From 0a643181fb0da1ff4aa7fd3cee1e437179c9fd06 Mon Sep 17 00:00:00 2001
From: Sarhad
Date: Tue, 3 Dec 2024 13:35:12 +0400
Subject: [PATCH 1/6] fix(DMVP-5908): fixes
---
main.tf | 6 +-----
monitoring.tf | 6 ------
provider.tf | 24 ------------------------
variables.tf | 22 +++++++++++++++++-----
4 files changed, 18 insertions(+), 40 deletions(-)
delete mode 100644 provider.tf
diff --git a/main.tf b/main.tf
index 3c4a33f..ccc2f30 100644
--- a/main.tf
+++ b/main.tf
@@ -55,10 +55,6 @@ resource "aws_backup_selection" "tagged_daily" {
}
}
- selection_tag {
- type = "STRINGEQUALS"
- key = "backup:rule:efs"
- value = "daily-${var.env}"
- }
+ iam_role_arn = aws_iam_role.backup.arn
}
diff --git a/monitoring.tf b/monitoring.tf
index 14acfa2..ed3ce3c 100644
--- a/monitoring.tf
+++ b/monitoring.tf
@@ -1,8 +1,4 @@
data "aws_iam_policy_document" "kms" {
- # Copy of default KMS policy that lets you manage it
- #checkov:skip=CKV_AWS_111: Does not apply here because KMS key policies only apply to the key itself. (https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint)
- #checkov:skip=CKV_AWS_109: Does not apply here because KMS key policies only apply to the key itself. (https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint)
- #checkov:skip=CKV_AWS_356: ignoring asterisk for policies
statement {
sid = "Enable IAM User Permissions"
actions = ["kms:*"]
@@ -52,7 +48,6 @@ data "aws_iam_policy_document" "kms" {
}
data "aws_iam_policy_document" "backup_notifications" {
- #checkov:skip=CKV_AWS_356: ignoring asterisk for policies
policy_id = "aws_backup_${var.env}"
statement {
@@ -96,7 +91,6 @@ resource "aws_kms_alias" "backup_sns" {
}
module "sns_topic" {
- #checkov:skip=CKV_TF_1: https://github.com/bridgecrewio/checkov/issues/5286
source = "terraform-aws-modules/sns/aws"
version = "~> 3.0"
diff --git a/provider.tf b/provider.tf
deleted file mode 100644
index bb1e4d2..0000000
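Review bot: Dropping the static `backup:rule:efs = daily-${var.env}` selection silently removes from the daily plan any resource that was enrolled only through that tag, and nothing on the new side of this hunk replaces it, so backup coverage shrinks with no plan-time signal. A `dynamic "selection_tag"` driven by `var.plan_selection_tag` appears as context in a later hunk, so tag-driven selection presumably already exists; the fix is then to state the migration in the commit and README and give callers the equivalent entry, e.g. `{ key = "backup:rule:efs", value = "daily-prod" }`. The `aws_backup_selection` resource starts above this hunk, so whether anything else still references the EFS key cannot be confirmed here.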
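Review bot: The removed `#checkov:skip` lines were the only recorded justification for the `kms:*` statement that remains in the context (`actions = ["kms:*"]` under "Enable IAM User Permissions"); with them gone a checkov run re-flags CKV_AWS_111/109/356 on this policy document and the next reader has no record of why the wildcard is accepted. Unless the statement is being narrowed, restore the annotations with their reason, e.g. `#checkov:skip=CKV_AWS_111: KMS key policy; the resource is implicitly this key only` and the same for CKV_AWS_109 and CKV_AWS_356. The same applies to the skip dropped from `backup_notifications` and to the CKV_TF_1 skip on `module "sns_topic"`, which is still pinned by a version range rather than a commit hash. The policy's principals and remaining statements are outside the hunk, so whether the wildcard is actually limited to the account root cannot be confirmed from here.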
--- a/provider.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-provider "aws" {
- region = var.region
- default_tags {
- tags = {
- environment = var.env
- component = var.component
- }
- }
-}
-
-terraform {
- required_version = ">= 1.3.0"
- required_providers {
- aws = {
- version = "4.27.0"
- }
- }
- cloud {
- organization = "dasmeta"
- workspaces {
- tags = ["component:aws_backup"]
- }
- }
-}
diff --git a/variables.tf b/variables.tf
index 90707ac..9e9b9ef 100644
--- a/variables.tf
+++ b/variables.tf
@@ -9,11 +9,6 @@ variable "region" {
default = "eu-central-1"
}
-variable "component" {
- description = "The component to which the resources deployed in this module belong to. This can be an application or a part of the overall infrastructure."
- type = string
-}
-
variable "backup_retention_days" {
description = "Number of days recovery points should be kept."
type = number
@@ -65,5 +60,22 @@ variable "plan_selection_tag" {
value = ""
}
]
+}
+variable "rules" {
+ description = "List of rules to attach to the plan"
+ type = list(map)
+ default = [
+ {
+ name = "daily"
+ schedule = "cron(0 12 * * ? *)"
+ continuous_backup = true
+ vault = local.vault_namexw
+
+ recovery_point_tags = {
+ Environment = var.env
+ Plan = var.backup_plan_name
+ }
+ }
+ ]
}
\ No newline at end of file
From 0aa88525fef325fdccd9b9ea46182aa74f8dea4a Mon Sep 17 00:00:00 2001
From: Sarhad
Date: Tue, 3 Dec 2024 14:08:41 +0400
Subject: [PATCH 2/6] fix(DMVP-5908): fixes
---
.pre-commit-config.yaml | 2 +-
README.md | 66 +++++++++++++++++++++++++++++++++++++++++
githooks/commit-msg | 2 +-
githooks/pre-commit | 2 +-
main.tf | 2 +-
variables.tf | 20 ++++++-------
6 files changed, 80 insertions(+), 14 deletions(-)
create mode 100644 README.md
mode change 100644 => 100755 githooks/commit-msg
mode change 100644 => 100755 githooks/pre-commit
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1e2bb60..7007749 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
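Review bot: The new `default` for `rules` references `local.vault_namexw`, `var.env` and `var.backup_plan_name`, but a variable default must be a literal — Terraform rejects any `var.`/`local.` reference there — and `vault_namexw` also reads as a typo of the `vault_name` local. A later patch in this series replaces these with literals, so the point for this commit is only that it does not validate on its own; keep defaults literal from the start, e.g. `vault = "backup"`, or squash. Separately, deleting `variable "component"` together with provider.tf removes the `default_tags` (`environment`, `component`) that every resource from this module used to carry, so callers that relied on those tags for selection or cost allocation now have to set them in their own provider.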
@@ -18,7 +18,7 @@ repos:
args: ['--allow-missing-credentials']
- id: detect-private-key
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.64.1
+ rev: v1.96.2
hooks:
- id: terraform_fmt
- id: terraform_docs
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..bed065a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,66 @@ +# terraform-aws-backup + + +## Requirements + +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [sns\_topic](#module\_sns\_topic) | terraform-aws-modules/sns/aws | ~> 3.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_backup_plan.daily](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource | +| [aws_backup_selection.tagged_daily](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource | +| [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | +| [aws_backup_vault_notifications.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_notifications) | resource | +| [aws_iam_role.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.s3_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.s3_restore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kms_alias.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.backup_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| 
[aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_lambda_permission.with_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_sns_topic_subscription.email](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_sns_topic_subscription.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.assume_backup_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.backup_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.backup_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [alarm\_email\_addresses](#input\_alarm\_email\_addresses) | E-Mail addresses that should be subscribed to monitoring notifications | `list(string)` | `[]` | no | +| [alarm\_lambda\_arn](#input\_alarm\_lambda\_arn) | ARN of a lambda function that should be subscribed to monitoring notifications | `string` | `""` | no | +| [backup\_plan\_name](#input\_backup\_plan\_name) | Initial part of the plan name to which will be appended the env | `string` | `""` | no | +| [backup\_retention\_days](#input\_backup\_retention\_days) | 
Number of days recovery points should be kept. | `number` | `7` | no | +| [backup\_schedule](#input\_backup\_schedule) | Schedule of aws backup plan | `string` | `"cron(0 1 * * ? *)"` | no | +| [enable\_continuous\_backup](#input\_enable\_continuous\_backup) | Flag to enable continuos backup | `bool` | `false` | no | +| [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `true` | no | +| [env](#input\_env) | Deployment environment | `string` | n/a | yes | +| [plan\_selection\_tag](#input\_plan\_selection\_tag) | Resource selection for the plan | `list(map)` |
[
{
"key": "",
"value": ""
}
]
| no | +| [region](#input\_region) | The region where resources should be managed. | `string` | `"eu-central-1"` | no | +| [rules](#input\_rules) | List of rules to attach to the plan | `list(map)` |
[
{
"continuous_backup": true,
"name": "daily",
"recovery_point_tags": {
"Environment": "dev",
"Plan": "plan name"
},
"schedule": "cron(0 12 * * ? *)",
"vault": "Backup"
}
]
| no | + +## Outputs + +No outputs. + diff --git a/githooks/commit-msg b/githooks/commit-msg old mode 100644 new mode 100755 index cd8f9cb..83b05aa --- a/githooks/commit-msg +++ b/githooks/commit-msg @@ -17,4 +17,4 @@ elif [ -x "$INSTALL_PYTHON" ]; then else echo '`pre-commit` not found. Did you forget to activate your virtualenv?' 1>&2 exit 1a -fi \ No newline at end of file +fi diff --git a/githooks/pre-commit b/githooks/pre-commit old mode 100644 new mode 100755 index 9b3c4dc..c3aacd8 --- a/githooks/pre-commit +++ b/githooks/pre-commit @@ -1,4 +1,4 @@ #!/bin/bash set -e -pre-commit run --show-diff-on-failure --color=always --all-files \ No newline at end of file +pre-commit run --show-diff-on-failure --color=always --all-files diff --git a/main.tf b/main.tf index ccc2f30..758b8bd 100644 --- a/main.tf +++ b/main.tf @@ -55,6 +55,6 @@ resource "aws_backup_selection" "tagged_daily" { } } - + iam_role_arn = aws_iam_role.backup.arn } diff --git a/variables.tf b/variables.tf index 9e9b9ef..d3d1e4a 100644 --- a/variables.tf +++ b/variables.tf @@ -64,18 +64,18 @@ variable "plan_selection_tag" { variable "rules" { description = "List of rules to attach to the plan" - type = list(map) - default = [ + type = list(map) + default = [ { - name = "daily" - schedule = "cron(0 12 * * ? *)" + name = "daily" + schedule = "cron(0 12 * * ? *)" continuous_backup = true - vault = local.vault_namexw - + vault = "Backup" + recovery_point_tags = { - Environment = var.env - Plan = var.backup_plan_name + Environment = "dev" + Plan = "plan name" } } - ] -} \ No newline at end of file + ] +} From 080159c0562eb57af9353d5823c4bdd099f8ea63 Mon Sep 17 00:00:00 2001 
From: Sarhad Date: Wed, 4 Dec 2024 17:39:43 +0400 Subject: [PATCH 3/6] fix(DMVP-5908): fix and test --- README.md | 8 ++++---- iam.tf | 2 +- locals.tf | 3 --- main.tf | 30 ++++++++++++++---------------- monitoring.tf | 20 ++++++++++---------- tests/example.tf | 22 ++++++++++++++++++++++ variables.tf | 22 ++++++++++++---------- 7 files changed, 63 insertions(+), 44 deletions(-) delete mode 100644 locals.tf create mode 100644 tests/example.tf diff --git a/README.md b/README.md index bed065a..30ee543 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,6 @@ | [aws_backup_plan.daily](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource | | [aws_backup_selection.tagged_daily](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource | | [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | -| [aws_backup_vault_notifications.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_notifications) | resource | | [aws_iam_role.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.s3_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -55,10 +54,11 @@ | [backup\_schedule](#input\_backup\_schedule) | Schedule of aws backup plan | `string` | `"cron(0 1 * * ? *)"` | no | | [enable\_continuous\_backup](#input\_enable\_continuous\_backup) | Flag to enable continuos backup | `bool` | `false` | no | | [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `true` | no | -| [env](#input\_env) | Deployment environment | `string` | n/a | yes | -| [plan\_selection\_tag](#input\_plan\_selection\_tag) | Resource selection for the plan | `list(map)` |
[
{
"key": "",
"value": ""
}
]
| no | +| [env](#input\_env) | Envrionment for the plan | `string` | `"prod"` | no | +| [plan\_selection\_tag](#input\_plan\_selection\_tag) | Resource selection for the plan | `list(map(string))` |
[
{
"key": "Environment",
"value": "Production"
}
]
| no | | [region](#input\_region) | The region where resources should be managed. | `string` | `"eu-central-1"` | no | -| [rules](#input\_rules) | List of rules to attach to the plan | `list(map)` |
[
{
"continuous_backup": true,
"name": "daily",
"recovery_point_tags": {
"Environment": "dev",
"Plan": "plan name"
},
"schedule": "cron(0 12 * * ? *)",
"vault": "Backup"
}
]
| no | +| [rules](#input\_rules) | List of rules to attach to the plan | `list(any)` |
[
{
"continuous_backup": true,
"name": "daily",
"schedule": "cron(0 12 * * ? *)",
"vault": "Backup"
}
]
| no |
+| [vault\_name](#input\_vault\_name) | Backup vault name | `string` | `"backup_vault"` | no |
## Outputs
diff --git a/iam.tf b/iam.tf
index 9285788..5e141cb 100644
--- a/iam.tf
+++ b/iam.tf
@@ -39,7 +39,7 @@ data "aws_iam_policy_document" "assume_backup_role" {
}
resource "aws_iam_role" "backup" {
- name = local.vault_name
+ name = var.vault_name
assume_role_policy = data.aws_iam_policy_document.assume_backup_role.json
}
diff --git a/locals.tf b/locals.tf
deleted file mode 100644
index 1a7329e..0000000
--- a/locals.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-locals {
- vault_name = "backup-${var.env}"
-}
diff --git a/main.tf b/main.tf
index 758b8bd..c212eb7 100644
--- a/main.tf
+++ b/main.tf
@@ -8,34 +8,34 @@ resource "aws_kms_key" "backup" {
}
resource "aws_kms_alias" "backup" {
- name = "alias/aws_backup-${var.env}"
+ name = "alias/aws_backup-${var.vault_name}"
target_key_id = aws_kms_key.backup.arn
}
resource "aws_backup_vault" "this" {
- name = local.vault_name
+ name = var.vault_name
kms_key_arn = aws_kms_key.backup.arn
lifecycle {
- prevent_destroy = true
+ prevent_destroy = false
}
}
resource "aws_backup_plan" "daily" {
name = "daily-${var.env}"
- rule {
- rule_name = "daily"
- target_vault_name = aws_backup_vault.this.name
- schedule = var.backup_schedule
- enable_continuous_backup = var.enable_continuous_backup
+ dynamic "rule" {
+ for_each = var.rules
+ content {
+ rule_name = rule.value.name
+ target_vault_name = aws_backup_vault.this.name
+ schedule = rule.value.schedule
+ enable_continuous_backup = rule.value.continuous_backup
- lifecycle {
- delete_after = var.backup_retention_days
- }
+ lifecycle {
+ delete_after = var.backup_retention_days
+ }
- recovery_point_tags = {
- Environment = var.env
}
}
}
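Review bot: `prevent_destroy = false` on `aws_backup_vault.this` removes the only guard that stopped `terraform destroy`, or a forced replacement such as the `name` change in this same hunk, from deleting the vault that holds every recovery point; for a backup module that is the control protecting the last copy of the data from accidental or malicious teardown. `prevent_destroy` cannot be parameterized, so keep it `true` and, if the rename is intended, migrate existing vaults with `terraform import` rather than replacement — AWS refuses to delete a non-empty vault anyway, so the flip mostly trades a clear plan-time refusal for an unguarded vault plus a confusing apply-time error. In the new `dynamic "rule"`, `rule.value.schedule` and `rule.value.continuous_backup` are read unconditionally, so with `type = list(any)` a rule missing a key fails with a bare attribute error; `enable_continuous_backup = try(rule.value.continuous_backup, false)` and `delete_after = try(rule.value.retention_days, var.backup_retention_days)` would also allow per-rule retention, which matters because AWS limits continuous-backup retention to 35 days while `backup_retention_days` now applies to every rule. The dropped `recovery_point_tags` means recovery points no longer carry `Environment`, which any tag-based IAM condition or cost report on recovery points will notice.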
@@ -44,16 +44,14 @@ resource "aws_backup_selection" "tagged_daily" {
name = "daily-tagged-${var.env}"
plan_id = aws_backup_plan.daily.id
- # selection rules
+ # Selection rules
dynamic "selection_tag" {
for_each = var.plan_selection_tag
content {
type = "STRINGEQUALS"
key = selection_tag.value["key"]
value = selection_tag.value["value"]
- }
- }
iam_role_arn = aws_iam_role.backup.arn
diff --git a/monitoring.tf b/monitoring.tf
index ed3ce3c..6899d46 100644
--- a/monitoring.tf
+++ b/monitoring.tf
@@ -129,13 +129,13 @@ locals {
EOT
}
-resource "aws_backup_vault_notifications" "this" {
- count = var.enable_sns_notifications ? 1 : 0
- backup_vault_name = local.vault_name
- sns_topic_arn = module.sns_topic.sns_topic_arn
- backup_vault_events = [
- "BACKUP_JOB_COMPLETED", # filter successful backups on sns subscription!
- "RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED",
- "S3_BACKUP_OBJECT_FAILED", "S3_RESTORE_OBJECT_FAILED"
- ]
-}
+# resource "aws_backup_vault_notifications" "this" {
+# count = var.enable_sns_notifications ? 1 : 0
+# backup_vault_name = var.vault_name
+# sns_topic_arn = module.sns_topic.sns_topic_arn
+# backup_vault_events = [
+# "BACKUP_JOB_COMPLETED", # filter successful backups on sns subscription!
+# "RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED",
+# "S3_BACKUP_OBJECT_FAILED", "S3_RESTORE_OBJECT_FAILED"
+# ]
+# }
diff --git a/tests/example.tf b/tests/example.tf
new file mode 100644
index 0000000..c4a8dfc
--- /dev/null
+++ b/tests/example.tf
@@ -0,0 +1,22 @@
+provider "aws" {
+ region = "eu-central-1"
+}
+
+module "aws_backup" {
+ source = "./.."
+
+ plan_selection_tag = [
+ {
+ key = "Environment"
+ value = "dev"
+ }
+ ]
+
+ rules = [
+ {
+ name = "rule1"
+ schedule = "cron(0 12 * * ? *)"
+ continuous_backup = true
+ }
+ ]
+}
diff --git a/variables.tf b/variables.tf
index d3d1e4a..593d305 100644
--- a/variables.tf
+++ b/variables.tf
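Review bot: tests/example.tf applies the module with every naming default, so it creates an IAM role and a vault both literally named `backup_vault` (iam.tf now uses `var.vault_name` for the role name) plus a plan for the default `env`; IAM role names are account-global, so a second run or another instance in the same account fails on the clash, and the `Environment = dev` selection tag enrols every dev-tagged resource in that account into a real backup plan. Pass test-scoped values, e.g. `vault_name = "backup-test-<suffix>"` and `env = "test"`, or point `plan_selection_tag` at a tag value nothing real carries. The `provider "aws"` block pins no provider version; the README advertises `~> 5.0`, so whichever `required_providers` file supplies that constraint is outside this diff.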
@@ -1,8 +1,14 @@
-variable "env" {
- description = "Deployment environment"
+variable "vault_name" {
+ description = "Backup vault name"
type = string
+ default = "backup_vault"
}
+variable "env" {
+ description = "Envrionment for the plan"
+ type = string
+ default = "prod"
+}
variable "region" {
description = "The region where resources should be managed."
type = string
@@ -53,18 +59,18 @@ variable "backup_plan_name" {
variable "plan_selection_tag" {
description = "Resource selection for the plan"
- type = list(map)
+ type = list(map(string))
default = [
{
- key = ""
- value = ""
+ key = "Environment"
+ value = "Production"
}
]
}
variable "rules" {
description = "List of rules to attach to the plan"
- type = list(map)
+ type = list(any)
default = [
{
name = "daily"
@@ -72,10 +78,6 @@ variable "rules" {
continuous_backup = true
vault = "Backup"
- recovery_point_tags = {
- Environment = "dev"
- Plan = "plan name"
- }
}
]
}
From 77e74fa578b7c55003c1f1bfc1c9f1d1ef2f51f6 Mon Sep 17 00:00:00 2001
From: Sarhad
Date: Thu, 5 Dec 2024 15:25:35 +0400
Subject: [PATCH 4/6] fix(DMVP-5908): naming fix
---
README.md | 4 ++--
main.tf | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 30ee543..0d0a301 100644
--- a/README.md
+++ b/README.md
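Review bot: Giving `env` a default of `"prod"` and `plan_selection_tag` a default of `Environment = "Production"` means a module call that sets nothing targets production: it names the plan and IAM role for prod and enrols every resource in the account tagged `Environment=Production` into a backup plan under a vault the caller never chose. Safe-by-default is the opposite — keep `env` required (no `default`) as it was and default `plan_selection_tag = []` so nothing is selected until the caller opts in, with a `validation` block rejecting `key == ""` to catch the old empty-string default this hunk replaces. `vault_name`'s default `"backup_vault"` is reused as the IAM role name in iam.tf, so it should carry `env` or be required too, and `type = list(any)` on `rules` defers every shape error to the `rule.value.*` lookups in main.tf, whereas `list(object({ name = string, schedule = string, continuous_backup = optional(bool, false) }))` reports it at plan time (if the module still requires Terraform ≥ 1.3, as the deleted provider.tf did). The `vault = "Backup"` key kept in the `rules` default is not read anywhere in the visible main.tf and only misleads callers; `Envrionment` in the `env` description is also misspelled.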
@@ -23,8 +23,8 @@
| Name | Type |
|------|------|
-| [aws_backup_plan.daily](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource |
-| [aws_backup_selection.tagged_daily](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
+| [aws_backup_plan.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource |
+| [aws_backup_selection.selection_tag](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
| [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
| [aws_iam_role.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
diff --git a/main.tf b/main.tf
index c212eb7..b59788c 100644
--- a/main.tf
+++ b/main.tf
@@ -21,8 +21,8 @@ resource "aws_backup_vault" "this" {
}
}
-resource "aws_backup_plan" "daily" {
- name = "daily-${var.env}"
+resource "aws_backup_plan" "this" {
+ name = "${var.backup_plan_name}-${var.env}"
dynamic "rule" {
for_each = var.rules
@@ -40,9 +40,9 @@ resource "aws_backup_plan" "daily" {
}
}
-resource "aws_backup_selection" "tagged_daily" {
- name = "daily-tagged-${var.env}"
- plan_id = aws_backup_plan.daily.id
+resource "aws_backup_selection" "selection_tag" {
+ name = "${var.backup_plan_name}-${var.env}-selection"
+ plan_id = aws_backup_plan.this.id
# Selection rules
dynamic "selection_tag" {
From 3fb7d251a57b1b957cfee34e0d314ba27a8fb48d Mon Sep 17 00:00:00 2001
From: Sarhad
Date: Thu, 5 Dec 2024 15:42:16 +0400
Subject: [PATCH 5/6] fix(DMVP-5908): documentation
---
README.md | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
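Review bot: `name = "${var.backup_plan_name}-${var.env}"` yields `-prod` (and `-prod-selection`) with the module's defaults, because `backup_plan_name` defaults to `""`; give it a non-empty default such as `"daily"` or make it required, and a `validation { condition = length(var.backup_plan_name) > 0 }` would stop leading-hyphen names outright. Renaming the resource addresses from `daily`/`tagged_daily` to `this`/`selection_tag` without `moved` blocks makes Terraform destroy and recreate the plan and selection on every existing deployment, leaving a window with no active plan; add `moved { from = aws_backup_plan.daily to = aws_backup_plan.this }` and the same for the selection (they need Terraform ≥ 1.1, which the module's former `required_version = ">= 1.3.0"` covered if that constraint still lives elsewhere). Changing the `name` attribute itself forces a replacement as far as I recall, so settle the naming scheme now rather than shuffling it again in a later commit.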
diff --git a/README.md b/README.md index 0d0a301..9e019ee 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,29 @@ # terraform-aws-backup +# This module is used to create and configure AWS Backup service together with related sns service and accesses + +# basic example +```hcl +module "backup" { + source = "dasmeta/backup/aws" + version = "x.y.z" + + plan_selection_tag = [ + { + key = "Environment" + value = "dev" + } + ] + + rules = [ + { + name = "rule1" + schedule = "cron(0 12 * * ? *)" + continuous_backup = true + } + ] +} +``` ## Requirements From 70154efd7a999baac86bb9686a51fcea9995eef2 Mon Sep 17 00:00:00 2001 From: Sarhad Date: Thu, 5 Dec 2024 18:56:49 +0400 Subject: [PATCH 6/6] fix(DMVP-5908): fixes --- README.md | 3 +-- monitoring.tf | 20 ++++++++++---------- variables.tf | 12 ------------ 3 files changed, 11 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 9e019ee..6637cda 100644 --- a/README.md +++ b/README.md @@ -50,6 +50,7 @@ module "backup" { | [aws_backup_plan.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource | | [aws_backup_selection.selection_tag](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource | | [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | +| [aws_backup_vault_notifications.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_notifications) | resource | | [aws_iam_role.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.s3_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -75,8 +76,6 @@ module "backup" { | [alarm\_lambda\_arn](#input\_alarm\_lambda\_arn) | ARN of a lambda function that should be subscribed to monitoring notifications | `string` | `""` | no | | [backup\_plan\_name](#input\_backup\_plan\_name) | Initial part of the plan name to which will be appended the env | `string` | `""` | no | | [backup\_retention\_days](#input\_backup\_retention\_days) | Number of days recovery points should be kept. | `number` | `7` | no | -| [backup\_schedule](#input\_backup\_schedule) | Schedule of aws backup plan | `string` | `"cron(0 1 * * ? *)"` | no | -| [enable\_continuous\_backup](#input\_enable\_continuous\_backup) | Flag to enable continuos backup | `bool` | `false` | no | | [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `true` | no | | [env](#input\_env) | Envrionment for the plan | `string` | `"prod"` | no | | [plan\_selection\_tag](#input\_plan\_selection\_tag) | Resource selection for the plan | `list(map(string))` |
[
{
"key": "Environment",
"value": "Production"
}
]
| no |
diff --git a/monitoring.tf b/monitoring.tf
index 6899d46..ce9f671 100644
--- a/monitoring.tf
+++ b/monitoring.tf
@@ -129,13 +129,13 @@ locals {
EOT
}
-# resource "aws_backup_vault_notifications" "this" {
-# count = var.enable_sns_notifications ? 1 : 0
-# backup_vault_name = var.vault_name
-# sns_topic_arn = module.sns_topic.sns_topic_arn
-# backup_vault_events = [
-# "BACKUP_JOB_COMPLETED", # filter successful backups on sns subscription!
-# "RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED",
-# "S3_BACKUP_OBJECT_FAILED", "S3_RESTORE_OBJECT_FAILED"
-# ]
-# }
+resource "aws_backup_vault_notifications" "this" {
+ count = var.enable_sns_notifications ? 1 : 0
+ backup_vault_name = var.vault_name
+ sns_topic_arn = module.sns_topic.sns_topic_arn
+ backup_vault_events = [
+ "BACKUP_JOB_COMPLETED", # filter successful backups on sns subscription!
+ "RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED",
+ "S3_BACKUP_OBJECT_FAILED", "S3_RESTORE_OBJECT_FAILED"
+ ]
+}
diff --git a/variables.tf b/variables.tf
index 593d305..678ce7b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -39,18 +39,6 @@ variable "alarm_email_addresses" {
default = []
}
-variable "backup_schedule" {
- description = "Schedule of aws backup plan"
- type = string
- default = "cron(0 1 * * ? *)"
-}
-
-variable "enable_continuous_backup" {
- description = "Flag to enable continuos backup"
- type = bool
- default = false
-}
-
variable "backup_plan_name" {
description = "Initial part of the plan name to which will be appended the env"
type = string
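Review bot: `backup_vault_name = var.vault_name` gives `aws_backup_vault_notifications.this` no dependency on `aws_backup_vault.this`, so on a fresh apply Terraform may attach the notification before the vault exists and fail; use `backup_vault_name = aws_backup_vault.this.name`, which also keeps the two in step if the vault ever derives its name differently. The event list watches `BACKUP_JOB_COMPLETED` and the S3 object failures but not `BACKUP_JOB_FAILED`, `BACKUP_JOB_EXPIRED` or `RECOVERY_POINT_MODIFIED`; the inline comment relies on successes being filtered at the subscription, which only helps if the failed-job signal actually arrives on the topic — worth confirming against the AWS Backup vault event list — and `RECOVERY_POINT_MODIFIED` is a cheap tamper signal for a vault meant to hold the last copy. The variables.tf hunk in this commit deletes `backup_schedule` and `enable_continuous_backup`, a breaking change for callers of the previous interface that the README and changelog should call out.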