Merge pull request #4 from dasmeta/DMVP-5908
fix(DMVP-5908): fix rules
sophie-dasmeta-com authored Dec 6, 2024
2 parents 66f46c3 + 70154ef commit 7cb4e06
Showing 11 changed files with 161 additions and 87 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Expand Up @@ -18,7 +18,7 @@ repos:
args: ['--allow-missing-credentials']
- id: detect-private-key
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.64.1
rev: v1.96.2
hooks:
- id: terraform_fmt
- id: terraform_docs
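--- a/README.md
+++ b/README.md
+# terraform-aws-backup
+
+# This module is used to create and configure AWS Backup service together with related sns service and accesses
+
+# basic example
+```hcl
+module "backup" {
+source = "dasmeta/backup/aws"
+version = "x.y.z"
+plan_selection_tag = [
+{
+key = "Environment"
+value = "dev"
+}
+]
+rules = [
+{
+name = "rule1"
+schedule = "cron(0 12 * * ? *)"
+continuous_backup = true
+}
+]
+}
+```
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_sns_topic"></a> [sns\_topic](#module\_sns\_topic) | terraform-aws-modules/sns/aws | ~> 3.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_backup_plan.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource |
+| [aws_backup_selection.selection_tag](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
+| [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
+| [aws_backup_vault_notifications.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_notifications) | resource |
+| [aws_iam_role.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.s3_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.s3_restore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_alias.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_alias.backup_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_lambda_permission.with_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_sns_topic_subscription.email](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_sns_topic_subscription.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.assume_backup_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.backup_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.backup_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_alarm_email_addresses"></a> [alarm\_email\_addresses](#input\_alarm\_email\_addresses) | E-Mail addresses that should be subscribed to monitoring notifications | `list(string)` | `[]` | no |
+| <a name="input_alarm_lambda_arn"></a> [alarm\_lambda\_arn](#input\_alarm\_lambda\_arn) | ARN of a lambda function that should be subscribed to monitoring notifications | `string` | `""` | no |
+| <a name="input_backup_plan_name"></a> [backup\_plan\_name](#input\_backup\_plan\_name) | Initial part of the plan name to which will be appended the env | `string` | `""` | no |
+| <a name="input_backup_retention_days"></a> [backup\_retention\_days](#input\_backup\_retention\_days) | Number of days recovery points should be kept. | `number` | `7` | no |
+| <a name="input_enable_sns_notifications"></a> [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `true` | no |
+| <a name="input_env"></a> [env](#input\_env) | Envrionment for the plan | `string` | `"prod"` | no |
+| <a name="input_plan_selection_tag"></a> [plan\_selection\_tag](#input\_plan\_selection\_tag) | Resource selection for the plan | `list(map(string))` | <pre>[<br/> {<br/> "key": "Environment",<br/> "value": "Production"<br/> }<br/>]</pre> | no |
+| <a name="input_region"></a> [region](#input\_region) | The region where resources should be managed. | `string` | `"eu-central-1"` | no |
+| <a name="input_rules"></a> [rules](#input\_rules) | List of rules to attach to the plan | `list(any)` | <pre>[<br/> {<br/> "continuous_backup": true,<br/> "name": "daily",<br/> "schedule": "cron(0 12 * * ? *)",<br/> "vault": "Backup"<br/> }<br/>]</pre> | no |
+| <a name="input_vault_name"></a> [vault\_name](#input\_vault\_name) | Backup vault name | `string` | `"backup_vault"` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->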
2 changes: 1 addition & 1 deletion githooks/commit-msg
100644 → 100755
Expand Up @@ -17,4 +17,4 @@ elif [ -x "$INSTALL_PYTHON" ]; then
else
echo '`pre-commit` not found. Did you forget to activate your virtualenv?' 1>&2
exit 1a
fi
fi
2 changes: 1 addition & 1 deletion githooks/pre-commit
100644 → 100755
@@ -1,4 +1,4 @@
#!/bin/bash

set -e
pre-commit run --show-diff-on-failure --color=always --all-files
pre-commit run --show-diff-on-failure --color=always --all-files
2 changes: 1 addition & 1 deletion iam.tf
Expand Up @@ -39,7 +39,7 @@ data "aws_iam_policy_document" "assume_backup_role" {
}

resource "aws_iam_role" "backup" {
name = local.vault_name
name = var.vault_name
assume_role_policy = data.aws_iam_policy_document.assume_backup_role.json
}

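Review bot: `name = var.vault_name` on `aws_iam_role.backup` ties an account-global IAM role name to a regional vault name, so a second deployment of this module in the same account (another region, or another `env` with the same `vault_name`) will collide on the role even though the vault itself is fine; the sibling deletion of locals.tf suggests `var.vault_name` is the new side, but the rendered page does not mark it. Deriving the role name from both inputs avoids that, e.g. `name = "${var.vault_name}-${var.env}-backup"`, or use `name_prefix` if a stable name is not required by downstream policies. The `assume_backup_role` policy document and the role's permission attachments are outside this hunk.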
3 changes: 0 additions & 3 deletions locals.tf

This file was deleted.

46 changes: 20 additions & 26 deletions main.tf
Expand Up @@ -8,57 +8,51 @@ resource "aws_kms_key" "backup" {
}

resource "aws_kms_alias" "backup" {
name = "alias/aws_backup-${var.env}"
name = "alias/aws_backup-${var.vault_name}"
target_key_id = aws_kms_key.backup.arn
}

resource "aws_backup_vault" "this" {
name = local.vault_name
name = var.vault_name
kms_key_arn = aws_kms_key.backup.arn

lifecycle {
prevent_destroy = true
prevent_destroy = false
}
}

resource "aws_backup_plan" "daily" {
name = "daily-${var.env}"
resource "aws_backup_plan" "this" {
name = "${var.backup_plan_name}-${var.env}"

rule {
rule_name = "daily"
target_vault_name = aws_backup_vault.this.name
schedule = var.backup_schedule
enable_continuous_backup = var.enable_continuous_backup
dynamic "rule" {
for_each = var.rules
content {
rule_name = rule.value.name
target_vault_name = aws_backup_vault.this.name
schedule = rule.value.schedule
enable_continuous_backup = rule.value.continuous_backup

lifecycle {
delete_after = var.backup_retention_days
}
lifecycle {
delete_after = var.backup_retention_days
}

recovery_point_tags = {
Environment = var.env
}
}
}

resource "aws_backup_selection" "tagged_daily" {
name = "daily-tagged-${var.env}"
plan_id = aws_backup_plan.daily.id
resource "aws_backup_selection" "selection_tag" {
name = "${var.backup_plan_name}-${var.env}-selection"
plan_id = aws_backup_plan.this.id

# selection rules
# Selection rules
dynamic "selection_tag" {
for_each = var.plan_selection_tag
content {
type = "STRINGEQUALS"
key = selection_tag.value["key"]
value = selection_tag.value["value"]

}

}
selection_tag {
type = "STRINGEQUALS"
key = "backup:rule:efs"
value = "daily-${var.env}"
}

iam_role_arn = aws_iam_role.backup.arn
}
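Review bot: The `lifecycle { prevent_destroy = false }` on `aws_backup_vault.this` (presumably the new value, since `true` is printed beside it) drops the only guard against `terraform destroy` or a forced replacement — for example a later `kms_key_arn` change — tearing down the vault that holds the recovery points; `prevent_destroy` cannot be fed from a variable, so it should stay `true` or the reason for lowering it belongs in a comment next to it. In the dynamic `rule` block, `rule.value.continuous_backup` is dereferenced unconditionally while `var.rules` is `list(any)`, so a rule without that key fails at plan time; `enable_continuous_backup = lookup(rule.value, "continuous_backup", false)` keeps the default list working and tolerates sparse entries. `delete_after = var.backup_retention_days` applies one retention to every rule, and AWS caps continuous-backup retention at 35 days, so raising the variable past that with any `continuous_backup = true` rule fails at apply — a per-rule `lookup(rule.value, "retention_days", var.backup_retention_days)` would make the limit per rule. The `vault` key carried by the default rule in variables.tf is never read here; every rule targets `aws_backup_vault.this.name`, which is worth stating in the `rules` description. The body of `aws_kms_key.backup` begins above this hunk.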
8 changes: 1 addition & 7 deletions monitoring.tf
@@ -1,8 +1,4 @@
data "aws_iam_policy_document" "kms" {
# Copy of default KMS policy that lets you manage it
#checkov:skip=CKV_AWS_111: Does not apply here because KMS key policies only apply to the key itself. (https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint)
#checkov:skip=CKV_AWS_109: Does not apply here because KMS key policies only apply to the key itself. (https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint)
#checkov:skip=CKV_AWS_356: ignoring asterisk for policies
statement {
sid = "Enable IAM User Permissions"
actions = ["kms:*"]
Expand Down Expand Up @@ -52,7 +48,6 @@ data "aws_iam_policy_document" "kms" {
}

data "aws_iam_policy_document" "backup_notifications" {
#checkov:skip=CKV_AWS_356: ignoring asterisk for policies
policy_id = "aws_backup_${var.env}"

statement {
Expand Down Expand Up @@ -96,7 +91,6 @@ resource "aws_kms_alias" "backup_sns" {
}

module "sns_topic" {
#checkov:skip=CKV_TF_1: https://github.com/bridgecrewio/checkov/issues/5286
source = "terraform-aws-modules/sns/aws"
version = "~> 3.0"

Expand Down Expand Up @@ -137,7 +131,7 @@ EOT

resource "aws_backup_vault_notifications" "this" {
count = var.enable_sns_notifications ? 1 : 0
backup_vault_name = local.vault_name
backup_vault_name = var.vault_name
sns_topic_arn = module.sns_topic.sns_topic_arn
backup_vault_events = [
"BACKUP_JOB_COMPLETED", # filter successful backups on sns subscription!
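Review bot: The `#checkov:skip=CKV_AWS_111`, `CKV_AWS_109` and `CKV_AWS_356` annotations on `data "aws_iam_policy_document" "kms"` and the `CKV_AWS_356` skip on `backup_notifications` are removed while the `actions = ["kms:*"]` statement they justified is still in the context lines, so either those checks now fail in the pre-commit run this commit also bumps, or they are suppressed somewhere outside the diff; the original skips carried the correct rationale (a KMS key policy can only reference the key itself), so keeping them with that comment is the documented path rather than loosening the scan. The same holds for the dropped `CKV_TF_1` skip on `module "sns_topic"`, which still pins `version = "~> 3.0"` rather than a commit hash. The `backup_vault_name = var.vault_name` change matches iam.tf and looks intended. The remaining statements of both policy documents lie outside the visible hunks.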
24 changes: 0 additions & 24 deletions provider.tf

This file was deleted.

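--- a/tests/example.tf
+++ b/tests/example.tf
@@ -0,0 +1,22 @@
+provider "aws" {
+region = "eu-central-1"
+}
+
+module "aws_backup" {
+source = "./.."
+
+plan_selection_tag = [
+{
+key = "Environment"
+value = "dev"
+}
+]
+
+rules = [
+{
+name = "rule1"
+schedule = "cron(0 12 * * ? *)"
+continuous_backup = true
+}
+]
+}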
48 changes: 25 additions & 23 deletions variables.tf
@@ -1,19 +1,20 @@
variable "env" {
description = "Deployment environment"
variable "vault_name" {
description = "Backup vault name"
type = string
default = "backup_vault"
}

variable "env" {
description = "Envrionment for the plan"
type = string
default = "prod"
}
variable "region" {
description = "The region where resources should be managed."
type = string
default = "eu-central-1"
}

variable "component" {
description = "The component to which the resources deployed in this module belong to. This can be an application or a part of the overall infrastructure."
type = string
}

variable "backup_retention_days" {
description = "Number of days recovery points should be kept."
type = number
Expand All @@ -38,18 +39,6 @@ variable "alarm_email_addresses" {
default = []
}

variable "backup_schedule" {
description = "Schedule of aws backup plan"
type = string
default = "cron(0 1 * * ? *)"
}

variable "enable_continuous_backup" {
description = "Flag to enable continuos backup"
type = bool
default = false
}

variable "backup_plan_name" {
description = "Initial part of the plan name to which will be appended the env"
type = string
Expand All @@ -58,12 +47,25 @@ variable "backup_plan_name" {

variable "plan_selection_tag" {
description = "Resource selection for the plan"
type = list(map)
type = list(map(string))
default = [
{
key = ""
value = ""
key = "Environment"
value = "Production"
}
]
}

variable "rules" {
description = "List of rules to attach to the plan"
type = list(any)
default = [
{
name = "daily"
schedule = "cron(0 12 * * ? *)"
continuous_backup = true
vault = "Backup"

}
}
]
}
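Review bot: `variable "rules"` is typed `list(any)` and its default carries a `vault` key, yet the dynamic rule block in main.tf reads only `name`, `schedule` and `continuous_backup` and errors at plan time when one of those is missing, so the loose type turns a mistyped key into an opaque failure instead of a validation message. An object type with optional attributes documents the contract and rejects unknown or missing keys up front (below); `optional()` needs Terraform >= 1.3, which nothing in this diff pins, so add a `required_version` if that is not already set elsewhere. `variable "region"` survives while provider.tf is deleted in the same commit, so it appears unused now unless a file outside the diff references it. The description `Envrionment for the plan` has a typo (`Environment`) that terraform-docs has already copied into README.md.
```hcl
variable "rules" {
  description = "List of rules to attach to the plan; every rule targets the module's vault"
  type = list(object({
    name              = string
    schedule          = string
    continuous_backup = optional(bool, false)
  }))
  default = [
    {
      name              = "daily"
      schedule          = "cron(0 12 * * ? *)"
      continuous_backup = true
    }
  ]
}
```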
