From c9b3bbe46ad500dc6e31fb404688c9cf499ee883 Mon Sep 17 00:00:00 2001 From: Abdul Wahid Date: Fri, 14 Jul 2023 11:18:03 +0100 Subject: [PATCH] New 'not_resources' feature + version compatibility (#17) * Set minimum provider version to 4.26.0 to allow use of 'force_destroy' * Add new 'not_resources' feature * Lint fixes --- .gitignore | 2 ++ .pre-commit-config.yaml | 4 +-- README.md | 9 +++-- examples/exclusions/README.md | 8 +++++ examples/exclusions/main.tf | 54 +++++++++++++++++++++++++++++ examples/exclusions/outputs.tf | 44 +++++++++++++++++++++++ examples/exclusions/variables.tf | 5 +++ examples/exclusions/versions.tf | 10 ++++++ examples/external-vault/versions.tf | 6 ++-- examples/multiple-dbs/versions.tf | 6 ++-- examples/one-db/versions.tf | 6 ++-- examples/vault/outputs.tf | 2 +- examples/vault/versions.tf | 6 ++-- main.tf | 16 ++++++++- variables.tf | 6 ++++ versions.tf | 4 +-- 16 files changed, 167 insertions(+), 21 deletions(-) create mode 100644 examples/exclusions/README.md create mode 100644 examples/exclusions/main.tf create mode 100644 examples/exclusions/outputs.tf create mode 100644 examples/exclusions/variables.tf create mode 100644 examples/exclusions/versions.tf diff --git a/.gitignore b/.gitignore index 77a4fad..5506e44 100644 --- a/.gitignore +++ b/.gitignore @@ -28,3 +28,5 @@ override.tf.json # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan # example: *tfplan* + +**/.infracost \ No newline at end of file diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b9f4dc5..6b1867e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.4.0 hooks: - id: check-added-large-files args: ['--maxkb=500'] @@ -18,7 +18,7 @@ repos: args: ['--allow-missing-credentials'] - id: trailing-whitespace - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.76.0 + rev: v1.81.0 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/README.md b/README.md index 07ef443..05f7465 100644 --- a/README.md +++ b/README.md @@ -86,14 +86,14 @@ Module managed by: | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.11 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [terraform](#requirement\_terraform) | >= 1.5.0 | +| [aws](#requirement\_aws) | >= 4.26.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.35.0 | +| [aws](#provider\_aws) | >= 4.26.0 | ## Modules @@ -112,6 +112,8 @@ No modules. | [aws_iam_role_policy_attachment.main_custom_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.main_role_backup_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.main_role_restore_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.main_role_s3_backup_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.main_role_s3_restore_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_sns_topic.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | | [aws_sns_topic_policy.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | | [aws_iam_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -131,6 +133,7 @@ No modules. | [plan\_name](#input\_plan\_name) | The display name of a backup plan | `string` | n/a | yes | | [rules](#input\_rules) | A list of rules mapping rule configurations for a backup plan | `any` | `[]` | no | | [selection\_name](#input\_selection\_name) | The display name of a resource selection document | `string` | `null` | no | +| [selection\_not\_resources](#input\_selection\_not\_resources) | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan. | `list(string)` | `[]` | no | | [selection\_resources](#input\_selection\_resources) | A list of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan | `list(string)` | `[]` | no | | [selection\_tags](#input\_selection\_tags) | A list of selection tags map | `list(any)` | `[]` | no | | [sns\_topic\_arn](#input\_sns\_topic\_arn) | The Amazon Resource Name (ARN) that specifies the topic for a backup vault’s events | `string` | `null` | no | diff --git a/examples/exclusions/README.md b/examples/exclusions/README.md new file mode 100644 index 0000000..878683f --- /dev/null +++ b/examples/exclusions/README.md @@ -0,0 +1,8 @@ +## Example deployment flow + +```bash +terraform init +terraform validate +terraform plan +terraform apply --auto-approve +``` diff --git a/examples/exclusions/main.tf b/examples/exclusions/main.tf new file mode 100644 index 0000000..51962a0 --- /dev/null +++ b/examples/exclusions/main.tf @@ -0,0 +1,54 @@ +###### +# KMS +###### +data "aws_kms_key" "backup" { + key_id = "alias/aws/backup" +} + +resource "aws_s3_bucket" "example" { + bucket = "umotif-test-bucket" + + tags = { + Environment = "test" + } +} + +######### +# Backup +######### +module "backup" { + source = "../.." + + # Create a vault + vault_name = "${var.name_prefix}-vault-exclusions" + vault_kms_key_arn = data.aws_kms_key.backup.arn + + # Create a backup plan + plan_name = "${var.name_prefix}-backup-plan" + + rules = [ + { + name = "${var.name_prefix}-backup-rule" + schedule = "cron(0 12 * * ? *)" + start_window = "65" + completion_window = "180" + recovery_point_tags = { + Project = "test" + Region = "eu-west-1" + } + + lifecycle = { + delete_after = 90 + } + } + ] + + selection_name = "${var.name_prefix}-backup-selection" + + selection_resources = ["*"] + selection_not_resources = [aws_s3_bucket.example.arn] + + tags = { + Environment = "test" + } +} diff --git a/examples/exclusions/outputs.tf b/examples/exclusions/outputs.tf new file mode 100644 index 0000000..892ae99 --- /dev/null +++ b/examples/exclusions/outputs.tf @@ -0,0 +1,44 @@ +output "backup_vault_id" { + description = "The name of the AWS Backup Vault" + value = module.backup.backup_vault_id +} + +output "backup_vault_arn" { + description = "The Amazon Resource Name (ARN) that identifies the AWS Backup Vault" + value = module.backup.backup_vault_arn +} + +output "backup_vault_recovery_points" { + description = "The number of recovery points that are stored in a backup vault" + value = module.backup.backup_vault_recovery_points +} + +output "backup_plan_id" { + description = "The name of the backup plan" + value = module.backup.backup_plan_id +} + +output "backup_plan_arn" { + description = "The Amazon Resource Name (ARN) that identifies the backup plan" + value = module.backup.backup_plan_arn +} + +output "backup_plan_version" { + description = "Unique, randomly generated, Unicode, UTF-8 encoded string that serves as the version ID of the backup plan." + value = module.backup.backup_plan_version +} + +output "backup_selection_id" { + description = "The identifier of the backup selection" + value = module.backup.backup_selection_id +} + +output "backup_vault_iam_role_name" { + description = "The name of the backup IAM role" + value = module.backup.backup_vault_iam_role_name +} + +output "backup_vault_iam_role_arn" { + description = "The ARN of the backup IAM role" + value = module.backup.backup_vault_iam_role_arn +} \ No newline at end of file diff --git a/examples/exclusions/variables.tf b/examples/exclusions/variables.tf new file mode 100644 index 0000000..0519052 --- /dev/null +++ b/examples/exclusions/variables.tf @@ -0,0 +1,5 @@ +variable "name_prefix" { + description = "A prefix used for naming resources." + type = string + default = "example" +} diff --git a/examples/exclusions/versions.tf b/examples/exclusions/versions.tf new file mode 100644 index 0000000..3e08687 --- /dev/null +++ b/examples/exclusions/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "~> 1.5.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.26.0" + } + } +} diff --git a/examples/external-vault/versions.tf b/examples/external-vault/versions.tf index 40f827e..0de2e8e 100644 --- a/examples/external-vault/versions.tf +++ b/examples/external-vault/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0.11" + required_version = ">= 1.5.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 4.26.0" } } -} +} \ No newline at end of file diff --git a/examples/multiple-dbs/versions.tf b/examples/multiple-dbs/versions.tf index 40f827e..0de2e8e 100644 --- a/examples/multiple-dbs/versions.tf +++ b/examples/multiple-dbs/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0.11" + required_version = ">= 1.5.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 4.26.0" } } -} +} \ No newline at end of file diff --git a/examples/one-db/versions.tf b/examples/one-db/versions.tf index 40f827e..0de2e8e 100644 --- a/examples/one-db/versions.tf +++ b/examples/one-db/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0.11" + required_version = ">= 1.5.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 4.26.0" } } -} +} \ No newline at end of file diff --git a/examples/vault/outputs.tf b/examples/vault/outputs.tf index 50f6f09..6b3a821 100644 --- a/examples/vault/outputs.tf +++ b/examples/vault/outputs.tf @@ -39,5 +39,5 @@ output "backup_vault_iam_role_name" { } output "backup_vault_iam_role_arn" { - output = module.backup.backup_vault_iam_role_name.arn + value = module.backup.backup_vault_iam_role_name.arn } \ No newline at end of file diff --git a/examples/vault/versions.tf b/examples/vault/versions.tf index 40f827e..0de2e8e 100644 --- a/examples/vault/versions.tf +++ b/examples/vault/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0.11" + required_version = ">= 1.5.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 4.26.0" } } -} +} \ No newline at end of file diff --git a/main.tf b/main.tf index a85e148..419cc8b 100644 --- a/main.tf +++ b/main.tf @@ -18,6 +18,7 @@ resource "aws_backup_plan" "main" { dynamic "rule" { for_each = var.rules + content { rule_name = lookup(rule.value, "name") target_vault_name = var.vault_name != null ? aws_backup_vault.main[0].name : lookup(rule.value, "target_vault_name", "Default") @@ -29,6 +30,7 @@ resource "aws_backup_plan" "main" { dynamic "lifecycle" { for_each = length(lookup(rule.value, "lifecycle")) == 0 ? [] : [lookup(rule.value, "lifecycle", {})] + content { cold_storage_after = lookup(lifecycle.value, "cold_storage_after", 0) delete_after = lookup(lifecycle.value, "delete_after", 90) @@ -37,6 +39,7 @@ resource "aws_backup_plan" "main" { dynamic "copy_action" { for_each = length(lookup(rule.value, "copy_action", {})) == 0 ? [] : [lookup(rule.value, "copy_action", {})] + content { destination_vault_arn = lookup(copy_action.value, "destination_vault_arn", null) @@ -71,7 +74,8 @@ resource "aws_backup_selection" "main" { name = var.selection_name plan_id = aws_backup_plan.main.id - resources = var.selection_resources + resources = var.selection_resources + not_resources = var.selection_not_resources dynamic "selection_tag" { for_each = var.selection_tags @@ -128,6 +132,16 @@ resource "aws_iam_role_policy_attachment" "main_role_restore_policy_attach" { role = aws_iam_role.main.name } +resource "aws_iam_role_policy_attachment" "main_role_s3_backup_policy_attach" { + policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup" + role = aws_iam_role.main.name +} + +resource "aws_iam_role_policy_attachment" "main_role_s3_restore_policy_attach" { + policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore" + role = aws_iam_role.main.name +} + resource "aws_iam_policy" "main_custom_policy" { description = "AWS Backup Tag policy" policy = data.aws_iam_policy_document.main_custom_policy.json diff --git a/variables.tf b/variables.tf index 5d7c63d..4911a54 100644 --- a/variables.tf +++ b/variables.tf @@ -30,6 +30,12 @@ variable "selection_resources" { default = [] } +variable "selection_not_resources" { + description = "An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan." + type = list(string) + default = [] +} + variable "selection_tags" { description = "A list of selection tags map" type = list(any) diff --git a/versions.tf b/versions.tf index 40f827e..d27d27b 100644 --- a/versions.tf +++ b/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0.11" + required_version = ">= 1.5.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 4.26.0" } } }