fix: updated aws-backup layer to correct role permission and making monthly backup optional

modules/storage/aws-backup/README.md

@@ -24,19 +24,19 @@ No modules.
 | [aws_backup_vault_policy.ab-vault-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
 | [aws_iam_role.ab-iam-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.ab-iam-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_kms_alias.ab-kms-key-alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
-| [aws_kms_key.ab-kms-key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| backup\_kms\_key | KMS key arn for AWS Backup | `string` | `null` | no |
 | daily-backup-cron | Daily backup rule cron expression | `string` | n/a | yes |
 | daily-backup-retention | Daily backup retention period | `number` | n/a | yes |
-| monthly-backup-cron | Monthly backup rule cron expression | `string` | n/a | yes |
+| enable-monthly-backup | Enable monthly backup plan | `bool` | `false` | no |
-| monthly-backup-retention | Monthly backup retention period | `number` | n/a | yes |
+| monthly-backup-cron | Monthly backup rule cron expression | `string` | `null` | no |
-| service-opt-in | n/a | <pre>map(object({<br>    enabled = bool<br>  }))</pre> | <pre>{<br>  "Aurora": {<br>    "enabled": false<br>  },<br>  "DynamoDB": {<br>    "enabled": true<br>  },<br>  "EBS": {<br>    "enabled": false<br>  },<br>  "EC2": {<br>    "enabled": true<br>  },<br>  "EFS": {<br>    "enabled": true<br>  },<br>  "FSx": {<br>    "enabled": false<br>  },<br>  "RDS": {<br>    "enabled": true<br>  },<br>  "Redshift": {<br>    "enabled": true<br>  },<br>  "S3": {<br>    "enabled": false<br>  },<br>  "VirtualMachine": {<br>    "enabled": false<br>  }<br>}</pre> | no |
+| monthly-backup-retention | Monthly backup retention period | `number` | `null` | no |
+| service-opt-in | n/a | <pre>map(object({<br/>    enabled = bool<br/>  }))</pre> | <pre>{<br/>  "Aurora": {<br/>    "enabled": false<br/>  },<br/>  "DynamoDB": {<br/>    "enabled": true<br/>  },<br/>  "EBS": {<br/>    "enabled": false<br/>  },<br/>  "EC2": {<br/>    "enabled": true<br/>  },<br/>  "EFS": {<br/>    "enabled": true<br/>  },<br/>  "FSx": {<br/>    "enabled": false<br/>  },<br/>  "RDS": {<br/>    "enabled": true<br/>  },<br/>  "Redshift": {<br/>    "enabled": true<br/>  },<br/>  "S3": {<br/>    "enabled": false<br/>  },<br/>  "VirtualMachine": {<br/>    "enabled": false<br/>  }<br/>}</pre> | no |
 
 ## Outputs
 

modules/storage/aws-backup/kms-key.tf

@@ -1,43 +0,0 @@
-data "aws_caller_identity" "this" {}
-
-resource "aws_kms_key" "ab-kms-key" {
-  description             = "KMS key for aws backup"
-  deletion_window_in_days = 10
-  policy = jsonencode(
-    {
-      "Version" : "2012-10-17",
-      "Id" : "awsbackup-service",
-      "Statement" : [
-        {
-          "Sid" : "Enable IAM User Permissions",
-          "Effect" : "Allow",
-          "Principal" : {
-            "AWS" : "arn:aws:iam::${data.aws_caller_identity.this.id}:root"
-          },
-          "Action" : "kms:*",
-          "Resource" : "*"
-        },
-        {
-          "Sid" : "Allow attachment of persistent resources",
-          "Effect" : "Allow",
-          "Principal" : "*",
-          "Action" : [
-            "kms:CreateGrant",
-            "kms:ListGrants",
-            "kms:RevokeGrant"
-          ],
-          "Resource" : "*",
-          "Condition" : {
-            "Bool" : {
-              "kms:GrantIsForAWSResource" : "true"
-            }
-          }
-        }
-      ]
-  })
-}
-
-resource "aws_kms_alias" "ab-kms-key-alias" {
-  name          = "alias/awsbackup-kms-key"
-  target_key_id = aws_kms_key.ab-kms-key.id
-}

modules/storage/aws-backup/main.tf

@@ -1,5 +1,7 @@
 # build local data structure
 
+data "aws_caller_identity" "this" {}
+
 locals {
   backup-config = {
     "Aurora" : {
@@ -62,7 +64,7 @@ resource "aws_backup_vault" "ab-vault" {
     if v.enabled
   ])
   name        = "BackupVault-${each.value}"
-  kms_key_arn = aws_kms_key.ab-kms-key.arn
+  kms_key_arn = var.backup_kms_key
 }
 
 resource "aws_backup_vault_policy" "ab-vault-policy" {
@@ -119,21 +121,24 @@ resource "aws_backup_plan" "ab-plan" {
 
   # monthly backup (when overlap with daily, only monthly backup will be created.
   # see https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-backup-plan.html)
-  rule {
+  dynamic "rule" {
-    rule_name         = "Monthly"
+    for_each = var.enable-monthly-backup ? [1] : []
-    target_vault_name = each.value.name
+    content {
-    schedule          = var.monthly-backup-cron
+      rule_name         = "Monthly"
-    start_window      = 60
+      target_vault_name = each.value.name
-    completion_window = 240
+      schedule          = var.monthly-backup-cron
+      start_window      = 60
+      completion_window = 240
 
-    lifecycle {
+      lifecycle {
-      delete_after = var.monthly-backup-retention
+        delete_after       = var.monthly-backup-retention
-      cold_storage_after = var.daily-backup-retention # move to cold storage after daily retention, supported on a few services only
+        cold_storage_after = var.daily-backup-retention # move to cold storage after daily retention, supported on a few services only
-    }
+      }
 
-    recovery_point_tags = {
+      recovery_point_tags = {
-      "CreatedBy" : "AWSBackup"
+        "CreatedBy" : "AWSBackup"
-      "AWSBackupPlan" : "BackupPlan-${replace(each.value.name, "BackupVault-", "")}-Monthly"
+        "AWSBackupPlan" : "BackupPlan-${replace(each.value.name, "BackupVault-", "")}-Monthly"
+      }
     }
   }
 
@@ -163,7 +168,13 @@ resource "aws_iam_role" "ab-iam-role" {
 }
 
 resource "aws_iam_role_policy_attachment" "ab-iam-role-policy" {
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
+  for_each = toset([
+    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
+    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores",
+    "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup",
+    "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore"
+  ])
+  policy_arn = each.value
   role       = aws_iam_role.ab-iam-role.name
 }
 

modules/storage/aws-backup/variables.tf

@@ -6,6 +6,7 @@ variable "daily-backup-cron" {
 variable "monthly-backup-cron" {
   type        = string
   description = "Monthly backup rule cron expression"
+  default     = null
 }
 
 variable "daily-backup-retention" {
@@ -16,6 +17,7 @@ variable "daily-backup-retention" {
 variable "monthly-backup-retention" {
   type        = number
   description = "Monthly backup retention period"
+  default     = null
 }
 
 variable "service-opt-in" {
@@ -55,3 +57,15 @@ variable "service-opt-in" {
     }
   }
 }
+
+variable "backup_kms_key" {
+  description = "KMS key arn for AWS Backup"
+  type        = string
+  default     = null
+}
+
+variable "enable-monthly-backup" {
+  description = "Enable monthly backup plan"
+  type        = bool
+  default     = false
+}