diff --git a/modules/storage/aws-backup/README.md b/modules/storage/aws-backup/README.md
index 5742836..8e501e6 100644
--- a/modules/storage/aws-backup/README.md
+++ b/modules/storage/aws-backup/README.md
@@ -44,9 +44,11 @@ No modules.
 | opt-in-rds | Opt in rds backup | `bool` | n/a | yes |
 | opt-in-redshift | Opt in redshift backup | `bool` | n/a | yes |
 | opt-in-s3 | Opt in s3 backup | `bool` | n/a | yes |
-| opt-in-storagegateway | Opt in storage gateway backup | `bool` | n/a | yes |
 | opt-in-virtualmachine | Opt in virtualmachine backup | `bool` | n/a | yes |
+## Outputs
+
+No outputs.
 ---
 ## Authorship
diff --git a/modules/storage/aws-backup/main.tf b/modules/storage/aws-backup/main.tf
index 4fea1fd..859064d 100644
--- a/modules/storage/aws-backup/main.tf
+++ b/modules/storage/aws-backup/main.tf
@@ -1,24 +1,76 @@
+# build local data structure
+
+locals {
+ backup-config = {
+ "Aurora" : {
+ enabled = var.opt-in-aurora
+ arn-prefix = "arn:aws:rds:*:*:cluster:*"
+ }
+ "DynamoDB" : {
+ enabled = var.opt-in-dynamodb
+ arn-prefix = "arn:aws:dynamodb:*:*:table/*"
+ }
+ "EBS" : {
+ enabled = var.opt-in-ebs
+ arn-prefix = "arn:aws:ec2:*:*:volume/*"
+ }
+ "EC2" : {
+ enabled = var.opt-in-ec2
+ arn-prefix = "arn:aws:ec2:*:*:instance/*"
+ }
+ "EFS" : {
+ enabled = var.opt-in-efs
+ arn-prefix = "arn:aws:elasticfilesystem:*:*:file-system/*"
+ }
+ "FSx" : {
+ enabled = var.opt-in-fsx
+ arn-prefix = "arn:*:fsx:*"
+ }
+ "Redshift" : {
+ enabled = var.opt-in-redshift
+ arn-prefix = "arn:aws:redshift:*:*:cluster:*"
+ }
+ "RDS" : {
+ enabled = var.opt-in-rds
+ arn-prefix = "arn:aws:rds:*:*:db:*"
+ }
+ # this version can't handle space
+ # "Storage Gateway" : {
+ # enabled = var.opt-in-storagegateway
+ # arn-prefix = "arn:aws:storagegateway:*:*:gateway/*"
+ # }
+ "VirtualMachine" : {
+ enabled = var.opt-in-virtualmachine
+ arn-prefix = "arn:aws:backup-gateway:*:*:vm/*"
+ }
+ "S3" : {
+ enabled = var.opt-in-s3
+ arn-prefix = "arn:aws:s3:::*"
+ }
+ }
+}
+
 resource "aws_backup_region_settings" "ab-settings" {
 resource_type_opt_in_preference = {
- "Aurora" = var.opt-in-aurora
- # not available in all regions "DocumentDB" = var.opt-in-documentdb
- "DynamoDB" = var.opt-in-dynamodb
- "EBS" = var.opt-in-ebs
- "EC2" = var.opt-in-ec2
- "EFS" = var.opt-in-efs
- "FSx" = var.opt-in-fsx
- "Redshift" = var.opt-in-redshift
- "RDS" = var.opt-in-rds
- "Storage Gateway" = var.opt-in-storagegateway
- "VirtualMachine" = var.opt-in-virtualmachine
- "S3" = var.opt-in-s3
+ "Aurora" = local.backup-config.Aurora.enabled
+ "DynamoDB" = local.backup-config.DynamoDB.enabled
+ "EBS" = local.backup-config.EBS.enabled
+ "EC2" = local.backup-config.EC2.enabled
+ "EFS" = local.backup-config.EFS.enabled
+ "FSx" = local.backup-config.FSx.enabled
+ "Redshift" = local.backup-config.Redshift.enabled
+ "RDS" = local.backup-config.RDS.enabled
+ # "Storage Gateway" = lookup(local.backup-config, "Storage Gateway").enabled
+ "VirtualMachine" = local.backup-config.VirtualMachine.enabled
+ "S3" = local.backup-config.S3.enabled
+ # not available in all regions "DocumentDB" = false
 }
 }
 resource "aws_backup_vault" "ab-vault" {
 for_each = toset([
- for k, v in aws_backup_region_settings.ab-settings.resource_type_opt_in_preference : k
- if v
+ for k, v in local.backup-config : k
+ if v.enabled
 ])
 name = "BackupVault-${each.value}"
 kms_key_arn = aws_kms_key.ab-kms-key.arn
@@ -105,25 +157,10 @@ resource "aws_iam_role_policy_attachment" "ab-iam-role-policy" {
 role = aws_iam_role.ab-iam-role.name
 }
-locals {
- service-map = {
- "EC2" : "arn:aws:ec2:*:*:instance/*",
- "RDS" : "arn:aws:rds:*:*:db:*"
- "S3" : "arn:aws:s3:::*"
- "EBS" : "arn:aws:ec2:*:*:volume/*"
- "DynamoDB" : "arn:aws:dynamodb:*:*:table/*"
- "EFS" : "arn:aws:elasticfilesystem:*:*:file-system/*"
- "FSx" : "arn:*:fsx:*"
- "Redshift" : "arn:aws:redshift:*:*:cluster:*"
- "Storage Gateway" : "arn:aws:storagegateway:*:*:gateway/*"
- "VirtualMachine" : "arn:aws:backup-gateway:*:*:vm/*"
- "Aurora" : "arn:aws:rds:*:*:cluster:*"
- }
-}
 resource "aws_backup_selection" "ab-selection-by-service-type" {
 for_each = aws_backup_plan.ab-plan
 iam_role_arn = aws_iam_role.ab-iam-role.arn
 name = "SelectionByServiceType"
 plan_id = each.value.id
- resources = [lookup(local.service-map, replace(each.value.name, "BackupPlan-", ""))]
+ resources = [lookup(local.backup-config, replace(each.value.name, "BackupPlan-", "")).arn-prefix]
 }
diff --git a/modules/storage/aws-backup/variables.tf b/modules/storage/aws-backup/variables.tf
index a49e569..bccd003 100644
--- a/modules/storage/aws-backup/variables.tf
+++ b/modules/storage/aws-backup/variables.tf
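Review bot: The `resource_type_opt_in_preference` map still spells out every service by hand even though `local.backup-config` now carries `enabled` per service, so the opt-in list and the vault `for_each` at the end of the hunk (which iterates `local.backup-config`) can drift apart the next time a service is added; `resource_type_opt_in_preference = { for k, v in local.backup-config : k => v.enabled }` keeps them in lockstep. The text `"DocumentDB" = false` shares a single `+` marker with the `# not available in all regions` comment, so it appears to sit inside the comment rather than being set — confirm, and if DocumentDB is meant to be opted out explicitly give it its own attribute line. Every ARN pattern hard-codes the `aws` partition except FSx (`arn:*:fsx:*`); in the `aws-us-gov` or `aws-cn` partitions those selections would silently match nothing, so either use `arn:*:` throughout or state in a comment that the module supports the `aws` partition only. The `# this version can't handle space` comment would be clearer as `# Storage Gateway omitted: its key contains a space, which the vault and plan names derived from these keys cannot carry`. The `aws_backup_vault` resource continues past the end of the hunk.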
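Review bot: `lookup(local.backup-config, replace(each.value.name, "BackupPlan-", ""))` has no default, so a plan whose name does not strip back to one of the keys fails the plan with a generic lookup error, and some Terraform releases flag two-argument `lookup` as deprecated — worth checking on the pinned version; the index form `local.backup-config[replace(each.value.name, "BackupPlan-", "")].arn-prefix` reads more directly and fails on the same condition with a clearer message. Recovering the service name by string-stripping the plan's name couples this resource to the naming in `aws_backup_plan.ab-plan`, which is outside the hunk; if that resource is keyed by service name like the vault, `each.key` would remove the string surgery entirely. A comment above `for_each` such as `# one selection per plan; the plan's key/name maps back to a local.backup-config entry` would make that coupling visible to the next reader.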
@@ -53,10 +53,11 @@ variable "opt-in-rds" {
 description = "Opt in rds backup"
 }
-variable "opt-in-storagegateway" {
- type = bool
- description = "Opt in storage gateway backup"
-}
+# not supported in this version
+# variable "opt-in-storagegateway" {
+# type = bool
+# description = "Opt in storage gateway backup"
+# }
 variable "opt-in-virtualmachine" {
 type = bool
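Review bot: Dropping `opt-in-storagegateway` is a breaking change for every root module that still passes it, because Terraform rejects an argument the module no longer declares, and the commit offers no deprecation path. Keeping the declaration with `default = false` and a description such as `"Opt in storage gateway backup (currently ignored: the key contains a space the module cannot handle)"` lets callers upgrade without edits, and the commented-out block can then go — git history already preserves it. The `# not supported in this version` comment should also say which version (of the module, the provider, or Terraform) it refers to.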