diff --git a/README.md b/README.md index f7e0a4c..4d35b8f 100644 --- a/README.md +++ b/README.md @@ -40,15 +40,11 @@ No requirements. | backup\_vault\_events | An array of events that indicate the status of jobs to back up resources to the backup vault | `list(string)` |
[
"BACKUP_JOB_FAILED",
"COPY_JOB_FAILED"
]
| no | | changeable\_for\_days | The number of days before the lock date. Until that time, the configuration can be edited or removed. The minimum number of day is 3 days | `number` | `null` | no | | enable\_aws\_backup\_vault\_notifications | Enable vault notifications | `bool` | `false` | no | +| enabled | Change to false to avoid deploying any AWS Backup resources | `bool` | `true` | no | | max\_retention\_days | The maximum retention period that the vault retains its recovery points | `number` | `null` | no | | min\_retention\_days | The minimum retention period that the vault retains its recovery points | `number` | `null` | no | | name | Name of the backup vault to create. | `string` | `""` | no | -| rule\_completion\_window | The amount of time AWS Backup attempts a backup before canceling the job and returning an error | `number` | `120` | no | -| rule\_copy\_action\_destination\_vault | Configuration block(s) with copy operation settings | `map` | `{}` | no | -| rule\_lifecycle\_cold\_storage\_after | Specifies the number of days after creation that a recovery point is moved to cold storage | `number` | `30` | no | -| rule\_lifecycle\_delete\_after | Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than `cold_storage_after` | `number` | `120` | no | -| rule\_schedule | A CRON expression specifying when AWS Backup initiates a backup job | `string` | `null` | no | -| rule\_start\_window | The amount of time in minutes before beginning a backup | `number` | `60` | no | +| rule | List of backup rules |
list(object({
rule_name = string
target_vault_name = string
schedule = string
start_window = number
completion_window = number
enable_continuous_backup = bool
lifecycle_cold_storage_after = number
lifecycle_delete_after = number
lifecycle = object({
cold_storage_after = number
delete_after = number
})
}))
|
[
{
"completion_window": 120,
"enable_continuous_backup": true,
"lifecycle": {
"cold_storage_after": 30,
"delete_after": 130
},
"lifecycle_cold_storage_after": 30,
"lifecycle_delete_after": 130,
"rule_name": "backup-rule",
"schedule": "cron(15 * ? * * *)",
"start_window": 60,
"target_vault_name": "backup-vault"
}
]
| no | | selection\_resources | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan | `list(any)` | `[]` | no | | selection\_tag\_key | The key in a key-value pair | `string` | `"Backup"` | no | | selection\_tag\_type | An operation, such as StringEquals, that is applied to a key-value pair used to filter resources in a selection | `string` | `"STRINGEQUALS"` | no | diff --git a/examples/simple-plan-using-tags.tf b/examples/simple-plan-using-tags.tf index 160d702..72688c0 100644 --- a/examples/simple-plan-using-tags.tf +++ b/examples/simple-plan-using-tags.tf 
@@ -1,15 +1,23 @@
 module "backups" {
 source = "git::https://github.com/DNXLabs/terraform-aws-backup?ref=1.0.2"
-
- name = "production-by-tags"
- rule_schedule = "cron(0 12 * * ? *)" # 12:00pm UTC -> 10:00pm AEST (http://crontab.org/)
-
- # Selection of resources by tag
- # Supported resources Aurora, DynamoDB, EBS, EC2, FSx, EFS, RDS, Storage Gateway
- selection_tag_key = "Environment"
- selection_tag_value = "production"
-
- rule_lifecycle_cold_storage_after = 30
- rule_lifecycle_delete_after = 60
+ # source = "./modules/backup"
+ enabled = local.workspace.backups.enabled
+ selection_tag_key = local.workspace.backups.selection_tag_key
+ selection_tag_value = local.workspace.backups.selection_tag_value
+ for_each = { for rules in local.workspace.backups.rules : rules.rule_name => rules }
+ rule = {
+ rule_name = local.workspace.backups.rule_name
+ target_vault_name = local.workspace.backups.target_vault_name
+ schedule = local.workspace.backups.schedule
+ start_window = local.workspace.backups.start_window
+ completion_window = local.workspace.backups.completion_window
+ enable_continuous_backup = local.workspace.backups.enable_continuous_backup
+ lifecycle_cold_storage_after = local.workspace.backups.lifecycle_cold_storage_after
+ lifecycle_delete_after = local.workspace.backups.lifecycle_delete_after
+ lifecycle = {
+ cold_storage_after = local.workspace.backups.lifecycle_cold_storage_after
+ delete_after = local.workspace.backups.lifecycle_delete_after
+ }
+ }
 }
diff --git a/main.tf b/main.tf
index 5661b21..3cb6d5d 100644
--- a/main.tf
+++ b/main.tf
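Review bot: `rule = { ... }` passes a single object, but the module's `rule` variable (variables.tf hunk in this same diff) is typed `list(object({...}))`, so this example should fail type conversion; and although the block sets `for_each` over `local.workspace.backups.rules`, every attribute reads `local.workspace.backups.*` rather than `each.value`, so all instances would receive the identical rule. `name` is also left at its default `""`, which main.tf now uses verbatim as the plan name. If the intent is one module instance carrying many rules, drop `for_each` and pass the list, as below. The pinned `?ref=1.0.2` presumably predates the `enabled` and `rule` inputs (the commented-out local `source` hints the author tested against a path) — confirm the tag before relying on this example.
```hcl
module "backups" {
  source = "git::https://github.com/DNXLabs/terraform-aws-backup?ref=1.0.2"

  enabled             = local.workspace.backups.enabled
  name                = "production-by-tags"
  selection_tag_key   = local.workspace.backups.selection_tag_key
  selection_tag_value = local.workspace.backups.selection_tag_value

  # var.rule is list(object(...)): pass every workspace rule, not one object
  rule = [for r in local.workspace.backups.rules : {
    rule_name                    = r.rule_name
    target_vault_name            = r.target_vault_name
    schedule                     = r.schedule
    start_window                 = r.start_window
    completion_window            = r.completion_window
    enable_continuous_backup     = r.enable_continuous_backup
    lifecycle_cold_storage_after = r.lifecycle_cold_storage_after
    lifecycle_delete_after       = r.lifecycle_delete_after
    lifecycle = {
      cold_storage_after = r.lifecycle_cold_storage_after
      delete_after       = r.lifecycle_delete_after
    }
  }]
}
```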
@@ -23,46 +23,52 @@ resource "aws_backup_vault_lock_configuration" "backup_vault_lock" {
 # AWS Backup plan
 resource "aws_backup_plan" "backup_plan" {
- count = var.account_type == local.account_type.workload ? 1 : 0
+ count = var.enabled ? 1 : 0
+ name = var.name
+ # Rules
+ dynamic "rule" {
+ for_each = var.rule
+ content {
+ rule_name = rule.value.rule_name
+ target_vault_name = aws_backup_vault.backup_vault.name
+ schedule = try(rule.value.schedule, null)
+ start_window = try(rule.value.start_window, null)
+ completion_window = try(rule.value.completion_window, null)
+ enable_continuous_backup = try(rule.value.enable_continuous_backup, null)
- name = "plan-${var.name}-backup"
- tags = {
- Job = "${var.name}-backup"
- }
-
- rule {
- rule_name = "rule-${var.name}-backup"
- target_vault_name = aws_backup_vault.backup_vault.name
- schedule = var.rule_schedule
- start_window = var.rule_start_window
- completion_window = var.rule_completion_window
+ # Lifecycle
+ dynamic "lifecycle" {
+ for_each = length(lookup(rule.value, "lifecycle", {})) == 0 ? [] : [lookup(rule.value, "lifecycle", {})]
+ content {
+ cold_storage_after = lookup(rule.value, "enable_continuous_backup", false) == true ? null : lookup(lifecycle.value, "cold_storage_after", 7)
+ delete_after = try(lifecycle.value.delete_after, 35)
+ }
+ }
- lifecycle {
- cold_storage_after = var.rule_lifecycle_cold_storage_after
- delete_after = var.rule_lifecycle_delete_after
- }
- recovery_point_tags = {
- Job = "${var.name}-backup"
- }
+ # Copy action
+ dynamic "copy_action" {
+ for_each = lookup(rule.value, "copy_actions", [])
+ content {
+ destination_vault_arn = aws_backup_vault.backup_vault.arn
- dynamic "copy_action" {
- for_each = var.rule_copy_action_destination_vault
- content {
- destination_vault_arn = copy_action.value.destination_vault_arn
- lifecycle {
- cold_storage_after = copy_action.value.cold_storage_after
- delete_after = copy_action.value.delete_after
+ # Copy Action Lifecycle
+ dynamic "lifecycle" {
+ for_each = length(lookup(copy_action.value, "lifecycle", {})) == 0 ? [] : [lookup(copy_action.value, "lifecycle", {})]
+ content {
+ cold_storage_after = lookup(rule.value, "enable_continuous_backup", false) == true ? null : lookup(lifecycle.value, "cold_storage_after", 7)
+ delete_after = try(lifecycle.value.delete_after, 35)
+ }
+ }
 }
 }
 }
 }
 }
-
 # AWS Backup selection - tag
-resource "aws_backup_selection" "backup_selection" {
- count = var.account_type == local.account_type.workload ? 1 : 0
+resource "aws_backup_selection" "tag" {
+ count = length(var.selection_resources) == 0 && var.account_type == local.account_type.workload ? 1 : 0
- name = "selection-${var.name}-backup"
+ name = "selection-${var.name}-backup-tag"
 iam_role_arn = aws_iam_role.backup_role[0].arn
 plan_id = aws_backup_plan.backup_plan[0].id
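Review bot: The copy action's `destination_vault_arn = aws_backup_vault.backup_vault.arn` hard-codes the destination to the plan's own source vault, replacing the per-copy `copy_action.value.destination_vault_arn` the old block read; copy actions are the mechanism that lands recovery points in a second vault (ideally another account or region, under vault lock) that a compromised principal in this account cannot purge, and this block can no longer express that. Read it from the object with the module vault as a fallback: `destination_vault_arn = lookup(copy_action.value, "destination_vault_arn", aws_backup_vault.backup_vault.arn)`. Note also that the `rule` object type declared in this diff has no `copy_actions` attribute, so under that type `lookup(rule.value, "copy_actions", [])` presumably always yields `[]` (extra attributes are dropped on conversion to an object type — confirm), and `rule.value.target_vault_name` is required by the type but ignored in favour of the module vault; either consume both fields or document that they are placeholders. The `aws_backup_selection.tag` resource opened at the end of this hunk continues past it.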
@@ -76,10 +82,20 @@ resource "aws_backup_selection" "backup_selection" {
 condition {}
 }
+# AWS Backup selection - resources arn
+resource "aws_backup_selection" "resources" {
+ count = length(var.selection_resources) > 0 && var.account_type == local.account_type.workload ? length(var.selection_resources) : 0
+ name = "selection-${element(split(":", var.selection_resources[count.index]), length(var.selection_resources[count.index]) - 1)}-backup-${count.index}"
+ iam_role_arn = aws_iam_role.backup_role[0].arn
+ plan_id = aws_backup_plan.backup_plan[0].id
+ resources = var.selection_resources
+}
 # AWS Backup vault notification
 resource "aws_backup_vault_notifications" "default" {
 count = try(var.enable_aws_backup_vault_notifications, false) ? 1 : 0
 backup_vault_name = aws_backup_vault.backup_vault.name
 sns_topic_arn = var.vault_notification_sns_topic_arn
 backup_vault_events = var.backup_vault_events
-}
\ No newline at end of file
+}
+
diff --git a/variables.tf b/variables.tf
index 5fbd383..059e7cf 100644
--- a/variables.tf
+++ b/variables.tf
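Review bot: In `aws_backup_selection.resources` the `name` expression uses `length(var.selection_resources[count.index])`, the character length of the ARN string rather than the number of `:`-separated parts, so `element()` wraps that index modulo the part count and picks an arbitrary ARN segment; and `resources = var.selection_resources` hands the whole list to every one of the `count` instances, so N identical selections are created instead of one per ARN. Use `name = "selection-${element(split(":", var.selection_resources[count.index]), length(split(":", var.selection_resources[count.index])) - 1)}-backup-${count.index}"` and `resources = [var.selection_resources[count.index]]`. Both selection `count`s still gate on `var.account_type` alone while the plan in the previous hunk now gates on `var.enabled`, so `enabled = false` in a workload account leaves `aws_backup_plan.backup_plan[0]` (and presumably `aws_iam_role.backup_role[0]`, defined outside this hunk) with no instance to reference; prefix both counts with `var.enabled &&`. Also note the `name` is derived from a user-supplied ARN tail with no length or character guard, which is fine for ARNs but will be surprising if a wildcard match pattern is passed.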
@@ -77,43 +77,6 @@ variable "backup_vault_events" {
 }
 }
-# Default rule
-variable "rule_schedule" {
- description = "A CRON expression specifying when AWS Backup initiates a backup job"
- type = string
- default = null
-}
-
-variable "rule_start_window" {
- description = "The amount of time in minutes before beginning a backup"
- type = number
- default = 60
-}
-
-variable "rule_completion_window" {
- description = "The amount of time AWS Backup attempts a backup before canceling the job and returning an error"
- type = number
- default = 120
-}
-
-# Rule lifecycle
-variable "rule_lifecycle_cold_storage_after" {
- description = "Specifies the number of days after creation that a recovery point is moved to cold storage"
- type = number
- default = 30
-}
-
-variable "rule_lifecycle_delete_after" {
- description = "Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than `cold_storage_after`"
- type = number
- default = 120
-}
-
-variable "rule_copy_action_destination_vault" {
- description = "Configuration block(s) with copy operation settings"
- default = {}
-}
-
 # Selection
 variable "selection_resources" {
 description = "An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan"
@@ -155,4 +118,43 @@ variable "changeable_for_days" {
 description = "The number of days before the lock date. Until that time, the configuration can be edited or removed. The minimum number of day is 3 days"
 type = number
 default = null
+}
+
+variable "rule" {
+ description = "List of backup rules"
+type = list(object({
+ rule_name = string
+ target_vault_name = string
+ schedule = string
+ start_window = number
+ completion_window = number
+ enable_continuous_backup = bool
+ lifecycle_cold_storage_after = number
+ lifecycle_delete_after = number
+ lifecycle = object({
+ cold_storage_after = number
+ delete_after = number
+ })
+ }))
+default = [{
+ rule_name = "backup-rule"
+ target_vault_name = "backup-vault"
+ schedule = "cron(15 * ? * * *)"
+ start_window = 60
+ completion_window = 120
+ enable_continuous_backup = true
+ lifecycle_cold_storage_after = 30
+ lifecycle_delete_after = 130
+ lifecycle = {
+ cold_storage_after = 30
+ delete_after = 130
+ }
+ }]
+
+}
+
+variable "enabled" {
+ description = "Change to false to avoid deploying any AWS Backup resources"
+ type = bool
+ default = true
 }
\ No newline at end of file
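Review bot: The shipped default for `rule` sets `enable_continuous_backup = true` together with `lifecycle.delete_after = 130`, but AWS Backup caps point-in-time (continuous) recovery retention at 35 days — the `try(lifecycle.value.delete_after, 35)` fallback in main.tf already hints at that limit — so the default presumably fails at the API; default `enable_continuous_backup` to `false` or lower `delete_after`, and add a `validation` block (below, assuming Terraform ≥ 0.14 for `alltrue`) so the conflict surfaces at plan time. `lifecycle_cold_storage_after` and `lifecycle_delete_after` duplicate the `lifecycle` object and are not read by main.tf, and every attribute is mandatory (no `optional()`), so the `try`/`lookup` defaults in main.tf can never apply; either drop the duplicates or state in the description which fields are consumed. The `enabled` description promises that no AWS Backup resources are deployed when false, yet main.tf references `aws_backup_vault.backup_vault` without an index, which suggests the vault (and its lock) is created regardless — confirm, and if so reword to `description = "Set to false to skip creating the backup plan and its selections (the vault is still created)"`.
```hcl
variable "rule" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for r in var.rule : !r.enable_continuous_backup || r.lifecycle.delete_after <= 35
    ])
    error_message = "Continuous (point-in-time) backups support a retention of at most 35 days; lower lifecycle.delete_after or set enable_continuous_backup = false."
  }
}
```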