Allow creating resources for multiple environments in the same account.

modules/aws-backup-source/backup_framework.tf

@@ -1,4 +1,11 @@
+data "aws_backup_framework" "main" {
+  count = var.backup_plan_config.enable && var.resources_in_same_account != "" ? 1 : 0
+  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-framework", "-", "_")
+}
+
 resource "aws_backup_framework" "main" {
+  count = var.backup_plan_config.enable && var.resources_in_same_account == "" ? 1 : 0
+
   # must be underscores instead of dashes
   name        = replace("${local.resource_name_prefix}-framework", "-", "_")
   description = "${var.project_name} Backup Framework"
@@ -131,8 +138,14 @@ resource "aws_backup_framework" "main" {
   }
 }
 
+data "aws_backup_framework" "dynamodb" {
+  count = var.backup_plan_config_dynamodb.enable && var.resources_in_same_account != "" ? 1 : 0
+  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-dynamodb-framework", "-", "_")
+}
+
 resource "aws_backup_framework" "dynamodb" {
-  count = var.backup_plan_config_dynamodb.enable ? 1 : 0
+  count = var.backup_plan_config_dynamodb.enable && var.resources_in_same_account == "" ? 1 : 0
+
   # must be underscores instead of dashes
   name        = replace("${local.resource_name_prefix}-dynamodb-framework", "-", "_")
   description = "${var.project_name} DynamoDB Backup Framework"
@@ -172,8 +185,14 @@ resource "aws_backup_framework" "dynamodb" {
   }
 }
 
+data "aws_backup_framework" "ebsvol" {
+  count = var.backup_plan_config_ebsvol.enable && var.resources_in_same_account != "" ? 1 : 0
+  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-ebsvol-framework", "-", "_")
+}
+
 resource "aws_backup_framework" "ebsvol" {
-  count = var.backup_plan_config_ebsvol.enable ? 1 : 0
+  count = var.backup_plan_config_ebsvol.enable && var.resources_in_same_account == "" ? 1 : 0
+
   # must be underscores instead of dashes
   name        = replace("${local.resource_name_prefix}-ebsvol-framework", "-", "_")
   description = "${var.project_name} EBS Backup Framework"
@@ -213,8 +232,14 @@ resource "aws_backup_framework" "ebsvol" {
   }
 }
 
+data "aws_backup_framework" "aurora" {
+  count = var.backup_plan_config_aurora.enable && var.resources_in_same_account != "" ? 1 : 0
+  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-aurora-framework", "-", "_")
+}
+
 resource "aws_backup_framework" "aurora" {
-  count = var.backup_plan_config_aurora.enable ? 1 : 0
+  count = var.backup_plan_config_aurora.enable && var.resources_in_same_account == "" ? 1 : 0
+
   # must be underscores instead of dashes
   name        = replace("${local.resource_name_prefix}-aurora-framework", "-", "_")
   description = "${var.project_name} Aurora Backup Framework"
@@ -253,8 +278,14 @@ resource "aws_backup_framework" "aurora" {
   }
 }
 
+data "aws_backup_framework" "parameter_store" {
+  count = var.backup_plan_config_parameter_store.enable && var.resources_in_same_account != "" ? 1 : 0
+  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-parameter-store-framework", "-", "_")
+}
+
 resource "aws_backup_framework" "parameter_store" {
-  count = var.backup_plan_config_parameter_store.enable ? 1 : 0
+  count = var.backup_plan_config_parameter_store.enable && var.resources_in_same_account == "" ? 1 : 0
+
   # must be underscores instead of dashes
   name        = replace("${local.resource_name_prefix}-parameter-store-framework", "-", "_")
   description = "${var.project_name} Parameter Store Backup Framework"

modules/aws-backup-source/backup_notification.tf

@@ -1,6 +1,6 @@
 resource "aws_backup_vault_notifications" "backup_notification" {
-  count             = var.notifications_target_email_address != "" ? 1 : 0
-  backup_vault_name = aws_backup_vault.main.name
+  count             = var.notifications_target_email_address != "" && var.resources_in_same_account == "" ? 1 : 0
+  backup_vault_name = aws_backup_vault.main[0].name
   sns_topic_arn     = aws_sns_topic.backup[0].arn
   backup_vault_events = [
     "BACKUP_JOB_COMPLETED",

modules/aws-backup-source/backup_plan.tf

@@ -1,5 +1,6 @@
 resource "aws_backup_plan" "default" {
-  name = "${local.resource_name_prefix}-plan"
+  count = var.backup_plan_config.enable && var.resources_in_same_account == "" ? 1 : 0
+  name  = "${local.resource_name_prefix}-plan"
 
   dynamic "rule" {
     for_each = var.backup_plan_config.rules
@@ -31,7 +32,7 @@ resource "aws_backup_plan" "default" {
 
 # this backup plan shouldn't include a continous backup rule as it isn't supported for DynamoDB
 resource "aws_backup_plan" "dynamodb" {
-  count = var.backup_plan_config_dynamodb.enable ? 1 : 0
+  count = var.backup_plan_config_dynamodb.enable && var.resources_in_same_account == "" ? 1 : 0
   name  = "${local.resource_name_prefix}-dynamodb-plan"
 
   dynamic "rule" {
@@ -62,7 +63,7 @@ resource "aws_backup_plan" "dynamodb" {
 }
 
 resource "aws_backup_plan" "ebsvol" {
-  count = var.backup_plan_config_ebsvol.enable ? 1 : 0
+  count = var.backup_plan_config_ebsvol.enable && var.resources_in_same_account == "" ? 1 : 0
   name  = "${local.resource_name_prefix}-ebsvol-plan"
 
   dynamic "rule" {
@@ -93,7 +94,7 @@ resource "aws_backup_plan" "ebsvol" {
 
 # this backup plan shouldn't include a continous backup rule as it isn't supported for Aurora
 resource "aws_backup_plan" "aurora" {
-  count = var.backup_plan_config_aurora.enable ? 1 : 0
+  count = var.backup_plan_config_aurora.enable && var.resources_in_same_account == "" ? 1 : 0
   name  = "${local.resource_name_prefix}-aurora-plan"
 
   dynamic "rule" {
@@ -103,7 +104,7 @@ resource "aws_backup_plan" "aurora" {
         backup_rule_name = rule.value.name
       }
       rule_name         = rule.value.name
-      target_vault_name = aws_backup_vault.main.name
+      target_vault_name = aws_backup_vault.main[0].name
       schedule          = rule.value.schedule
       lifecycle {
         delete_after       = rule.value.lifecycle.delete_after != null ? rule.value.lifecycle.delete_after : null
@@ -122,9 +123,8 @@ resource "aws_backup_plan" "aurora" {
   }
 }
 
-
 resource "aws_backup_plan" "parameter_store" {
-  count = var.backup_plan_config_parameter_store.enable ? 1 : 0
+  count = var.backup_plan_config_parameter_store.enable && var.resources_in_same_account == "" ? 1 : 0
   name  = "${local.resource_name_prefix}-ps-plan"
 
   dynamic "rule" {
@@ -157,6 +157,8 @@ resource "aws_backup_plan" "parameter_store" {
 
 
 resource "aws_backup_selection" "default" {
+  count = var.backup_plan_config.enable && var.resources_in_same_account == "" ? 1 : 0
+
   iam_role_arn = aws_iam_role.backup.arn
   name         = "${local.resource_name_prefix}-selection"
   plan_id      = aws_backup_plan.default.id
@@ -178,7 +180,7 @@ resource "aws_backup_selection" "default" {
 }
 
 resource "aws_backup_selection" "dynamodb" {
-  count        = var.backup_plan_config_dynamodb.enable ? 1 : 0
+  count        = var.backup_plan_config_dynamodb.enable && var.resources_in_same_account == "" ? 1 : 0
   iam_role_arn = aws_iam_role.backup.arn
   name         = "${local.resource_name_prefix}-dynamodb-selection"
   plan_id      = aws_backup_plan.dynamodb[0].id
@@ -200,7 +202,7 @@ resource "aws_backup_selection" "dynamodb" {
 }
 
 resource "aws_backup_selection" "ebsvol" {
-  count        = var.backup_plan_config_ebsvol.enable ? 1 : 0
+  count        = var.backup_plan_config_ebsvol.enable && var.resources_in_same_account == "" ? 1 : 0
   iam_role_arn = aws_iam_role.backup.arn
   name         = "${local.resource_name_prefix}-ebsvol-selection"
   plan_id      = aws_backup_plan.ebsvol[0].id
@@ -222,7 +224,7 @@ resource "aws_backup_selection" "ebsvol" {
 }
 
 resource "aws_backup_selection" "aurora" {
-  count        = var.backup_plan_config_aurora.enable ? 1 : 0
+  count        = var.backup_plan_config_aurora.enable && var.resources_in_same_account == "" ? 1 : 0
   iam_role_arn = aws_iam_role.backup.arn
   name         = "${local.resource_name_prefix}-aurora-selection"
   plan_id      = aws_backup_plan.aurora[0].id
@@ -235,7 +237,7 @@ resource "aws_backup_selection" "aurora" {
 }
 
 resource "aws_backup_selection" "parameter_store" {
-  count        = var.backup_plan_config_parameter_store.enable ? 1 : 0
+  count        = var.backup_plan_config_parameter_store.enable && var.resources_in_same_account == "" ? 1 : 0
   iam_role_arn = aws_iam_role.backup.arn
   name         = "${local.resource_name_prefix}-ps-selection"
   plan_id      = aws_backup_plan.parameter_store[0].id

modules/aws-backup-source/backup_report_plan.tf

@@ -1,6 +1,6 @@
 # Create the reports
 resource "aws_backup_report_plan" "backup_jobs" {
-  name        = var.name_prefix != null ? "${var.name_prefix}_backup_jobs" : "backup_jobs"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_jobs" : "backup_jobs"
   description = "Report for showing whether backups ran successfully in the last 24 hours"
 
   report_delivery_channel {
@@ -18,7 +18,7 @@ resource "aws_backup_report_plan" "backup_jobs" {
 
 # Create the restore testing completion reports
 resource "aws_backup_report_plan" "backup_restore_testing_jobs" {
-  name        = var.name_prefix != null ? "${var.name_prefix}_backup_restore_testing_jobs" : "backup_restore_testing_jobs"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_restore_testing_jobs" : "backup_restore_testing_jobs"
   description = "Report for showing whether backup restore test ran successfully in the last 24 hours"
 
   report_delivery_channel {
@@ -35,7 +35,7 @@ resource "aws_backup_report_plan" "backup_restore_testing_jobs" {
 }
 
 resource "aws_backup_report_plan" "resource_compliance" {
-  name        = var.name_prefix != null ? "${var.name_prefix}_resource_compliance" : "resource_compliance"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_resource_compliance" : "resource_compliance"
   description = "Report for showing whether resources are compliant with the framework"
 
   report_delivery_channel {
@@ -55,7 +55,7 @@ resource "aws_backup_report_plan" "resource_compliance" {
 
 resource "aws_backup_report_plan" "copy_jobs" {
   count       = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? 1 : 0
-  name        = var.name_prefix != null ? "${var.name_prefix}_copy_jobs" : "copy_jobs"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_copy_jobs" : "copy_jobs"
   description = "Report for showing whether copies ran successfully in the last 24 hours"
 
   report_delivery_channel {

modules/aws-backup-source/backup_restore_testing.tf

@@ -1,20 +1,21 @@
 resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan" {
-  restore_testing_plan_name = var.name_prefix != null ? "${var.name_prefix}_backup_restore_testing_plan" : "backup_restore_testing_plan"
+  count = (var.backup_plan_config.enable || var.backup_plan_config_dynamodb.enable || var.backup_plan_config_ebsvol.enable || var.backup_plan_config_aurora.enable) && var.resources_in_same_account == "" ? 1 : 0
+  restore_testing_plan_name = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_restore_testing_plan" : "backup_restore_testing_plan"
   schedule_expression       = var.restore_testing_plan_scheduled_expression
   start_window_hours        = var.restore_testing_plan_start_window
   recovery_point_selection = {
     algorithm             = var.restore_testing_plan_algorithm
-    include_vaults        = [aws_backup_vault.main.arn]
+    include_vaults        = [aws_backup_vault.main[0].arn]
     recovery_point_types  = var.restore_testing_plan_recovery_point_types
     selection_window_days = var.restore_testing_plan_selection_window_days
   }
 }
 
 resource "awscc_backup_restore_testing_selection" "backup_restore_testing_selection_dynamodb" {
-  count                          = var.backup_plan_config_dynamodb.enable ? 1 : 0
+  count                          = var.backup_plan_config_dynamodb.enable && var.resources_in_same_account == "" ? 1 : 0
   iam_role_arn                   = aws_iam_role.backup.arn
   protected_resource_type        = "DynamoDB"
-  restore_testing_plan_name      = awscc_backup_restore_testing_plan.backup_restore_testing_plan.restore_testing_plan_name
+  restore_testing_plan_name      = awscc_backup_restore_testing_plan.backup_restore_testing_plan[0].restore_testing_plan_name
   restore_testing_selection_name = "backup_restore_testing_selection_dynamodb"
   protected_resource_arns        = ["*"]
   protected_resource_conditions = {
@@ -27,10 +28,10 @@ resource "awscc_backup_restore_testing_selection" "backup_restore_testing_select
 
 
 resource "awscc_backup_restore_testing_selection" "backup_restore_testing_selection_ebsvol" {
-  count                          = var.backup_plan_config_ebsvol.enable ? 1 : 0
+  count                          = var.backup_plan_config_ebsvol.enable && var.resources_in_same_account == "" ? 1 : 0
   iam_role_arn                   = aws_iam_role.backup.arn
   protected_resource_type        = "EBS"
-  restore_testing_plan_name      = awscc_backup_restore_testing_plan.backup_restore_testing_plan.restore_testing_plan_name
+  restore_testing_plan_name      = awscc_backup_restore_testing_plan.backup_restore_testing_plan[0].restore_testing_plan_name
   restore_testing_selection_name = "backup_restore_testing_selection_ebsvol"
   protected_resource_arns        = ["*"]
   protected_resource_conditions = {
@@ -42,10 +43,10 @@ resource "awscc_backup_restore_testing_selection" "backup_restore_testing_select
 }
 
 resource "awscc_backup_restore_testing_selection" "backup_restore_testing_selection_aurora" {
-  count                          = var.backup_plan_config_aurora.enable ? 1 : 0
+  count                          = var.backup_plan_config_aurora.enable && var.resources_in_same_account == "" ? 1 : 0
   iam_role_arn                   = aws_iam_role.backup.arn
   protected_resource_type        = "Aurora"
-  restore_testing_plan_name      = awscc_backup_restore_testing_plan.backup_restore_testing_plan.restore_testing_plan_name
+  restore_testing_plan_name      = awscc_backup_restore_testing_plan.backup_restore_testing_plan[0].restore_testing_plan_name
   restore_testing_selection_name = "backup_restore_testing_selection_aurora"
   protected_resource_arns        = ["*"]
   protected_resource_conditions = {
@@ -56,3 +57,10 @@ resource "awscc_backup_restore_testing_selection" "backup_restore_testing_select
   }
   restore_metadata_overrides = local.aurora_overrides
 }
+
+# -----
+
+moved {
+  from = awscc_backup_restore_testing_plan.backup_restore_testing_plan
+  to   = awscc_backup_restore_testing_plan.backup_restore_testing_plan[0]
+}

modules/aws-backup-source/backup_vault.tf

@@ -1,4 +1,11 @@
 resource "aws_backup_vault" "main" {
+  count = var.resources_in_same_account == "" ? 1 : 0
+
   name        = "${local.resource_name_prefix}-vault"
   kms_key_arn = aws_kms_key.aws_backup_key.arn
 }
+
+moved {
+  from = aws_backup_vault.main
+  to   = aws_backup_vault.main[0]
+}

modules/aws-backup-source/backup_vault_policy.tf

@@ -1,10 +1,12 @@
 resource "aws_backup_vault_policy" "vault_policy" {
-  backup_vault_name = aws_backup_vault.main.name
-  policy            = data.aws_iam_policy_document.vault_policy.json
+  count = var.resources_in_same_account == "" ? 1 : 0
+
+  backup_vault_name = aws_backup_vault.main[0].name
+  policy            = data.aws_iam_policy_document.vault_policy[0].json
 }
 
 data "aws_iam_policy_document" "vault_policy" {
-
+  count = var.resources_in_same_account == "" ? 1 : 0
 
   statement {
     sid    = "DenyApartFromTerraform"
@@ -45,3 +47,13 @@ data "aws_iam_policy_document" "vault_policy" {
     }
   }
 }
+
+moved {
+  from = aws_backup_vault_policy.vault_policy
+  to   = aws_backup_vault_policy.vault_policy[0]
+}
+
+moved {
+  from = data.aws_iam_policy_document.vault_policy
+  to   = data.aws_iam_policy_document.vault_policy[0]
+}

modules/aws-backup-source/iam.tf

@@ -12,7 +12,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 resource "aws_iam_role" "backup" {
-  name                 = "${var.project_name}BackupRole"
+  name                 = "${var.include_environment_in_resource_names ? "${var.project_name}-${var.environment_name}" : var.project_name}BackupRole"
   assume_role_policy   = data.aws_iam_policy_document.assume_role.json
   permissions_boundary = length(var.iam_role_permissions_boundary) > 0 ? var.iam_role_permissions_boundary : null
 }

modules/aws-backup-source/kms.tf

@@ -6,7 +6,7 @@ resource "aws_kms_key" "aws_backup_key" {
 }
 
 resource "aws_kms_alias" "backup_key" {
-  name          = var.name_prefix != null ? "alias/${var.name_prefix}/backup-key" : "alias/${var.environment_name}/backup-key"
+  name          = var.name_prefix != null ? "alias/${var.include_environment_in_resource_names ? "${local.resource_name_prefix}" : var.name_prefix}/backup-key" : "alias/${var.environment_name}/backup-key"
   target_key_id = aws_kms_key.aws_backup_key.key_id
 }
 

modules/aws-backup-source/lambda_copy_recovery_point.tf

@@ -1,12 +1,12 @@
 data "archive_file" "lambda_copy_recovery_point_zip" {
-  count       = var.lambda_copy_recovery_point_enable ? 1 : 0
+  count       = var.lambda_copy_recovery_point_enable && var.resources_in_same_account == "" ? 1 : 0
   type        = "zip"
   source_dir  = "${path.module}/resources/copy-recovery-point/"
   output_path = "${path.module}/.terraform/archive_files/lambda_copy_recovery_point.zip"
 }
 
 resource "aws_iam_role" "iam_for_lambda_copy_recovery_point" {
-  count = var.lambda_copy_recovery_point_enable ? 1 : 0
+  count = var.lambda_copy_recovery_point_enable && var.resources_in_same_account == "" ? 1 : 0
   name  = "${local.resource_name_prefix}-lambda-copy-recovery-point-role"
 
   assume_role_policy = jsonencode({
@@ -20,7 +20,7 @@ resource "aws_iam_role" "iam_for_lambda_copy_recovery_point" {
 }
 
 resource "aws_iam_policy" "iam_policy_for_lambda_copy_recovery_point" {
-  count = var.lambda_copy_recovery_point_enable ? 1 : 0
+  count = var.lambda_copy_recovery_point_enable && var.resources_in_same_account == "" ? 1 : 0
   name  = "${local.resource_name_prefix}-lambda-copy-recovery-point-policy"
 
   policy = jsonencode({
@@ -54,13 +54,13 @@ resource "aws_iam_policy" "iam_policy_for_lambda_copy_recovery_point" {
 }
 
 resource "aws_iam_role_policy_attachment" "lambda_copy_recovery_point_policy_attach" {
-  count      = var.lambda_copy_recovery_point_enable ? 1 : 0
+  count      = var.lambda_copy_recovery_point_enable && var.resources_in_same_account == "" ? 1 : 0
   role       = aws_iam_role.iam_for_lambda_copy_recovery_point[0].name
   policy_arn = aws_iam_policy.iam_policy_for_lambda_copy_recovery_point[0].arn
 }
 
 resource "aws_lambda_function" "lambda_copy_recovery_point" {
-  count            = var.lambda_copy_recovery_point_enable ? 1 : 0
+  count            = var.lambda_copy_recovery_point_enable && var.resources_in_same_account == "" ? 1 : 0
   function_name    = "${local.resource_name_prefix}_lambda-copy-recovery-point"
   role             = aws_iam_role.iam_for_lambda_copy_recovery_point[0].arn
   handler          = "lambda_function.lambda_handler"
@@ -74,7 +74,7 @@ resource "aws_lambda_function" "lambda_copy_recovery_point" {
       POLL_INTERVAL_SECONDS = var.lambda_copy_recovery_point_poll_interval_seconds
       MAX_WAIT_MINUTES      = var.lambda_copy_recovery_point_max_wait_minutes
       DESTINATION_VAULT_ARN = var.lambda_copy_recovery_point_destination_vault_arn != "" ? var.lambda_copy_recovery_point_destination_vault_arn : var.backup_copy_vault_arn
-      SOURCE_VAULT_ARN      = var.lambda_copy_recovery_point_source_vault_arn != "" ? var.lambda_copy_recovery_point_source_vault_arn : aws_backup_vault.main.arn
+      SOURCE_VAULT_ARN      = var.lambda_copy_recovery_point_source_vault_arn != "" ? var.lambda_copy_recovery_point_source_vault_arn : aws_backup_vault.main[0].arn
       ASSUME_ROLE_ARN       = var.lambda_copy_recovery_point_assume_role_arn
     }
   }