From 2399b0dc42f754f58bfece7ec101dd91a1c83d46 Mon Sep 17 00:00:00 2001
From: Vladyslav Hlushchenko <90847704+VHlushchen@users.noreply.github.com>
Date: Mon, 6 May 2024 09:43:51 +0300
Subject: [PATCH] GROK-12453: AWS Backup (#91)
* aws backup module
* add module for aws backup
* add data.tf
* extra line
* tf fmt
* GitHub Actions: Refactor: Automated formatting of terraform code (#95)
Co-authored-by: VHlushchen
* RDS backup: Align code style with the terraform module
---------
Co-authored-by: Vladyslav Hlushchenko
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: VHlushchen
Co-authored-by: Sofia Podolsky
---
 aws/common.tf | 22 ++++++++++++----------
 aws/db.tf | 31 +++++++++++++++++++++++++++++++
 aws/ecs.tf | 1 -
 aws/monitoring.tf | 4 ++--
 aws/variables.tf | 14 ++++++++++++++
 5 files changed, 59 insertions(+), 13 deletions(-)
diff --git a/aws/common.tf b/aws/common.tf
index ee83a7b..8f1435b 100644
--- a/aws/common.tf
+++ b/aws/common.tf
@@ -5,16 +5,18 @@ locals {
 Environment = var.environment
 Terraform = "true"
 })
- full_name = "${var.name}-${var.environment}"
- vpc_name = coalesce(var.vpc_name, "${var.name}-${var.environment}")
- rds_name = coalesce(var.rds_name, "${var.name}-${var.environment}")
- s3_name = coalesce(var.s3_name, "${var.name}-${var.environment}")
- ecs_name = coalesce(var.ecs_name, "${var.name}-${var.environment}")
- lb_name = coalesce(var.lb_name, "${var.name}-${var.environment}")
- ec2_name = coalesce(var.ec2_name, "${var.name}-${var.environment}")
- sns_topic_name = coalesce(var.sns_topic_name, "${var.name}-${var.environment}")
- r53_record = var.route53_enabled ? try("${var.route53_record_name}.${var.domain_name}", "${var.name}-${var.environment}.${var.domain_name}") : ""
- create_kms = var.custom_kms_key && !try(length(var.kms_key) > 0, false)
+ full_name = "${var.name}-${var.environment}"
+ vpc_name = coalesce(var.vpc_name, "${var.name}-${var.environment}")
+ rds_name = coalesce(var.rds_name, "${var.name}-${var.environment}")
+ s3_name = coalesce(var.s3_name, "${var.name}-${var.environment}")
+ ecs_name = coalesce(var.ecs_name, "${var.name}-${var.environment}")
+ lb_name = coalesce(var.lb_name, "${var.name}-${var.environment}")
+ ec2_name = coalesce(var.ec2_name, "${var.name}-${var.environment}")
+ sns_topic_name = coalesce(var.sns_topic_name, "${var.name}-${var.environment}")
+ rds_backup_name = coalesce(var.rds_backup_name, "${var.name}-${var.environment}-rds-backup")
+
+ r53_record = var.route53_enabled ? try("${var.route53_record_name}.${var.domain_name}", "${var.name}-${var.environment}.${var.domain_name}") : ""
+ create_kms = var.custom_kms_key && !try(length(var.kms_key) > 0, false)
 images = {
 datagrok = {
 image = var.docker_datagrok_image
diff --git a/aws/db.tf b/aws/db.tf
index ea42d23..62b2ac6 100644
--- a/aws/db.tf
+++ b/aws/db.tf
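Review bot: The new `rds_backup_name` local repeats the `"${var.name}-${var.environment}"` prefix that `full_name`, defined on the line above it in the same block, already holds; `rds_backup_name = coalesce(var.rds_backup_name, "${local.full_name}-rds-backup")` keeps the derivation in one place and reads the same. The rest of the hunk is alignment only.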
@@ -89,3 +89,34 @@ resource "aws_route53_record" "db_private_dns" {
 ttl = 60
 records = [split(":", module.db.db_instance_endpoint)[0]]
 }
+
+data "aws_iam_policy" "backup_default_policy" {
+ name = "AWSBackupServiceRolePolicyForBackup"
+}
+
+resource "aws_iam_role" "db_backup_role" {
+ name = "${local.rds_backup_name}-role"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ Service = "backup.amazonaws.com"
+ }
+ },
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "db_attach_default_backup_policy" {
+ role = aws_iam_role.db_backup_role.name
+ policy_arn = data.aws_iam_policy.backup_default_policy.arn
+}
+
+resource "aws_backup_vault" "db_backup_vault" {
+ name = "${local.rds_backup_name}-vault"
+ kms_key_arn = local.create_kms ? module.kms[0].key_id : null
+}
diff --git a/aws/ecs.tf b/aws/ecs.tf
index fdabc38..7cfbdbf 100644
--- a/aws/ecs.tf
+++ b/aws/ecs.tf
@@ -323,7 +323,6 @@ resource "aws_service_discovery_private_dns_namespace" "datagrok" {
 
 resource "aws_ecs_task_definition" "datagrok" {
 family = "${local.ecs_name}_datagrok"
-
 container_definitions = jsonencode(concat(
 var.ecs_launch_type == "FARGATE" ? [{
 name = "resolv_conf"
diff --git a/aws/monitoring.tf b/aws/monitoring.tf
index 038ad3a..2f37475 100644
--- a/aws/monitoring.tf
+++ b/aws/monitoring.tf
@@ -297,7 +297,7 @@ resource "aws_cloudwatch_metric_alarm" "high_ram" {
 dimensions = {
 ClusterName = module.ecs.cluster_name
 }
- alarm_actions = compact([
+ alarm_actions = compact(concat([
 var.monitoring.slack_alerts ? module.notify_slack.slack_topic_arn : "",
@@ -307,7 +307,7 @@ resource "aws_cloudwatch_metric_alarm" "high_ram" {
 !var.monitoring.create_sns_topic ? var.monitoring.sns_topic_arn : ""
- ])
+ ], var.monitoring_high_ram_custom_actions))
 tags = local.tags
 }
diff --git a/aws/variables.tf b/aws/variables.tf
index df591c2..d9e2f52 100644
--- a/aws/variables.tf
+++ b/aws/variables.tf
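Review bot: `aws_backup_vault.db_backup_vault` sets `kms_key_arn` from `module.kms[0].key_id` and falls back to `null` (the AWS-managed default key) whenever `local.create_kms` is false, which per the `create_kms` definition in common.tf is precisely the case where the caller supplied their own `var.kms_key` — so a customer-provided key is never applied to the vault. The attribute expects an ARN; if the KMS module exposes a `key_arn` output, `kms_key_arn = local.create_kms ? module.kms[0].key_arn : (var.custom_kms_key ? var.kms_key : null)` would cover both paths (confirm that `var.kms_key` holds an ARN rather than a key id). The role and vault also omit `tags = local.tags`, which the alarm in monitoring.tf carries. Nothing in this commit creates an `aws_backup_plan` or `aws_backup_selection`, so unless they exist elsewhere the vault stays empty; once it holds RDS snapshots, an `aws_backup_vault_lock_configuration` is worth adding so recovery points cannot be deleted early by a misused principal.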
@@ -792,3 +792,17 @@ variable "task_iam_policies" {
 nullable = false
 default = []
 }
+
+variable "rds_backup_name" {
+ default = null
+ type = string
+ nullable = true
+ description = "Name of AWS backup resources for RDS backups"
+}
+
+variable "monitoring_high_ram_custom_actions" {
+ default = []
+ type = list(string)
+ nullable = false
+ description = "Custom actions to perform upon high_ram alert"
+}
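Review bot: `monitoring_high_ram_custom_actions` is spliced straight into `alarm_actions` in monitoring.tf with no validation, so a mistyped entry is only rejected at apply time; a `validation` block requiring an `arn:` prefix surfaces it at plan. `rds_backup_name` is likewise unvalidated although it is used verbatim in the backup vault and IAM role names, which have their own character-set and length limits — a sentence in its description, or a validation of the same shape, would help callers. The `description` on the first variable could also name the expected value: `description = "Additional action ARNs (e.g. SNS topics) to invoke when the high_ram alarm fires"`.
```hcl
variable "monitoring_high_ram_custom_actions" {
  default     = []
  type        = list(string)
  nullable    = false
  description = "Custom actions to perform upon high_ram alert"

  validation {
    condition     = alltrue([for a in var.monitoring_high_ram_custom_actions : can(regex("^arn:", a))])
    error_message = "Each entry must be an ARN (for example an SNS topic ARN)."
  }
}
```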