fix(DMVP-5908): fix rules #4

Merged
merged 6 commits into from
Dec 6, 2024
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ repos:
args: ['--allow-missing-credentials']
- id: detect-private-key
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.64.1
rev: v1.96.2
hooks:
- id: terraform_fmt
- id: terraform_docs
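Review bot: the bump from v1.64.1 to v1.96.2 spans a large number of pre-commit-terraform releases, so confirm the `terraform_fmt` and `terraform_docs` hook ids and their default arguments are unchanged before merging, and since this is the hook that runs on every commit, consider pinning `rev` to the commit SHA of the v1.96.2 tag rather than the tag itself so the hook code cannot move without a visible diff here.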
90 changes: 90 additions & 0 deletions README.md
@@ -0,0 +1,90 @@
# terraform-aws-backup

# This module is used to create and configure AWS Backup service together with related sns service and accesses

# basic example
```hcl
module "backup" {
source = "dasmeta/backup/aws"
version = "x.y.z"

plan_selection_tag = [
{
key = "Environment"
value = "dev"
}
]

rules = [
{
name = "rule1"
schedule = "cron(0 12 * * ? *)"
continuous_backup = true
}
]
}
```
<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_sns_topic"></a> [sns\_topic](#module\_sns\_topic) | terraform-aws-modules/sns/aws | ~> 3.0 |

## Resources

| Name | Type |
|------|------|
| [aws_backup_plan.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource |
| [aws_backup_selection.selection_tag](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
| [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
| [aws_iam_role.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.s3_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.s3_restore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_kms_alias.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
| [aws_kms_alias.backup_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
| [aws_kms_key.backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_lambda_permission.with_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_sns_topic_subscription.email](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
| [aws_sns_topic_subscription.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.assume_backup_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.backup_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.backup_notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_alarm_email_addresses"></a> [alarm\_email\_addresses](#input\_alarm\_email\_addresses) | E-Mail addresses that should be subscribed to monitoring notifications | `list(string)` | `[]` | no |
| <a name="input_alarm_lambda_arn"></a> [alarm\_lambda\_arn](#input\_alarm\_lambda\_arn) | ARN of a lambda function that should be subscribed to monitoring notifications | `string` | `""` | no |
| <a name="input_backup_plan_name"></a> [backup\_plan\_name](#input\_backup\_plan\_name) | Initial part of the plan name to which will be appended the env | `string` | `""` | no |
| <a name="input_backup_retention_days"></a> [backup\_retention\_days](#input\_backup\_retention\_days) | Number of days recovery points should be kept. | `number` | `7` | no |
| <a name="input_backup_schedule"></a> [backup\_schedule](#input\_backup\_schedule) | Schedule of aws backup plan | `string` | `"cron(0 1 * * ? *)"` | no |
| <a name="input_enable_continuous_backup"></a> [enable\_continuous\_backup](#input\_enable\_continuous\_backup) | Flag to enable continuos backup | `bool` | `false` | no |
| <a name="input_enable_sns_notifications"></a> [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `true` | no |
| <a name="input_env"></a> [env](#input\_env) | Envrionment for the plan | `string` | `"prod"` | no |
| <a name="input_plan_selection_tag"></a> [plan\_selection\_tag](#input\_plan\_selection\_tag) | Resource selection for the plan | `list(map(string))` | <pre>[<br/> {<br/> "key": "Environment",<br/> "value": "Production"<br/> }<br/>]</pre> | no |
| <a name="input_region"></a> [region](#input\_region) | The region where resources should be managed. | `string` | `"eu-central-1"` | no |
| <a name="input_rules"></a> [rules](#input\_rules) | List of rules to attach to the plan | `list(any)` | <pre>[<br/> {<br/> "continuous_backup": true,<br/> "name": "daily",<br/> "schedule": "cron(0 12 * * ? *)",<br/> "vault": "Backup"<br/> }<br/>]</pre> | no |
| <a name="input_vault_name"></a> [vault\_name](#input\_vault\_name) | Backup vault name | `string` | `"backup_vault"` | no |

## Outputs

No outputs.
<!-- END_TF_DOCS -->
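Review bot: the Inputs table still documents `backup_schedule` and `enable_continuous_backup`, but main.tf in this PR takes schedule and continuous backup from `var.rules`, so those two inputs look dead and will confuse callers who set them and see no effect; either drop them or state that `rules` supersedes them. The `rules` default also shows a `vault` key that main.tf never reads (every rule targets `aws_backup_vault.this`), so readers will expect per-rule vaults that do not exist. Typing `rules` as `list(object({ name = string, schedule = string, continuous_backup = bool }))` instead of `list(any)` would make `terraform validate` catch a missing key and would let terraform-docs render the real shape here.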
2 changes: 1 addition & 1 deletion githooks/commit-msg
100644 → 100755
Expand Up @@ -17,4 +17,4 @@ elif [ -x "$INSTALL_PYTHON" ]; then
else
echo '`pre-commit` not found. Did you forget to activate your virtualenv?' 1>&2
exit 1a
fi
fi
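Review bot: the deleted and added `fi` lines are identical, so the content change is presumably a trailing-newline fix, and the substantive fix in this file is the `100644 → 100755` mode change that makes git actually execute the hook. Separately, `exit 1a` as shown is not a valid numeric status: bash prints `numeric argument required` and exits with 2 instead of 1, so if that is what the file contains it should read `exit 1`.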
2 changes: 1 addition & 1 deletion githooks/pre-commit
100644 → 100755
@@ -1,4 +1,4 @@
#!/bin/bash

set -e
pre-commit run --show-diff-on-failure --color=always --all-files
pre-commit run --show-diff-on-failure --color=always --all-files
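Review bot: same pattern as commit-msg, the line is unchanged and the real fix is the executable bit; with `set -e` a failing `pre-commit run` already aborts the commit. Note that `--all-files` re-checks the whole repository on every commit rather than only the staged files, which is slow on larger repos and lets an unrelated pre-existing finding block every commit; dropping the flag makes the hook check just what is being committed.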
2 changes: 1 addition & 1 deletion iam.tf
Expand Up @@ -39,7 +39,7 @@ data "aws_iam_policy_document" "assume_backup_role" {
}

resource "aws_iam_role" "backup" {
name = local.vault_name
name = var.vault_name
assume_role_policy = data.aws_iam_policy_document.assume_backup_role.json
}

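Review bot: naming the IAM role `var.vault_name` (default `backup_vault`) drops the env-scoped name that `local.vault_name` from the now-deleted locals.tf provided, and IAM role names are account-wide, so the second instantiation of this module in the same account fails on a duplicate role name. Suggest `name = "${var.vault_name}-${var.env}"` or `name_prefix` so each deployment gets a distinct, still-recognisable role.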
3 changes: 0 additions & 3 deletions locals.tf

This file was deleted.

46 changes: 20 additions & 26 deletions main.tf
Expand Up @@ -8,57 +8,51 @@ resource "aws_kms_key" "backup" {
}

resource "aws_kms_alias" "backup" {
name = "alias/aws_backup-${var.env}"
name = "alias/aws_backup-${var.vault_name}"
target_key_id = aws_kms_key.backup.arn
}

resource "aws_backup_vault" "this" {
name = local.vault_name
name = var.vault_name
kms_key_arn = aws_kms_key.backup.arn

lifecycle {
prevent_destroy = true
prevent_destroy = false
}
}

resource "aws_backup_plan" "daily" {
name = "daily-${var.env}"
resource "aws_backup_plan" "this" {
name = "${var.backup_plan_name}-${var.env}"

rule {
rule_name = "daily"
target_vault_name = aws_backup_vault.this.name
schedule = var.backup_schedule
enable_continuous_backup = var.enable_continuous_backup
dynamic "rule" {
for_each = var.rules
content {
rule_name = rule.value.name
target_vault_name = aws_backup_vault.this.name
schedule = rule.value.schedule
enable_continuous_backup = rule.value.continuous_backup

lifecycle {
delete_after = var.backup_retention_days
}
lifecycle {
delete_after = var.backup_retention_days
}

recovery_point_tags = {
Environment = var.env
}
}
}

resource "aws_backup_selection" "tagged_daily" {
name = "daily-tagged-${var.env}"
plan_id = aws_backup_plan.daily.id
resource "aws_backup_selection" "selection_tag" {
name = "${var.backup_plan_name}-${var.env}-selection"
plan_id = aws_backup_plan.this.id

# selection rules
# Selection rules
dynamic "selection_tag" {
for_each = var.plan_selection_tag
content {
type = "STRINGEQUALS"
key = selection_tag.value["key"]
value = selection_tag.value["value"]

}

}
selection_tag {
type = "STRINGEQUALS"
key = "backup:rule:efs"
value = "daily-${var.env}"
}

iam_role_arn = aws_iam_role.backup.arn
}
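Review bot: flipping `prevent_destroy` to `false` on `aws_backup_vault.this` removes the only guard against a `terraform destroy` or a forced replacement taking the vault, and with it its recovery points, which is the one resource in a backup module that should be hardest to delete. `prevent_destroy` cannot be driven by a variable, so if the test fixture needs to tear the vault down, keep `true` in the module and handle teardown in a test-only wrapper. Also, `delete_after = var.backup_retention_days` now applies to every rule, and AWS caps retention for a rule with `enable_continuous_backup = true` at 35 days, so a caller raising `backup_retention_days` above that will fail at apply for the default `daily` rule; a per-rule retention or a validation block on the variable would surface this earlier.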
26 changes: 10 additions & 16 deletions monitoring.tf
@@ -1,8 +1,4 @@
data "aws_iam_policy_document" "kms" {
# Copy of default KMS policy that lets you manage it
#checkov:skip=CKV_AWS_111: Does not apply here because KMS key policies only apply to the key itself. (https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint)
#checkov:skip=CKV_AWS_109: Does not apply here because KMS key policies only apply to the key itself. (https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint)
#checkov:skip=CKV_AWS_356: ignoring asterisk for policies
statement {
sid = "Enable IAM User Permissions"
actions = ["kms:*"]
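Review bot: removing the three `#checkov:skip` annotations changes nothing in the policy but means checkov will now report CKV_AWS_111, CKV_AWS_109 and CKV_AWS_356 on the `kms:*` statement that follows, so either the pre-commit checkov hook starts failing on this file or checkov is no longer running at all. If the key-administrator `kms:*` statement is intentional (it is the standard default key policy, as the comment says), keep the skips with their justification rather than deleting them.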
Expand Down Expand Up @@ -52,7 +48,6 @@ data "aws_iam_policy_document" "kms" {
}

data "aws_iam_policy_document" "backup_notifications" {
#checkov:skip=CKV_AWS_356: ignoring asterisk for policies
policy_id = "aws_backup_${var.env}"

statement {
Expand Down Expand Up @@ -96,7 +91,6 @@ resource "aws_kms_alias" "backup_sns" {
}

module "sns_topic" {
#checkov:skip=CKV_TF_1: https://github.com/bridgecrewio/checkov/issues/5286
source = "terraform-aws-modules/sns/aws"
version = "~> 3.0"

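Review bot: dropping the `CKV_TF_1` skip on `module "sns_topic"` while keeping `version = "~> 3.0"` means checkov will flag the module source for not being pinned to a commit hash; registry modules cannot be pinned that way, which is exactly what the skip and its linked issue documented, so the skip should stay or the check will fail here.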
Expand Down Expand Up @@ -135,13 +129,13 @@ locals {
EOT
}

resource "aws_backup_vault_notifications" "this" {
count = var.enable_sns_notifications ? 1 : 0
backup_vault_name = local.vault_name
sns_topic_arn = module.sns_topic.sns_topic_arn
backup_vault_events = [
"BACKUP_JOB_COMPLETED", # filter successful backups on sns subscription!
"RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED",
"S3_BACKUP_OBJECT_FAILED", "S3_RESTORE_OBJECT_FAILED"
]
}
# resource "aws_backup_vault_notifications" "this" {
# count = var.enable_sns_notifications ? 1 : 0
# backup_vault_name = var.vault_name
# sns_topic_arn = module.sns_topic.sns_topic_arn
# backup_vault_events = [
# "BACKUP_JOB_COMPLETED", # filter successful backups on sns subscription!
# "RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED",
# "S3_BACKUP_OBJECT_FAILED", "S3_RESTORE_OBJECT_FAILED"
# ]
# }
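Review bot: commenting out `aws_backup_vault_notifications.this` silently disables the only path by which backup and restore job events reach the SNS topic, while `enable_sns_notifications`, `module.sns_topic`, the email and lambda subscriptions and the `backup_notifications` policy all remain, so callers get a topic that never receives `S3_BACKUP_OBJECT_FAILED` or `S3_RESTORE_OBJECT_FAILED` and have no signal when backups break. If the resource was disabled only because `local.vault_name` went away, the fix is already in the comment (`backup_vault_name = var.vault_name`), so restore it as a live resource; and commented-out code should be deleted rather than kept, git history preserves it.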
24 changes: 0 additions & 24 deletions provider.tf

This file was deleted.

22 changes: 22 additions & 0 deletions tests/example.tf
@@ -0,0 +1,22 @@
provider "aws" {
region = "eu-central-1"
}

module "aws_backup" {
source = "./.."

plan_selection_tag = [
{
key = "Environment"
value = "dev"
}
]

rules = [
{
name = "rule1"
schedule = "cron(0 12 * * ? *)"
continuous_backup = true
}
]
}
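Review bot: with no `vault_name` or `env` set, this fixture creates an IAM role and a vault literally named `backup_vault`, which collides with any other deployment of this module in the test account; give it a unique `vault_name`. It also only exercises one rule that sets every key, so consider a case that omits `continuous_backup` to confirm how the `rule.value.continuous_backup` lookup in main.tf behaves under the `list(any)` type.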
36 changes: 25 additions & 11 deletions variables.tf
@@ -1,19 +1,20 @@
variable "env" {
description = "Deployment environment"
variable "vault_name" {
description = "Backup vault name"
type = string
default = "backup_vault"
}

variable "env" {
description = "Envrionment for the plan"
type = string
default = "prod"
}
variable "region" {
description = "The region where resources should be managed."
type = string
default = "eu-central-1"
}

variable "component" {
description = "The component to which the resources deployed in this module belong to. This can be an application or a part of the overall infrastructure."
type = string
}

variable "backup_retention_days" {
description = "Number of days recovery points should be kept."
type = number
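Review bot: this hunk deletes `variable "component"`, which had no default and was therefore required, so every existing caller that passes `component` now fails with an unsupported-argument error; that is a breaking change and deserves a major version bump and a mention in the README. Minor: the new `env` description reads `Envrionment` (typo) and is copied verbatim into the README inputs table.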
Expand Down Expand Up @@ -58,12 +59,25 @@ variable "backup_plan_name" {

variable "plan_selection_tag" {
description = "Resource selection for the plan"
type = list(map)
type = list(map(string))
default = [
{
key = ""
value = ""
key = "Environment"
value = "Production"
}
]
}

variable "rules" {
description = "List of rules to attach to the plan"
type = list(any)
default = [
{
name = "daily"
schedule = "cron(0 12 * * ? *)"
continuous_backup = true
vault = "Backup"

}
}
]
}
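Review bot: `list(map)` to `list(map(string))` fixes a type constraint that current Terraform rejects, good. Two concerns with the new defaults: `plan_selection_tag` defaulting to `Environment = Production` means a caller who forgets the argument silently backs up every Production-tagged resource in the account and pays for it, so an empty default is safer; and `rules` is typed `list(any)` with a default carrying a `vault` key that main.tf never reads, while main.tf does read `continuous_backup`, so a caller who omits that key fails at plan with an unhelpful error. Suggest `list(object({ name = string, schedule = string, continuous_backup = optional(bool, false) }))` and dropping `vault` from the default.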