diff --git a/terraform/aws/data-lifecycle-manager.tf b/terraform/aws/data-lifecycle-manager.tf
new file mode 100644
index 000000000..285f74bc6
--- /dev/null
+++ b/terraform/aws/data-lifecycle-manager.tf
@@ -0,0 +1,89 @@
+# ref: https://docs.aws.amazon.com/ebs/latest/userguide/snapshot-lifecycle.html
+# Data Lifecycle Manager (DLM) is used to automate backup of EBS volumes.
+
+resource "aws_iam_role" "dlm_lifecycle_role" {
+ count = var.enable_nfs_backup ? 1 : 0
+ name = "dlm-lifecycle-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "dlm.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
+
+# Attach required policy to the IAM role
+resource "aws_iam_role_policy" "dlm_lifecycle" {
+ count = var.enable_nfs_backup ? 1 : 0
+ name = "dlm-lifecycle-policy"
+ role = aws_iam_role.dlm_lifecycle_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ec2:CreateSnapshot",
+ "ec2:CreateSnapshots",
+ "ec2:DeleteSnapshot",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeSnapshots"
+ ]
+ Resource = "*"
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "ec2:CreateTags"
+ ]
+ Resource = "arn:aws:ec2:*::snapshot/*"
+ }
+ ]
+ })
+}
+
+# Create the DLM lifecycle policy for NFS home directories backup
+resource "aws_dlm_lifecycle_policy" "nfs_backup" {
+ count = var.enable_nfs_backup ? 1 : 0
+ description = "DLM lifecycle policy for NFS home directories backup"
+ execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
+ state = "ENABLED"
+
+ policy_details {
+ resource_types = ["VOLUME"]
+
+ schedule {
+ name = "Daily backup"
+
+ create_rule {
+ interval = 24
+ interval_unit = "HOURS"
+ times = ["23:45"]
+ }
+
+ retain_rule {
+ count = 5 # Keep last 5 daily backups
+ }
+
+ tags_to_add = {
+ SnapshotCreator = "DLM"
+ Purpose = "NFS-Backup"
+ }
+
+ copy_tags = true
+ }
+
+ target_tags = {
+ NFSBackup = "true" # Tag to identify volumes to backup
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/aws/ebs-volumes.tf b/terraform/aws/ebs-volumes.tf
index 565d37bf7..2760542e5 100644
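Review bot: `role = aws_iam_role.dlm_lifecycle_role.id` in aws_iam_role_policy.dlm_lifecycle and `execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn` in aws_dlm_lifecycle_policy.nfs_backup read attributes of a resource that has `count` set, which Terraform rejects at plan time; they need an instance index, `role = aws_iam_role.dlm_lifecycle_role[0].id` and `execution_role_arn = aws_iam_role.dlm_lifecycle_role[0].arn`. Separately, the first statement of the inline policy grants ec2:DeleteSnapshot on `Resource = "*"`, so this role can delete every snapshot in the account rather than only the ones this schedule creates; the CreateTags statement already scopes to `arn:aws:ec2:*::snapshot/*`, and DeleteSnapshot can be scoped the same way plus a condition on the SnapshotCreator tag that tags_to_add applies. The rewrite below moves DeleteSnapshot into its own conditioned statement; confirm with an apply that retain_rule deletions still succeed, since the condition depends on that tag being present on every snapshot the policy manages.
```hcl
resource "aws_iam_role_policy" "dlm_lifecycle" {
  # … unchanged: count, name …
  role = aws_iam_role.dlm_lifecycle_role[0].id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        # … unchanged: Create*/Describe* actions, ec2:DeleteSnapshot removed from this list …
        Resource = "*"
      },
      {
        # Deletion limited to snapshots carrying the tag tags_to_add applies.
        Effect   = "Allow"
        Action   = "ec2:DeleteSnapshot"
        Resource = "arn:aws:ec2:*::snapshot/*"
        Condition = {
          StringEquals = { "aws:ResourceTag/SnapshotCreator" = "DLM" }
        }
      },
      # … unchanged: ec2:CreateTags statement …
    ]
  })
}
# … unchanged: aws_dlm_lifecycle_policy, except execution_role_arn = aws_iam_role.dlm_lifecycle_role[0].arn …
```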
--- a/terraform/aws/ebs-volumes.tf +++ b/terraform/aws/ebs-volumes.tf @@ -7,7 +7,8 @@ resource "aws_ebs_volume" "nfs_home_dirs" { encrypted = true tags = merge(each.value.tags, { - Name = each.value.name_suffix == null ? "hub-nfs-home-dirs" : "hub-nfs-home-dirs-${each.value.name_suffix}" + Name = each.value.name_suffix == null ? "hub-nfs-home-dirs" : "hub-nfs-home-dirs-${each.value.name_suffix}" + NFSBackup = var.enable_nfs_backup ? "true" : "false" # Tag to identify volumes to backup by Data Lifecycle Manager (DLM) }) lifecycle { diff --git a/terraform/aws/projects/nasa-veda.tfvars b/terraform/aws/projects/nasa-veda.tfvars index 0f465c223..480c63257 100644 --- a/terraform/aws/projects/nasa-veda.tfvars +++ b/terraform/aws/projects/nasa-veda.tfvars @@ -226,4 +226,6 @@ ebs_volumes = { } } +enable_nfs_backup = true + original_single_efs_tags = { "2i2c:hub-name" : "prod" } diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf index 2f27ed993..6411b74e1 100644 --- a/terraform/aws/variables.tf +++ b/terraform/aws/variables.tf @@ -308,3 +308,11 @@ variable "ebs_volumes" { server to store home directories for users. EOT } + +variable "enable_nfs_backup" { + type = bool + default = false + description = <<-EOT + Enable backup of NFS home directories using Data Lifecycle Manager (DLM). + EOT +}
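Review bot: The description of `enable_nfs_backup` in variables.tf says only that it enables DLM backup, while the same commit makes the flag create an IAM role with an inline policy (data-lifecycle-manager.tf) and decide the `NFSBackup` tag on aws_ebs_volume.nfs_home_dirs (ebs-volumes.tf), so a reader of the variable alone misses what toggling it changes. Suggested description: `When true, creates a DLM lifecycle policy (daily snapshot at 23:45, last 5 retained) with its own IAM role, and tags aws_ebs_volume.nfs_home_dirs with NFSBackup = "true" so DLM targets them.` Whether snapshots already taken survive flipping the flag back to false is not visible here and is worth stating in the description once confirmed.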