
fix: updated aws-backup layer to correct role permission and making monthly backup optional

This commit is contained in:
xpk
2026-03-06 17:50:33 +08:00
parent f3573b320d
commit c8443b3b6b
4 changed files with 45 additions and 63 deletions
+26 -15
@@ -1,5 +1,7 @@
# build local data structure
data "aws_caller_identity" "this" {}
locals {
backup-config = {
"Aurora" : {
@@ -62,7 +64,7 @@ resource "aws_backup_vault" "ab-vault" {
if v.enabled
])
name = "BackupVault-${each.value}"
kms_key_arn = aws_kms_key.ab-kms-key.arn
kms_key_arn = var.backup_kms_key
}
resource "aws_backup_vault_policy" "ab-vault-policy" {
@@ -119,21 +121,24 @@ resource "aws_backup_plan" "ab-plan" {
# monthly backup (when overlap with daily, only monthly backup will be created.
# see https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-backup-plan.html)
rule {
rule_name = "Monthly"
target_vault_name = each.value.name
schedule = var.monthly-backup-cron
start_window = 60
completion_window = 240
dynamic "rule" {
for_each = var.enable-monthly-backup ? [1] : []
content {
rule_name = "Monthly"
target_vault_name = each.value.name
schedule = var.monthly-backup-cron
start_window = 60
completion_window = 240
lifecycle {
delete_after = var.monthly-backup-retention
cold_storage_after = var.daily-backup-retention # move to cold storage after daily retention, supported on a few services only
}
lifecycle {
delete_after = var.monthly-backup-retention
cold_storage_after = var.daily-backup-retention # move to cold storage after daily retention, supported on a few services only
}
recovery_point_tags = {
"CreatedBy" : "AWSBackup"
"AWSBackupPlan" : "BackupPlan-${replace(each.value.name, "BackupVault-", "")}-Monthly"
recovery_point_tags = {
"CreatedBy" : "AWSBackup"
"AWSBackupPlan" : "BackupPlan-${replace(each.value.name, "BackupVault-", "")}-Monthly"
}
}
}
@@ -163,7 +168,13 @@ resource "aws_iam_role" "ab-iam-role" {
}
resource "aws_iam_role_policy_attachment" "ab-iam-role-policy" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
for_each = toset([
"arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
"arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores",
"arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup",
"arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore"
])
policy_arn = each.value
role = aws_iam_role.ab-iam-role.name
}
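Review bot: Switching `aws_iam_role_policy_attachment.ab-iam-role-policy` from a single instance to `for_each` changes its resource address, so the plan will destroy the existing attachment of `AWSBackupServiceRolePolicyForBackup` and recreate it as a keyed instance; any backup job that starts during that apply would run against a role with no policy attached. A `moved` block keeps the existing attachment in state instead of replacing it (Terraform 1.1+). Separately, the role now carries the Restores and S3Restore managed policies as well as the backup ones; if restores are not expected to run through this role, a dedicated restore role would keep the backup role closer to least privilege — I cannot tell from this hunk whether that is intended. The enclosing `aws_iam_role` definition starts before this hunk.
```hcl
# Preserve the existing attachment across the single-instance -> for_each change.
moved {
  from = aws_iam_role_policy_attachment.ab-iam-role-policy
  to   = aws_iam_role_policy_attachment.ab-iam-role-policy["arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"]
}
# … unchanged: aws_iam_role_policy_attachment "ab-iam-role-policy" with for_each …
```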