UPD: updated awsbackup module

modules/storage/aws-backup/README.md

@@ -0,0 +1,58 @@
+<!-- This readme file is generated with terraform-docs -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_backup_plan.ab-plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource |
+| [aws_backup_region_settings.ab-settings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_region_settings) | resource |
+| [aws_backup_selection.ab-selection-by-service-type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
+| [aws_backup_vault.ab-vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
+| [aws_backup_vault_policy.ab-vault-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
+| [aws_iam_role.ab-iam-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.ab-iam-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_alias.ab-kms-key-alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.ab-kms-key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| backup-plan-cron | n/a | `string` | `"cron(0 20 * * ? *)"` | no |
+| backup-plan-name | n/a | `any` | n/a | yes |
+| backup-plan-retention | n/a | `any` | n/a | yes |
+| opt-in-aurora | Opt in audora backup | `bool` | n/a | yes |
+| opt-in-dynamodb | Opt in dynamodb backup | `bool` | n/a | yes |
+| opt-in-ebs | Opt in ebs backup | `bool` | n/a | yes |
+| opt-in-ec2 | Opt in ec2 backup | `bool` | n/a | yes |
+| opt-in-efs | Opt in efs backup | `bool` | n/a | yes |
+| opt-in-fsx | Opt in fsx backup | `bool` | n/a | yes |
+| opt-in-rds | Opt in rds backup | `bool` | n/a | yes |
+| opt-in-redshift | Opt in redshift backup | `bool` | n/a | yes |
+| opt-in-s3 | Opt in s3 backup | `bool` | n/a | yes |
+| opt-in-storagegateway | Opt in storage gateway backup | `bool` | n/a | yes |
+| opt-in-virtualmachine | Opt in virtualmachine backup | `bool` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| test | n/a |
+ 
+---
+## Authorship
+This module was developed by xpk.

modules/storage/aws-backup/awsbackup.tf

@@ -1,117 +0,0 @@
-resource "aws_backup_vault" "ab-vault" {
-  name        = "BackupVault"
-  kms_key_arn = aws_kms_key.ab-kms-key.arn
-  tags        = var.default-tags
-}
-
-resource "aws_backup_vault_policy" "ab-vault-policy" {
-  backup_vault_name = aws_backup_vault.ab-vault.name
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Id": "default",
-  "Statement": [
-    {
-      "Sid": "default",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "*"
-      },
-      "Action": [
-        "backup:DescribeBackupVault",
-        "backup:DeleteBackupVault",
-        "backup:PutBackupVaultAccessPolicy",
-        "backup:DeleteBackupVaultAccessPolicy",
-        "backup:GetBackupVaultAccessPolicy",
-        "backup:StartBackupJob",
-        "backup:GetBackupVaultNotifications",
-        "backup:PutBackupVaultNotifications"
-      ],
-      "Resource": "${aws_backup_vault.ab-vault.arn}"
-    }
-  ]
-}
-POLICY
-}
-
-resource "aws_backup_region_settings" "ab-settings" {
-  resource_type_opt_in_preference = {
-    "Aurora"          = true
-    # not in ap-east-1 "DocumentDB"      = false
-    "DynamoDB"        = true
-    "EBS"             = true
-    "EC2"             = true
-    "EFS"             = true
-    "FSx"             = true
-    "Neptune"         = false
-    "RDS"             = true
-    "Storage Gateway" = false
-    "VirtualMachine"  = false
-  }
-
-  resource_type_management_preference = {
-    "DynamoDB" = true
-    "EFS"      = true
-  }
-}
-
-resource "aws_backup_plan" "ab-plan" {
-  name = var.backup-plan-name
-
-  rule {
-    rule_name         = var.backup-plan-name
-    target_vault_name = aws_backup_vault.ab-vault.name
-    schedule          = var.backup-plan-cron
-    start_window = 60
-    completion_window = 240
-
-    lifecycle {
-      delete_after = var.backup-plan-retention
-    }
-  }
-
-  advanced_backup_setting {
-    backup_options = {
-      WindowsVSS = "enabled"
-    }
-    resource_type = "EC2"
-  }
-
-  tags = var.default-tags
-}
-
-resource "aws_iam_role" "ab-iam-role" {
-  name               = "AwsBackupRole"
-  assume_role_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": ["sts:AssumeRole"],
-      "Effect": "allow",
-      "Principal": {
-        "Service": ["backup.amazonaws.com"]
-      }
-    }
-  ]
-}
-POLICY
-  tags = var.default-tags
-}
-
-resource "aws_iam_role_policy_attachment" "ab-iam-role-policy" {
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
-  role       = aws_iam_role.ab-iam-role.name
-}
-
-resource "aws_backup_selection" "ab-selection-tag" {
-  iam_role_arn = aws_iam_role.ab-iam-role.arn
-  name         = "AwsBackupSelectionByTag"
-  plan_id      = aws_backup_plan.ab-plan.id
-
-  selection_tag {
-    type  = "STRINGEQUALS"
-    key   = "AwsBackup"
-    value = var.backup-plan-name
-  }
-}

modules/storage/aws-backup/kms-key.tf

@@ -1,64 +1,40 @@
-data aws_caller_identity this {}
+data "aws_caller_identity" "this" {}
 
 resource "aws_kms_key" "ab-kms-key" {
   description             = "KMS key for aws backup"
   deletion_window_in_days = 10
-  tags = var.default-tags
+  policy = jsonencode(
-  policy = <<EOD
-{
-    "Version": "2012-10-17",
-    "Id": "key-consolepolicy-3",
-    "Statement": [
     {
-            "Sid": "Enable IAM User Permissions",
+      "Version" : "2012-10-17",
-            "Effect": "Allow",
+      "Id" : "awsbackup-service",
-            "Principal": {
+      "Statement" : [
-                "AWS": "arn:aws:iam::${data.aws_caller_identity.this.id}:root"
+        {
+          "Sid" : "Enable IAM User Permissions",
+          "Effect" : "Allow",
+          "Principal" : {
+            "AWS" : "arn:aws:iam::${data.aws_caller_identity.this.id}:root"
           },
-            "Action": "kms:*",
+          "Action" : "kms:*",
-            "Resource": "*"
+          "Resource" : "*"
         },
         {
-            "Sid": "Allow attachment of persistent resources",
+          "Sid" : "Allow attachment of persistent resources",
-            "Effect": "Allow",
+          "Effect" : "Allow",
-            "Principal": "*",
+          "Principal" : "*",
-            "Action": [
+          "Action" : [
             "kms:CreateGrant",
             "kms:ListGrants",
             "kms:RevokeGrant"
           ],
-            "Resource": "*",
+          "Resource" : "*",
-            "Condition": {
+          "Condition" : {
-                "Bool": {
+            "Bool" : {
-                    "kms:GrantIsForAWSResource": "true"
+              "kms:GrantIsForAWSResource" : "true"
-                }
-            }
-        },
-        {
-            "Sid": "Allow use of the KMS key for organization",
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "*"
-            },
-            "Action": [
-                "kms:Decrypt",
-                "kms:DescribeKey",
-                "kms:Encrypt",
-                "kms:ReEncrypt*",
-                "kms:GetKeyPolicy",
-                "kms:CreateGrant",
-                "kms:GenerateDataKey*"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringEquals": {
-                    "aws:PrincipalOrgID": "${var.aws-org-id}"
             }
           }
         }
       ]
-}
+  })
-EOD
 }
 
 resource "aws_kms_alias" "ab-kms-key-alias" {

modules/storage/aws-backup/main.tf

@@ -0,0 +1,137 @@
+resource "aws_backup_region_settings" "ab-settings" {
+  resource_type_opt_in_preference = {
+    "Aurora" = var.opt-in-aurora
+    # not available in all regions "DocumentDB"      = var.opt-in-documentdb
+    "DynamoDB"        = var.opt-in-dynamodb
+    "EBS"             = var.opt-in-ebs
+    "EC2"             = var.opt-in-ec2
+    "EFS"             = var.opt-in-efs
+    "FSx"             = var.opt-in-fsx
+    "Redshift"        = var.opt-in-redshift
+    "RDS"             = var.opt-in-rds
+    "Storage Gateway" = var.opt-in-storagegateway
+    "VirtualMachine"  = var.opt-in-virtualmachine
+    "S3"              = var.opt-in-s3
+  }
+}
+
+
+output "test" {
+  value = [
+    for k, v in aws_backup_region_settings.ab-settings.resource_type_opt_in_preference : k
+    if v
+  ]
+}
+
+resource "aws_backup_vault" "ab-vault" {
+  for_each = toset([
+    for k, v in aws_backup_region_settings.ab-settings.resource_type_opt_in_preference : k
+    if v
+  ])
+  name        = "BackupVault-${each.value}"
+  kms_key_arn = aws_kms_key.ab-kms-key.arn
+}
+
+resource "aws_backup_vault_policy" "ab-vault-policy" {
+  for_each          = aws_backup_vault.ab-vault
+  backup_vault_name = each.value.name
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Id" : "default",
+      "Statement" : [
+        {
+          "Sid" : "default",
+          "Effect" : "Allow",
+          "Principal" : {
+            "AWS" : data.aws_caller_identity.this.account_id
+          },
+          "Action" : [
+            "backup:DescribeBackupVault",
+            "backup:DeleteBackupVault",
+            "backup:PutBackupVaultAccessPolicy",
+            "backup:DeleteBackupVaultAccessPolicy",
+            "backup:GetBackupVaultAccessPolicy",
+            "backup:StartBackupJob",
+            "backup:GetBackupVaultNotifications",
+            "backup:PutBackupVaultNotifications"
+          ],
+          "Resource" : each.value.arn
+        }
+      ]
+  })
+}
+
+resource "aws_backup_plan" "ab-plan" {
+  for_each = aws_backup_vault.ab-vault
+  name     = "BackupPlan-${replace(each.value.name, "BackupVault-", "")}"
+
+  rule {
+    rule_name         = var.backup-plan-name
+    target_vault_name = each.value.name
+    schedule          = var.backup-plan-cron
+    start_window      = 60
+    completion_window = 240
+
+    lifecycle {
+      delete_after = var.backup-plan-retention
+    }
+
+    recovery_point_tags = {
+      "CreatedBy" : "AWSBackup"
+      "AWSBackupPlan" : "BackupPlan-${replace(each.value.name, "BackupVault-", "")}"
+    }
+  }
+
+  #   advanced_backup_setting {
+  #     backup_options = {
+  #       WindowsVSS = "enabled"
+  #     }
+  #     resource_type = "EC2"
+  #   }
+}
+#
+resource "aws_iam_role" "ab-iam-role" {
+  name = "AwsBackupRole"
+  assume_role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Action" : ["sts:AssumeRole"],
+          "Effect" : "allow",
+          "Principal" : {
+            "Service" : ["backup.amazonaws.com"]
+          }
+        }
+      ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ab-iam-role-policy" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
+  role       = aws_iam_role.ab-iam-role.name
+}
+
+locals {
+  service-map = {
+    "EC2" : "arn:aws:ec2:*:*:instance/*",
+    "RDS" : "arn:aws:rds:*:*:db:*"
+    "S3" : "arn:aws:s3:::*"
+    "EBS" : "arn:aws:ec2:*:*:volume/*"
+    "DynamoDB" : "arn:aws:dynamodb:*:*:table/*"
+    "EFS" : "arn:aws:elasticfilesystem:*:*:file-system/*"
+    "FSx" : "arn:*:fsx:*"
+    "Redshift" : "arn:aws:redshift:*:*:cluster:*"
+    "Storage Gateway" : "arn:aws:storagegateway:*:*:gateway/*"
+    "VirtualMachine" : "arn:aws:backup-gateway:*:*:vm/*"
+    "Aurora" : "arn:aws:rds:*:*:cluster:*"
+  }
+}
+resource "aws_backup_selection" "ab-selection-by-service-type" {
+  for_each     = aws_backup_plan.ab-plan
+  iam_role_arn = aws_iam_role.ab-iam-role.arn
+  name         = "SelectionByServiceType"
+  plan_id      = each.value.id
+  resources    = [lookup(local.service-map, replace(each.value.name, "BackupPlan-", ""))]
+}

modules/storage/aws-backup/variables.tf

@@ -1,9 +1,64 @@
-variable default-tags {}
+variable "backup-plan-name" {}
-variable aws-org-id {}
+variable "backup-plan-cron" {
-variable backup-plan-name {}
-variable backup-plan-cron {
   type    = string
   default = "cron(0 20 * * ? *)"
   # cron(Minutes Hours Day-of-month Month Day-of-week Year)
 }
-variable backup-plan-retention {}
+variable "backup-plan-retention" {}
+
+
+
+variable "opt-in-aurora" {
+  type        = bool
+  description = "Opt in audora backup"
+}
+
+variable "opt-in-s3" {
+  type        = bool
+  description = "Opt in s3 backup"
+}
+
+variable "opt-in-dynamodb" {
+  type        = bool
+  description = "Opt in dynamodb backup"
+}
+
+variable "opt-in-ebs" {
+  type        = bool
+  description = "Opt in ebs backup"
+}
+
+variable "opt-in-ec2" {
+  type        = bool
+  description = "Opt in ec2 backup"
+}
+
+variable "opt-in-efs" {
+  type        = bool
+  description = "Opt in efs backup"
+}
+
+variable "opt-in-fsx" {
+  type        = bool
+  description = "Opt in fsx backup"
+}
+
+variable "opt-in-rds" {
+  type        = bool
+  description = "Opt in rds backup"
+}
+
+variable "opt-in-storagegateway" {
+  type        = bool
+  description = "Opt in storage gateway backup"
+}
+
+variable "opt-in-virtualmachine" {
+  type        = bool
+  description = "Opt in virtualmachine backup"
+}
+
+variable "opt-in-redshift" {
+  type        = bool
+  description = "Opt in redshift backup"
+}