data "aws_caller_identity" "this" {}

resource "aws_backup_vault" "AbVault" {
  for_each    = var.vaults
  name        = each.key
  kms_key_arn = each.value.kms_key_arn
}

resource "aws_backup_vault_policy" "AbPolicy" {
  for_each          = aws_backup_vault.AbVault
  backup_vault_name = each.value
  policy = var.policy != null ? var.policy : jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "DefaultAwsBackupPolicy"
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : data.aws_caller_identity.this.account_id
        },
        "Action" : [
          "backup:*"
        ],
        "Resource" : "*"
      }
    ]
  })
}

resource "aws_backup_plan" "plan" {
  for_each = var.plans
  name     = each.key
  dynamic "rule" {
    for_each = var.plans
    content {
      rule_name         = rule.value.rule.rule_name
      schedule          = rule.value.rule.schedule
      target_vault_name = rule.value.rule.target_vault_name
      dynamic "lifecycle" {
        for_each = rule.value.rule.lifecycle
        content {
          cold_storage_after = lifecycle.value.cold_storage_after
          delete_after       = lifecycle.value.delete_after
        }
      }
    }
  }
}

resource "aws_backup_selection" "AbSelection" {
  for_each     = var.selections
  name         = each.key
  iam_role_arn = each.value.iam_role_arn
  plan_id      = each.value.plan_id

  dynamic "selection_tag" {
    for_each = each.value.selection_tags
    content {
      type  = selection_tag.value.type
      key   = selection_tag.value.key
      value = selection_tag.value.value
    }
  }
}