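# Per-region opt-in of resource types for AWS Backup. Every key whose
# variable is true gets its own vault, plan and selection below, so the
# key names here must match the keys of local.service-map exactly.
resource "aws_backup_region_settings" "ab-settings" {
  resource_type_opt_in_preference = {
    "Aurora"          = var.opt-in-aurora # not available in all regions
    "DocumentDB"      = var.opt-in-documentdb
    "DynamoDB"        = var.opt-in-dynamodb
    "EBS"             = var.opt-in-ebs
    "EC2"             = var.opt-in-ec2
    "EFS"             = var.opt-in-efs
    "FSx"             = var.opt-in-fsx
    "Redshift"        = var.opt-in-redshift
    "RDS"             = var.opt-in-rds
    "Storage Gateway" = var.opt-in-storagegateway
    "VirtualMachine"  = var.opt-in-virtualmachine
    "S3"              = var.opt-in-s3
  }
}

# One vault per opted-in resource type. each.value is the opt-in key
# ("EC2", "Storage Gateway", ...). Backup vault names only allow
# [a-zA-Z0-9_-], so the space in "Storage Gateway" is stripped here and in
# every resource name derived from the key; all other names are unchanged.
resource "aws_backup_vault" "ab-vault" {
  for_each = toset([
    for k, v in aws_backup_region_settings.ab-settings.resource_type_opt_in_preference : k if v
  ])

  name        = "BackupVault-${replace(each.value, " ", "")}"
  kms_key_arn = aws_kms_key.ab-kms-key.arn # CMK declared elsewhere in this module
}

# Resource-based policy on each vault. The principal is the account itself
# (account root), so every IAM principal in this account whose identity
# policy allows these actions can manage the vault, including deleting it
# and its access policy. Tighten the principal (or add an explicit Deny on
# the Delete* actions) if the vault must survive a compromised principal.
resource "aws_backup_vault_policy" "ab-vault-policy" {
  for_each = aws_backup_vault.ab-vault

  backup_vault_name = each.value.name
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Id" : "default",
      "Statement" : [
        {
          "Sid" : "default",
          "Effect" : "Allow",
          "Principal" : {
            "AWS" : data.aws_caller_identity.this.account_id
          },
          "Action" : [
            "backup:DescribeBackupVault",
            "backup:DeleteBackupVault",
            "backup:PutBackupVaultAccessPolicy",
            "backup:DeleteBackupVaultAccessPolicy",
            "backup:GetBackupVaultAccessPolicy",
            "backup:StartBackupJob",
            "backup:GetBackupVaultNotifications",
            "backup:PutBackupVaultNotifications"
          ],
          "Resource" : each.value.arn
        }
      ]
  })
}

# One plan per vault with a single scheduled rule. each.key is the opt-in
# key the vault was created for (the for_each map is keyed by it), so the
# plan name is derived from the key directly instead of parsing it back
# out of the vault name.
resource "aws_backup_plan" "ab-plan" {
  for_each = aws_backup_vault.ab-vault

  name = "BackupPlan-${replace(each.key, " ", "")}"

  rule {
    rule_name         = var.backup-plan-name
    target_vault_name = each.value.name
    schedule          = var.backup-rule-cron
    start_window      = 60  # minutes the job may wait before it must start
    completion_window = 240 # minutes the job may run before it is cancelled

    lifecycle {
      delete_after = var.backup-plan-retention # days a recovery point is kept
    }

    recovery_point_tags = {
      "CreatedBy"     = "AWSBackup"
      "AWSBackupPlan" = "BackupPlan-${replace(each.key, " ", "")}"
    }
  }

  # Application-consistent (VSS) snapshots for Windows EC2 instances are
  # intentionally left disabled; enable if the workload needs them.
  # advanced_backup_setting {
  #   backup_options = {
  #     WindowsVSS = "enabled"
  #   }
  #   resource_type = "EC2"
  # }
}

# Service role assumed by AWS Backup to read the selected resources. The
# trust policy only admits the backup service principal; it carries no
# aws:SourceAccount / aws:SourceArn condition, so confused-deputy hardening
# is left to the reviewer if the account policy requires it.
resource "aws_iam_role" "ab-iam-role" {
  name = "AwsBackupRole"
  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Action" : ["sts:AssumeRole"],
          # IAM requires the exact capitalised value "Allow"; a lowercase
          # "allow" is rejected as a malformed policy document.
          "Effect" : "Allow",
          "Principal" : {
            "Service" : ["backup.amazonaws.com"]
          }
        }
      ]
  })
}

# Managed policy covering backup (not restore) of the supported services.
# NOTE(review): S3 backups require an additional S3-specific service policy
# on this role - confirm against the AWS Backup documentation before
# enabling var.opt-in-s3.
resource "aws_iam_role_policy_attachment" "ab-iam-role-policy" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
  role       = aws_iam_role.ab-iam-role.name
}

# Resource ARN pattern selected for each opt-in key. Every key of
# resource_type_opt_in_preference must appear here, otherwise the lookup in
# the selection below fails at plan time as soon as that type is opted in
# (DocumentDB was previously missing). Aurora and DocumentDB clusters share
# the rds cluster ARN form, so either selection matches both.
locals {
  service-map = {
    "EC2"             = "arn:aws:ec2:*:*:instance/*"
    "RDS"             = "arn:aws:rds:*:*:db:*"
    "S3"              = "arn:aws:s3:::*"
    "EBS"             = "arn:aws:ec2:*:*:volume/*"
    "DynamoDB"        = "arn:aws:dynamodb:*:*:table/*"
    "EFS"             = "arn:aws:elasticfilesystem:*:*:file-system/*"
    "FSx"             = "arn:*:fsx:*"
    "Redshift"        = "arn:aws:redshift:*:*:cluster:*"
    "Storage Gateway" = "arn:aws:storagegateway:*:*:gateway/*"
    "VirtualMachine"  = "arn:aws:backup-gateway:*:*:vm/*"
    "Aurora"          = "arn:aws:rds:*:*:cluster:*"
    "DocumentDB"      = "arn:aws:rds:*:*:cluster:*"
  }
}

# One selection per plan, wildcarding every resource of that service type.
# each.key is the opt-in key (propagated through the vault and plan maps),
# so it indexes local.service-map directly; the lookup has no default on
# purpose so that an unmapped type fails at plan time rather than creating
# an empty selection.
resource "aws_backup_selection" "ab-selection-by-service-type" {
  for_each = aws_backup_plan.ab-plan

  iam_role_arn = aws_iam_role.ab-iam-role.arn
  name         = "SelectionByServiceType"
  plan_id      = each.value.id
  resources    = [lookup(local.service-map, each.key)]
}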