diff --git a/main.tf b/main.tf index e9644be..f538bd3 100755 --- a/main.tf +++ b/main.tf @@ -455,6 +455,7 @@ module "spoke_backup" { hub_environment = var.hub_environment depends_on = [module.resource_checker] + } ########## Resource Checker ######### diff --git a/modules/aws_backup/main.tf b/modules/aws_backup/main.tf index c499bfc..07cf4ce 100644 --- a/modules/aws_backup/main.tf +++ b/modules/aws_backup/main.tf @@ -1,3 +1,5 @@ + + resource "aws_backup_vault" "spoke" { name = "sas-awsng-${var.spoke_account_id}-backup-vault" kms_key_arn = aws_kms_key.spoke_vault_key.arn 
@@ -235,16 +237,181 @@ resource "aws_backup_framework" "backup_compliance_framework" { } } - - +# locals { +# location_vault_map = { +# "us-east-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "eu-central-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ca-central-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "eu-west-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ap-southeast-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ap-northeast-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ap-south-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "eu-west-3" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "us-west-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# } +# } + +# resource "aws_backup_plan" "spoke" { +# name = "sas-awsng-${var.spoke_account_id}-backup-plan" + +# dynamic "rule" { +# for_each = var.spoke_backup_rules +# content { +# rule_name = rule.value.name +# target_vault_name = aws_backup_vault.spoke.name +# schedule = rule.value.schedule +# start_window = rule.value.start_window +# completion_window = rule.value.completion_window +# recovery_point_tags = rule.value.recovery_point_tags +# enable_continuous_backup = rule.value.enable_continuous_backup + +# dynamic 
"lifecycle" { +# for_each = lookup(rule.value, "lifecycle", null) != null ? [true] : [] +# content { +# cold_storage_after = rule.value.lifecycle.cold_storage_after +# delete_after = rule.value.lifecycle.delete_after +# } +# } + +# # Copy action for EFS +# dynamic "copy_action" { +# for_each = contains(["efs_backup_rule_daily", "efs_backup_rule_weekly"], rule.value.name) ? [true] : [] + +# content { +# destination_vault_arn = var.central_backup_vault_us # Example for US + +# dynamic "selection_tag" { +# for_each = [for t in rule.value.recovery_point_tags : t if t.key == "Backup" && t.value == "efs"] + +# content { +# type = "STRINGEQUALS" +# key = "Backup" +# value = "efs" +# } +# } + +# dynamic "lifecycle" { +# for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : [] + +# content { +# cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after +# delete_after = rule.value.copy_action.lifecycle.delete_after +# } +# } +# } +# } + +# # Copy action for RDS +# dynamic "copy_action" { +# for_each = contains(["rds_backup_rule_daily", "rds_backup_rule_weekly"], rule.value.name) ? [true] : [] + +# content { +# destination_vault_arn = lookup(local.location_vault_map, var.location, null) + +# dynamic "selection_tag" { +# for_each = [for t in rule.value.recovery_point_tags : t if t.key == "Backup" && t.value == "rds"] + +# content { +# type = "STRINGEQUALS" +# key = "Backup" +# value = "rds" +# } +# } + +# dynamic "lifecycle" { +# for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : [] + +# content { +# cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after +# delete_after = rule.value.copy_action.lifecycle.delete_after +# } +# } +# } +# } + +# # Copy action for FSx +# dynamic "copy_action" { +# for_each = contains(["fsx_backup_rule_daily", "fsx_backup_rule_weekly"], rule.value.name) ? 
[true] : [] + +# content { +# destination_vault_arn = var.central_backup_vault_us # Example for US or a different FSx target + +# dynamic "selection_tag" { +# for_each = [for t in rule.value.recovery_point_tags : t if t.key == "Backup" && t.value == "fsx"] + +# content { +# type = "STRINGEQUALS" +# key = "Backup" +# value = "fsx" +# } +# } + +# dynamic "lifecycle" { +# for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : [] + +# content { +# cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after +# delete_after = rule.value.copy_action.lifecycle.delete_after +# } +# } +# } +# } + +# } +# } + +# dynamic "advanced_backup_setting" { +# for_each = var.advanced_backup_setting != null ? [true] : [] +# content { +# backup_options = var.advanced_backup_setting.backup_options +# resource_type = var.advanced_backup_setting.resource_type +# } +# } + +# tags = merge( +# var.tags, +# { +# Name = "sas-awsng-${var.spoke_account_id}-backup-plan", +# PolicyOwner = "NextGen" +# } +# ) +# } + +# resource "aws_backup_selection" "spoke" { +# iam_role_arn = aws_iam_role.backup_operator_role.arn +# name = "sas-awsng-${var.spoke_account_id}-backup-selection" +# plan_id = aws_backup_plan.spoke.id + +# dynamic "selection_tag" { +# for_each = ["efs", "rds", "fsx"] + +# content { +# type = "STRINGEQUALS" +# key = "Backup" +# value = selection_tag.value +# } +# } +#} + +locals { + location_vault_map = { + "us-east-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" + "eu-central-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" + "ca-central-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" + "eu-west-1" = 
"arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" + "ap-southeast-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" + "ap-northeast-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" + "ap-south-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" + "eu-west-3" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" + "us-west-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" + } +} resource "aws_backup_plan" "spoke" { - name = "sas-awsng-${var.spoke_account_id}-backup-plan" dynamic "rule" { for_each = var.spoke_backup_rules - content { rule_name = rule.value.name target_vault_name = aws_backup_vault.spoke.name 
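Review bot: Every entry of `location_vault_map` in the new `locals` block interpolates `${var.location}` instead of its own key, so all nine values are the same string and the map only functions as an allowlist of regions; a reader expecting a per-region mapping is misled, and editing one entry later would silently break the symmetry. If one central vault per deploying region is the intent, state it above the block, e.g. `# All central vaults share one naming scheme; the key set is the allowlist of regions that have a central vault`, or collapse it to a single `central_vault_arn` local plus a `contains(keys(...), var.location)` check. The roughly 150 commented-out lines before it duplicate an earlier draft of the plan and selection and should be dropped, since git history keeps them and the stale `var.central_backup_vault_us # Example for US` remarks will otherwise be read as live configuration. The `aws_backup_plan` resource that opens at the end of this hunk continues in the next one.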
@@ -256,45 +423,78 @@ resource "aws_backup_plan" "spoke" { dynamic "lifecycle" { for_each = lookup(rule.value, "lifecycle", null) != null ? [true] : [] - content { cold_storage_after = rule.value.lifecycle.cold_storage_after delete_after = rule.value.lifecycle.delete_after } } - copy_action { - destination_vault_arn = var.central_backup_vault_us + # Apply copy action for EFS to US vault + dynamic "copy_action" { + for_each = contains(["efs_backup_rule_daily", "efs_backup_rule_weekly"], rule.value.name) ? [true] : [] + + content { + destination_vault_arn = var.central_backup_vault_us + + dynamic "lifecycle" { + for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : [] + + content { + cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after + delete_after = rule.value.copy_action.lifecycle.delete_after + } + } + } + } + + # Apply copy action for EFS to EU vault + dynamic "copy_action" { + for_each = contains(["efs_backup_rule_daily", "efs_backup_rule_weekly"], rule.value.name) ? [true] : [] - dynamic "lifecycle" { - for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : [] + content { + destination_vault_arn = var.central_backup_vault_eu + + dynamic "lifecycle" { + for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : [] - content { - cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after - delete_after = rule.value.copy_action.lifecycle.delete_after + content { + cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after + delete_after = rule.value.copy_action.lifecycle.delete_after + } } } } - copy_action { - destination_vault_arn = var.central_backup_vault_eu - - dynamic "lifecycle" { - for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? 
[true] : [] - - content { - cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after - delete_after = rule.value.copy_action.lifecycle.delete_after + # Apply region-based copy action for RDS + dynamic "copy_action" { + for_each = contains(["rds_backup_rule_daily", "rds_backup_rule_weekly"], rule.value.name) ? [true] : [] + + content { + destination_vault_arn = lookup(local.location_vault_map, var.location, null) + + dynamic "lifecycle" { + for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : [] + + content { + cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after + delete_after = rule.value.copy_action.lifecycle.delete_after + } } } } + # # No copy action for FSx + # dynamic "copy_action" { + # for_each = contains(rule.value.name, "fsx") ? [] : [true] + # content { + # destination_vault_arn = aws_backup_vault.spoke.arn + # } + # } } } dynamic "advanced_backup_setting" { for_each = var.advanced_backup_setting != null ? [true] : [] - content { backup_options = var.advanced_backup_setting.backup_options resource_type = var.advanced_backup_setting.resource_type @@ -311,7 +511,6 @@ resource "aws_backup_plan" "spoke" { } resource "aws_backup_selection" "spoke" { - iam_role_arn = aws_iam_role.backup_operator_role.arn name = "sas-awsng-${var.spoke_account_id}-backup-selection" plan_id = aws_backup_plan.spoke.id diff --git a/modules/aws_backup/variables.tf b/modules/aws_backup/variables.tf index b5875dc..9c4ccb1 100644 --- a/modules/aws_backup/variables.tf +++ b/modules/aws_backup/variables.tf 
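Review bot: The RDS copy action sets `destination_vault_arn = lookup(local.location_vault_map, var.location, null)`, so a spoke deployed in a region missing from the map gets a null destination; the provider rejects that at plan time with a generic message, and if it ever did not, the RDS recovery points would have no off-account copy, which is the control this vault exists to provide. Fail clearly instead with `destination_vault_arn = local.location_vault_map[var.location]`, which names the offending region, or add a `validation` block on `var.location` in the module. Note also that AWS Backup applies every rule in a plan to the plan's whole selection, so naming rules `efs_*`/`rds_*` and picking copy targets by rule name does not confine EFS-tagged resources to the EFS rules — each rule still backs up everything the selection matches and copies it to that rule's vaults, and per-service scoping would need separate plans and selections. The commented-out FSx block calls `contains(rule.value.name, "fsx")` with a string argument, which Terraform rejects, so remove it or fix it before anyone uncomments it. The enclosing `rule` block and resource begin in the previous hunk.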
@@ -104,3 +104,19 @@ variable "hub_environment" { type = string } +# variable "location_vault_map" { +# description = "A map of regions to backup vault ARNs for RDS" +# type = map(string) +# default = { +# "us-east-1" = "arn:aws:backup:${local.region}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "eu-central-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ca-central-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "eu-west-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ap-southeast-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ap-northeast-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ap-south-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "eu-west-3" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "us-west-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# } +# } + diff --git a/modules/aws_s3/outputs.tf b/modules/aws_s3/outputs.tf index 502705d..1cf9703 100644 --- a/modules/aws_s3/outputs.tf +++ b/modules/aws_s3/outputs.tf 
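Review bot: The added `location_vault_map` variable is entirely commented out and would not work if uncommented: Terraform variable defaults cannot reference `var.*` or `local.*`, and the first entry uses `${local.region}` while the others use `${var.location}`. Since the live definition now lives in `locals` in the module's main.tf, delete this block rather than leave a non-functional template beside the real one.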
@@ -1,7 +1,7 @@ output "local_s3_bucket_arn" { description = "ARN of the bucket" - value = var.bucket_external == "true" ? "aws-waf-logs-infra-${var.spoke_account_id}-${var.location}-bkt" : aws_s3_bucket.local_s3_bucket.arn + value = var.bucket_external == "true" ? "arn:aws:s3:::aws-waf-logs-infra-${var.spoke_account_id}-${var.location}-bkt" : aws_s3_bucket.local_s3_bucket.arn } output "bucket_name" { diff --git a/variables.tf b/variables.tf index 75f3e4b..f2d4186 100644 --- a/variables.tf +++ b/variables.tf 
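Review bot: The corrected value hardcodes the `aws` partition in `arn:aws:s3:::…`, so the output is wrong in the GovCloud and China partitions (`aws-us-gov`, `aws-cn`) even though the bucket name itself is derived from `var.location`. If those partitions are in scope, build it as `"arn:${data.aws_partition.current.partition}:s3:::aws-waf-logs-infra-…"` with an `aws_partition` data source; otherwise add `# standard aws partition only` beside the literal so the assumption is visible. The unchanged comparison `var.bucket_external == "true"` suggests the variable should be typed `bool` rather than string-compared.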
@@ -825,6 +825,62 @@ variable "central_backup_vault_eu" { default = "" } +# variable "spoke_backup_rules" { +# description = "Backup control rules: Schedule indicates the time frame of backup" +# type = list(object({ +# name = string +# schedule = optional(string) +# enable_continuous_backup = optional(bool) +# start_window = optional(number) +# completion_window = optional(number) +# recovery_point_tags = optional(map(string)) +# lifecycle = optional(object({ +# cold_storage_after = optional(number) +# delete_after = optional(number) +# opt_in_to_archive_for_supported_resources = optional(bool) +# })) +# copy_action = optional(object({ +# destination_vault_arn = optional(string) +# lifecycle = optional(object({ +# cold_storage_after = optional(number) +# delete_after = optional(number) +# opt_in_to_archive_for_supported_resources = optional(bool) +# })) +# })) +# })) +# default = [{ +# name = "backup_rule_daily" +# schedule = "cron(0 23 ? * 1-5,7 *)" +# recovery_point_tags = {} +# lifecycle = { +# delete_after = 14 +# } +# }, +# { +# name = "backup_rule_weekly" +# schedule = "cron(0 23 ? * 6 *)" +# recovery_point_tags = {} +# lifecycle = { +# delete_after = 60 +# } +# }] + +# } + + +variable "org_id" { + type = string + description = "organization ID required to enable the conformance pack" + # default = "o-03y3m4pkl8" + default = "" +} + +variable "logging_account" { + description = "Central logging accoutn ID" + type = string + default = "" +} + variable "spoke_backup_rules" { description = "Backup control rules: Schedule indicates the time frame of backup" type = list(object({ 
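Review bot: The relocated `logging_account` variable keeps the typo in its description, `Central logging accoutn ID`; since description text surfaces in generated module docs, change it to `Central logging account ID` while the line is being moved. The 45 commented-out lines above it are a verbatim copy of the old `spoke_backup_rules` default and add nothing over git history, so drop them. Carrying the concrete organization ID along in `# default = "o-03y3m4pkl8"` is also worth reconsidering — it is not secret, but a commented default tends to get uncommented and couples the module to a single org.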
@@ -849,37 +905,55 @@ variable "spoke_backup_rules" { })) })) default = [{ - name = "backup_rule_daily" - schedule = "cron(0 23 ? * 1-5,7 *)" + name = "efs_backup_rule_daily" + schedule = "cron(0 23 ? * 1-5,7 *)" recovery_point_tags = {} lifecycle = { delete_after = 14 } - }, + }, + { + name = "efs_backup_rule_weekly" + schedule = "cron(0 23 ? * 6 *)" + recovery_point_tags = {} + lifecycle = { + delete_after = 60 + } + }, + { + name = "rds_backup_rule_daily" + schedule = "cron(0 23 ? * 1-5,7 *)" + recovery_point_tags = {} + lifecycle = { + delete_after = 60 + } + }, { - name = "backup_rule_weekly" - schedule = "cron(0 23 ? * 6 *)" - recovery_point_tags = {} - lifecycle = { - delete_after = 60 - } - }] - -} - - -variable "org_id" { - type = string - description = "organization ID required to enable the conformance pack" - # default = "o-03y3m4pkl8" - default = "" -} - -variable "logging_account" { - description = "Central logging accoutn ID" - type = string - default = "" -} + name = "rds_backup_rule_weekly" + schedule = "cron(0 23 ? 
* 6 *)" + recovery_point_tags = {} + lifecycle = { + delete_after = 60 + } +}] +} + +# variable "location_vault_map" { +# description = "A map of regions to backup vault ARNs for RDS" +# type = map(string) +# default = { +# "us-east-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "eu-central-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ca-central-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "eu-west-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ap-southeast-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ap-northeast-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "ap-south-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "eu-west-3" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# "us-west-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}" +# } +# } +
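Review bot: The new defaults give `rds_backup_rule_daily` a 60-day `delete_after` while `efs_backup_rule_daily` keeps 14 days, and nothing in the hunk or descriptions explains the asymmetry; either align them or annotate the RDS rule, e.g. `# RDS daily points retained 60d to match the weekly schedule — confirm against retention policy`. The renamed rules are matched by exact name in the module's `copy_action` conditions, so a caller who overrides `spoke_backup_rules` with other names silently gets no cross-account copies; record that contract in the variable's `description`. The trailing commented-out `location_vault_map` variable duplicates the block added in modules/aws_backup/variables.tf and is dead for the same reason, since variable defaults cannot interpolate other variables.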