Module to manage AWS Backup with Terraform.


  #####
  # Locals
  #####
  locals {
    # Tags stamped on every resource this module creates. They are merged first,
    # so the caller-supplied var.tags and the per-resource tag maps win on conflict.
    tags = {
      Terraform = "true"
    }
  }
  ####
  # Vault
  ####
  resource "aws_backup_vault" "this" {
    # Created only when the module is enabled and the caller asked for a vault.
    count = var.enabled && var.vault_create ? 1 : 0

    name = var.vault_name

    # Encrypt recovery points with the module-managed KMS key when one is created,
    # otherwise with whatever key ARN the caller hands in. The concat/element idiom
    # yields "" instead of an index error when aws_kms_key.this has count = 0.
    kms_key_arn = var.vault_kms_key_create ? element(concat(aws_kms_key.this.*.arn, [""]), 0) : var.vault_kms_key_arn

    # Precedence, later wins: module defaults < var.tags < var.vault_tags < Name.
    tags = merge(
      local.tags,
      var.tags,
      var.vault_tags,
      { Name = var.vault_name },
    )

    # NOTE(review): nothing here restricts who may delete recovery points from the
    # vault; a vault access policy or vault lock (separate resources) would harden
    # it — confirm the provider version in use supports them.
  }
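  resource "aws_kms_key" "this" {
    # Only materialised when this module also creates the vault and the caller
    # asked for a module-managed key (same condition as aws_kms_alias.this, which
    # indexes this resource with [0]).
    count = var.enabled && var.vault_create && var.vault_kms_key_create ? 1 : 0

    description = "KMS Key for '${var.vault_name}' vault encryption."

    # Rotate the backing key material automatically. Rotation keeps the key ID
    # and ARN stable, so enabling it on an existing key is an in-place update and
    # the vault's kms_key_arn reference is unaffected.
    enable_key_rotation = true

    # No `policy` attribute is set, so the key receives the default key policy
    # (full access for the account root, and from there via IAM). Supply a scoped
    # key policy here if only designated principals should be able to use the
    # backup vault's key.
    tags = merge(
      local.tags,
      var.tags,
      var.vault_kms_tags,
      { Name = var.vault_kms_key_name },
    )
  }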
  resource "aws_kms_alias" "this" {
    # Must track aws_kms_key.this exactly: the [0] index below is only valid
    # while that resource also evaluates to count = 1.
    count = var.enabled && var.vault_create && var.vault_kms_key_create ? 1 : 0

    target_key_id = aws_kms_key.this[0].key_id

    # Passed through verbatim; AWS requires alias names to begin with "alias/".
    name = var.vault_kms_key_alias_name
  }
  ####
  # Plan
  ####
  resource "aws_backup_plan" "this" {
    count = var.enabled && var.plan_create ? 1 : 0

    name = var.plan_name

    # A single rule per plan. When the vault is module-managed the vault name is
    # read from the resource (creating an explicit dependency); otherwise the
    # caller's vault name is used as-is.
    rule {
      rule_name         = var.plan_rule_name
      target_vault_name = var.vault_create ? element(concat(aws_backup_vault.this.*.name, [""]), 0) : var.vault_name
      schedule          = var.plan_rule_schedule

      # Windows are passed through untouched; both are expressed in minutes.
      start_window      = var.plan_rule_start_window
      completion_window = var.plan_rule_completion_window

      recovery_point_tags = var.plan_rule_recovery_point_tags

      # Retention, in days. NOTE(review): when both values are set AWS expects
      # delete_after to be at least 90 days after cold_storage_after — verify
      # the defaults in variables.tf satisfy this.
      lifecycle {
        cold_storage_after = var.plan_rule_lifecycle_cold_storage_after
        delete_after       = var.plan_rule_lifecycle_delete_after
      }
    }

    # Precedence, later wins: module defaults < var.tags < var.plan_tags < Name.
    tags = merge(
      local.tags,
      var.tags,
      var.plan_tags,
      { Name = var.plan_name },
    )
  }
  ####
  # Selection
  ####
  data "aws_iam_policy_document" "this" {
    # Trust policy for the backup service role; rendered only when this module
    # also creates that role (aws_iam_role.this has the same condition).
    count = var.enabled && var.selection_create && var.selection_role_create ? 1 : 0

    statement {
      effect  = "Allow"
      actions = ["sts:AssumeRole"]

      principals {
        type        = "Service"
        identifiers = ["backup.amazonaws.com"]
      }

      # NOTE(review): this trusts the AWS Backup service principal without any
      # condition, so the role is assumable on behalf of any account that can
      # drive the service. A `condition` block on aws:SourceAccount (and/or
      # aws:SourceArn) scoped to this account closes the confused-deputy path.
    }
  }
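  resource "aws_iam_role" "this" {
    # Same condition as the trust-policy document, so the [0] index below is safe.
    count = var.enabled && var.selection_create && var.selection_role_create ? 1 : 0

    name               = var.selection_iam_role_name
    assume_role_policy = data.aws_iam_policy_document.this[0].json

    # Tag the role like every other resource in this module so it can be found
    # and attributed; previously it was the only untagged resource. Precedence,
    # later wins: module defaults < var.tags < Name.
    tags = merge(
      local.tags,
      var.tags,
      { Name = var.selection_iam_role_name },
    )
  }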
  resource "aws_iam_role_policy_attachment" "this" {
    count = var.enabled && var.selection_create && var.selection_role_create ? 1 : 0

    role = aws_iam_role.this[0].name

    # AWS-managed policy that lets the backup service take backups.
    # NOTE(review): the partition is hard-coded to "aws", so this ARN will not
    # resolve in the GovCloud or China partitions. Restores appear to need the
    # separate AWSBackupServiceRolePolicyForRestores managed policy, which this
    # module does not attach — confirm against the intended use.
    policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"

    # NOTE: While this is ugly, without it we have a lot of failures with AWS. Probably a race condition.
    # The pause gives IAM time to propagate the attachment before the
    # aws_backup_selection resources (which depends_on this one) are created.
    # It runs on create only and needs a shell on the host running terraform.
    provisioner "local-exec" {
      command = "sleep 10"
    }
  }
  resource "aws_backup_selection" "by_tags" {
    # Tag-based selection: enabled alongside (not instead of) by_resources.
    count = var.enabled && var.selection_create && var.selection_by_tags ? 1 : 0

    name = var.selection_tag_name

    # Either the module-managed role/plan or the caller-supplied ARN/ID. The
    # concat/element idiom returns "" rather than failing when the referenced
    # resource has count = 0.
    iam_role_arn = var.selection_role_create ? element(concat(aws_iam_role.this.*.arn, [""]), 0) : var.selection_role_arn
    plan_id      = var.plan_create ? element(concat(aws_backup_plan.this.*.id, [""]), 0) : var.selection_plan_id

    # Resources are matched by a single tag key/value; `type` is the match operator.
    selection_tag {
      type  = var.selection_tag_type
      key   = var.selection_tag_key
      value = var.selection_tag_value
    }

    # The explicit dependency on the policy attachment matters: the role must
    # already carry its permissions when the selection is created.
    depends_on = [aws_backup_plan.this, aws_iam_role_policy_attachment.this]

    # NOTE: While this is ugly, without it we have a lot of failures with AWS. Probably a race condition.
    # Destroy-time pause before dependants (plan, role) are torn down; needs a
    # shell on the host running terraform.
    provisioner "local-exec" {
      when    = "destroy"
      command = "sleep 10"
    }
  }
  resource "aws_backup_selection" "by_resources" {
    # ARN-based selection: enabled alongside (not instead of) by_tags.
    # The misspelt variable name `selection_by_ressources` is part of the
    # module's public interface and is kept deliberately.
    count = var.enabled && var.selection_create && var.selection_by_ressources ? 1 : 0

    name = var.selection_resource_name

    # Either the module-managed role/plan or the caller-supplied ARN/ID; the
    # concat/element idiom returns "" when the referenced resource has count = 0.
    iam_role_arn = var.selection_role_create ? element(concat(aws_iam_role.this.*.arn, [""]), 0) : var.selection_role_arn
    plan_id      = var.plan_create ? element(concat(aws_backup_plan.this.*.id, [""]), 0) : var.selection_plan_id

    # List of resource ARNs passed straight through. NOTE(review): AWS appears to
    # accept a "*" wildcard here, which would select every supported resource —
    # worth documenting in the variable description if that is intended.
    resources = var.selection_resources

    # The explicit dependency on the policy attachment matters: the role must
    # already carry its permissions when the selection is created.
    depends_on = [aws_backup_plan.this, aws_iam_role_policy_attachment.this]

    # NOTE: While this is ugly, without it we have a lot of failures with AWS. Probably a race condition.
    # Destroy-time pause before dependants (plan, role) are torn down; needs a
    # shell on the host running terraform.
    provisioner "local-exec" {
      when    = "destroy"
      command = "sleep 10"
    }
  }
  134. }