Merge pull request #5189 from sunu/feature/dlm-nfs-backup

Enable automatic backup of EBS volumes using DLM
2i2c-org · Nov 27, 2024 · 319ccc3 · 319ccc3
2 parents b897a9e + 3d031bc
commit 319ccc3
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 1 deletion.
diff --git a/terraform/aws/data-lifecycle-manager.tf b/terraform/aws/data-lifecycle-manager.tf
@@ -0,0 +1,89 @@
+# ref: https://docs.aws.amazon.com/ebs/latest/userguide/snapshot-lifecycle.html
+# Data Lifecycle Manager (DLM) is used to automate backup of EBS volumes.
+
+resource "aws_iam_role" "dlm_lifecycle_role" {
+  count = var.enable_nfs_backup ? 1 : 0
+  name  = "dlm-lifecycle-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "dlm.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+# Attach required policy to the IAM role
+resource "aws_iam_role_policy" "dlm_lifecycle" {
+  count = var.enable_nfs_backup ? 1 : 0
+  name  = "dlm-lifecycle-policy"
+  role  = aws_iam_role.dlm_lifecycle_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ec2:CreateSnapshot",
+          "ec2:CreateSnapshots",
+          "ec2:DeleteSnapshot",
+          "ec2:DescribeVolumes",
+          "ec2:DescribeInstances",
+          "ec2:DescribeSnapshots"
+        ]
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "ec2:CreateTags"
+        ]
+        Resource = "arn:aws:ec2:*::snapshot/*"
+      }
+    ]
+  })
+}
+
+# Create the DLM lifecycle policy for NFS home directories backup
+resource "aws_dlm_lifecycle_policy" "nfs_backup" {
+  count              = var.enable_nfs_backup ? 1 : 0
+  description        = "DLM lifecycle policy for NFS home directories backup"
+  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
+  state              = "ENABLED"
+
+  policy_details {
+    resource_types = ["VOLUME"]
+
+    schedule {
+      name = "Daily backup"
+
+      create_rule {
+        interval      = 24
+        interval_unit = "HOURS"
+        times         = ["23:45"]
+      }
+
+      retain_rule {
+        count = 5 # Keep last 5 daily backups
+      }
+
+      tags_to_add = {
+        SnapshotCreator = "DLM"
+        Purpose         = "NFS-Backup"
+      }
+
+      copy_tags = true
+    }
+
+    target_tags = {
+      NFSBackup = "true" # Tag to identify volumes to backup
+    }
+  }
+}
diff --git a/terraform/aws/ebs-volumes.tf b/terraform/aws/ebs-volumes.tf
@@ -7,7 +7,8 @@ resource "aws_ebs_volume" "nfs_home_dirs" {
   encrypted         = true
 
   tags = merge(each.value.tags, {
-    Name = each.value.name_suffix == null ? "hub-nfs-home-dirs" : "hub-nfs-home-dirs-${each.value.name_suffix}"
+    Name      = each.value.name_suffix == null ? "hub-nfs-home-dirs" : "hub-nfs-home-dirs-${each.value.name_suffix}"
+    NFSBackup = var.enable_nfs_backup ? "true" : "false" # Tag to identify volumes to backup by Data Lifecycle Manager (DLM)
   })
 
   lifecycle {

diff --git a/terraform/aws/projects/nasa-veda.tfvars b/terraform/aws/projects/nasa-veda.tfvars
@@ -226,4 +226,6 @@ ebs_volumes = {
   }
 }
 
+enable_nfs_backup = true
+
 original_single_efs_tags = { "2i2c:hub-name" : "prod" }
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
@@ -308,3 +308,11 @@ variable "ebs_volumes" {
   server to store home directories for users.
   EOT
 }
+
+variable "enable_nfs_backup" {
+  type        = bool
+  default     = false
+  description = <<-EOT
+  Enable backup of NFS home directories using Data Lifecycle Manager (DLM).
+  EOT
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -226,4 +226,6 @@ ebs_volumes = { @@
       }
     }
+    enable_nfs_backup = true
     original_single_efs_tags = { "2i2c:hub-name" : "prod" }