breaking: terraform 0.12 upgrade & best practices

Upgrade of the module to be terraform 0.12 compatible, addition of
authors and changelog files, improved gitignore, and on delete
provisioner on selections because of race condition, fix examples
tags/1.0.0
parent commit: 873d15d08c
Signed by: christophe.vkerchove <christophe.vkerchove@fxinnovation.com> GPG Key ID: 4D89B3BBD1603CB8
25 changed files with 288 additions and 149 deletions
1. .gitignore (+26 -0)
2. AUTHORS (+2 -0)
3. CHANGELOG.md (+39 -0)
4. Jenkinsfile (+0 -3)
5. README.md (+1 -1)
6. examples/default/main.tf (+4 -4)
7. examples/default/outputs.tf (+14 -13)
8. examples/default/variables.tf (+3 -2)
9. examples/default/versions.tf (+4 -0)
10. examples/disabled/main.tf (+3 -2)
11. examples/disabled/outputs.tf (+14 -13)
12. examples/disabled/variables.tf (+3 -2)
13. examples/disabled/versions.tf (+4 -0)
14. examples/with-external-kms/main.tf (+7 -5)
15. examples/with-external-kms/outputs.tf (+14 -13)
16. examples/with-external-kms/variables.tf (+3 -2)
17. examples/with-external-kms/versions.tf (+4 -0)
18. examples/with-external-vault/main.tf (+9 -7)
19. examples/with-external-vault/outputs.tf (+14 -13)
20. examples/with-external-vault/variables.tf (+3 -2)
21. examples/with-external-vault/versions.tf (+4 -0)
22. main.tf (+92 -52)
23. outputs.tf (+14 -13)
24. variables.tf (+4 -2)
25. versions.tf (+3 -0)

.gitignore (+26 -0)

@@ -1 +1,27 @@
# ---> Terraform
# Local .terraform directories
**/.terraform/*

# .tfstate files
*.tfstate
*.tfstate.*

# Crash log files
crash.log

# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
#
# example.tfvars

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf
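Review bot: the `*.tfvars` ignore is left commented out (`# example.tfvars`) while every example's variables.tf takes `access_key` and `secret_key` as input variables, so a local `terraform.tfvars` holding real AWS keys would not be caught by this file. Consider adding `terraform.tfvars` and `*.auto.tfvars` to the ignore list, or dropping the key variables in favour of the provider's environment and shared-credentials lookup. Ignoring `*.tfstate` is the right call, since state stores resource attributes in plaintext.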

AUTHORS (+2 -0)

@@ -0,0 +1,2 @@
Guillaume DONVAL <guillaume.donval@fxinnovation.com>
Christophe van de Kerchove <christophe.vkerchove@fxinnovation.com>

CHANGELOG.md (+39 -0)

@@ -0,0 +1,39 @@

1.0.0 / 2019-11-21
==================

* breaking: terraform 0.12 upgrade & best practices

0.1.0 / 2019-10-10
==================

* Merge branch 'feature/module' of fxinnovation-public/terraform-module-aws-backup into master
* feat: adds depends_on
* refactor: removes all the >0
* fix: fixes condition for backup plan
* fix: fixes conditions for Selection Role
* fix: fixes conditions for KMS key
* test: adds example with external vault
* fix: fixes outputs
* test: fixes outputs for some examples
* test: adds test with External KMS key
* fix: fixes main.tf
* fix: fixes variable type
* fix: uses ARN for selection by ressource
* test: adds disabled example
* fix: makes sure resources is a list
* fix: changes outputs without splat syntaw
* fix: fixes variable type
* test: adds outputs & readme for default example
* test: adds default example
* doc: fixes comment header in variable
* tech: adds outputs for the module
* feat: adds main module & variables
* doc: adds limitations on documentation
* Merge branch 'feature/init' of fxinnovation-public/terraform-module-aws-backup into master
* refactor: fixes style
* tech: adds variables.tf and outputs.tf
* tech: adds empty main.tf
* test: adds Jenkinsfile
* tech: initial files for the module
* Initial commit

Jenkinsfile (+0 -3)

@@ -1,6 +1,3 @@
fxTerraformWithUsernamePassword(
testEnvironmentCredentialId: 'itoa-application-awscollectors-awscred',
commonOptions: [
dockerImage: 'fxinnovation/terraform:2.5.0'
]
)
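Review bot: the hunk header (-1,6 +1,3) says three lines were removed, but the rendered view does not mark which; if they are the `commonOptions` block with `dockerImage: 'fxinnovation/terraform:2.5.0'`, the CI job now runs on whatever image the shared library defaults to, so the Terraform version the examples are tested against is no longer pinned next to the new `required_version = ">= 0.12"` constraint. The commit message should say which image or version the pipeline is expected to use.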

README.md (+1 -1)

@@ -38,7 +38,7 @@ Module to manage AWS Backup with Terraform.
| tags | Tags to be shared among all resources of this module. | map | `{}` | no |
| vault\_create | Whether or not to create a vault for AWS Backup. | string | `"true"` | no |
| vault\_kms\_key\_alias\_name | Alias for the KMS key of the Backup vault. Will be merged with tags. | string | `""` | no |
| vault\_kms\_key\_arn | ARN of the KMS key to use for the vault for AWS Backup. Use only if vault_kms_key_create is 'false'. | string | `""` | no |
| vault\_kms\_key\_arn | ARN of the KMS key to use for the vault for AWS Backup. Do not specify if you want to let the module create it own key. | string | `"null"` | no |
| vault\_kms\_key\_create | Whether or not to create a KMS key for the vault for AWS Backup. | string | `"true"` | no |
| vault\_kms\_key\_name | Name of the KMS key to use for the vault for AWS Backup. | string | `""` | no |
| vault\_kms\_tags | Tags for the KMS key of the Backup vault. Will be merged with tags. | map | `{}` | no |
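Review bot: the new `vault_kms_key_arn` row renders the default as the string `"null"`, while variables.tf sets `default = null`; a reader copying the table literally would pass the text `null` as an ARN. Show the default as unquoted `null`. The description also has a typo: "let the module create it own key" should read "its own key".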


examples/default/main.tf (+4 -4)

@@ -1,8 +1,8 @@
provider "aws" {
version = "~> 2.19.0"
region = "eu-west-2"
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
access_key = var.access_key
secret_key = var.secret_key
}

resource "random_string" "this" {
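Review bot: feeding `access_key`/`secret_key` into the provider block from variables means the keys travel through `-var` arguments, tfvars files or CI logs of the example; the AWS provider already reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` and shared profiles, so the two arguments (and the matching variables) could be dropped. The same applies to the disabled, with-external-kms and with-external-vault examples, which carry identical provider blocks.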
@@ -35,7 +35,6 @@ module "default" {

vault_create = true
vault_name = "tftest${random_string.this.result}Vault"
vault_kms_key_create = true
vault_kms_key_name = "tftest${random_string.this.result}KMSKeyName"
vault_kms_key_alias_name = "alias/tftest/${random_string.this.result}"
vault_tags = {
@@ -78,6 +77,7 @@ module "default" {
selection_tag_value = 1
selection_resource_name = "tftest${random_string.this.result}SelectionResource"
selection_resources = [
"${aws_ebs_volume.example.arn}",
aws_ebs_volume.example.arn,
]
}


examples/default/outputs.tf (+14 -13)

@@ -3,27 +3,27 @@
####

output "vault_id" {
value = "${module.default.vault_id}"
value = module.default.vault_id
}

output "vault_arn" {
value = "${module.default.vault_arn}"
value = module.default.vault_arn
}

output "vault_recovery_points" {
value = "${module.default.vault_recovery_points}"
value = module.default.vault_recovery_points
}

output "vault_kms_key_arn" {
value = "${module.default.vault_kms_key_arn}"
value = module.default.vault_kms_key_arn
}

output "vault_kms_key_id" {
value = "${module.default.vault_kms_key_id}"
value = module.default.vault_kms_key_id
}

output "vault_kms_key_alias_arn" {
value = "${module.default.vault_kms_key_alias_arn}"
value = module.default.vault_kms_key_alias_arn
}

####
@@ -31,23 +31,23 @@ output "vault_kms_key_alias_arn" {
####

output "plan_arns" {
value = "${module.default.plan_arns}"
value = module.default.plan_arns
}

output "plan_versions" {
value = "${module.default.plan_versions}"
value = module.default.plan_versions
}

output "plan_iam_role_arn" {
value = "${module.default.plan_iam_role_arn}"
value = module.default.plan_iam_role_arn
}

output "plan_iam_role_name" {
value = "${module.default.plan_iam_role_name}"
value = module.default.plan_iam_role_name
}

output "plan_iam_role_unique_id" {
value = "${module.default.plan_iam_role_unique_id}"
value = module.default.plan_iam_role_unique_id
}

####
@@ -55,9 +55,10 @@ output "plan_iam_role_unique_id" {
####

output "selection_tag_ids" {
value = "${module.default.selection_tag_ids}"
value = module.default.selection_tag_ids
}

output "selection_resources_ids" {
value = "${module.default.selection_resources_ids}"
value = module.default.selection_resources_ids
}


examples/default/variables.tf (+3 -2)

@@ -1,7 +1,8 @@
variable "access_key" {
type = "string"
type = string
}

variable "secret_key" {
type = "string"
type = string
}


examples/default/versions.tf (+4 -0)

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}

examples/disabled/main.tf (+3 -2)

@@ -1,8 +1,8 @@
provider "aws" {
version = "~> 2.19.0"
region = "eu-west-2"
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
access_key = var.access_key
secret_key = var.secret_key
}

module "disabled" {
@@ -10,3 +10,4 @@ module "disabled" {

enabled = false
}


examples/disabled/outputs.tf (+14 -13)

@@ -3,27 +3,27 @@
####

output "vault_id" {
value = "${module.disabled.vault_id}"
value = module.disabled.vault_id
}

output "vault_arn" {
value = "${module.disabled.vault_arn}"
value = module.disabled.vault_arn
}

output "vault_recovery_points" {
value = "${module.disabled.vault_recovery_points}"
value = module.disabled.vault_recovery_points
}

output "vault_kms_key_arn" {
value = "${module.disabled.vault_kms_key_arn}"
value = module.disabled.vault_kms_key_arn
}

output "vault_kms_key_id" {
value = "${module.disabled.vault_kms_key_id}"
value = module.disabled.vault_kms_key_id
}

output "vault_kms_key_alias_arn" {
value = "${module.disabled.vault_kms_key_alias_arn}"
value = module.disabled.vault_kms_key_alias_arn
}

####
@@ -31,23 +31,23 @@ output "vault_kms_key_alias_arn" {
####

output "plan_arns" {
value = "${module.disabled.plan_arns}"
value = module.disabled.plan_arns
}

output "plan_versions" {
value = "${module.disabled.plan_versions}"
value = module.disabled.plan_versions
}

output "plan_iam_role_arn" {
value = "${module.disabled.plan_iam_role_arn}"
value = module.disabled.plan_iam_role_arn
}

output "plan_iam_role_name" {
value = "${module.disabled.plan_iam_role_name}"
value = module.disabled.plan_iam_role_name
}

output "plan_iam_role_unique_id" {
value = "${module.disabled.plan_iam_role_unique_id}"
value = module.disabled.plan_iam_role_unique_id
}

####
@@ -55,9 +55,10 @@ output "plan_iam_role_unique_id" {
####

output "selection_tag_ids" {
value = "${module.disabled.selection_tag_ids}"
value = module.disabled.selection_tag_ids
}

output "selection_resources_ids" {
value = "${module.disabled.selection_resources_ids}"
value = module.disabled.selection_resources_ids
}


examples/disabled/variables.tf (+3 -2)

@@ -1,7 +1,8 @@
variable "access_key" {
type = "string"
type = string
}

variable "secret_key" {
type = "string"
type = string
}


examples/disabled/versions.tf (+4 -0)

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}

examples/with-external-kms/main.tf (+7 -5)

@@ -1,8 +1,8 @@
provider "aws" {
version = "~> 2.19.0"
region = "eu-west-2"
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
access_key = var.access_key
secret_key = var.secret_key
}

resource "random_string" "this" {
@@ -11,7 +11,8 @@ resource "random_string" "this" {
special = false
}

resource "aws_kms_key" "example" {}
resource "aws_kms_key" "example" {
}

resource "aws_ebs_volume" "example" {
availability_zone = "eu-west-2a"
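Review bot: `aws_kms_key.example` still has an empty body after the reformat; for a test fixture, set `deletion_window_in_days = 7` so keys destroyed by the example leave pending-deletion after the minimum window instead of the 30-day default, and `enable_key_rotation = true` so the fixture reflects the hardening expected of a vault key. The same empty key appears in examples/with-external-vault/main.tf.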
@@ -37,8 +38,8 @@ module "with_external_kms" {

vault_create = true
vault_name = "tftest${random_string.this.result}Vault"
vault_kms_key_arn = aws_kms_key.example.arn
vault_kms_key_create = false
vault_kms_key_arn = "${aws_kms_key.example.arn}"
vault_kms_key_name = "tftest${random_string.this.result}KMSKeyName"
vault_kms_key_alias_name = "alias/tftest/${random_string.this.result}"
vault_tags = {
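Review bot: with `vault_kms_key_create = false`, `vault_kms_key_name` and `vault_kms_key_alias_name` are still passed although the module creates neither key nor alias in that case; dropping them keeps the example an accurate picture of which inputs matter when an external key is supplied.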
@@ -81,6 +82,7 @@ module "with_external_kms" {
selection_tag_value = 1
selection_resource_name = "tftest${random_string.this.result}SelectionResource"
selection_resources = [
"${aws_ebs_volume.example.arn}",
aws_ebs_volume.example.arn,
]
}


examples/with-external-kms/outputs.tf (+14 -13)

@@ -3,27 +3,27 @@
####

output "vault_id" {
value = "${module.with_external_kms.vault_id}"
value = module.with_external_kms.vault_id
}

output "vault_arn" {
value = "${module.with_external_kms.vault_arn}"
value = module.with_external_kms.vault_arn
}

output "vault_recovery_points" {
value = "${module.with_external_kms.vault_recovery_points}"
value = module.with_external_kms.vault_recovery_points
}

output "vault_kms_key_arn" {
value = "${module.with_external_kms.vault_kms_key_arn}"
value = module.with_external_kms.vault_kms_key_arn
}

output "vault_kms_key_id" {
value = "${module.with_external_kms.vault_kms_key_id}"
value = module.with_external_kms.vault_kms_key_id
}

output "vault_kms_key_alias_arn" {
value = "${module.with_external_kms.vault_kms_key_alias_arn}"
value = module.with_external_kms.vault_kms_key_alias_arn
}

####
@@ -31,23 +31,23 @@ output "vault_kms_key_alias_arn" {
####

output "plan_arns" {
value = "${module.with_external_kms.plan_arns}"
value = module.with_external_kms.plan_arns
}

output "plan_versions" {
value = "${module.with_external_kms.plan_versions}"
value = module.with_external_kms.plan_versions
}

output "plan_iam_role_arn" {
value = "${module.with_external_kms.plan_iam_role_arn}"
value = module.with_external_kms.plan_iam_role_arn
}

output "plan_iam_role_name" {
value = "${module.with_external_kms.plan_iam_role_name}"
value = module.with_external_kms.plan_iam_role_name
}

output "plan_iam_role_unique_id" {
value = "${module.with_external_kms.plan_iam_role_unique_id}"
value = module.with_external_kms.plan_iam_role_unique_id
}

####
@@ -55,9 +55,10 @@ output "plan_iam_role_unique_id" {
####

output "selection_tag_ids" {
value = "${module.with_external_kms.selection_tag_ids}"
value = module.with_external_kms.selection_tag_ids
}

output "selection_resources_ids" {
value = "${module.with_external_kms.selection_resources_ids}"
value = module.with_external_kms.selection_resources_ids
}


examples/with-external-kms/variables.tf (+3 -2)

@@ -1,7 +1,8 @@
variable "access_key" {
type = "string"
type = string
}

variable "secret_key" {
type = "string"
type = string
}


examples/with-external-kms/versions.tf (+4 -0)

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}

examples/with-external-vault/main.tf (+9 -7)

@@ -1,8 +1,8 @@
provider "aws" {
version = "~> 2.19.0"
region = "eu-west-2"
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
access_key = var.access_key
secret_key = var.secret_key
}

resource "random_string" "this" {
@@ -11,11 +11,12 @@ resource "random_string" "this" {
special = false
}

resource "aws_kms_key" "example" {}
resource "aws_kms_key" "example" {
}

resource "aws_backup_vault" "example" {
name = "example_backup_vault"
kms_key_arn = "${aws_kms_key.example.arn}"
name = random_string.this.result
kms_key_arn = aws_kms_key.example.arn
}

resource "aws_ebs_volume" "example" {
@@ -41,7 +42,7 @@ module "with_external_vault" {
####

vault_create = false
vault_name = "${aws_backup_vault.example.name}"
vault_name = aws_backup_vault.example.name

####
# Plan
@@ -76,6 +77,7 @@ module "with_external_vault" {
selection_tag_value = 1
selection_resource_name = "tftest${random_string.this.result}SelectionResource"
selection_resources = [
"${aws_ebs_volume.example.arn}",
aws_ebs_volume.example.arn,
]
}


examples/with-external-vault/outputs.tf (+14 -13)

@@ -3,27 +3,27 @@
####

output "vault_id" {
value = "${module.with_external_vault.vault_id}"
value = module.with_external_vault.vault_id
}

output "vault_arn" {
value = "${module.with_external_vault.vault_arn}"
value = module.with_external_vault.vault_arn
}

output "vault_recovery_points" {
value = "${module.with_external_vault.vault_recovery_points}"
value = module.with_external_vault.vault_recovery_points
}

output "vault_kms_key_arn" {
value = "${module.with_external_vault.vault_kms_key_arn}"
value = module.with_external_vault.vault_kms_key_arn
}

output "vault_kms_key_id" {
value = "${module.with_external_vault.vault_kms_key_id}"
value = module.with_external_vault.vault_kms_key_id
}

output "vault_kms_key_alias_arn" {
value = "${module.with_external_vault.vault_kms_key_alias_arn}"
value = module.with_external_vault.vault_kms_key_alias_arn
}

####
@@ -31,23 +31,23 @@ output "vault_kms_key_alias_arn" {
####

output "plan_arns" {
value = "${module.with_external_vault.plan_arns}"
value = module.with_external_vault.plan_arns
}

output "plan_versions" {
value = "${module.with_external_vault.plan_versions}"
value = module.with_external_vault.plan_versions
}

output "plan_iam_role_arn" {
value = "${module.with_external_vault.plan_iam_role_arn}"
value = module.with_external_vault.plan_iam_role_arn
}

output "plan_iam_role_name" {
value = "${module.with_external_vault.plan_iam_role_name}"
value = module.with_external_vault.plan_iam_role_name
}

output "plan_iam_role_unique_id" {
value = "${module.with_external_vault.plan_iam_role_unique_id}"
value = module.with_external_vault.plan_iam_role_unique_id
}

####
@@ -55,9 +55,10 @@ output "plan_iam_role_unique_id" {
####

output "selection_tag_ids" {
value = "${module.with_external_vault.selection_tag_ids}"
value = module.with_external_vault.selection_tag_ids
}

output "selection_resources_ids" {
value = "${module.with_external_vault.selection_resources_ids}"
value = module.with_external_vault.selection_resources_ids
}


examples/with-external-vault/variables.tf (+3 -2)

@@ -1,7 +1,8 @@
variable "access_key" {
type = "string"
type = string
}

variable "secret_key" {
type = "string"
type = string
}


examples/with-external-vault/versions.tf (+4 -0)

@@ -0,0 +1,4 @@

terraform {
required_version = ">= 0.12"
}

main.tf (+92 -52)

@@ -1,39 +1,53 @@
#####
# Locals
#####

locals {
tags = {
"Terraform" = "true"
}
}

####
# Vault
####

resource "aws_backup_vault" "this" {
count = "${var.enabled && var.vault_create ? 1 : 0}"
count = var.enabled && var.vault_create ? 1 : 0

name = "${var.vault_name}"
kms_key_arn = "${var.vault_kms_key_create ? element(concat(aws_kms_key.this.*.arn, list("")), 0) : var.vault_kms_key_arn}"
name = var.vault_name
kms_key_arn = var.vault_kms_key_create ? element(concat(aws_kms_key.this.*.arn, [""]), 0) : var.vault_kms_key_arn

tags = "${merge(
map("Terraform", "true"),
map("Name", var.vault_name),
tags = merge(
local.tags,
var.tags,
var.vault_tags
)}"
var.vault_tags,
{
"Name" = var.vault_name
},
)
}

resource "aws_kms_key" "this" {
count = "${var.enabled && var.vault_create && var.vault_kms_key_create ? 1 : 0}"
count = var.enabled && var.vault_create && var.vault_kms_key_create ? 1 : 0

description = "KMS Key for '${var.vault_name}' vault encryption."

tags = "${merge(
map("Terraform", "true"),
map("Name", var.vault_kms_key_name),
tags = merge(
local.tags,
var.tags,
var.vault_kms_tags
)}"
var.vault_kms_tags,
{
"Name" = var.vault_kms_key_name
},
)
}

resource "aws_kms_alias" "this" {
count = "${var.enabled && var.vault_create && var.vault_kms_key_create ? 1 : 0}"
count = var.enabled && var.vault_create && var.vault_kms_key_create ? 1 : 0

name = "${var.vault_kms_key_alias_name}"
target_key_id = "${aws_kms_key.this.key_id}"
name = var.vault_kms_key_alias_name
target_key_id = aws_kms_key.this[0].key_id
}

####
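Review bot: the merge order for `tags` changed: `Name` used to come before `var.tags`/`var.vault_tags` and could be overridden by them, whereas `{ "Name" = var.vault_name }` is now last and always wins (same for the KMS key tags). That is a behaviour change the changelog should mention. Separately, `kms_key_arn` still selects on `var.vault_kms_key_create`, so a caller who sets `vault_kms_key_arn` but leaves `vault_kms_key_create` at its default has the ARN silently ignored; the new variable description ("Do not specify if you want to let the module create it own key") reads as if creation were derived from `var.vault_kms_key_arn == null`, so either document that both inputs must be set together or derive the decision from the ARN.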
@@ -41,30 +55,32 @@ resource "aws_kms_alias" "this" {
####

resource "aws_backup_plan" "this" {
count = "${var.enabled && var.plan_create ? 1 : 0}"
count = var.enabled && var.plan_create ? 1 : 0

name = "${var.plan_name}"
name = var.plan_name

rule {
rule_name = "${var.plan_rule_name}"
target_vault_name = "${var.vault_create ? element(concat(aws_backup_vault.this.*.name, list("")), 0) : var.vault_name}"
schedule = "${var.plan_rule_schedule}"
start_window = "${var.plan_rule_start_window}"
completion_window = "${var.plan_rule_completion_window}"
recovery_point_tags = "${var.plan_rule_recovery_point_tags}"
rule_name = var.plan_rule_name
target_vault_name = var.vault_create ? element(concat(aws_backup_vault.this.*.name, [""]), 0) : var.vault_name
schedule = var.plan_rule_schedule
start_window = var.plan_rule_start_window
completion_window = var.plan_rule_completion_window
recovery_point_tags = var.plan_rule_recovery_point_tags

lifecycle {
cold_storage_after = "${var.plan_rule_lifecycle_cold_storage_after}"
delete_after = "${var.plan_rule_lifecycle_delete_after}"
cold_storage_after = var.plan_rule_lifecycle_cold_storage_after
delete_after = var.plan_rule_lifecycle_delete_after
}
}

tags = "${merge(
map("Terraform", "true"),
map("Name", var.plan_name),
tags = merge(
local.tags,
var.tags,
var.plan_tags
)}"
var.plan_tags,
{
"Name" = var.plan_name
},
)
}

####
@@ -72,7 +88,7 @@ resource "aws_backup_plan" "this" {
####

data "aws_iam_policy_document" "this" {
count = "${var.enabled && var.selection_create && var.selection_role_create ? 1 : 0}"
count = var.enabled && var.selection_create && var.selection_role_create ? 1 : 0

statement {
effect = "Allow"
@@ -89,43 +105,67 @@ data "aws_iam_policy_document" "this" {
}

resource "aws_iam_role" "this" {
count = "${var.enabled && var.selection_create && var.selection_role_create ? 1 : 0}"
count = var.enabled && var.selection_create && var.selection_role_create ? 1 : 0

name = "${var.selection_iam_role_name}"
assume_role_policy = "${data.aws_iam_policy_document.this.json}"
name = var.selection_iam_role_name
assume_role_policy = data.aws_iam_policy_document.this[0].json
}

resource "aws_iam_role_policy_attachment" "this" {
count = "${var.enabled && var.selection_create && var.selection_role_create ? 1 : 0}"
count = var.enabled && var.selection_create && var.selection_role_create ? 1 : 0

policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
role = "${aws_iam_role.this.name}"
role = aws_iam_role.this[0].name

# NOTE: While this is ugly, without it we have a lot of failures with AWS. Probably a race condition.
provisioner "local-exec" {
command = "sleep 10"
}
}

resource "aws_backup_selection" "by_tags" {
count = "${var.enabled && var.selection_create && var.selection_by_tags ? 1 : 0}"
count = var.enabled && var.selection_create && var.selection_by_tags ? 1 : 0

iam_role_arn = "${var.selection_role_create ? element(concat(aws_iam_role.this.*.arn, list("")), 0) : var.selection_role_arn}"
name = "${var.selection_tag_name}"
plan_id = "${var.plan_create ? element(concat(aws_backup_plan.this.*.id, list("")), 0) : var.selection_plan_id}"
iam_role_arn = var.selection_role_create ? element(concat(aws_iam_role.this.*.arn, [""]), 0) : var.selection_role_arn
name = var.selection_tag_name
plan_id = var.plan_create ? element(concat(aws_backup_plan.this.*.id, [""]), 0) : var.selection_plan_id

selection_tag {
type = "${var.selection_tag_type}"
key = "${var.selection_tag_key}"
value = "${var.selection_tag_value}"
type = var.selection_tag_type
key = var.selection_tag_key
value = var.selection_tag_value
}

depends_on = ["aws_backup_plan.this"]
depends_on = [
aws_backup_plan.this,
aws_iam_role_policy_attachment.this
]

# NOTE: While this is ugly, without it we have a lot of failures with AWS. Probably a race condition.
provisioner "local-exec" {
when = "destroy"
command = "sleep 10"
}
}

resource "aws_backup_selection" "by_resources" {
count = "${var.enabled && var.selection_create && var.selection_by_ressources ? 1 : 0}"
count = var.enabled && var.selection_create && var.selection_by_ressources ? 1 : 0

iam_role_arn = var.selection_role_create ? element(concat(aws_iam_role.this.*.arn, [""]), 0) : var.selection_role_arn
name = var.selection_resource_name
plan_id = var.plan_create ? element(concat(aws_backup_plan.this.*.id, [""]), 0) : var.selection_plan_id

iam_role_arn = "${var.selection_role_create ? element(concat(aws_iam_role.this.*.arn, list("")), 0) : var.selection_role_arn}"
name = "${var.selection_resource_name}"
plan_id = "${var.plan_create ? element(concat(aws_backup_plan.this.*.id, list("")), 0) : var.selection_plan_id}"
resources = var.selection_resources

resources = ["${var.selection_resources}"]
depends_on = [
aws_backup_plan.this,
aws_iam_role_policy_attachment.this
]

depends_on = ["aws_backup_plan.this"]
# NOTE: While this is ugly, without it we have a lot of failures with AWS. Probably a race condition.
provisioner "local-exec" {
when = "destroy"
command = "sleep 10"
}
}
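Review bot: `when = "destroy"` is a quoted keyword, which Terraform 0.12 accepts only with a deprecation warning; write `when = destroy`. The `sleep 10` provisioners also assume a POSIX `sleep` on the machine running Terraform (they fail on a Windows runner) and run once per instance of a `count` resource; since both selections now `depends_on` `aws_iam_role_policy_attachment.this`, check whether the create-time sleep on the attachment alone covers the race, and keep the NOTE comments so the delays are not removed as dead code later. The `selection_by_ressources` spelling is now part of the 1.0.0 public interface; if it is ever to be fixed, this breaking release is the moment.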


outputs.tf (+14 -13)

@@ -4,32 +4,32 @@

output "vault_id" {
description = "The name of the vault."
value = "${element(concat(aws_backup_vault.this.*.id, list("")), 0)}"
value = element(concat(aws_backup_vault.this.*.id, [""]), 0)
}

output "vault_arn" {
description = "ARN of the vault."
value = "${element(concat(aws_backup_vault.this.*.arn, list("")), 0)}"
value = element(concat(aws_backup_vault.this.*.arn, [""]), 0)
}

output "vault_recovery_points" {
description = "The number of recovery points that are stored in a backup vault."
value = "${element(concat(aws_backup_vault.this.*.recovery_points, list("")), 0)}"
value = element(concat(aws_backup_vault.this.*.recovery_points, [""]), 0)
}

output "vault_kms_key_arn" {
description = "ARN of the KMS key for the backup vault."
value = "${element(concat(aws_kms_key.this.*.arn, list("")), 0)}"
value = element(concat(aws_kms_key.this.*.arn, [""]), 0)
}

output "vault_kms_key_id" {
description = "Globally unique identifier of the KMS key for the backup vault."
value = "${element(concat(aws_kms_key.this.*.key_id, list("")), 0)}"
value = element(concat(aws_kms_key.this.*.key_id, [""]), 0)
}

output "vault_kms_key_alias_arn" {
description = "ARN of the KMS key alias for the backup vault."
value = "${element(concat(aws_kms_alias.this.*.arn, list("")), 0)}"
value = element(concat(aws_kms_alias.this.*.arn, [""]), 0)
}

####
@@ -38,27 +38,27 @@ output "vault_kms_key_alias_arn" {

output "plan_arns" {
description = "ARNs of the backup plans."
value = "${compact(concat(aws_backup_plan.this.*.arn, list("")))}"
value = compact(concat(aws_backup_plan.this.*.arn, [""]))
}

output "plan_versions" {
description = "Unique, randomly generated, Unicode, UTF-8 encoded strings that serves as the version ID of the backup plans."
value = "${compact(concat(aws_backup_plan.this.*.version, list("")))}"
value = compact(concat(aws_backup_plan.this.*.version, [""]))
}

output "plan_iam_role_arn" {
description = "ARN of the role for the backup plans."
value = "${element(concat(aws_iam_role.this.*.arn, list("")), 0)}"
value = element(concat(aws_iam_role.this.*.arn, [""]), 0)
}

output "plan_iam_role_name" {
description = "Name of the role for the backup plans."
value = "${element(concat(aws_iam_role.this.*.name, list("")), 0)}"
value = element(concat(aws_iam_role.this.*.name, [""]), 0)
}

output "plan_iam_role_unique_id" {
description = "Stable and unique string identifying the role for the backup plans."
value = "${element(concat(aws_iam_role.this.*.unique_id, list("")), 0)}"
value = element(concat(aws_iam_role.this.*.unique_id, [""]), 0)
}

####
@@ -67,10 +67,11 @@ output "plan_iam_role_unique_id" {

output "selection_tag_ids" {
description = "Backup Selection identifiers (by tags)."
value = "${compact(concat(aws_backup_selection.by_tags.*.id, list("")))}"
value = compact(concat(aws_backup_selection.by_tags.*.id, [""]))
}

output "selection_resources_ids" {
description = "Backup Selection identifiers (by ressources)."
value = "${compact(concat(aws_backup_selection.by_resources.*.id, list("")))}"
value = compact(concat(aws_backup_selection.by_resources.*.id, [""]))
}


variables.tf (+4 -2)

@@ -27,8 +27,9 @@ variable "vault_name" {
}

variable "vault_kms_key_arn" {
description = "ARN of the KMS key to use for the vault for AWS Backup. Use only if vault_kms_key_create is 'false'."
default = ""
description = "ARN of the KMS key to use for the vault for AWS Backup. Do not specify if you want to let the module create it own key."
default = null
type = string
}

variable "vault_kms_key_create" {
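Review bot: typo in the new description: "create it own key" should be "its own key", and the README row should be updated to match. Adding `type = string` alongside `default = null` is the right 0.12 form; note that `null` here means "let AWS pick the default key" only when main.tf actually reaches this value, which depends on `vault_kms_key_create` being false.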
@@ -178,3 +179,4 @@ variable "selection_resources" {
description = "An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan."
default = []
}
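Review bot: `selection_resources` still has no `type`; since main.tf now passes `var.selection_resources` straight to `resources` and the description promises an array of strings, add `type = list(string)` so a caller passing a single string fails at plan time rather than at the API call.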


versions.tf (+3 -0)

@@ -0,0 +1,3 @@
terraform {
required_version = ">= 0.12"
}
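Review bot: `required_version = ">= 0.12"` is the usual open-ended choice for a reusable module, but nothing declares the provider level the module needs for the `aws_backup_*` resources; add a `required_providers { aws = "~> 2.19" }` block here to match the pin the examples already use, so consumers do not discover the requirement at apply time.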
