTC.
// If set, metrics will be output to indicate whether replication by S3 RTC took longer than the configured time.
metrics: s3.ReplicationTimeValue.FIFTEEN_MINUTES,| * A container specifying replication metrics-related settings enabling replication metrics and events. | ||
| * | ||
| * @default - Replication metrics are not enabled | ||
| */ | ||
| readonly metrics?: ReplicationTimeValue; |
There was a problem hiding this comment.
The 15 minute value is used to log events that say something like "SLA missed", right? Might want to explain that here.
There was a problem hiding this comment.
I've added below description.
When a value is set, metrics will be output to indicate whether the replication took longer than the specified time.
I'm not very confident in writing English, so please feel free to improve my sentences, not just in this context.
| * Specifies whether Amazon S3 replicates delete markers. | ||
| * | ||
| * @default false |
There was a problem hiding this comment.
What's the implication of this being false ? That replicated objects in versioned buckets don't get deleted?
There was a problem hiding this comment.
False means do not replicate delete marker to the destination bucket.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html
I've updated JSDoc.
/**
* Specifies whether Amazon S3 replicates delete markers.
*
* @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html
*
* @default - delete markers in source bucket is not replicated to destination bucket
*/
readonly deleteMarkerReplication?: boolean;| * @param accessControlTransition whether to want to change replica ownership to the AWS account that owns the destination bucket. The replicas are owned by same AWS account that owns the source object by default. | ||
| */ | ||
| public static crossAccount(bucket: IBucket, account: string, accessControlTransition?: boolean): ReplicationDestination { | ||
| return new ReplicationDestination(bucket, account, accessControlTransition); |
There was a problem hiding this comment.
I think I'd also prefer the bucket policy be added automatically. It is the CDK thing to do.
We can add the annotation if addToBucketPolicy(): boolean returns false, indicating that we have a referenced bucket.
aws-cdk-automation
removed
the
pr/needs-maintainer-review
Co-authored-by: Rico Hermans <[email protected]>
mergify
bot
dismissed
rix0rrr’s stale review
Pull request has been modified.
|
@rix0rrr Thank you for your review! I've addressed all of your comments. |
aws-cdk-automation
added
the
pr/needs-maintainer-review
|
Hello @badmintoncryer , |
|
@shikha372 Thank you for your information.
What is the meaning of bidirectional replication? Are you suggesting that we prepare Bucket A and Bucket B, and designate each other as their respective replication destinations?
I don't have two AWS account... Would it be better to create a new account and run the tests? |
|
|
I considered bidirectional replication. First, I added an public addReplicationRules(rules: ReplicationRule[]): void {
this.replicationRules.push(...rules);
}However, it seems that the circular reference between the source and destination buckets cannot be resolved. Do you have any suggestions on the implementation? |
Thanks @badmintoncryer , working on adding cross-account integ test will give it a try at my end for bi-directional. |
|
Thank you very much @shikha372 |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #30966 +/- ##
=======================================
Coverage 77.46% 77.46%
=======================================
Files 105 105
Lines 7168 7168
Branches 1314 1314
=======================================
Hits 5553 5553
Misses 1433 1433
Partials 182 182
Flags with carried forward coverage won't be shown. Click here to find out more.
|
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Issue # (if applicable)
Closes #1680.
Reason for this change
AWS S3 supports configuring object replication , but the
s3.Bucketconstruct does not support it.Description of changes
Added
replicationRulestoBucketProps.Replication configuration version
There are two versions of replication configuration. This PR uses only the V2 replication configuration to enable the specification of the Filter element and S3 Replication Time Control (S3 RTC).
To use V2 replication configuration, this PR explicitly specifies Filter.Prefix property.
V2 replication configuration has some restriction:
These restriction is not documented but there are some posts about these points.
To resolve these problems,I made the
priorityrequired and explicitly set thedeleteMarkerReplication.IAM permission
There is a documentation to setup IAM permissions for service role.
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:GetReplicationConfiguration", "s3:ListBucket" ], "Resource":[ "arn:aws:s3:::SRC-BUCKET" ] }, { "Effect":"Allow", "Action":[ "s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging" ], "Resource":[ "arn:aws:s3:::SRC-BUCKET/*" ] }, { "Effect":"Allow", "Action":[ "s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags" ], "Resource":"arn:aws:s3:::DST-BUCKET/*" } ] }However, there are discrepancies between the automatically generated IAM policies in the management console and the IAM policies in the documentation.
Generated Policy:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetReplicationConfiguration", "s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging", "s3:GetObjectRetention", "s3:GetObjectLegalHold" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::SRC-BUCKET", "arn:aws:s3:::SRC-BUCKET/*" ] }, { "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags", "s3:GetObjectVersionTagging", "s3:ObjectOwnerOverrideToBucketOwner" ], "Effect": "Allow", "Condition": { "StringLikeIfExists": { "s3:x-amz-server-side-encryption": [ "aws:kms", "aws:kms:dsse", "AES256" ] } }, "Resource": [ "arn:aws:s3:::DST-BUCKET/*" ] }, { "Action": [ "kms:Decrypt" ], "Effect": "Allow", "Condition": { "StringLike": { "kms:ViaService": "s3.ap-northeast-1.amazonaws.com", "kms:EncryptionContext:aws:s3:arn": [ "arn:aws:s3:::SRC-BUCKET/*" ] } }, "Resource": [ "arn:aws:kms:ap-northeast-1:123456789012:key/hogehuga" ] }, { "Action": [ "kms:Encrypt" ], "Effect": "Allow", "Condition": { "StringLike": { "kms:ViaService": [ "s3.ap-northeast-1.amazonaws.com" ], "kms:EncryptionContext:aws:s3:arn": [ "arn:aws:s3:::DST-BUCKET*" ] } }, "Resource": [ "arn:aws:kms:ap-northeast-1:123456789012:key/hogefuga" ] } ] }I adopted the policy from the document. I look forward to hearing your thoughts on this matter.
Description of how you validated changes
Added both unit and integ tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license