diff --git a/modules/aws-backup-destination/backup.tf b/modules/aws-backup-destination/backup.tf
index 2cdad37..e33ae48 100644
--- a/modules/aws-backup-destination/backup.tf
+++ b/modules/aws-backup-destination/backup.tf
@@ -1,13 +1,22 @@
 resource "aws_backup_vault" "vault" {
+ count = var.resources_in_same_account ? 1 : 0
+
 name = var.name_prefix != null ? "${var.name_prefix}-backup-vault" : "${var.source_account_name}-backup-vault"
 kms_key_arn = var.kms_key
 }
 output "vault_arn" {
- value = aws_backup_vault.vault.arn
+ value = var.resources_in_same_account ? aws_backup_vault.vault[0].arn : null
 }
 output "vault_name" {
 description = "The name of the backup vault."
- value = aws_backup_vault.vault.name
+ value = var.resources_in_same_account ? aws_backup_vault.vault[0].name : null
+}
+
+# -----
+
+moved {
+ from = aws_backup_vault.vault
+ to = aws_backup_vault.vault[0]
 }
diff --git a/modules/aws-backup-destination/backup_vault_lock.tf b/modules/aws-backup-destination/backup_vault_lock.tf
index e1a3178..0509490 100644
--- a/modules/aws-backup-destination/backup_vault_lock.tf
+++ b/modules/aws-backup-destination/backup_vault_lock.tf
@@ -1,6 +1,7 @@
 resource "aws_backup_vault_lock_configuration" "vault_lock" {
- count = var.enable_vault_protection ? 1 : 0
- backup_vault_name = aws_backup_vault.vault.name
+ count = var.enable_vault_protection && var.resources_in_same_account ? 1 : 0
+
+ backup_vault_name = aws_backup_vault.vault[0].name
 changeable_for_days = var.vault_lock_type == "compliance" ? var.changeable_for_days : null
 max_retention_days = var.vault_lock_max_retention_days
 min_retention_days = var.vault_lock_min_retention_days
diff --git a/modules/aws-backup-destination/backup_vault_policy.tf b/modules/aws-backup-destination/backup_vault_policy.tf
index 06e3468..9e94230 100644
--- a/modules/aws-backup-destination/backup_vault_policy.tf
+++ b/modules/aws-backup-destination/backup_vault_policy.tf
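Review bot: The gating `count = var.resources_in_same_account ? 1 : 0` on `aws_backup_vault.vault` reads backwards against the variable it relies on in variables.tf, whose comment says the vault must *not* be created for additional environments in the same account and whose default is `false` — so a fresh apply creates no vault, and an existing deployment (whose vault the `moved` block migrates to `vault[0]`) plans a destroy of the vault, its lock configuration, its access policy and the Parameter Store KMS key, with `vault_arn`/`vault_name` becoming `null` for consumers. Either the condition should be `!var.resources_in_same_account`, or the default should be `true` and the description rewritten to say which value creates the base resources; as written the two disagree. The same gating is repeated in backup_vault_lock.tf, backup_vault_policy.tf and parameter_store_kms.tf and should be fixed together, ideally through one `local.create_base_resources` so the four files cannot drift.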
@@ -1,9 +1,12 @@
 resource "aws_backup_vault_policy" "vault_policy" {
- backup_vault_name = aws_backup_vault.vault.name
- policy = data.aws_iam_policy_document.vault_policy.json
+ count = var.resources_in_same_account ? 1 : 0
+
+ backup_vault_name = aws_backup_vault.vault[0].name
+ policy = data.aws_iam_policy_document.vault_policy[0].json
 }
 data "aws_iam_policy_document" "vault_policy" {
+ count = var.resources_in_same_account ? 1 : 0
 statement {
 sid = "AllowCopyToVault"
@@ -66,3 +69,15 @@ data "aws_iam_policy_document" "vault_policy" {
 }
 }
 }
+
+# -----
+
+moved {
+ from = aws_backup_vault_policy.vault_policy
+ to = aws_backup_vault_policy.vault_policy[0]
+}
+
+moved {
+ from = data.aws_iam_policy_document.vault_policy
+ to = data.aws_iam_policy_document.vault_policy[0]
+}
diff --git a/modules/aws-backup-destination/iam.tf b/modules/aws-backup-destination/iam.tf
index c700e86..bcd7641 100644
--- a/modules/aws-backup-destination/iam.tf
+++ b/modules/aws-backup-destination/iam.tf
@@ -42,7 +42,7 @@ resource "aws_iam_role" "copy_recovery_point" {
 }
 data "aws_iam_policy_document" "copy_recovery_point_permissions" {
- count = var.enable_cross_account_vault_access ? 1 : 0
+ count = var.enable_cross_account_vault_access && var.resources_in_same_account ? 1 : 0
 # Start copy job (resource-level supports recoveryPoint*)
 statement {
@@ -71,7 +71,7 @@ data "aws_iam_policy_document" "copy_recovery_point_permissions" {
 ]
 resources = [
 "arn:aws:backup:${var.region}:${var.account_id}:recovery-point:*",
- "arn:aws:backup:${var.region}:${var.account_id}:backup-vault:${aws_backup_vault.vault.name}",
+ "arn:aws:backup:${var.region}:${var.account_id}:backup-vault:${aws_backup_vault.vault[0].name}",
 "arn:aws:backup:${var.region}:${var.source_account_id}:backup-vault:*"
 ]
 }
diff --git a/modules/aws-backup-destination/parameter_store_kms.tf b/modules/aws-backup-destination/parameter_store_kms.tf
index 374fda7..409a57f 100644
--- a/modules/aws-backup-destination/parameter_store_kms.tf
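Review bot: `data.aws_iam_policy_document.copy_recovery_point_permissions` is now created only when `var.enable_cross_account_vault_access && var.resources_in_same_account`, but `aws_iam_role.copy_recovery_point` (which begins above the hunk) and whatever attaches `copy_recovery_point_permissions[0].json` to it are not in view; if they are still gated on `var.enable_cross_account_vault_access` alone, the two flags differing yields either a role with no permissions or an invalid `[0]` index at plan time. A shared local, e.g. `create_copy_role = var.enable_cross_account_vault_access && var.resources_in_same_account`, used by the role, the document and the attachment would keep the three in step. The narrowed condition is otherwise needed here, since the second `resources` entry now names `aws_backup_vault.vault[0]`, which only exists under the same flag.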
+++ b/modules/aws-backup-destination/parameter_store_kms.tf
@@ -1,4 +1,6 @@
 data "aws_iam_policy_document" "kms_key_policy" {
+ count = var.resources_in_same_account ? 1 : 0
+
 statement {
 sid = "Enable IAM User Permissions"
 effect = "Allow"
@@ -33,17 +35,38 @@ data "aws_iam_policy_document" "kms_key_policy" {
 }
 resource "aws_kms_key" "parameter_store_key" {
+ count = var.resources_in_same_account ? 1 : 0
+
 description = "KMS key for cross-account encryption of Parameter Store backups."
 deletion_window_in_days = 7
- policy = data.aws_iam_policy_document.kms_key_policy.json
+ policy = data.aws_iam_policy_document.kms_key_policy[0].json
 }
 resource "aws_kms_alias" "parameter_store_alias" {
+ count = var.resources_in_same_account ? 1 : 0
+
 name = "alias/parameter-store-backup-key"
- target_key_id = aws_kms_key.parameter_store_key.key_id
+ target_key_id = aws_kms_key.parameter_store_key[0].key_id
 }
 output "parameter_store_kms_key_arn" {
 description = "The ARN of the KMS key created in the backup account."
- value = aws_kms_key.parameter_store_key.arn
+ value = var.resources_in_same_account ? aws_kms_key.parameter_store_key[0].arn : null
+}
+
+# -----
+
+moved {
+ from = data.aws_iam_policy_document.kms_key_policy
+ to = data.aws_iam_policy_document.kms_key_policy[0]
+}
+
+moved {
+ from = aws_kms_key.parameter_store_key
+ to = aws_kms_key.parameter_store_key[0]
+}
+
+moved {
+ from = aws_kms_alias.parameter_store_alias
+ to = aws_kms_alias.parameter_store_alias[0]
 }
diff --git a/modules/aws-backup-destination/variables.tf b/modules/aws-backup-destination/variables.tf
index bbe68da..bdc6b8e 100644
--- a/modules/aws-backup-destination/variables.tf
+++ b/modules/aws-backup-destination/variables.tf
@@ -100,3 +100,12 @@ variable "enable_cross_account_vault_access" {
 type = bool
 default = false
 }
+
+# If we're building this for multiple environments in the same account, some things
+# should not be created. Such as the vault! There can be only one - the environment
+# vaults should all copy to this, main/backup/immutable vault.
+variable "resources_in_same_account" {
+ description = "Should all resources be created in the same account. Set to 'true' if base resources already exists in the account, and they should be reused."
+ type = bool
+ default = false
+}
diff --git a/modules/aws-backup-source/backup_framework.tf b/modules/aws-backup-source/backup_framework.tf
index 19a2803..52a6ff0 100644
--- a/modules/aws-backup-source/backup_framework.tf
+++ b/modules/aws-backup-source/backup_framework.tf
@@ -1,4 +1,16 @@
+# There can be only one [framework with x controls in one account]!
+#
+# For the frameworks of the other envs in the account, we "import"
+# them using a `data` record, looking for the environment name set
+# in the `resources_in_same_account` variable.
+
+data "aws_backup_framework" "main" {
+ count = var.backup_plan_config.enable && var.resources_in_same_account != "" ? 1 : 0
+ name = replace("${var.name_prefix}-${var.resources_in_same_account}-framework", "-", "_")
+}
 resource "aws_backup_framework" "main" {
+ count = var.backup_plan_config.enable && var.resources_in_same_account == "" ? 1 : 0
+
 # must be underscores instead of dashes
 name = replace("${local.resource_name_prefix}-framework", "-", "_")
 description = "${var.project_name} Backup Framework"
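Review bot: The description of `resources_in_same_account` ("Set to 'true' if base resources already exists in the account, and they should be reused") says the opposite of the comment above it ("some things should not be created. Such as the vault!") and of backup.tf, which creates the vault exactly when the value is `true`. The same name is declared in aws-backup-source/variables.tf as a `string` holding an environment name, so a reader following one module will misconfigure the other. Suggest a description that names the effect rather than the situation, e.g. `description = "Create the shared backup vault, vault lock, vault policy and Parameter Store KMS key in this account. Set to false for an additional environment that reuses a vault created by another deployment in the same account."`, and distinct names such as `create_base_resources` here and `base_resources_environment` in the source module.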
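Review bot: `data.aws_backup_framework.main` derives its lookup name from `var.name_prefix` directly, while the resource it is meant to find is named from `local.resource_name_prefix`; with `name_prefix = null` (other hunks guard on `var.name_prefix != null`) the template errors on a null interpolation, and with `include_environment_in_resource_names = false` the two names never match and the plan fails with an opaque not-found error. The variable comment says the flag is required but nothing enforces it; a `precondition` on the data source turns the mismatch into a clear message at plan time. The dynamodb, ebsvol, aurora and parameter_store lookups in the following hunks have the same shape and would take the same guard.
```hcl
data "aws_backup_framework" "main" {
  count = var.backup_plan_config.enable && var.resources_in_same_account != "" ? 1 : 0
  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-framework", "-", "_")

  lifecycle {
    precondition {
      condition     = var.include_environment_in_resource_names && var.name_prefix != null
      error_message = "resources_in_same_account requires include_environment_in_resource_names = true and a non-null name_prefix; otherwise the framework name cannot match the one created by the base environment."
    }
  }
}
```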
@@ -131,8 +143,12 @@ resource "aws_backup_framework" "main" {
 }
 }
+data "aws_backup_framework" "dynamodb" {
+ count = var.backup_plan_config_dynamodb.enable && var.resources_in_same_account != "" ? 1 : 0
+ name = replace("${var.name_prefix}-${var.resources_in_same_account}-dynamodb-framework", "-", "_")
+}
 resource "aws_backup_framework" "dynamodb" {
- count = var.backup_plan_config_dynamodb.enable ? 1 : 0
+ count = var.backup_plan_config_dynamodb.enable && var.resources_in_same_account == "" ? 1 : 0
 # must be underscores instead of dashes
 name = replace("${local.resource_name_prefix}-dynamodb-framework", "-", "_")
 description = "${var.project_name} DynamoDB Backup Framework"
@@ -172,8 +188,12 @@ resource "aws_backup_framework" "dynamodb" {
 }
 }
+data "aws_backup_framework" "ebsvol" {
+ count = var.backup_plan_config_ebsvol.enable && var.resources_in_same_account != "" ? 1 : 0
+ name = replace("${var.name_prefix}-${var.resources_in_same_account}-ebsvol-framework", "-", "_")
+}
 resource "aws_backup_framework" "ebsvol" {
- count = var.backup_plan_config_ebsvol.enable ? 1 : 0
+ count = var.backup_plan_config_ebsvol.enable && var.resources_in_same_account == "" ? 1 : 0
 # must be underscores instead of dashes
 name = replace("${local.resource_name_prefix}-ebsvol-framework", "-", "_")
 description = "${var.project_name} EBS Backup Framework"
@@ -213,8 +233,12 @@ resource "aws_backup_framework" "ebsvol" {
 }
 }
+data "aws_backup_framework" "aurora" {
+ count = var.backup_plan_config_aurora.enable && var.resources_in_same_account != "" ? 1 : 0
+ name = replace("${var.name_prefix}-${var.resources_in_same_account}-aurora-framework", "-", "_")
+}
 resource "aws_backup_framework" "aurora" {
- count = var.backup_plan_config_aurora.enable ? 1 : 0
+ count = var.backup_plan_config_aurora.enable && var.resources_in_same_account == "" ? 1 : 0
 # must be underscores instead of dashes
 name = replace("${local.resource_name_prefix}-aurora-framework", "-", "_")
 description = "${var.project_name} Aurora Backup Framework"
@@ -253,8 +277,12 @@ resource "aws_backup_framework" "aurora" {
 }
 }
+data "aws_backup_framework" "parameter_store" {
+ count = var.backup_plan_config_parameter_store.enable && var.resources_in_same_account != "" ? 1 : 0
+ name = replace("${var.name_prefix}-${var.resources_in_same_account}-parameter-store-framework", "-", "_")
+}
 resource "aws_backup_framework" "parameter_store" {
- count = var.backup_plan_config_parameter_store.enable ? 1 : 0
+ count = var.backup_plan_config_parameter_store.enable && var.resources_in_same_account == "" ? 1 : 0
 # must be underscores instead of dashes
 name = replace("${local.resource_name_prefix}-parameter-store-framework", "-", "_")
 description = "${var.project_name} Parameter Store Backup Framework"
@@ -292,3 +320,10 @@ resource "aws_backup_framework" "parameter_store" {
 }
 }
 }
+
+# -----
+
+moved {
+ from = aws_backup_framework.main
+ to = aws_backup_framework.main[0]
+}
diff --git a/modules/aws-backup-source/backup_plan.tf b/modules/aws-backup-source/backup_plan.tf
index 4e7a671..e235608 100644
--- a/modules/aws-backup-source/backup_plan.tf
+++ b/modules/aws-backup-source/backup_plan.tf
@@ -168,7 +168,12 @@ resource "aws_backup_selection" "default" {
 }
 condition {
 dynamic "string_equals" {
- for_each = local.selection_tags_null_checked
+ for_each = concat(local.selection_tags_null_checked, [
+ {
+ "key" : var.backup_plan_config.selection_tag,
+ "value" : var.backup_plan_config.selection_tag_value != null ? var.backup_plan_config.selection_tag_value : "True"
+ }
+ ])
 content {
 key = (try(string_equals.value.key, null) == null) ? null : "aws:ResourceTag/${string_equals.value.key}"
 value = try(string_equals.value.value, null)
@@ -190,7 +195,12 @@ resource "aws_backup_selection" "dynamodb" {
 }
 condition {
 dynamic "string_equals" {
- for_each = local.selection_tags_dynamodb_null_checked
+ for_each = concat(local.selection_tags_dynamodb_null_checked, [
+ {
+ "key" : var.backup_plan_config_dynamodb.selection_tag,
+ "value" : var.backup_plan_config_dynamodb.selection_tag_value != null ? var.backup_plan_config_dynamodb.selection_tag_value : "True"
+ }
+ ])
 content {
 key = (try(string_equals.value.key, null) == null) ? null : "aws:ResourceTag/${string_equals.value.key}"
 value = try(string_equals.value.value, null)
@@ -212,7 +222,12 @@ resource "aws_backup_selection" "ebsvol" {
 }
 condition {
 dynamic "string_equals" {
- for_each = local.selection_tags_ebsvol_null_checked
+ for_each = concat(local.selection_tags_ebsvol_null_checked, [
+ {
+ "key" : var.backup_plan_config_ebsvol.selection_tag,
+ "value" : var.backup_plan_config_ebsvol.selection_tag_value != null ? var.backup_plan_config_ebsvol.selection_tag_value : "True"
+ }
+ ])
 content {
 key = (try(string_equals.value.key, null) == null) ? null : "aws:ResourceTag/${string_equals.value.key}"
 value = try(string_equals.value.value, null)
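Review bot: The `concat(local.selection_tags_null_checked, [{ "key" : selection_tag, "value" : … }])` appends the plan's primary tag a second time whenever `selection_tags` is null, because `local.selection_tags_null_checked` (locals.tf in this commit) already falls back to exactly that key/value pair, so the `string_equals` condition carries a duplicate entry. For callers who do pass `selection_tags`, this also newly ANDs the primary tag into the condition list (AWS Backup treats `condition` entries as all-must-match, unlike the any-match `selection_tag` blocks), which narrows what is selected for backup; if that is intended it should be stated on the variable, since resources that were backed up before may silently drop out. If the aim is only that the primary tag is present once, `for_each = distinct(concat(local.selection_tags_null_checked, [ … ]))` drops the duplicate; the dynamodb, ebsvol, aurora and parameter_store selections have the same pattern. The `aws_backup_selection.default` block starts above the hunk.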
@@ -230,7 +245,21 @@ resource "aws_backup_selection" "aurora" {
 selection_tag {
 key = var.backup_plan_config_aurora.selection_tag
 type = "STRINGEQUALS"
- value = "True"
+ value = (var.backup_plan_config_aurora.selection_tag_value == null) ? "True" : var.backup_plan_config_aurora.selection_tag_value
+ }
+ condition {
+ dynamic "string_equals" {
+ for_each = concat(local.selection_tags_aurora_null_checked, [
+ {
+ "key" : var.backup_plan_config_aurora.selection_tag,
+ "value" : var.backup_plan_config_aurora.selection_tag_value != null ? var.backup_plan_config_aurora.selection_tag_value : "True"
+ }
+ ])
+ content {
+ key = (try(string_equals.value.key, null) == null) ? null : "aws:ResourceTag/${string_equals.value.key}"
+ value = try(string_equals.value.value, null)
+ }
+ }
 }
 }
@@ -247,7 +276,12 @@ resource "aws_backup_selection" "parameter_store" {
 }
 condition {
 dynamic "string_equals" {
- for_each = local.selection_tags_parameter_store_null_checked
+ for_each = concat(local.selection_tags_parameter_store_null_checked, [
+ {
+ "key" : var.backup_plan_config_parameter_store.selection_tag,
+ "value" : var.backup_plan_config_parameter_store.selection_tag_value != null ? var.backup_plan_config_parameter_store.selection_tag_value : "True"
+ }
+ ])
 content {
 key = (try(string_equals.value.key, null) == null) ? null : "aws:ResourceTag/${string_equals.value.key}"
 value = try(string_equals.value.value, null)
diff --git a/modules/aws-backup-source/backup_report_plan.tf b/modules/aws-backup-source/backup_report_plan.tf
index cdb1d1c..a736884 100644
--- a/modules/aws-backup-source/backup_report_plan.tf
+++ b/modules/aws-backup-source/backup_report_plan.tf
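Review bot: `selection_tag { key = var.backup_plan_config_aurora.selection_tag … }` now reads an attribute that this commit changes to `optional(string)` in variables.tf, so a caller who omits it gets a null `key` on a required block argument and a plan error, whereas the `condition` block underneath tolerates the null through `try(...)`. Either keep `selection_tag = string` in the aurora type, or wrap the block in `dynamic "selection_tag"` with `for_each = var.backup_plan_config_aurora.selection_tag == null ? [] : [1]`. The `value` expression also duplicates `local.selection_tag_value_aurora_null_checked` from locals.tf; `value = local.selection_tag_value_aurora_null_checked` keeps a single source of truth. The `aws_backup_selection.aurora` block starts above the hunk.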
@@ -1,6 +1,6 @@
 # Create the reports
 resource "aws_backup_report_plan" "backup_jobs" {
- name = var.name_prefix != null ? "${var.name_prefix}_backup_jobs" : "backup_jobs"
+ name = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_jobs" : "backup_jobs"
 description = "Report for showing whether backups ran successfully in the last 24 hours"
 report_delivery_channel {
@@ -18,7 +18,7 @@ resource "aws_backup_report_plan" "backup_jobs" {
 # Create the restore testing completion reports
 resource "aws_backup_report_plan" "backup_restore_testing_jobs" {
- name = var.name_prefix != null ? "${var.name_prefix}_backup_restore_testing_jobs" : "backup_restore_testing_jobs"
+ name = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_restore_testing_jobs" : "backup_restore_testing_jobs"
 description = "Report for showing whether backup restore test ran successfully in the last 24 hours"
 report_delivery_channel {
@@ -35,7 +35,7 @@ resource "aws_backup_report_plan" "backup_restore_testing_jobs" {
 }
 resource "aws_backup_report_plan" "resource_compliance" {
- name = var.name_prefix != null ? "${var.name_prefix}_resource_compliance" : "resource_compliance"
+ name = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_resource_compliance" : "resource_compliance"
 description = "Report for showing whether resources are compliant with the framework"
 report_delivery_channel {
@@ -55,7 +55,7 @@ resource "aws_backup_report_plan" "resource_compliance" {
 resource "aws_backup_report_plan" "copy_jobs" {
 count = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? 1 : 0
- name = var.name_prefix != null ? "${var.name_prefix}_copy_jobs" : "copy_jobs"
+ name = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_copy_jobs" : "copy_jobs"
 description = "Report for showing whether copies ran successfully in the last 24 hours"
 report_delivery_channel {
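Review bot: The new report-plan names only pass through `local.resource_name_prefix` when `var.name_prefix != null`; with a null prefix the fallback is still the bare `backup_jobs`, so two environments deployed into one account with `include_environment_in_resource_names = true` but no `name_prefix` collide on a name that must be unique within the account. `name = var.name_prefix != null || var.include_environment_in_resource_names ? "${replace(local.resource_name_prefix, "-", "_")}_backup_jobs" : "backup_jobs"` covers that case without renaming deployments that use neither flag. The same applies to the other three report plans here and to `restore_testing_plan_name` in backup_restore_testing.tf; since `name` forces replacement on these resources, enabling the flag recreates them, which is worth a line in the variable description.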
diff --git a/modules/aws-backup-source/backup_restore_testing.tf b/modules/aws-backup-source/backup_restore_testing.tf
index b6389fc..7ddba1c 100644
--- a/modules/aws-backup-source/backup_restore_testing.tf
+++ b/modules/aws-backup-source/backup_restore_testing.tf
@@ -1,5 +1,5 @@
 resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan" {
- restore_testing_plan_name = var.name_prefix != null ? "${var.name_prefix}_backup_restore_testing_plan" : "backup_restore_testing_plan"
+ restore_testing_plan_name = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_restore_testing_plan" : "backup_restore_testing_plan"
 schedule_expression = var.restore_testing_plan_scheduled_expression
 start_window_hours = var.restore_testing_plan_start_window
 recovery_point_selection = {
@@ -18,10 +18,17 @@ resource "awscc_backup_restore_testing_selection" "backup_restore_testing_select
 restore_testing_selection_name = "backup_restore_testing_selection_dynamodb"
 protected_resource_arns = ["*"]
 protected_resource_conditions = {
- string_equals = [{
- key = "aws:ResourceTag/${var.backup_plan_config_dynamodb.selection_tag}"
- value = "True"
- }]
+ string_equals = concat([
+ {
+ key = "aws:ResourceTag/${var.backup_plan_config_dynamodb.selection_tag}"
+ value = "True"
+ }
+ ], [
+ for tag in local.selection_tags_dynamodb_null_checked: {
+ key = "aws:ResourceTag/${tag.key}",
+ value = tag.value
+ }
+ ])
 }
 }
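Review bot: The restore-testing selection still hardcodes `value = "True"` for the primary tag, while the backup selection in backup_plan.tf now honours `selection_tag_value`; a caller who sets a different value gets resources that are backed up but never restore-tested, and nothing reports the gap. `value = local.selection_tag_value_dynamodb_null_checked` (already defined in locals.tf) keeps both selections aligned. The appended `for tag in local.selection_tags_dynamodb_null_checked` also re-emits that same key/value pair when `selection_tags` is null, so the literal first entry is then a duplicate. The ebsvol and aurora selections in the next hunks have the same two issues; the enclosing selection resource starts above the hunk.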
@@ -34,10 +41,17 @@ resource "awscc_backup_restore_testing_selection" "backup_restore_testing_select
 restore_testing_selection_name = "backup_restore_testing_selection_ebsvol"
 protected_resource_arns = ["*"]
 protected_resource_conditions = {
- string_equals = [{
- key = "aws:ResourceTag/${var.backup_plan_config_ebsvol.selection_tag}"
- value = "True"
- }]
+ string_equals = concat([
+ {
+ key = "aws:ResourceTag/${var.backup_plan_config_ebsvol.selection_tag}"
+ value = "True"
+ }
+ ], [
+ for tag in local.selection_tags_ebsvol_null_checked: {
+ key = "aws:ResourceTag/${tag.key}",
+ value = tag.value
+ }
+ ])
 }
 }
@@ -49,10 +63,17 @@ resource "awscc_backup_restore_testing_selection" "backup_restore_testing_select
 restore_testing_selection_name = "backup_restore_testing_selection_aurora"
 protected_resource_arns = ["*"]
 protected_resource_conditions = {
- string_equals = [{
- key = "aws:ResourceTag/${var.backup_plan_config_aurora.selection_tag}"
- value = "True"
- }]
+ string_equals = concat([
+ {
+ key = "aws:ResourceTag/${var.backup_plan_config_aurora.selection_tag}"
+ value = "True"
+ }
+ ], [
+ for tag in local.selection_tags_aurora_null_checked: {
+ key = "aws:ResourceTag/${tag.key}",
+ value = tag.value
+ }
+ ])
 }
 restore_metadata_overrides = local.aurora_overrides
 }
diff --git a/modules/aws-backup-source/iam.tf b/modules/aws-backup-source/iam.tf
index 3b81513..384f746 100644
--- a/modules/aws-backup-source/iam.tf
+++ b/modules/aws-backup-source/iam.tf
@@ -12,7 +12,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 resource "aws_iam_role" "backup" {
- name = "${var.project_name}BackupRole"
+ name = "${var.include_environment_in_resource_names ? "${var.project_name}-${var.environment_name}" : var.project_name}BackupRole"
 assume_role_policy = data.aws_iam_policy_document.assume_role.json
 permissions_boundary = length(var.iam_role_permissions_boundary) > 0 ? var.iam_role_permissions_boundary : null
 }
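Review bot: `name` on `aws_iam_role.backup` forces replacement, so turning on `include_environment_in_resource_names` for an existing deployment destroys and recreates the role that the backup plans, selections and restore-testing plan reference — and, if the destination vault policy or KMS key policy lists the role by ARN, cross-account copies fail until those are updated with the new ARN. That migration step belongs in the variable's description. Stylistically, `"${var.project_name}-${var.environment_name}BackupRole"` glues the environment to `BackupRole` without a separator; `"${var.project_name}-${var.environment_name}-BackupRole"` or reusing `local.resource_name_prefix` would be more consistent with the other renamed resources.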
diff --git a/modules/aws-backup-source/kms.tf b/modules/aws-backup-source/kms.tf
index e8a07a2..a36e37a 100644
--- a/modules/aws-backup-source/kms.tf
+++ b/modules/aws-backup-source/kms.tf
@@ -6,7 +6,7 @@ resource "aws_kms_key" "aws_backup_key" {
 }
 resource "aws_kms_alias" "backup_key" {
- name = var.name_prefix != null ? "alias/${var.name_prefix}/backup-key" : "alias/${var.environment_name}/backup-key"
+ name = var.name_prefix != null ? "alias/${var.include_environment_in_resource_names ? "${local.resource_name_prefix}" : var.name_prefix}/backup-key" : "alias/${var.environment_name}/backup-key"
 target_key_id = aws_kms_key.aws_backup_key.key_id
 }
diff --git a/modules/aws-backup-source/locals.tf b/modules/aws-backup-source/locals.tf
index 39d37d0..48530fd 100644
--- a/modules/aws-backup-source/locals.tf
+++ b/modules/aws-backup-source/locals.tf
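Review bot: The inner `var.include_environment_in_resource_names ? "${local.resource_name_prefix}" : var.name_prefix` is redundant: inside the `var.name_prefix != null` branch, locals.tf defines `local.resource_name_prefix` as `name_prefix-environment` or `name_prefix` according to that very flag, so the true branch reduces to `"alias/${local.resource_name_prefix}/backup-key"`; the `"${…}"` wrapper around a lone reference is also something `terraform fmt` rewrites. `aws_kms_alias.name` forces replacement, so flipping the flag deletes the old alias and creates a new one on the same key — harmless for the key material, but any caller resolving the key by alias name needs to know.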
@@ -1,21 +1,27 @@
 locals {
- resource_name_prefix = var.name_prefix != null ? var.name_prefix : "${data.aws_region.current.id}-${data.aws_caller_identity.current.account_id}-backup"
+ resource_name_prefix = var.name_prefix != null ? (var.include_environment_in_resource_names ? "${var.name_prefix}-${var.environment_name}" : var.name_prefix) : (var.include_environment_in_resource_names ? "${data.aws_region.current.id}-${data.aws_caller_identity.current.account_id}-${var.environment_name}-backup" : "${data.aws_region.current.id}-${data.aws_caller_identity.current.account_id}-backup")
+
 selection_tag_value_null_checked = (var.backup_plan_config.selection_tag_value == null) ? "True" : var.backup_plan_config.selection_tag_value
+ selection_tag_value_aurora_null_checked = (var.backup_plan_config_aurora.selection_tag_value == null) ? "True" : var.backup_plan_config_aurora.selection_tag_value
 selection_tag_value_dynamodb_null_checked = (var.backup_plan_config_dynamodb.selection_tag_value == null) ? "True" : var.backup_plan_config_dynamodb.selection_tag_value
- selection_tags_null_checked = (var.backup_plan_config.selection_tags == null) ? [{ "key" : var.backup_plan_config.selection_tag, "value" : local.selection_tag_value_null_checked }] : var.backup_plan_config.selection_tags
- selection_tags_dynamodb_null_checked = (var.backup_plan_config_dynamodb.selection_tags == null) ? [{ "key" : var.backup_plan_config_dynamodb.selection_tag, "value" : local.selection_tag_value_dynamodb_null_checked }] : var.backup_plan_config_dynamodb.selection_tags
 selection_tag_value_ebsvol_null_checked = (var.backup_plan_config_ebsvol.selection_tag_value == null) ? "True" : var.backup_plan_config_ebsvol.selection_tag_value
- selection_tags_ebsvol_null_checked = (var.backup_plan_config_ebsvol.selection_tags == null) ?
[{ "key" : var.backup_plan_config_ebsvol.selection_tag, "value" : local.selection_tag_value_ebsvol_null_checked }] : var.backup_plan_config_ebsvol.selection_tags
 selection_tag_value_parameter_store_null_checked = (var.backup_plan_config_parameter_store.selection_tag_value == null) ? "True" : var.backup_plan_config_parameter_store.selection_tag_value
- selection_tags_parameter_store_null_checked = (var.backup_plan_config_parameter_store.selection_tags == null) ? [{ "key" : var.backup_plan_config_parameter_store.selection_tag, "value" : local.selection_tag_value_parameter_store_null_checked }] : var.backup_plan_config_parameter_store.selection_tags
- framework_arn_list = flatten(concat(
- [aws_backup_framework.main.arn],
- var.backup_plan_config_ebsvol.enable ? [aws_backup_framework.ebsvol[0].arn] : [],
- var.backup_plan_config_dynamodb.enable ? [aws_backup_framework.dynamodb[0].arn] : [],
- var.backup_plan_config_aurora.enable ? [aws_backup_framework.aurora[0].arn] : [],
- var.backup_plan_config_parameter_store.enable ? [aws_backup_framework.parameter_store[0].arn] : []
+ selection_tags_null_checked = (var.backup_plan_config.selection_tags == null) ? [{ "key" : var.backup_plan_config.selection_tag, "value" : local.selection_tag_value_null_checked }] : var.backup_plan_config.selection_tags
+ selection_tags_aurora_null_checked = (var.backup_plan_config_aurora.selection_tags == null) ? [{ "key" : var.backup_plan_config_aurora.selection_tag, "value" : local.selection_tag_value_aurora_null_checked }] : var.backup_plan_config_aurora.selection_tags
+ selection_tags_dynamodb_null_checked = (var.backup_plan_config_dynamodb.selection_tags == null) ? [{ "key" : var.backup_plan_config_dynamodb.selection_tag, "value" : local.selection_tag_value_dynamodb_null_checked }] : var.backup_plan_config_dynamodb.selection_tags
+ selection_tags_ebsvol_null_checked = (var.backup_plan_config_ebsvol.selection_tags == null) ?
[{ "key" : var.backup_plan_config_ebsvol.selection_tag, "value" : local.selection_tag_value_ebsvol_null_checked }] : var.backup_plan_config_ebsvol.selection_tags
+ selection_tags_parameter_store_null_checked = (var.backup_plan_config_parameter_store.selection_tags == null) ? [{ "key" : var.backup_plan_config_parameter_store.selection_tag, "value" : local.selection_tag_value_parameter_store_null_checked }] : var.backup_plan_config_parameter_store.selection_tags
+
+ framework_arn_list = flatten(concat(
+ var.backup_plan_config.enable ? [var.resources_in_same_account == "" ? aws_backup_framework.main[0].arn : aws_backup_framework.main[0].arn] : [],
+ var.backup_plan_config_ebsvol.enable ? [var.resources_in_same_account == "" ? aws_backup_framework.ebsvol[0].arn : data.aws_backup_framework.ebsvol[0].arn] : [],
+ var.backup_plan_config_dynamodb.enable ? [var.resources_in_same_account == "" ? aws_backup_framework.dynamodb[0].arn : data.aws_backup_framework.dynamodb[0].arn] : [],
+ var.backup_plan_config_aurora.enable ? [var.resources_in_same_account == "" ? aws_backup_framework.aurora[0].arn : data.aws_backup_framework.aurora[0].arn] : [],
+ var.backup_plan_config_parameter_store.enable ? [var.resources_in_same_account == "" ? aws_backup_framework.parameter_store[0].arn : data.aws_backup_framework.parameter_store[0].arn] : []
 ))
- aurora_overrides = var.backup_plan_config_aurora.restore_testing_overrides == null ? null : jsondecode(var.backup_plan_config_aurora.restore_testing_overrides)
+
+ aurora_overrides = var.backup_plan_config_aurora.restore_testing_overrides == null ? null : jsondecode(var.backup_plan_config_aurora.restore_testing_overrides)
+
 terraform_role_arns = length(var.terraform_role_arns) > 0 ? var.terraform_role_arns : [var.terraform_role_arn]
 }
diff --git a/modules/aws-backup-source/variables.tf b/modules/aws-backup-source/variables.tf
index d99aa10..0b88829 100644
--- a/modules/aws-backup-source/variables.tf
+++ b/modules/aws-backup-source/variables.tf
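Review bot: In `framework_arn_list` the `main` entry evaluates `aws_backup_framework.main[0].arn` on both sides of `var.resources_in_same_account == "" ? … : …`, so when the value is non-empty — the case where the resource now has `count = 0` and this commit adds `data.aws_backup_framework.main` — the selected branch indexes an empty list and the plan fails; the false branch should be `data.aws_backup_framework.main[0].arn`, as in the four entries below it. Separately, the one-line nested conditional for `resource_name_prefix` is hard to review; splitting it into a base (`var.name_prefix` or the `region-account-backup` fallback) and a separate environment insertion would make it visible that the environment lands before `-backup` in the fallback but after the prefix otherwise, which may or may not be deliberate.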
@@ -265,6 +265,7 @@ variable "backup_plan_config_ebsvol" {
 default = {
 enable = true
 selection_tag = "BackupEBSVol"
+ selection_tag_value = "True"
 compliance_resource_types = ["EBS"]
 rules = [
 {
@@ -305,8 +306,13 @@ variable "backup_plan_config_ebsvol" {
 variable "backup_plan_config_aurora" {
 description = "Configuration for backup plans with aurora"
 type = object({
- enable = bool
- selection_tag = string
+ enable = bool
+ selection_tag = optional(string)
+ selection_tag_value = optional(string)
+ selection_tags = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
 compliance_resource_types = list(string)
 restore_testing_overrides = optional(string)
 rules = optional(list(object({
@@ -325,6 +331,8 @@ variable "backup_plan_config_aurora" {
 default = {
 enable = true
 selection_tag = "BackupAurora"
+ selection_tag_value = "True"
+ selection_tags = []
 compliance_resource_types = ["Aurora"]
 rules = [
 {
@@ -520,3 +528,19 @@ variable "lambda_restore_to_s3_max_wait_minutes" {
 type = number
 default = 5
 }
+
+variable "include_environment_in_resource_names" {
+ description = "Should the environment name be included in resource names. Required for 'all resources in the same account'"
+ type = bool
+ default = false
+}
+
+# Plans etc are _account_ specific, not _environment_ specific, so we only want to create some resources
+# once. As in, when this is `""` (empty string). For additional envs in the account, set this to the environment
+# where the "base" resources are (for example `dev`).
+# NOTE: Require `include_environment_in_resource_names` set to `true` for this to work!
+variable "resources_in_same_account" {
+ description = "Should all resources be created in the same account. Set to 'true' if base resources already exists in the account, and they should be reused."
+ type = string
+ default = ""
+}
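Review bot: The description of `resources_in_same_account` is copied from the destination module and says "Set to 'true'", but here the type is `string`, the default is `""` and the comment above explains the value is the name of the environment that owns the base frameworks; a caller following the description will pass `"true"` and the framework data lookups will search for `<name_prefix>_true_framework`. Suggest `description = "Environment name whose backup frameworks this deployment reuses (e.g. \"dev\"). Leave empty to create the frameworks here. Requires include_environment_in_resource_names = true."`. The `include_environment_in_resource_names` description could likewise state that enabling it renames — and therefore replaces — the IAM role, KMS alias, report plans and restore-testing plan of an existing deployment.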