diff --git a/modules/storage/aws-backup/README.md b/modules/storage/aws-backup/README.md
index acaa895..692722c 100644
--- a/modules/storage/aws-backup/README.md
+++ b/modules/storage/aws-backup/README.md
@@ -24,19 +24,19 @@ No modules.
| [aws_backup_vault_policy.ab-vault-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
| [aws_iam_role.ab-iam-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.ab-iam-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_kms_alias.ab-kms-key-alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
-| [aws_kms_key.ab-kms-key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| backup\_kms\_key | KMS key arn for AWS Backup | `string` | `null` | no |
| daily-backup-cron | Daily backup rule cron expression | `string` | n/a | yes |
| daily-backup-retention | Daily backup retention period | `number` | n/a | yes |
-| monthly-backup-cron | Monthly backup rule cron expression | `string` | n/a | yes |
-| monthly-backup-retention | Monthly backup retention period | `number` | n/a | yes |
-| service-opt-in | n/a |
map(object({
enabled = bool
})) | {
"Aurora": {
"enabled": false
},
"DynamoDB": {
"enabled": true
},
"EBS": {
"enabled": false
},
"EC2": {
"enabled": true
},
"EFS": {
"enabled": true
},
"FSx": {
"enabled": false
},
"RDS": {
"enabled": true
},
"Redshift": {
"enabled": true
},
"S3": {
"enabled": false
},
"VirtualMachine": {
"enabled": false
}
} | no |
+| enable-monthly-backup | Enable monthly backup plan | `bool` | `false` | no |
+| monthly-backup-cron | Monthly backup rule cron expression | `string` | `null` | no |
+| monthly-backup-retention | Monthly backup retention period | `number` | `null` | no |
+| service-opt-in | n/a | map(object({
enabled = bool
})) | {
"Aurora": {
"enabled": false
},
"DynamoDB": {
"enabled": true
},
"EBS": {
"enabled": false
},
"EC2": {
"enabled": true
},
"EFS": {
"enabled": true
},
"FSx": {
"enabled": false
},
"RDS": {
"enabled": true
},
"Redshift": {
"enabled": true
},
"S3": {
"enabled": false
},
"VirtualMachine": {
"enabled": false
}
} | no |
## Outputs
diff --git a/modules/storage/aws-backup/kms-key.tf b/modules/storage/aws-backup/kms-key.tf
deleted file mode 100644
index 5c07c4e..0000000
--- a/modules/storage/aws-backup/kms-key.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-data "aws_caller_identity" "this" {}
-
-resource "aws_kms_key" "ab-kms-key" {
- description = "KMS key for aws backup"
- deletion_window_in_days = 10
- policy = jsonencode(
- {
- "Version" : "2012-10-17",
- "Id" : "awsbackup-service",
- "Statement" : [
- {
- "Sid" : "Enable IAM User Permissions",
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "arn:aws:iam::${data.aws_caller_identity.this.id}:root"
- },
- "Action" : "kms:*",
- "Resource" : "*"
- },
- {
- "Sid" : "Allow attachment of persistent resources",
- "Effect" : "Allow",
- "Principal" : "*",
- "Action" : [
- "kms:CreateGrant",
- "kms:ListGrants",
- "kms:RevokeGrant"
- ],
- "Resource" : "*",
- "Condition" : {
- "Bool" : {
- "kms:GrantIsForAWSResource" : "true"
- }
- }
- }
- ]
- })
-}
-
-resource "aws_kms_alias" "ab-kms-key-alias" {
- name = "alias/awsbackup-kms-key"
- target_key_id = aws_kms_key.ab-kms-key.id
-}
diff --git a/modules/storage/aws-backup/main.tf b/modules/storage/aws-backup/main.tf
index 95d923e..58032a6 100644
--- a/modules/storage/aws-backup/main.tf
+++ b/modules/storage/aws-backup/main.tf
@@ -1,5 +1,7 @@
# build local data structure
+data "aws_caller_identity" "this" {}
+
locals {
backup-config = {
"Aurora" : {
@@ -62,7 +64,7 @@ resource "aws_backup_vault" "ab-vault" {
if v.enabled
])
name = "BackupVault-${each.value}"
- kms_key_arn = aws_kms_key.ab-kms-key.arn
+ kms_key_arn = var.backup_kms_key
}
resource "aws_backup_vault_policy" "ab-vault-policy" {
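Review bot: `kms_key_arn = var.backup_kms_key` leaves the vault with no customer-managed key whenever the caller omits the new variable, because its default is `null`; before this change the module always encrypted the vault with the CMK from the now-deleted kms-key.tf, so existing callers silently lose that key on upgrade. As far as I recall `kms_key_arn` is a replace-on-change attribute of `aws_backup_vault`, and a vault holding recovery points cannot be destroyed, so the upgrade path for existing deployments deserves a sentence in the README or a comment here: `# kms_key_arn forces vault replacement when changed; existing vaults with recovery points must keep their key`. The removed key also carried a policy statement allowing grant creation for AWS resources; a caller-supplied key needs an equivalent key policy or backups into the vault will fail, which the variable description does not mention. The enclosing `aws_backup_vault` resource begins outside the hunk.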
@@ -119,21 +121,24 @@ resource "aws_backup_plan" "ab-plan" {
# monthly backup (when overlap with daily, only monthly backup will be created.
# see https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-backup-plan.html)
- rule {
- rule_name = "Monthly"
- target_vault_name = each.value.name
- schedule = var.monthly-backup-cron
- start_window = 60
- completion_window = 240
+ dynamic "rule" {
+ for_each = var.enable-monthly-backup ? [1] : []
+ content {
+ rule_name = "Monthly"
+ target_vault_name = each.value.name
+ schedule = var.monthly-backup-cron
+ start_window = 60
+ completion_window = 240
- lifecycle {
- delete_after = var.monthly-backup-retention
- cold_storage_after = var.daily-backup-retention # move to cold storage after daily retention, supported on a few services only
- }
+ lifecycle {
+ delete_after = var.monthly-backup-retention
+ cold_storage_after = var.daily-backup-retention # move to cold storage after daily retention, supported on a few services only
+ }
- recovery_point_tags = {
- "CreatedBy" : "AWSBackup"
- "AWSBackupPlan" : "BackupPlan-${replace(each.value.name, "BackupVault-", "")}-Monthly"
+ recovery_point_tags = {
+ "CreatedBy" : "AWSBackup"
+ "AWSBackupPlan" : "BackupPlan-${replace(each.value.name, "BackupVault-", "")}-Monthly"
+ }
}
}
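Review bot: The `dynamic "rule"` guarded by `var.enable-monthly-backup` reads `var.monthly-backup-cron` and `var.monthly-backup-retention`, both of which this commit defaults to `null` in variables.tf, so enabling the monthly plan without setting them produces a rule with no schedule and a lifecycle with no `delete_after` (recovery points kept indefinitely) instead of a plan-time error. A resource-level precondition on `aws_backup_plan` ties the three variables together, if the module's required Terraform version supports it; the resource and its closing brace lie outside the hunk. The precondition belongs at the end of the resource body, after the dynamic block.
```terraform
  # … unchanged: daily rule, dynamic monthly rule …
  lifecycle {
    precondition {
      condition     = !var.enable-monthly-backup || (var.monthly-backup-cron != null && var.monthly-backup-retention != null)
      error_message = "monthly-backup-cron and monthly-backup-retention must be set when enable-monthly-backup is true."
    }
  }
```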
@@ -163,7 +168,13 @@ resource "aws_iam_role" "ab-iam-role" {
}
resource "aws_iam_role_policy_attachment" "ab-iam-role-policy" {
- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
+ for_each = toset([
+ "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
+ "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores",
+ "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup",
+ "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore"
+ ])
+ policy_arn = each.value
role = aws_iam_role.ab-iam-role.name
}
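Review bot: The new `for_each` attaches `AWSBackupServiceRolePolicyForS3Backup` and `AWSBackupServiceRolePolicyForS3Restore` to the role unconditionally, while `service-opt-in` defaults S3 to `enabled = false`, so every deployment's backup role gains S3 read and write permissions it does not use; gating the two S3 policies on the opt-in flag keeps the role to what the selected services need. Converting the single attachment into a `for_each` also changes its state address, so the plan will destroy and recreate the Backup policy attachment unless a `moved` block maps `aws_iam_role_policy_attachment.ab-iam-role-policy` to the `["…ForBackup"]` instance; the reviewer infers this from the address change and it should be confirmed against a plan.
```terraform
resource "aws_iam_role_policy_attachment" "ab-iam-role-policy" {
  # S3 policies are attached only when the S3 service is opted in
  for_each = toset(concat(
    [
      "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
      "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores",
    ],
    try(var.service-opt-in["S3"].enabled, false) ? [
      "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup",
      "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore",
    ] : []
  ))
  policy_arn = each.value
  # … unchanged: role …
}
```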
diff --git a/modules/storage/aws-backup/variables.tf b/modules/storage/aws-backup/variables.tf
index 22fa4a2..eff7d2b 100644
--- a/modules/storage/aws-backup/variables.tf
+++ b/modules/storage/aws-backup/variables.tf
@@ -6,6 +6,7 @@ variable "daily-backup-cron" {
variable "monthly-backup-cron" {
type = string
description = "Monthly backup rule cron expression"
+ default = null
}
variable "daily-backup-retention" {
@@ -16,6 +17,7 @@ variable "daily-backup-retention" {
variable "monthly-backup-retention" {
type = number
description = "Monthly backup retention period"
+ default = null
}
variable "service-opt-in" {
@@ -54,4 +56,16 @@ variable "service-opt-in" {
enabled = false
}
}
+}
+
+variable "backup_kms_key" {
+ description = "KMS key arn for AWS Backup"
+ type = string
+ default = null
+}
+
+variable "enable-monthly-backup" {
+ description = "Enable monthly backup plan"
+ type = bool
+ default = false
}
\ No newline at end of file
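Review bot: `backup_kms_key` is the only underscore-separated name in this file; every other input (`daily-backup-cron`, `enable-monthly-backup`, `service-opt-in`) is hyphenated, so callers now mix two conventions, and renaming it to `backup-kms-key` before the interface is relied on avoids a breaking rename later. The description `KMS key arn for AWS Backup` should say what `null` selects, since the vault attribute is simply left unset in that case. The attribute it feeds expects an ARN, so a validation block catches key IDs or aliases early: `validation { condition = var.backup_kms_key == null || can(regex("^arn:aws[a-z-]*:kms:", var.backup_kms_key)) error_message = "backup_kms_key must be a KMS key ARN." }`.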