From 5c657292c32b2317e48b7e2442dbf57445bcc0f9 Mon Sep 17 00:00:00 2001
From: Tarashish Mishra
Date: Tue, 26 Nov 2024 09:01:26 +0530
Subject: [PATCH 1/4] Enable automatic backup of EBS volumes using DLM

---
 terraform/aws/data-lifecycle-manager.tf | 86 +++++++++++++++++++++++++
 terraform/aws/ebs-volumes.tf | 1 +
 2 files changed, 87 insertions(+)
 create mode 100644 terraform/aws/data-lifecycle-manager.tf
diff --git a/terraform/aws/data-lifecycle-manager.tf b/terraform/aws/data-lifecycle-manager.tf
new file mode 100644
index 0000000000..6d058c5f3d
--- /dev/null
+++ b/terraform/aws/data-lifecycle-manager.tf
@@ -0,0 +1,86 @@
+# ref: https://docs.aws.amazon.com/ebs/latest/userguide/snapshot-lifecycle.html
+# Data Lifecycle Manager (DLM) is used to automate backup of EBS volumes.
+
+resource "aws_iam_role" "dlm_lifecycle_role" {
+ name = "dlm-lifecycle-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "dlm.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
+
+# Attach required policy to the IAM role
+resource "aws_iam_role_policy" "dlm_lifecycle" {
+ name = "dlm-lifecycle-policy"
+ role = aws_iam_role.dlm_lifecycle_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ec2:CreateSnapshot",
+ "ec2:CreateSnapshots",
+ "ec2:DeleteSnapshot",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeInstances",
+ "ec2:DescribeSnapshots"
+ ]
+ Resource = "*"
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "ec2:CreateTags"
+ ]
+ Resource = "arn:aws:ec2:*::snapshot/*"
+ }
+ ]
+ })
+}
+
+# Create the DLM lifecycle policy for NFS home directories backup
+resource "aws_dlm_lifecycle_policy" "nfs_backup" {
+ description = "DLM lifecycle policy for NFS home directories backup"
+ execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
+ state = "ENABLED"
+
+ policy_details {
+ resource_types = ["VOLUME"]
+
+ schedule {
+ name = "Daily backup"
+
+ create_rule {
+ interval = 24
+ interval_unit = "HOURS"
+ times = ["23:45"]
+ }
+
+ retain_rule {
+ count = 5 # Keep last 5 daily backups
+ }
+
+ tags_to_add = {
+ SnapshotCreator = "DLM"
+ Purpose = "NFS-Backup"
+ }
+
+ copy_tags = true
+ }
+
+ target_tags = {
+ NFSBackup = "true" # Tag to identify volumes to backup
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/aws/ebs-volumes.tf b/terraform/aws/ebs-volumes.tf
index 565d37bf78..a4d3c7f714 100644
--- a/terraform/aws/ebs-volumes.tf
+++ b/terraform/aws/ebs-volumes.tf
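Review bot: The first statement of `aws_iam_role_policy.dlm_lifecycle` grants `ec2:DeleteSnapshot` together with the create/describe actions on `Resource = "*"`, so the DLM execution role may delete any snapshot in the account, not only the ones this policy produces. Because the schedule tags its snapshots with `SnapshotCreator = "DLM"`, the delete action can move to its own statement restricted with `Condition = { StringEquals = { "ec2:ResourceTag/SnapshotCreator" = "DLM" } }`, which caps the blast radius if the role is ever misused. The trust policy of `dlm_lifecycle_role` carries no `Condition` either; a `StringEquals` on `aws:SourceAccount` would rule out confused-deputy use of the `dlm.amazonaws.com` principal. Finally, `retain_rule { count = 5 }` on a 24-hour schedule means the oldest recoverable point is five days back, so a comment stating that this recovery window is intentional (or a second, weekly schedule) would make the operational assumption explicit.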
@@ -8,6 +8,7 @@ resource "aws_ebs_volume" "nfs_home_dirs" {
 
 tags = merge(each.value.tags, {
 Name = each.value.name_suffix == null ? "hub-nfs-home-dirs" : "hub-nfs-home-dirs-${each.value.name_suffix}"
+ NFSBackup = "true" # Tag to identify volumes to backup by Data Lifecycle Manager (DLM)
 })
 
 lifecycle {
From 99fa60d30406e8d85c8f0a4ea904da5f6dad5f9c Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Tue, 26 Nov 2024 03:34:57 +0000
Subject: [PATCH 2/4] [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci
---
 terraform/aws/data-lifecycle-manager.tf | 6 +++---
 terraform/aws/ebs-volumes.tf | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/terraform/aws/data-lifecycle-manager.tf b/terraform/aws/data-lifecycle-manager.tf
index 6d058c5f3d..c520253ad2 100644
--- a/terraform/aws/data-lifecycle-manager.tf
+++ b/terraform/aws/data-lifecycle-manager.tf
@@ -53,7 +53,7 @@ resource "aws_iam_role_policy" "dlm_lifecycle" {
 resource "aws_dlm_lifecycle_policy" "nfs_backup" {
 description = "DLM lifecycle policy for NFS home directories backup"
 execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
- state = "ENABLED"
+ state = "ENABLED"
 
 policy_details {
 resource_types = ["VOLUME"]
@@ -68,7 +68,7 @@ resource "aws_dlm_lifecycle_policy" "nfs_backup" {
 }
 
 retain_rule {
- count = 5 # Keep last 5 daily backups
+ count = 5 # Keep last 5 daily backups
 }
 
 tags_to_add = {
@@ -80,7 +80,7 @@ resource "aws_dlm_lifecycle_policy" "nfs_backup" {
 }
 
 target_tags = {
- NFSBackup = "true" # Tag to identify volumes to backup
+ NFSBackup = "true" # Tag to identify volumes to backup
 }
 }
 }
\ No newline at end of file
diff --git a/terraform/aws/ebs-volumes.tf b/terraform/aws/ebs-volumes.tf
index a4d3c7f714..55f51ca271 100644
--- a/terraform/aws/ebs-volumes.tf
+++ b/terraform/aws/ebs-volumes.tf
@@ -7,8 +7,8 @@ resource "aws_ebs_volume" "nfs_home_dirs" { encrypted = true tags = merge(each.value.tags, { - Name = each.value.name_suffix == null ? "hub-nfs-home-dirs" : "hub-nfs-home-dirs-${each.value.name_suffix}" - NFSBackup = "true" # Tag to identify volumes to backup by Data Lifecycle Manager (DLM) + Name = each.value.name_suffix == null ? "hub-nfs-home-dirs" : "hub-nfs-home-dirs-${each.value.name_suffix}" + NFSBackup = "true" # Tag to identify volumes to backup by Data Lifecycle Manager (DLM) }) lifecycle { From 73e21ee0681ac67a0f7c9edcb4d9b2d91346622c Mon Sep 17 00:00:00 2001 From: Tarashish Mishra Date: Tue, 26 Nov 2024 09:43:44 +0530 Subject: [PATCH 3/4] Make NFS backup through DLM opt-in --- terraform/aws/data-lifecycle-manager.tf | 3 +++ terraform/aws/ebs-volumes.tf | 2 +- terraform/aws/projects/nasa-veda.tfvars | 2 ++ terraform/aws/variables.tf | 8 ++++++++ 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/terraform/aws/data-lifecycle-manager.tf b/terraform/aws/data-lifecycle-manager.tf index c520253ad2..ad3948af51 100644 --- a/terraform/aws/data-lifecycle-manager.tf +++ b/terraform/aws/data-lifecycle-manager.tf @@ -2,6 +2,7 @@ # Data Lifecycle Manager (DLM) is used to automate backup of EBS volumes. resource "aws_iam_role" "dlm_lifecycle_role" { + count = var.enable_nfs_backup ? 1 : 0 name = "dlm-lifecycle-role" assume_role_policy = jsonencode({ @@ -20,6 +21,7 @@ resource "aws_iam_role" "dlm_lifecycle_role" { # Attach required policy to the IAM role resource "aws_iam_role_policy" "dlm_lifecycle" { + count = var.enable_nfs_backup ? 1 : 0 name = "dlm-lifecycle-policy" role = aws_iam_role.dlm_lifecycle_role.id 
@@ -51,6 +53,7 @@ resource "aws_iam_role_policy" "dlm_lifecycle" {
 
 # Create the DLM lifecycle policy for NFS home directories backup
 resource "aws_dlm_lifecycle_policy" "nfs_backup" {
+ count = var.enable_nfs_backup ? 1 : 0
 description = "DLM lifecycle policy for NFS home directories backup"
 execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
 state = "ENABLED"
diff --git a/terraform/aws/ebs-volumes.tf b/terraform/aws/ebs-volumes.tf
index 55f51ca271..2348c918bf 100644
--- a/terraform/aws/ebs-volumes.tf
+++ b/terraform/aws/ebs-volumes.tf
@@ -8,7 +8,7 @@ resource "aws_ebs_volume" "nfs_home_dirs" {
 
 tags = merge(each.value.tags, {
 Name = each.value.name_suffix == null ? "hub-nfs-home-dirs" : "hub-nfs-home-dirs-${each.value.name_suffix}"
- NFSBackup = "true" # Tag to identify volumes to backup by Data Lifecycle Manager (DLM)
+ NFSBackup = var.enable_nfs_backup ? "true" : "false" # Tag to identify volumes to backup by Data Lifecycle Manager (DLM)
 })
 
 lifecycle {
diff --git a/terraform/aws/projects/nasa-veda.tfvars b/terraform/aws/projects/nasa-veda.tfvars
index 0f465c2237..480c632573 100644
--- a/terraform/aws/projects/nasa-veda.tfvars
+++ b/terraform/aws/projects/nasa-veda.tfvars
@@ -226,4 +226,6 @@ ebs_volumes = {
 }
 }
 
+enable_nfs_backup = true
+
 original_single_efs_tags = { "2i2c:hub-name" : "prod" }
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
index e7810e1dde..67d3b15bf8 100644
--- a/terraform/aws/variables.tf
+++ b/terraform/aws/variables.tf
@@ -308,3 +308,11 @@ variable "ebs_volumes" {
 server to store home directories for users.
 EOT
 }
+
+variable "enable_nfs_backup" {
+ type = bool
+ default = false
+ description = <<-EOT
+ Enable backup of NFS home directories using Data Lifecycle Manager (DLM).
+ EOT
+}
From 3d031bce93af98a3e70503ce92722b472e32f90b Mon Sep 17 00:00:00 2001
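Review bot: The `description` of `enable_nfs_backup` in the `variables.tf` hunk says what the flag turns on but not what an operator commits to, which matters because switching it back to `false` destroys the `count`-gated DLM policy and role while the snapshots DLM already created are not removed with them and stop being pruned. I would expand the heredoc to read: `Enable daily EBS snapshots of the NFS home directory volumes via Data Lifecycle Manager (DLM); see data-lifecycle-manager.tf for the schedule and retention. Disabling removes the policy but leaves existing snapshots in place, which then have to be cleaned up manually.` The retention count is hard-coded in the DLM resource, so pointing at that file avoids repeating a number that can drift out of date.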
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Tue, 26 Nov 2024 04:23:50 +0000
Subject: [PATCH 4/4] [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci
---
 terraform/aws/data-lifecycle-manager.tf | 8 ++++----
 terraform/aws/ebs-volumes.tf | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/terraform/aws/data-lifecycle-manager.tf b/terraform/aws/data-lifecycle-manager.tf
index ad3948af51..285f74bc60 100644
--- a/terraform/aws/data-lifecycle-manager.tf
+++ b/terraform/aws/data-lifecycle-manager.tf
@@ -3,7 +3,7 @@
 
 resource "aws_iam_role" "dlm_lifecycle_role" {
 count = var.enable_nfs_backup ? 1 : 0
- name = "dlm-lifecycle-role"
+ name = "dlm-lifecycle-role"
 
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
@@ -22,8 +22,8 @@ resource "aws_iam_role" "dlm_lifecycle_role" {
 # Attach required policy to the IAM role
 resource "aws_iam_role_policy" "dlm_lifecycle" {
 count = var.enable_nfs_backup ? 1 : 0
- name = "dlm-lifecycle-policy"
- role = aws_iam_role.dlm_lifecycle_role.id
+ name = "dlm-lifecycle-policy"
+ role = aws_iam_role.dlm_lifecycle_role.id
 
 policy = jsonencode({
 Version = "2012-10-17"
@@ -53,7 +53,7 @@ resource "aws_iam_role_policy" "dlm_lifecycle" {
 
 # Create the DLM lifecycle policy for NFS home directories backup
 resource "aws_dlm_lifecycle_policy" "nfs_backup" {
- count = var.enable_nfs_backup ? 1 : 0
+ count = var.enable_nfs_backup ? 1 : 0
 description = "DLM lifecycle policy for NFS home directories backup"
 execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
 state = "ENABLED"
diff --git a/terraform/aws/ebs-volumes.tf b/terraform/aws/ebs-volumes.tf
index 2348c918bf..2760542e57 100644
--- a/terraform/aws/ebs-volumes.tf
+++ b/terraform/aws/ebs-volumes.tf
@@ -8,7 +8,7 @@ resource "aws_ebs_volume" "nfs_home_dirs" {
 
 tags = merge(each.value.tags, {
 Name = each.value.name_suffix == null ? "hub-nfs-home-dirs" : "hub-nfs-home-dirs-${each.value.name_suffix}"
- NFSBackup = var.enable_nfs_backup ? "true" : "false" # Tag to identify volumes to backup by Data Lifecycle Manager (DLM)
+ NFSBackup = var.enable_nfs_backup ? "true" : "false" # Tag to identify volumes to backup by Data Lifecycle Manager (DLM)
 })
 
 lifecycle {