/**
* # Terraform AWS Backup
*
* This Terraform module provides a preconfigured solution for setting up
* AWS Backup in your AWS account. With this module, you can easily and
* efficiently create and manage backups for your AWS resources. Our
* team has extensive experience working with AWS Backup and has optimized
* this module to provide the best possible experience for users.
*
* Using this Terraform module, you can save time and effort in setting up
* and managing your backup policies, as well as avoid common mistakes and
* pitfalls. The module encapsulates all necessary configurations, making
* it easy to use and integrate into your existing AWS environment. Whether
* you are looking to add backup protection for your critical resources or
* streamline your existing backup processes, this Terraform module is a
* great choice.
*/
locals {
  # Predefined rules are opt-in: only those whose name appears in var.predefined_rules are kept.
  enabled_predefined_rules = {
    for rule in local.predefined_rules :
    rule.name => rule if contains(var.predefined_rules, rule.name)
  }

  # Caller-supplied rules, keyed by name so they can be combined with the predefined set.
  custom_rules_by_name = {
    for rule in var.custom_rules :
    rule.name => rule
  }

  # Final rule set consumed by aws_backup_plan.main. merge() is shallow: when a custom rule
  # shares a name with a predefined one, the custom rule object replaces the predefined one
  # entirely — its attributes are not combined with the predefined rule's attributes.
  merged_rules = merge(local.enabled_predefined_rules, local.custom_rules_by_name)
}
# When the module is not asked to create the vault, look up the pre-existing vault of the
# same name so its attributes remain available to the rest of the configuration.
data "aws_backup_vault" "main" {
  count = !var.create_backup_vault ? 1 : 0

  name = var.vault_name
}
# The vault this module manages. Created only when var.create_backup_vault is true;
# otherwise data.aws_backup_vault.main resolves an existing vault of the same name.
resource "aws_backup_vault" "main" {
  count = var.create_backup_vault ? 1 : 0

  name = var.vault_name
  tags = var.tags

  # Key used to encrypt recovery points in the vault. The module-managed CMK (module.kms)
  # wins when enabled; otherwise var.kms_key_id is passed through unchanged (a null value
  # means, per provider docs, the AWS-managed key).
  # NOTE(review): the provider attribute expects a key ARN and a vault's key cannot be
  # changed after creation — confirm callers pass an ARN, not a bare key ID, in var.kms_key_id.
  kms_key_arn = var.enable_customer_managed_kms ? module.kms[0].key_arn : var.kms_key_id

  # When true, destroying this resource also deletes every recovery point in the vault.
  # Keep it false for production vaults: it negates the retention guarantee the vault exists for.
  force_destroy = var.vault_force_destroy
}
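# Optional Vault Lock. A locked vault makes its recovery points immutable (nothing can delete
# them or shorten their retention early), which protects backups against ransomware and
# against compromised or careless credentials.
resource "aws_backup_vault_lock_configuration" "main" {
  count = var.enable_vault_lock ? 1 : 0

  # Reference the vault through the resource / data source instead of the bare variable so
  # Terraform creates (or reads) the vault before applying the lock. The original bare
  # var.vault_name gave Terraform no dependency edge, unlike aws_backup_plan.main, which uses
  # depends_on. The resulting name is var.vault_name on both branches.
  backup_vault_name = var.create_backup_vault ? aws_backup_vault.main[0].name : data.aws_backup_vault.main[0].name

  # Grace period (days) during which the lock can still be changed or removed. Per the AWS
  # Backup Vault Lock docs, once it elapses the lock is in compliance mode and cannot be
  # removed by anyone, including the account root — set this deliberately. Leaving it null
  # keeps the lock in governance mode, removable by principals with sufficient IAM permission.
  changeable_for_days = var.changeable_for_days

  # Retention bounds enforced on every recovery point written to the vault; backup rules whose
  # lifecycle falls outside this range are rejected by the service.
  min_retention_days = var.min_retention_days
  max_retention_days = var.max_retention_days
}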
# The backup plan: one rule per entry in local.merged_rules, every rule targeting var.vault_name.
resource "aws_backup_plan" "main" {
  name = var.plan_name
  tags = var.tags

  # The rules reference the vault by bare name, which gives Terraform no dependency edge on the
  # vault resource; this makes the ordering explicit.
  depends_on = [aws_backup_vault.main]

  dynamic "rule" {
    for_each = local.merged_rules
    iterator = backup_rule

    content {
      rule_name         = backup_rule.value.name
      target_vault_name = var.vault_name
      schedule          = backup_rule.value.schedule
      start_window      = backup_rule.value.start_window
      completion_window = backup_rule.value.completion_window

      # Point-in-time recovery for the resource types that support it.
      # NOTE(review): per AWS docs continuous backups cap retention at 35 days — confirm the
      # variable validation for rules enforces that whenever this is true.
      enable_continuous_backup = backup_rule.value.enable_continuous_backup

      # Module-wide tags first, so a rule's own tags override them on its recovery points.
      recovery_point_tags = merge(var.tags, backup_rule.value.recovery_point_tags)

      # Retention of the primary recovery point; the block is omitted when the rule has none.
      dynamic "lifecycle" {
        for_each = backup_rule.value.lifecycle == null ? [] : [backup_rule.value.lifecycle]
        iterator = retention

        content {
          delete_after       = retention.value.delete_after
          cold_storage_after = retention.value.cold_storage_after
        }
      }

      # Optional replication of each recovery point to a second vault (e.g. another account or
      # region, so a compromise of this account does not also take the backups).
      dynamic "copy_action" {
        for_each = backup_rule.value.copy_action == null ? [] : [backup_rule.value.copy_action]
        iterator = copy_cfg

        content {
          destination_vault_arn = copy_cfg.value.destination_vault_arn

          # Retention of the copy, independent of the primary recovery point's lifecycle.
          dynamic "lifecycle" {
            for_each = copy_cfg.value.lifecycle == null ? [] : [copy_cfg.value.lifecycle]
            iterator = copy_retention

            content {
              delete_after       = copy_retention.value.delete_after
              cold_storage_after = copy_retention.value.cold_storage_after
            }
          }
        }
      }
    }
  }

  # Application-consistent snapshots of Windows EC2 instances via VSS, toggled module-wide.
  dynamic "advanced_backup_setting" {
    for_each = var.enable_windows_vss_backup ? ["EC2"] : []
    iterator = vss

    content {
      resource_type = vss.value
      backup_options = {
        WindowsVSS = "enabled"
      }
    }
  }
}
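# One selection per entry in var.selections: the resources (by ARN and/or by tag) that
# aws_backup_plan.main protects.
resource "aws_backup_selection" "main" {
  for_each = { for sel in var.selections : sel.name => sel }

  name    = "${var.vault_name}-${each.key}"
  plan_id = aws_backup_plan.main.id

  # Role AWS Backup assumes to read the selected resources and write recovery points.
  # Precedence: the selection's own role_arn, then the module-wide var.role_arn, then the role
  # this module creates. module.iam_role has count 0 whenever var.role_arn is set, so it must
  # only be indexed on the branch where it exists; the previous unconditional
  # coalesce(each.value.role_arn, module.iam_role[0].arn) failed with an invalid-index error as
  # soon as a caller supplied var.role_arn, and var.role_arn was otherwise never used.
  iam_role_arn = coalesce(
    each.value.role_arn,
    var.role_arn != null ? var.role_arn : module.iam_role[0].arn
  )

  resources = each.value.arns

  # Optional tag-based selection alongside the explicit ARN list.
  dynamic "selection_tag" {
    for_each = each.value.tag == null ? [] : [each.value.tag]

    content {
      type  = selection_tag.value.type
      key   = selection_tag.value.key
      value = selection_tag.value.value
    }
  }
}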
# Service role for AWS Backup, created only when the caller does not supply var.role_arn.
module "iam_role" {
  count = var.role_arn == null ? 1 : 0

  source = "geekcell/iam-role/aws"
  # NOTE(review): a floating range resolves to whatever the registry serves within it at
  # init time; pin an exact version (and commit .terraform.lock.hcl) for a reproducible
  # supply chain.
  version = ">= 1.0.0, < 2.0.0"

  name        = "${var.vault_name}-backup"
  description = "This role is responsible for restoring/backing up the resources in the Vault."
  tags        = var.tags

  # Only the AWS Backup service principal may assume the role.
  # NOTE(review): AWS recommends aws:SourceAccount / aws:SourceArn conditions on service-role
  # trust policies to prevent confused-deputy use; whether this module's assume_roles input
  # accepts such conditions is not visible here — worth checking.
  assume_roles = { "Service" : { identifiers = ["backup.amazonaws.com"] } }

  # AWS-managed backup/restore policies. The two S3 policies are attached unconditionally and
  # grant broad S3 access; if no buckets are ever selected, that is more privilege than the
  # role needs.
  policy_arns = [
    for policy in [
      "service-role/AWSBackupServiceRolePolicyForBackup",
      "service-role/AWSBackupServiceRolePolicyForRestores",
      "AWSBackupServiceRolePolicyForS3Backup",
      "AWSBackupServiceRolePolicyForS3Restore"
    ] : "arn:aws:iam::aws:policy/${policy}"
  ]
}
# Customer-managed KMS key for the vault, created only when var.enable_customer_managed_kms
# is true; its ARN is wired into aws_backup_vault.main.
module "kms" {
  count = var.enable_customer_managed_kms ? 1 : 0

  source = "geekcell/kms/aws"
  # NOTE(review): floating version range — pin exactly for a reproducible supply chain.
  version = ">= 1.0.0, < 2.0.0"

  alias = "/backup/vault/${var.vault_name}"
  tags  = var.tags

  # NOTE(review): the key policy this module emits is not visible here. Cross-account
  # copy_action targets and restores by other principals need that policy to grant them use
  # of the key — confirm before relying on cross-account copies.
}