From ae31ace351d8531ae395111fc7e727b440d332d9 Mon Sep 17 00:00:00 2001 From: Sarhad Date: Mon, 16 Dec 2024 11:50:18 +0400 Subject: [PATCH 1/4] fix(DMVP-5908): fix kms alias default --- README.md | 3 ++- main.tf | 2 +- variables.tf | 6 ++++++ 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6637cda..8d932d3 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ module "backup" { | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 5.0 | +| [aws](#provider\_aws) | 5.81.0 | ## Modules @@ -78,6 +78,7 @@ module "backup" { | [backup\_retention\_days](#input\_backup\_retention\_days) | Number of days recovery points should be kept. | `number` | `7` | no | | [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `true` | no | | [env](#input\_env) | Envrionment for the plan | `string` | `"prod"` | no | +| [kms\_key\_alias](#input\_kms\_key\_alias) | kms key alias | `string` | `""` | no | | [plan\_selection\_tag](#input\_plan\_selection\_tag) | Resource selection for the plan | `list(map(string))` |
[
{
"key": "Environment",
"value": "Production"
}
]
| no | | [region](#input\_region) | The region where resources should be managed. | `string` | `"eu-central-1"` | no | | [rules](#input\_rules) | List of rules to attach to the plan | `list(any)` |
[
{
"continuous_backup": true,
"name": "daily",
"schedule": "cron(0 12 * * ? *)",
"vault": "Backup"
}
]
| no | diff --git a/main.tf b/main.tf index b59788c..860e2f4 100644 --- a/main.tf +++ b/main.tf @@ -8,7 +8,7 @@ resource "aws_kms_key" "backup" { } resource "aws_kms_alias" "backup" { - name = "alias/aws_backup-${var.vault_name}" + name = var.kms_key_alias == null ? var.kms_key_alias : "alias/aws_backup-${var.vault_name}-${var.env}" target_key_id = aws_kms_key.backup.arn } diff --git a/variables.tf b/variables.tf index 678ce7b..145955c 100644 --- a/variables.tf +++ b/variables.tf @@ -45,6 +45,12 @@ variable "backup_plan_name" { default = "" } +variable "kms_key_alias" { + description = "kms key alias" + type = string + default = "" +} + variable "plan_selection_tag" { description = "Resource selection for the plan" type = list(map(string)) From 6e7e301d4d29afe1e689499d3108c9d3faad7af6 Mon Sep 17 00:00:00 2001 From: Sarhad Date: Mon, 16 Dec 2024 12:26:15 +0400 Subject: [PATCH 2/4] fix(DMVP-5908): update sns module version --- README.md | 2 +- monitoring.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8d932d3..12e9496 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ module "backup" { | Name | Source | Version | |------|--------|---------| -| [sns\_topic](#module\_sns\_topic) | terraform-aws-modules/sns/aws | ~> 3.0 | +| [sns\_topic](#module\_sns\_topic) | terraform-aws-modules/sns/aws | ~> 6.0 | ## Resources diff --git a/monitoring.tf b/monitoring.tf index ce9f671..318c4db 100644 --- a/monitoring.tf +++ b/monitoring.tf @@ -92,7 +92,7 @@ resource "aws_kms_alias" "backup_sns" { module "sns_topic" { source = "terraform-aws-modules/sns/aws" - version = "~> 3.0" + version = "~> 6.0" name = "backups_${var.env}" From 91cb865bdb8dbfed43fa57be3fe94285596bc332 Mon Sep 17 00:00:00 2001 From: Sarhad Date: Mon, 16 Dec 2024 14:16:59 +0400 Subject: [PATCH 3/4] fix(DMVP-5908): update sns module version --- README.md | 4 ++-- monitoring.tf | 8 +++++++- variables.tf | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/README.md b/README.md index 12e9496..82e7594 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ module "backup" { | Name | Source | Version | |------|--------|---------| -| [sns\_topic](#module\_sns\_topic) | terraform-aws-modules/sns/aws | ~> 6.0 | +| [sns\_topic](#module\_sns\_topic) | terraform-aws-modules/sns/aws | 6.1.1 | ## Resources @@ -78,7 +78,7 @@ module "backup" { | [backup\_retention\_days](#input\_backup\_retention\_days) | Number of days recovery points should be kept. | `number` | `7` | no | | [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `true` | no | | [env](#input\_env) | Envrionment for the plan | `string` | `"prod"` | no | -| [kms\_key\_alias](#input\_kms\_key\_alias) | kms key alias | `string` | `""` | no | +| [kms\_key\_alias](#input\_kms\_key\_alias) | kms key alias | `string` | `null` | no | | [plan\_selection\_tag](#input\_plan\_selection\_tag) | Resource selection for the plan | `list(map(string))` |
[
{
"key": "Environment",
"value": "Production"
}
]
| no | | [region](#input\_region) | The region where resources should be managed. | `string` | `"eu-central-1"` | no | | [rules](#input\_rules) | List of rules to attach to the plan | `list(any)` |
[
{
"continuous_backup": true,
"name": "daily",
"schedule": "cron(0 12 * * ? *)",
"vault": "Backup"
}
]
| no | diff --git a/monitoring.tf b/monitoring.tf index 318c4db..f7f40ac 100644 --- a/monitoring.tf +++ b/monitoring.tf @@ -1,4 +1,5 @@ data "aws_iam_policy_document" "kms" { + count = var.alarm_lambda_arn != "" ? 1 : 0 statement { sid = "Enable IAM User Permissions" actions = ["kms:*"] @@ -48,6 +49,7 @@ data "aws_iam_policy_document" "kms" { } data "aws_iam_policy_document" "backup_notifications" { + count = var.alarm_lambda_arn != "" ? 1 : 0 policy_id = "aws_backup_${var.env}" statement { @@ -79,6 +81,7 @@ resource "aws_lambda_permission" "with_sns" { } resource "aws_kms_key" "this" { + count = var.alarm_lambda_arn != "" ? 1 : 0 description = "KMS key is used to encrypt this sns topic" deletion_window_in_days = 7 enable_key_rotation = true @@ -86,13 +89,15 @@ resource "aws_kms_key" "this" { } resource "aws_kms_alias" "backup_sns" { + count = var.enable_sns_notifications ? 1 : 0 name = "alias/aws_backup-sns-${var.env}" target_key_id = aws_kms_key.this.arn } module "sns_topic" { + count = var.enable_sns_notifications ? 1 : 0 source = "terraform-aws-modules/sns/aws" - version = "~> 6.0" + version = "6.1.1" name = "backups_${var.env}" @@ -110,6 +115,7 @@ resource "aws_sns_topic_subscription" "lambda" { } resource "aws_sns_topic_subscription" "email" { + count = var.alarm_lambda_arn != "" ? 1 : 0 for_each = length(var.alarm_email_addresses) > 0 ? toset(var.alarm_email_addresses) : toset([]) topic_arn = module.sns_topic.sns_topic_arn protocol = "email" diff --git a/variables.tf b/variables.tf index 145955c..e7dcbf4 100644 --- a/variables.tf +++ b/variables.tf @@ -48,7 +48,7 @@ variable "backup_plan_name" { variable "kms_key_alias" { description = "kms key alias" type = string - default = "" + default = null } variable "plan_selection_tag" { From da92bf074264891371dfaed19f3a58fd72f9b6de Mon Sep 17 00:00:00 2001 
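Review bot: `kms_key_alias` accepts any string, but `aws_kms_alias.name` must start with `alias/` and the `alias/aws/` prefix is reserved for AWS managed keys, so a caller passing a bare name — or the old default `""` that the previous patch shipped — only fails at apply time. A `validation` block on the variable would surface this at plan time, e.g. `condition = var.kms_key_alias == null || (can(regex("^alias/", var.kms_key_alias)) && !can(regex("^alias/aws/", var.kms_key_alias)))` with `error_message = "kms_key_alias must start with alias/ and must not use the reserved alias/aws/ prefix."`. The description `"kms key alias"` should also say that `null` means the module generates the alias name itself from the vault name and environment.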
From: Sarhad Date: Tue, 17 Dec 2024 11:23:16 +0400 Subject: [PATCH 4/4] fix(DMVP-5908): update sns module version --- README.md | 2 +- main.tf | 2 +- monitoring.tf | 27 +++++++++++++-------------- variables.tf | 2 +- 4 files changed, 16 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 82e7594..b680381 100644 --- a/README.md +++ b/README.md @@ -76,7 +76,7 @@ module "backup" { | [alarm\_lambda\_arn](#input\_alarm\_lambda\_arn) | ARN of a lambda function that should be subscribed to monitoring notifications | `string` | `""` | no | | [backup\_plan\_name](#input\_backup\_plan\_name) | Initial part of the plan name to which will be appended the env | `string` | `""` | no | | [backup\_retention\_days](#input\_backup\_retention\_days) | Number of days recovery points should be kept. | `number` | `7` | no | -| [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `true` | no | +| [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `false` | no | | [env](#input\_env) | Envrionment for the plan | `string` | `"prod"` | no | | [kms\_key\_alias](#input\_kms\_key\_alias) | kms key alias | `string` | `null` | no | | [plan\_selection\_tag](#input\_plan\_selection\_tag) | Resource selection for the plan | `list(map(string))` |
[
{
"key": "Environment",
"value": "Production"
}
]
| no | diff --git a/main.tf b/main.tf index 860e2f4..2bcb379 100644 --- a/main.tf +++ b/main.tf @@ -8,7 +8,7 @@ resource "aws_kms_key" "backup" { } resource "aws_kms_alias" "backup" { - name = var.kms_key_alias == null ? var.kms_key_alias : "alias/aws_backup-${var.vault_name}-${var.env}" + name = var.kms_key_alias != null ? var.kms_key_alias : "alias/aws_backup-${var.vault_name}-${var.env}" target_key_id = aws_kms_key.backup.arn } diff --git a/monitoring.tf b/monitoring.tf index f7f40ac..b378d84 100644 --- a/monitoring.tf +++ b/monitoring.tf @@ -1,5 +1,5 @@ data "aws_iam_policy_document" "kms" { - count = var.alarm_lambda_arn != "" ? 1 : 0 + count = var.enable_sns_notifications != "" ? 1 : 0 statement { sid = "Enable IAM User Permissions" actions = ["kms:*"] @@ -49,7 +49,7 @@ data "aws_iam_policy_document" "kms" { } data "aws_iam_policy_document" "backup_notifications" { - count = var.alarm_lambda_arn != "" ? 1 : 0 + count = var.enable_sns_notifications != "" ? 1 : 0 policy_id = "aws_backup_${var.env}" statement { @@ -77,21 +77,21 @@ resource "aws_lambda_permission" "with_sns" { action = "lambda:InvokeFunction" function_name = var.alarm_lambda_arn principal = "sns.amazonaws.com" - source_arn = module.sns_topic.sns_topic_arn + source_arn = module.sns_topic[0].topic_arn } resource "aws_kms_key" "this" { - count = var.alarm_lambda_arn != "" ? 1 : 0 + count = var.enable_sns_notifications != "" ? 1 : 0 description = "KMS key is used to encrypt this sns topic" deletion_window_in_days = 7 enable_key_rotation = true - policy = data.aws_iam_policy_document.kms.json + policy = data.aws_iam_policy_document.kms[0].json } resource "aws_kms_alias" "backup_sns" { count = var.enable_sns_notifications ? 1 : 0 name = "alias/aws_backup-sns-${var.env}" - target_key_id = aws_kms_key.this.arn + target_key_id = aws_kms_key.this[0].arn } module "sns_topic" { 
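Review bot: Changing the generated default from `alias/aws_backup-${var.vault_name}` to `alias/aws_backup-${var.vault_name}-${var.env}` forces replacement of `aws_kms_alias.backup` on every existing deployment, because an alias `name` cannot be updated in place; anything that resolves the key by alias (a `data "aws_kms_alias"` lookup, an SDK call using the alias as KeyId, or an IAM condition on `kms:ResourceAliases`) breaks for the destroy/create window and permanently if it still uses the old name. If the rename is intentional it deserves a line in the README and the commit message, plus a comment above the expression such as `# NOTE: changing the generated default replaces the alias resource; consumers that look the key up by alias must switch to the new name`. Otherwise keep the old default and let `kms_key_alias` be the opt-in for the env-suffixed name.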
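Review bot: `count = var.enable_sns_notifications != "" ? 1 : 0` compares a `bool` variable with a string; as far as I can tell Terraform's `==`/`!=` need equal type and value, so a bool is never equal to `""` and the count evaluates to 1 whether notifications are enabled or not. The same expression guards `data.aws_iam_policy_document.backup_notifications` and `aws_kms_key.this` in the later hunks, so disabling notifications still creates a rotated customer-managed key and its policy while the alias, topic and subscriptions are skipped — an orphaned key that costs money and that nobody can find by alias. Use the bool directly in all three places, `count = var.enable_sns_notifications ? 1 : 0`, as the alias and module blocks already do.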
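Review bot: `aws_lambda_permission.with_sns` now reads `module.sns_topic[0].topic_arn`, but no `count` is visible on that resource (its header is above the hunk), so with `enable_sns_notifications = false` — the new default — the plan fails with an invalid index on `module.sns_topic`, and with an empty `alarm_lambda_arn` it tries to grant invoke on a function named `""`. Mirror the guard used on the lambda subscription in the next hunk: `count = var.alarm_lambda_arn != "" && var.enable_sns_notifications ? 1 : 0`. If the resource already carries such a count outside this hunk, disregard.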
@@ -102,22 +102,21 @@ module "sns_topic" { name = "backups_${var.env}" display_name = "Backups in ${var.env}" - kms_master_key_id = aws_kms_key.this.arn - policy = data.aws_iam_policy_document.backup_notifications.json + kms_master_key_id = aws_kms_key.this[0].arn + topic_policy = data.aws_iam_policy_document.backup_notifications[0].json } resource "aws_sns_topic_subscription" "lambda" { - count = var.alarm_lambda_arn != "" ? 1 : 0 - topic_arn = module.sns_topic.sns_topic_arn + count = var.alarm_lambda_arn != "" && var.enable_sns_notifications ? 1 : 0 + topic_arn = module.sns_topic[0].topic_arn protocol = "lambda" endpoint = var.alarm_lambda_arn filter_policy = local.filter_completed_backups } resource "aws_sns_topic_subscription" "email" { - count = var.alarm_lambda_arn != "" ? 1 : 0 - for_each = length(var.alarm_email_addresses) > 0 ? toset(var.alarm_email_addresses) : toset([]) - topic_arn = module.sns_topic.sns_topic_arn + for_each = length(var.alarm_email_addresses) > 0 && var.enable_sns_notifications ? toset(var.alarm_email_addresses) : toset([]) + topic_arn = module.sns_topic[0].topic_arn protocol = "email" endpoint = each.key filter_policy = local.filter_completed_backups @@ -138,7 +137,7 @@ EOT resource "aws_backup_vault_notifications" "this" { count = var.enable_sns_notifications ? 1 : 0 backup_vault_name = var.vault_name - sns_topic_arn = module.sns_topic.sns_topic_arn + sns_topic_arn = module.sns_topic[0].topic_arn backup_vault_events = [ "BACKUP_JOB_COMPLETED", # filter successful backups on sns subscription! "RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED", diff --git a/variables.tf b/variables.tf index e7dcbf4..1bb38c2 100644 --- a/variables.tf +++ b/variables.tf @@ -24,7 +24,7 @@ variable "backup_retention_days" { variable "enable_sns_notifications" { description = "Create an SNS topic where backup notifications go" type = bool - default = true + default = false } variable "alarm_lambda_arn" {
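Review bot: Renaming `policy` to `topic_policy` may not be enough to keep AWS Backup's publish permission on the topic: in v6 of terraform-aws-modules/sns, as far as I recall, `topic_policy` is only attached when `create_topic_policy = false`, and the default `true` makes the module build its own policy, silently replacing `data.aws_iam_policy_document.backup_notifications[0]`. If that holds for the pinned 6.1.1, `aws_backup_vault_notifications` is created but the backup service is denied `sns:Publish`, so job notifications stop without any Terraform error. Either set `create_topic_policy = false` alongside `topic_policy`, or pass the document through `source_topic_policy_documents = [data.aws_iam_policy_document.backup_notifications[0].json]`; please confirm against the module's 6.1.1 inputs.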
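Review bot: Flipping the default of `enable_sns_notifications` from `true` to `false` is a breaking change for every consumer that never set it explicitly: on their next apply the topic, its KMS key, the email/lambda subscriptions and `aws_backup_vault_notifications` are destroyed, so backup job monitoring disappears with no warning. The description should say so, e.g. `"Create an SNS topic where backup notifications go. Defaults to false; consumers that relied on the previous default of true must set it explicitly or the topic, its KMS key and the vault notification configuration will be removed."`. A default change of this kind also belongs in a changelog entry or major version bump rather than in a commit titled as an SNS module version update.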