在 https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securitylake_data_lake 的示例用法中,`region` 被设置为 "eu-west-1"。但文档并未说明这个 region 参数到底是什么。文档指出:
configuration - (Required) Specify the Region or Regions that will contribute data to the rollup region.
然后接着说:
region - (Required) The AWS Regions where Security Lake is automatically enabled.
阅读文档(https://docs.aws.amazon.com/security-lake/latest/userguide/manage-regions.html#add-rollup-region)后,我的理解是:您定义多个区域,然后把它们汇总(roll up)到某个特定区域,例如把所有美国区域汇总到 us-east-1,把所有欧盟区域汇总到 eu-west-1。terraform 提供商实际上能做到这一点吗?从可用的参数来看,我不清楚这是如何实现的——还是说这正是 replication_configuration 的用途?如果是这样,为了满足 GDPR 要求,应该如何编写 terraform 把所有欧盟区域汇总到 eu-west-1?
您需要为要管理的每个区域各创建一个 AWS 提供商,然后让该区域的每个资源使用对应的提供商。
我举个例子吧
假设您想要将 us-east-1、eu-west-1、eu-west-2 和 eu-west-3 汇总到 eu-west-1
您需要编写以下代码;您可以复制粘贴同样的内容,只需更改区域。另请注意,这里只配置了最低限度的内容;在最佳实践场景中,您还需要配置生命周期和加密配置。
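# eu-west-1 — the rollup (destination) region.
#
# This resource uses the default, non-aliased aws provider declared right
# below it, so it is created in eu-west-1. aws_iam_role.meta_store_manager is
# referenced but declared elsewhere in the configuration.
provider "aws" {
  region = "eu-west-1"
}

resource "aws_securitylake_data_lake" "eu_west_1" {
  meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn

  configuration {
    region = "eu-west-1"

    # State the at-rest encryption choice explicitly instead of relying on the
    # provider default. "S3_MANAGED_KEY" selects SSE-S3; substitute a
    # customer-managed KMS key ID/ARN if your controls require one.
    encryption_configuration {
      kms_key_id = "S3_MANAGED_KEY"
    }

    # No replication_configuration here: eu-west-1 is the region the other
    # regions replicate into, not a contributor itself.
  }

  # NOTE(review): data lake creation can fail if the IAM policy that grants
  # Security Lake permissions is not yet attached to the meta-store-manager
  # role; if that policy is a separate resource in this configuration, add a
  # depends_on on it here.
}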
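# eu-west-2 — contributing region; objects collected here are replicated to
# the eu-west-1 rollup region.
provider "aws" {
  region = "eu-west-2"
  alias  = "eu_west_2"
}

resource "aws_securitylake_data_lake" "eu_west_2" {
  provider                    = aws.eu_west_2
  meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn

  configuration {
    region = "eu-west-2"

    # Explicit at-rest encryption; "S3_MANAGED_KEY" is SSE-S3. Replace with a
    # customer-managed KMS key ID/ARN if required.
    encryption_configuration {
      kms_key_id = "S3_MANAGED_KEY"
    }

    replication_configuration {
      # Destination (rollup) region(s) for data collected in eu-west-2.
      regions = ["eu-west-1"]
      # NOTE(review): this block also accepts role_arn for the Security
      # Lake-managed replication role — confirm against the provider docs
      # whether your account requires it when regions is set.
    }
  }

  # Security Lake must already be enabled in the rollup region before a
  # contributor can replicate into it. Without this edge Terraform may create
  # both resources in parallel and the replication setup may fail on first
  # apply.
  depends_on = [aws_securitylake_data_lake.eu_west_1]
}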
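# eu-west-3 — contributing region; objects collected here are replicated to
# the eu-west-1 rollup region.
provider "aws" {
  region = "eu-west-3"
  alias  = "eu_west_3"
}

resource "aws_securitylake_data_lake" "eu_west_3" {
  provider                    = aws.eu_west_3
  meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn

  configuration {
    region = "eu-west-3"

    # Explicit at-rest encryption; "S3_MANAGED_KEY" is SSE-S3. Replace with a
    # customer-managed KMS key ID/ARN if required.
    encryption_configuration {
      kms_key_id = "S3_MANAGED_KEY"
    }

    replication_configuration {
      # Destination (rollup) region(s) for data collected in eu-west-3.
      regions = ["eu-west-1"]
      # NOTE(review): this block also accepts role_arn for the Security
      # Lake-managed replication role — confirm against the provider docs
      # whether your account requires it when regions is set.
    }
  }

  # Security Lake must already be enabled in the rollup region before a
  # contributor can replicate into it, so order creation explicitly rather
  # than relying on Terraform's parallel apply.
  depends_on = [aws_securitylake_data_lake.eu_west_1]
}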
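# us-east-1 — contributing region; objects collected here are replicated to
# the eu-west-1 rollup region.
#
# This copies US log data into an EU region. If the requirement is only to
# keep EU data inside the EU, drop this block or roll US regions up into a
# US rollup region instead.
provider "aws" {
  region = "us-east-1"
  alias  = "us_east_1"
}

resource "aws_securitylake_data_lake" "us_east_1" {
  provider                    = aws.us_east_1
  meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn

  configuration {
    region = "us-east-1"

    # Explicit at-rest encryption; "S3_MANAGED_KEY" is SSE-S3. Replace with a
    # customer-managed KMS key ID/ARN if required.
    encryption_configuration {
      kms_key_id = "S3_MANAGED_KEY"
    }

    replication_configuration {
      # Destination (rollup) region(s) for data collected in us-east-1.
      regions = ["eu-west-1"]
      # NOTE(review): this block also accepts role_arn for the Security
      # Lake-managed replication role — confirm against the provider docs
      # whether your account requires it when regions is set.
    }
  }

  # Security Lake must already be enabled in the rollup region before a
  # contributor can replicate into it, so order creation explicitly rather
  # than relying on Terraform's parallel apply.
  depends_on = [aws_securitylake_data_lake.eu_west_1]
}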