fix(DMVP-5908): fix kms key alias #7

Merged
merged 4 commits into from
Dec 17, 2024
7 changes: 4 additions & 3 deletions README.md
Expand Up @@ -35,13 +35,13 @@ module "backup" {

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.81.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_sns_topic"></a> [sns\_topic](#module\_sns\_topic) | terraform-aws-modules/sns/aws | ~> 3.0 |
| <a name="module_sns_topic"></a> [sns\_topic](#module\_sns\_topic) | terraform-aws-modules/sns/aws | 6.1.1 |

## Resources

Expand Down Expand Up @@ -76,8 +76,9 @@ module "backup" {
| <a name="input_alarm_lambda_arn"></a> [alarm\_lambda\_arn](#input\_alarm\_lambda\_arn) | ARN of a lambda function that should be subscribed to monitoring notifications | `string` | `""` | no |
| <a name="input_backup_plan_name"></a> [backup\_plan\_name](#input\_backup\_plan\_name) | Initial part of the plan name to which will be appended the env | `string` | `""` | no |
| <a name="input_backup_retention_days"></a> [backup\_retention\_days](#input\_backup\_retention\_days) | Number of days recovery points should be kept. | `number` | `7` | no |
| <a name="input_enable_sns_notifications"></a> [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `true` | no |
| <a name="input_enable_sns_notifications"></a> [enable\_sns\_notifications](#input\_enable\_sns\_notifications) | Create an SNS topic where backup notifications go | `bool` | `false` | no |
| <a name="input_env"></a> [env](#input\_env) | Envrionment for the plan | `string` | `"prod"` | no |
| <a name="input_kms_key_alias"></a> [kms\_key\_alias](#input\_kms\_key\_alias) | kms key alias | `string` | `null` | no |
| <a name="input_plan_selection_tag"></a> [plan\_selection\_tag](#input\_plan\_selection\_tag) | Resource selection for the plan | `list(map(string))` | <pre>[<br/> {<br/> "key": "Environment",<br/> "value": "Production"<br/> }<br/>]</pre> | no |
| <a name="input_region"></a> [region](#input\_region) | The region where resources should be managed. | `string` | `"eu-central-1"` | no |
| <a name="input_rules"></a> [rules](#input\_rules) | List of rules to attach to the plan | `list(any)` | <pre>[<br/> {<br/> "continuous_backup": true,<br/> "name": "daily",<br/> "schedule": "cron(0 12 * * ? *)",<br/> "vault": "Backup"<br/> }<br/>]</pre> | no |
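--- a/main.tf
+++ b/main.tf
@@ -8,7 +8,7 @@ resource "aws_kms_key" "backup" {
 }
 
 resource "aws_kms_alias" "backup" {
-name = "alias/aws_backup-${var.vault_name}"
+name = var.kms_key_alias != null ? var.kms_key_alias : "alias/aws_backup-${var.vault_name}-${var.env}"
 target_key_id = aws_kms_key.backup.arn
 }
 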
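Review bot: The new default `alias/aws_backup-${var.vault_name}-${var.env}` renames the alias for every existing deployment that does not set `kms_key_alias`, and `name` on `aws_kms_alias` forces replacement, so the previous alias disappears on the next apply and anything outside this module that presumably resolves the key by the old alias string will break. If the `-${var.env}` suffix is meant to allow several module instances per account/region, document the rename in the README and state that existing callers must either pass the old name through `kms_key_alias` or update their references. `var.kms_key_alias` is also used here unvalidated; AWS requires alias names to begin with `alias/` and rejects the reserved `alias/aws/` prefix, so a `validation` block on the variable (or at least a comment `# kms_key_alias must start with "alias/" and must not use the reserved "alias/aws/" prefix`) would fail at plan time instead of after the key has already been created.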
27 changes: 16 additions & 11 deletions monitoring.tf
@@ -1,4 +1,5 @@
data "aws_iam_policy_document" "kms" {
count = var.enable_sns_notifications != "" ? 1 : 0
statement {
sid = "Enable IAM User Permissions"
actions = ["kms:*"]
Expand Down Expand Up @@ -48,6 +49,7 @@ data "aws_iam_policy_document" "kms" {
}

data "aws_iam_policy_document" "backup_notifications" {
count = var.enable_sns_notifications != "" ? 1 : 0
policy_id = "aws_backup_${var.env}"

statement {
Expand Down Expand Up @@ -75,43 +77,46 @@ resource "aws_lambda_permission" "with_sns" {
action = "lambda:InvokeFunction"
function_name = var.alarm_lambda_arn
principal = "sns.amazonaws.com"
source_arn = module.sns_topic.sns_topic_arn
source_arn = module.sns_topic[0].topic_arn
}

resource "aws_kms_key" "this" {
count = var.enable_sns_notifications != "" ? 1 : 0
description = "KMS key is used to encrypt this sns topic"
deletion_window_in_days = 7
enable_key_rotation = true
policy = data.aws_iam_policy_document.kms.json
policy = data.aws_iam_policy_document.kms[0].json
}

resource "aws_kms_alias" "backup_sns" {
count = var.enable_sns_notifications ? 1 : 0
name = "alias/aws_backup-sns-${var.env}"
target_key_id = aws_kms_key.this.arn
target_key_id = aws_kms_key.this[0].arn
}

module "sns_topic" {
count = var.enable_sns_notifications ? 1 : 0
source = "terraform-aws-modules/sns/aws"
version = "~> 3.0"
version = "6.1.1"


name = "backups_${var.env}"
display_name = "Backups in ${var.env}"
kms_master_key_id = aws_kms_key.this.arn
policy = data.aws_iam_policy_document.backup_notifications.json
kms_master_key_id = aws_kms_key.this[0].arn
topic_policy = data.aws_iam_policy_document.backup_notifications[0].json
}

resource "aws_sns_topic_subscription" "lambda" {
count = var.alarm_lambda_arn != "" ? 1 : 0
topic_arn = module.sns_topic.sns_topic_arn
count = var.alarm_lambda_arn != "" && var.enable_sns_notifications ? 1 : 0
topic_arn = module.sns_topic[0].topic_arn
protocol = "lambda"
endpoint = var.alarm_lambda_arn
filter_policy = local.filter_completed_backups
}

resource "aws_sns_topic_subscription" "email" {
for_each = length(var.alarm_email_addresses) > 0 ? toset(var.alarm_email_addresses) : toset([])
topic_arn = module.sns_topic.sns_topic_arn
for_each = length(var.alarm_email_addresses) > 0 && var.enable_sns_notifications ? toset(var.alarm_email_addresses) : toset([])
topic_arn = module.sns_topic[0].topic_arn
protocol = "email"
endpoint = each.key
filter_policy = local.filter_completed_backups
Expand All @@ -132,7 +137,7 @@ EOT
resource "aws_backup_vault_notifications" "this" {
count = var.enable_sns_notifications ? 1 : 0
backup_vault_name = var.vault_name
sns_topic_arn = module.sns_topic.sns_topic_arn
sns_topic_arn = module.sns_topic[0].topic_arn
backup_vault_events = [
"BACKUP_JOB_COMPLETED", # filter successful backups on sns subscription!
"RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED",
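Review bot: The three new guards `count = var.enable_sns_notifications != "" ? 1 : 0` (on the `kms` and `backup_notifications` policy documents and on `aws_kms_key.this`) compare a `bool` variable against an empty string, so they do not follow the flag the way `aws_kms_alias.backup_sns`, `module.sns_topic` and `aws_backup_vault_notifications.this` do with `var.enable_sns_notifications ? 1 : 0`; depending on how Terraform unifies the operand types this either always yields 1 — creating an orphan KMS key and its `kms:*` key policy even when notifications are disabled — or fails type checking. Use `count = var.enable_sns_notifications ? 1 : 0` on all three so the key, its policy and the topic policy are created and destroyed together with the topic. `aws_lambda_permission.with_sns` now indexes `module.sns_topic[0].topic_arn` but its `count` line is above the hunk; unless it was also extended with `&& var.enable_sns_notifications` as the `lambda` subscription was, setting `alarm_lambda_arn` while notifications are disabled will fail on the empty module instance.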
8 changes: 7 additions & 1 deletion variables.tf
Expand Up @@ -24,7 +24,7 @@ variable "backup_retention_days" {
variable "enable_sns_notifications" {
description = "Create an SNS topic where backup notifications go"
type = bool
default = true
default = false
}

variable "alarm_lambda_arn" {
Expand All @@ -45,6 +45,12 @@ variable "backup_plan_name" {
default = ""
}

variable "kms_key_alias" {
description = "kms key alias"
type = string
default = null
}

variable "plan_selection_tag" {
description = "Resource selection for the plan"
type = list(map(string))
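Review bot: `kms_key_alias` is accepted as-is and its description is only "kms key alias", yet AWS rejects alias names that do not start with `alias/` and reserves the `alias/aws/` prefix, so a bad value is reported only at apply time after `aws_kms_key.backup` has already been created. A `validation` block catches this at plan time, and the description should say which default applies when the value is `null`. Separately, flipping the `enable_sns_notifications` default to `false` means callers that relied on the old default will see the SNS topic, its KMS key (with its 7-day deletion window) and the vault notifications planned for destruction on upgrade, which deserves a README migration note.
```hcl
variable "kms_key_alias" {
  description = "Full name of the KMS alias for the backup vault key, e.g. \"alias/aws_backup-prod\". Must start with \"alias/\" and must not use the reserved \"alias/aws/\" prefix. When null, defaults to \"alias/aws_backup-<vault_name>-<env>\"."
  type        = string
  default     = null

  validation {
    condition     = var.kms_key_alias == null || (can(regex("^alias/", var.kms_key_alias)) && !can(regex("^alias/aws/", var.kms_key_alias)))
    error_message = "kms_key_alias must start with \"alias/\" and must not start with the reserved \"alias/aws/\" prefix."
  }
}
```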