From c8443b3b6b36f10b37d2462019162fe4ffc3d41dd051c644d1c176d61a639500 Mon Sep 17 00:00:00 2001
From: xpk
Date: Fri, 6 Mar 2026 17:50:33 +0800
Subject: [PATCH] fix: updated aws-backup layer to correct role permission and making monthly backup optional
---
 modules/storage/aws-backup/README.md | 10 +++---
 modules/storage/aws-backup/kms-key.tf | 43 -------------------------
 modules/storage/aws-backup/main.tf | 41 ++++++++++++++---------
 modules/storage/aws-backup/variables.tf | 14 ++++++++
 4 files changed, 45 insertions(+), 63 deletions(-)
 delete mode 100644 modules/storage/aws-backup/kms-key.tf
diff --git a/modules/storage/aws-backup/README.md b/modules/storage/aws-backup/README.md
index acaa895..692722c 100644
--- a/modules/storage/aws-backup/README.md
+++ b/modules/storage/aws-backup/README.md
@@ -24,19 +24,19 @@ No modules. | [aws_backup_vault_policy.ab-vault-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource | | [aws_iam_role.ab-iam-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.ab-iam-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_kms_alias.ab-kms-key-alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| [aws_kms_key.ab-kms-key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| backup\_kms\_key | KMS key arn for AWS Backup | `string` | `null` | no | | daily-backup-cron | Daily backup rule cron expression | `string` | n/a | yes | | daily-backup-retention | Daily backup retention period | `number` | n/a | yes | -| monthly-backup-cron | Monthly backup rule cron expression | `string` | n/a | yes | -| monthly-backup-retention | Monthly backup retention period | `number` | n/a | yes | -| service-opt-in | n/a |
map(object({
enabled = bool
}))
|
{
"Aurora": {
"enabled": false
},
"DynamoDB": {
"enabled": true
},
"EBS": {
"enabled": false
},
"EC2": {
"enabled": true
},
"EFS": {
"enabled": true
},
"FSx": {
"enabled": false
},
"RDS": {
"enabled": true
},
"Redshift": {
"enabled": true
},
"S3": {
"enabled": false
},
"VirtualMachine": {
"enabled": false
}
}
| no | +| enable-monthly-backup | Enable monthly backup plan | `bool` | `false` | no | +| monthly-backup-cron | Monthly backup rule cron expression | `string` | `null` | no | +| monthly-backup-retention | Monthly backup retention period | `number` | `null` | no | +| service-opt-in | n/a |
map(object({
enabled = bool
}))
|
{
"Aurora": {
"enabled": false
},
"DynamoDB": {
"enabled": true
},
"EBS": {
"enabled": false
},
"EC2": {
"enabled": true
},
"EFS": {
"enabled": true
},
"FSx": {
"enabled": false
},
"RDS": {
"enabled": true
},
"Redshift": {
"enabled": true
},
"S3": {
"enabled": false
},
"VirtualMachine": {
"enabled": false
}
}
| no |
 ## Outputs
diff --git a/modules/storage/aws-backup/kms-key.tf b/modules/storage/aws-backup/kms-key.tf
deleted file mode 100644
index 5c07c4e..0000000
--- a/modules/storage/aws-backup/kms-key.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-data "aws_caller_identity" "this" {}
-
-resource "aws_kms_key" "ab-kms-key" {
- description = "KMS key for aws backup"
- deletion_window_in_days = 10
- policy = jsonencode(
- {
- "Version" : "2012-10-17",
- "Id" : "awsbackup-service",
- "Statement" : [
- {
- "Sid" : "Enable IAM User Permissions",
- "Effect" : "Allow",
- "Principal" : {
- "AWS" : "arn:aws:iam::${data.aws_caller_identity.this.id}:root"
- },
- "Action" : "kms:*",
- "Resource" : "*"
- },
- {
- "Sid" : "Allow attachment of persistent resources",
- "Effect" : "Allow",
- "Principal" : "*",
- "Action" : [
- "kms:CreateGrant",
- "kms:ListGrants",
- "kms:RevokeGrant"
- ],
- "Resource" : "*",
- "Condition" : {
- "Bool" : {
- "kms:GrantIsForAWSResource" : "true"
- }
- }
- }
- ]
- })
-}
-
-resource "aws_kms_alias" "ab-kms-key-alias" {
- name = "alias/awsbackup-kms-key"
- target_key_id = aws_kms_key.ab-kms-key.id
-}
diff --git a/modules/storage/aws-backup/main.tf b/modules/storage/aws-backup/main.tf
index 95d923e..58032a6 100644
--- a/modules/storage/aws-backup/main.tf
+++ b/modules/storage/aws-backup/main.tf
@@ -1,5 +1,7 @@
 # build local data structure
+data "aws_caller_identity" "this" {}
+
 locals {
 backup-config = {
 "Aurora" : {
@@ -62,7 +64,7 @@ resource "aws_backup_vault" "ab-vault" {
 if v.enabled
 ])
 name = "BackupVault-${each.value}"
- kms_key_arn = aws_kms_key.ab-kms-key.arn
+ kms_key_arn = var.backup_kms_key
 }
 resource "aws_backup_vault_policy" "ab-vault-policy" {
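Review bot: `data "aws_caller_identity" "this"` is carried over into main.tf, but the only consumer visible in this patch was the key policy in the deleted kms-key.tf, so unless `aws_backup_vault_policy.ab-vault-policy` or another resource outside these hunks still references it, the data source is now dead. If nothing uses it, drop the block and the matching data-source row in the README table instead of keeping an unexplained lookup; if something does, a one-line comment naming that consumer, e.g. `# account id is used by the vault policy below`, would save the next reader the search.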
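Review bot: The `kms_key_arn = var.backup_kms_key` line combined with the variable's `default = null` (variables.tf hunk) silently downgrades the vault from the module-managed customer key to whatever the service uses when no key is given, and nothing in the module records that the encryption posture changed. Applying this patch also removes `aws_kms_key.ab-kms-key` from state, which schedules the key for deletion after its 10-day window while recovery points already written under it still depend on it; and as far as I recall `kms_key_arn` is a replace-on-change attribute on `aws_backup_vault`, so existing vaults holding recovery points would fail to be destroyed. The safer shape is to keep the key out of Terraform's destroy path (a `removed` block or a prior `terraform state rm`), make `backup_kms_key` required or document the fallback, and note on this line what a caller-supplied key must allow, e.g. `# key policy must let AWS resources call kms:CreateGrant (kms:GrantIsForAWSResource), as the removed module key did`.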
@@ -119,21 +121,24 @@ resource "aws_backup_plan" "ab-plan" {
 # monthly backup (when overlap with daily, only monthly backup will be created.
 # see https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-backup-plan.html)
- rule {
- rule_name = "Monthly"
- target_vault_name = each.value.name
- schedule = var.monthly-backup-cron
- start_window = 60
- completion_window = 240
+ dynamic "rule" {
+ for_each = var.enable-monthly-backup ? [1] : []
+ content {
+ rule_name = "Monthly"
+ target_vault_name = each.value.name
+ schedule = var.monthly-backup-cron
+ start_window = 60
+ completion_window = 240
- lifecycle {
- delete_after = var.monthly-backup-retention
- cold_storage_after = var.daily-backup-retention # move to cold storage after daily retention, supported on a few services only
- }
+ lifecycle {
+ delete_after = var.monthly-backup-retention
+ cold_storage_after = var.daily-backup-retention # move to cold storage after daily retention, supported on a few services only
+ }
- recovery_point_tags = {
- "CreatedBy" : "AWSBackup"
- "AWSBackupPlan" : "BackupPlan-${replace(each.value.name, "BackupVault-", "")}-Monthly"
+ recovery_point_tags = {
+ "CreatedBy" : "AWSBackup"
+ "AWSBackupPlan" : "BackupPlan-${replace(each.value.name, "BackupVault-", "")}-Monthly"
+ }
 }
 }
@@ -163,7 +168,13 @@ resource "aws_iam_role" "ab-iam-role" {
 }
 resource "aws_iam_role_policy_attachment" "ab-iam-role-policy" {
- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
+ for_each = toset([
+ "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
+ "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores",
+ "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup",
+ "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore"
+ ])
+ policy_arn = each.value
 role = aws_iam_role.ab-iam-role.name
 }
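Review bot: The new `dynamic "rule"` is gated only on `var.enable-monthly-backup`, while `monthly-backup-cron` and `monthly-backup-retention` now default to `null` (variables.tf hunk), so a caller that enables the monthly plan without setting both gets a rule with a null `schedule`/`delete_after` and a provider error at plan or apply instead of a message naming the missing input. A resource-level `lifecycle { precondition { ... } }` on `aws_backup_plan.ab-plan` with `condition = !var.enable-monthly-backup || (var.monthly-backup-cron != null && var.monthly-backup-retention != null)` and an `error_message` pointing at the two variables would fail early and clearly. The `aws_backup_plan` resource opens before this hunk, so the meta `lifecycle` block would sit outside the lines shown; a short comment above the dynamic block, e.g. `# monthly rule is emitted only when enable-monthly-backup is true; cron and retention are then mandatory`, would also help.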
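Review bot: Switching `aws_iam_role_policy_attachment.ab-iam-role-policy` to `for_each` changes its state address from the bare name to `ab-iam-role-policy["<arn>"]`, so the existing Backup attachment is destroyed and recreated on the next apply unless a `moved` block maps the old address to the new key. The set also attaches the generic restore policy and both S3 policies unconditionally even though `S3` is opted out by default in `service-opt-in`; if the role is meant to follow the opt-in map, the two S3 entries could be included only when `var.service-opt-in["S3"].enabled` is true, which keeps the role at the permissions the selected services actually need. A comment on the `for_each` line stating why each managed policy is attached would make the intended scope reviewable.

```hcl
moved {
  from = aws_iam_role_policy_attachment.ab-iam-role-policy
  to   = aws_iam_role_policy_attachment.ab-iam-role-policy["arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"]
}
```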
diff --git a/modules/storage/aws-backup/variables.tf b/modules/storage/aws-backup/variables.tf
index 22fa4a2..eff7d2b 100644
--- a/modules/storage/aws-backup/variables.tf
+++ b/modules/storage/aws-backup/variables.tf
@@ -6,6 +6,7 @@ variable "daily-backup-cron" {
 variable "monthly-backup-cron" {
 type = string
 description = "Monthly backup rule cron expression"
+ default = null
 }
 variable "daily-backup-retention" {
@@ -16,6 +17,7 @@ variable "daily-backup-retention" {
 variable "monthly-backup-retention" {
 type = number
 description = "Monthly backup retention period"
+ default = null
 }
 variable "service-opt-in" {
@@ -54,4 +56,16 @@ variable "service-opt-in" {
 enabled = false
 }
 }
+}
+
+variable "backup_kms_key" {
+ description = "KMS key arn for AWS Backup"
+ type = string
+ default = null
+}
+
+variable "enable-monthly-backup" {
+ description = "Enable monthly backup plan"
+ type = bool
+ default = false
 }
\ No newline at end of file
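Review bot: `backup_kms_key` is the only snake_case input in a module whose other variables use kebab-case (`enable-monthly-backup` added in the same hunk, `monthly-backup-cron`, `service-opt-in`), and once callers depend on the name it cannot be corrected without a breaking rename, so settle on one convention now. Its description also leaves the `null` default unexplained; since the module previously created its own customer-managed key, the description should say what happens without one, e.g. `description = "ARN of the KMS key used to encrypt the backup vaults; null leaves the vault on the AWS Backup default key"`, and the README row generated from it will then carry the same statement. The file still ends without a trailing newline after the new `enable-monthly-backup` block; adding one avoids the `\ No newline at end of file` churn on every future edit.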