
AWS SecurityLake roll-up regions in Terraform


In the example usage on https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securitylake_data_lake , the following region is set to "eu-west-1". The documentation is not clear on what this region argument is exactly. The documentation states:

configuration - (Required) Specify the Region or Regions that will contribute data to the rollup region.

and then later states:

region - (Required) The AWS Regions where Security Lake is automatically enabled.

My understanding after reading the docs https://docs.aws.amazon.com/security-lake/latest/userguide/manage-regions.html#add-rollup-region is that you define multiple regions to then roll up to a specific region, i.e. you could roll all US regions into us-east-1, and all EU Regions into eu-west-1. Is the Terraform provider able to actually do this? I'm not seeing how this would work given the available arguments, or is this what the replication_configuration is akin to? If so, how would you write the Terraform to roll all EU regions into eu-west-1 to adhere to GDPR requirements?


Solution

  • You would need to create an AWS provider for each of the regions that you want to manage, then use that provider for each of the resources.

    Let me give you an example.

    Let's say you want to roll up us-east-1, eu-west-1, eu-west-2 and eu-west-3 to eu-west-1.

    You would need to write the following code; you can copy-paste the same thing and change the region. Also note that what I'm configuring is the bare minimum; in a best-practice scenario you would want to configure lifecycle and encryption configuration.

    
    # eu-west-1
    provider "aws" {
      region = "eu-west-1"
    }
    
    resource "aws_securitylake_data_lake" "eu_west_1" {
      # aws_iam_role.meta_store_manager is assumed to be defined elsewhere in the
      # configuration (the Security Lake meta store manager role); it is not shown here.
      meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn
    
      configuration {
        region = "eu-west-1"
        # No need to do replication for the eu-west-1 region
      }
    }
    
    # eu-west-2
    provider "aws" {
      region = "eu-west-2"
      alias  = "eu_west_2"
    }
    
    resource "aws_securitylake_data_lake" "eu_west_2" {
      provider                    = aws.eu_west_2
      meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn
    
      configuration {
        region = "eu-west-2"
    
        replication_configuration {
          regions = ["eu-west-1"]
        }
      }
    }
    
    # eu-west-3
    provider "aws" {
      region = "eu-west-3"
      alias  = "eu_west_3"
    }
    
    resource "aws_securitylake_data_lake" "eu_west_3" {
      provider                    = aws.eu_west_3
      meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn
    
      configuration {
        region = "eu-west-3"
    
        replication_configuration {
          regions = ["eu-west-1"]
        }
      }
    }
    
    # us-east-1
    provider "aws" {
      region = "us-east-1"
      alias  = "us_east_1"
    }
    
    resource "aws_securitylake_data_lake" "us_east_1" {
      provider                    = aws.us_east_1
      meta_store_manager_role_arn = aws_iam_role.meta_store_manager.arn
    
      configuration {
        region = "us-east-1"
    
        replication_configuration {
          regions = ["eu-west-1"]
        }
      }
    }
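After applying a configuration like the one above, it is worth verifying that the deployed data lakes actually match the residency intent from the question (every EU region replicates only to eu-west-1, the rollup region itself replicates nowhere, and no EU region is left without a data lake). The following Python check is an added example, not part of the question or the answer. It parses a response shaped like the `securitylake:ListDataLakes` API result; the two samples are constructed inline (the account id is a placeholder), and the key names `region` and `replicationConfiguration.regions` are assumed from the AWS API, so in real use you would feed it the output of `aws securitylake list-data-lakes` for each region instead.

```python
import json

# Regions the question treats as EU; assumption based on the regions used in the answer.
EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3"}
ROLLUP_REGION = "eu-west-1"

# Placeholder role ARN for the constructed samples (not a real account).
ROLE_ARN = "arn:aws:iam::111111111111:role/PLACEHOLDER-replication-role"

# Constructed sample shaped like ListDataLakes output for the answer's deployment:
# eu-west-1 is the rollup target, the other three regions replicate into it.
SAMPLE_COMPLIANT = json.dumps({
    "dataLakes": [
        {"region": "eu-west-1", "replicationConfiguration": {"regions": [], "roleArn": ROLE_ARN}},
        {"region": "eu-west-2", "replicationConfiguration": {"regions": ["eu-west-1"], "roleArn": ROLE_ARN}},
        {"region": "eu-west-3", "replicationConfiguration": {"regions": ["eu-west-1"], "roleArn": ROLE_ARN}},
        {"region": "us-east-1", "replicationConfiguration": {"regions": ["eu-west-1"], "roleArn": ROLE_ARN}},
    ]
})

# Constructed sample with a drift: eu-west-2 was re-pointed at a US region.
SAMPLE_NONCOMPLIANT = json.dumps({
    "dataLakes": [
        {"region": "eu-west-1", "replicationConfiguration": {"regions": [], "roleArn": ROLE_ARN}},
        {"region": "eu-west-2", "replicationConfiguration": {"regions": ["us-east-1"], "roleArn": ROLE_ARN}},
        {"region": "eu-west-3", "replicationConfiguration": {"regions": ["eu-west-1"], "roleArn": ROLE_ARN}},
    ]
})


def check_rollup(list_data_lakes_json, eu_regions=EU_REGIONS, rollup_region=ROLLUP_REGION):
    """Return a list of findings (strings); an empty list means the rollup matches the intent.

    Rules checked:
      * the rollup region must not replicate onward to any other region,
      * every EU contributing region must replicate to exactly the rollup region,
      * every EU region must have a data lake enabled at all.
    Non-EU regions contributing into the EU rollup region (as us-east-1 does in the
    answer) are permitted and produce no finding.
    """
    data = json.loads(list_data_lakes_json)
    findings = []
    seen = set()

    for lake in data.get("dataLakes", []):
        region = lake["region"]
        seen.add(region)
        replication = lake.get("replicationConfiguration") or {}
        targets = set(replication.get("regions") or [])

        if region == rollup_region:
            if targets:
                findings.append(
                    f"{region}: rollup region must not replicate onward, found {sorted(targets)}")
            continue

        if region in eu_regions and targets != {rollup_region}:
            findings.append(
                f"{region}: EU region must replicate only to {rollup_region}, found {sorted(targets)}")

    for region in sorted(eu_regions - seen):
        findings.append(f"{region}: no Security Lake data lake enabled")

    return findings


if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT), ("noncompliant", SAMPLE_NONCOMPLIANT)):
        result = check_rollup(sample)
        print(f"{label}: {'OK' if not result else result}")
```

Running the script prints `OK` for the first sample and a single finding for `eu-west-2` in the second; wiring the same function into a post-apply pipeline step turns the GDPR requirement from a comment in the HCL into something that is checked on every deployment.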