# Backup vault that every rule in the plan below targets.
# kms_key_arn selects the key that encrypts recovery points; the provider
# treats it as force-new, so changing it later replaces the vault (and its
# recovery points) — confirm against the provider version in use before relying
# on that, and choose the key before the first apply.
resource "aws_backup_vault" "backup_vault" {
  name        = format("%s-vault", var.name)
  kms_key_arn = var.vault_kms_key_arn

  tags = {
    Name = format("%s-vault", var.name)
  }
}
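# Resource policy attached to the vault (who may copy into it, restore from it
# or delete recovery points). Created only when the caller supplies a policy.
resource "aws_backup_vault_policy" "backup_vault" {
  # `null != ""` evaluates to true in Terraform, so a null var.vault_policy
  # would create the resource with policy = null and fail because policy is a
  # required argument. Guard against both "unset" spellings.
  count = var.vault_policy != null && var.vault_policy != "" ? 1 : 0

  backup_vault_name = aws_backup_vault.backup_vault.name
  # Applied verbatim; the caller owns the JSON document and its principals.
  policy = var.vault_policy
}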
# Vault Lock: once in place, recovery points cannot be deleted before
# min_retention_days have elapsed. Without changeable_for_days the lock is in
# governance mode (a sufficiently privileged principal can still remove it);
# with changeable_for_days set, the lock switches to compliance mode after that
# many days and can no longer be altered or removed by anyone, including the
# account root. Treat setting it as a one-way decision.
resource "aws_backup_vault_lock_configuration" "backup_vault_lock" {
  # Only created when a minimum retention was requested; try() keeps an
  # undeclared variable from breaking the plan.
  count = try(var.min_retention_days, null) != null ? 1 : 0

  backup_vault_name   = aws_backup_vault.backup_vault.name
  min_retention_days  = var.min_retention_days
  max_retention_days  = var.max_retention_days
  changeable_for_days = var.changeable_for_days
}
# AWS Backup plan
resource "aws_backup_plan" "backup_plan" {
  # The plan — and, through their plan_id references, every selection below —
  # exists only when var.enabled is true.
  count = var.enabled ? 1 : 0
  name  = var.name

  # One rule block per entry in var.rules; every rule writes to the vault above.
  dynamic "rule" {
    for_each = var.rules
    content {
      rule_name         = rule.value.rule_name
      target_vault_name = aws_backup_vault.backup_vault.name
      # Optional per-rule settings; try() yields null (provider default) when
      # the key is absent from the rule object.
      schedule                 = try(rule.value.schedule, null)
      start_window             = try(rule.value.start_window, null)
      completion_window        = try(rule.value.completion_window, null)
      enable_continuous_backup = try(rule.value.enable_continuous_backup, null)

      # Lifecycle: emitted only when the rule carries a non-null lifecycle object.
      dynamic "lifecycle" {
        for_each = try(rule.value.lifecycle != null ? [rule.value.lifecycle] : [], [])
        content {
          # Continuous (point-in-time) backups cannot transition to cold storage,
          # so the transition is suppressed for them; otherwise default to 7 days.
          # NOTE(review): AWS requires delete_after to be at least 90 days after
          # cold_storage_after; the defaults 7 and 35 applied together (a lifecycle
          # object that sets neither) would violate that — confirm and adjust.
          cold_storage_after = try(rule.value.enable_continuous_backup, false) ? null : try(lifecycle.value.cold_storage_after, 7)
          delete_after       = try(lifecycle.value.delete_after, 35)
        }
      }

      # Copy action: one block per entry in the rule's copy_actions list.
      dynamic "copy_action" {
        for_each = try(rule.value.copy_actions, [])
        content {
          # Falls back to this module's own vault when no destination is given.
          # A copy into a vault in a separate account/region is what gives
          # resilience against loss of this account; that is the caller's choice.
          destination_vault_arn = lookup(copy_action.value, "destination_vault_arn", aws_backup_vault.backup_vault.arn)

          # Copy-action lifecycle: same shape and defaults as the rule lifecycle.
          dynamic "lifecycle" {
            for_each = try(copy_action.value.lifecycle != null ? [copy_action.value.lifecycle] : [], [])
            content {
              # Same continuous-backup exception and cold_storage/delete_after
              # defaults as above; the 90-day spacing note applies here too.
              cold_storage_after = try(rule.value.enable_continuous_backup, false) ? null : try(lifecycle.value.cold_storage_after, 7)
              delete_after       = try(lifecycle.value.delete_after, 35)
            }
          }
        }
      }
    }
  }
}
# AWS Backup selection - tag
# Tag-based selection: protects every supported resource carrying the
# configured tag. Used only when no explicit ARN list was supplied and only in
# workload accounts. Everything referenced here (the plan, the backup role) is
# itself gated on var.enabled.
resource "aws_backup_selection" "tag" {
  count = var.enabled && length(var.selection_resources) == 0 && var.account_type == local.account_type.workload ? 1 : 0

  name    = format("%s-backup-tag", var.name)
  plan_id = aws_backup_plan.backup_plan[0].id
  # Role AWS Backup assumes to read and snapshot the selected resources;
  # defined elsewhere in this module.
  iam_role_arn = aws_iam_role.backup_role[0].arn

  selection_tag {
    type  = var.selection_tag_type
    key   = var.selection_tag_key
    value = var.selection_tag_value
  }

  # No additional condition filters; the selection_tag alone decides membership.
  condition {}
}
# AWS Backup selection - resources arn
resource "aws_backup_selection" "resources" {
  # One selection per ARN in var.selection_resources, only in workload accounts.
  # NOTE(review): every one of these selections still lists the whole
  # var.selection_resources set (see `resources` below), so N selections each
  # cover all N ARNs — confirm whether [var.selection_resources[count.index]]
  # was intended.
  count = var.enabled ? length(var.selection_resources) > 0 && var.account_type == local.account_type.workload ? length(var.selection_resources) : 0 : 0
  # Name = "<service>-<segment>-<index>", where <service> is field 2 of the ARN.
  # NOTE(review): the second segment is picked with element(list, length(<ARN
  # string>)). length() of a string is its character count, not the number of
  # ':' fields, and element() wraps modulo the list length, so which ARN field
  # lands in the name depends on the ARN's character count. When the wrap lands
  # on the resource-id field the segment can contain '/', which the selection
  # name validation is likely to reject. A deterministic, sanitised segment
  # (last field, with characters outside [A-Za-z0-9._-] replaced) would be
  # safer, but changing `name` forces replacement of existing selections, so
  # this is left for a deliberate change.
  name         = "${element(split(":", var.selection_resources[count.index]), 2)}-${element(split(":", var.selection_resources[count.index]), length(var.selection_resources[count.index]))}-${count.index}"
  iam_role_arn = aws_iam_role.backup_role[0].arn
  plan_id      = aws_backup_plan.backup_plan[0].id
  resources    = var.selection_resources
}
# AWS Backup vault notification
# Vault event notifications to SNS. This is a detection control: events such
# as BACKUP_JOB_FAILED or RESTORE_JOB_STARTED surface failed backups and
# unexpected restores, so the topic should be routed to whoever watches for
# that. The topic and its policy are supplied by the caller, not created here.
resource "aws_backup_vault_notifications" "default" {
  # Off unless explicitly enabled; try() tolerates an undeclared variable.
  count = try(var.enable_aws_backup_vault_notifications, false) ? 1 : 0

  backup_vault_name   = aws_backup_vault.backup_vault.name
  backup_vault_events = var.backup_vault_events
  sns_topic_arn       = var.vault_notification_sns_topic_arn
}