Added backup selection by resource

README.md

@@ -40,15 +40,11 @@ No requirements.
 | backup\_vault\_events | An array of events that indicate the status of jobs to back up resources to the backup vault | `list(string)` | <pre>[<br>  "BACKUP_JOB_FAILED",<br>  "COPY_JOB_FAILED"<br>]</pre> | no |
 | changeable\_for\_days | The number of days before the lock date. Until that time, the configuration can be edited or removed. The minimum number of day is 3 days | `number` | `null` | no |
 | enable\_aws\_backup\_vault\_notifications | Enable vault notifications | `bool` | `false` | no |
+| enabled | Change to false to avoid deploying any AWS Backup resources | `bool` | `true` | no |
 | max\_retention\_days | The maximum retention period that the vault retains its recovery points | `number` | `null` | no |
 | min\_retention\_days | The minimum retention period that the vault retains its recovery points | `number` | `null` | no |
 | name | Name of the backup vault to create. | `string` | `""` | no |
-| rule\_completion\_window | The amount of time AWS Backup attempts a backup before canceling the job and returning an error | `number` | `120` | no |
-| rule\_copy\_action\_destination\_vault | Configuration block(s) with copy operation settings | `map` | `{}` | no |
-| rule\_lifecycle\_cold\_storage\_after | Specifies the number of days after creation that a recovery point is moved to cold storage | `number` | `30` | no |
-| rule\_lifecycle\_delete\_after | Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than `cold_storage_after` | `number` | `120` | no |
-| rule\_schedule | A CRON expression specifying when AWS Backup initiates a backup job | `string` | `null` | no |
-| rule\_start\_window | The amount of time in minutes before beginning a backup | `number` | `60` | no |
+| rule | List of backup rules | <pre>list(object({<br>    rule_name                    = string<br>    target_vault_name            = string<br>    schedule                     = string<br>    start_window                 = number<br>    completion_window            = number<br>    enable_continuous_backup    = bool<br>    lifecycle_cold_storage_after = number<br>    lifecycle_delete_after       = number<br>    lifecycle                    = object({<br>      cold_storage_after = number<br>      delete_after       = number<br>    })<br>  }))</pre> | <pre>[<br>  {<br>    "completion_window": 120,<br>    "enable_continuous_backup": true,<br>    "lifecycle": {<br>      "cold_storage_after": 30,<br>      "delete_after": 130<br>    },<br>    "lifecycle_cold_storage_after": 30,<br>    "lifecycle_delete_after": 130,<br>    "rule_name": "backup-rule",<br>    "schedule": "cron(15 * ? * * *)",<br>    "start_window": 60,<br>    "target_vault_name": "backup-vault"<br>  }<br>]</pre> | no |
 | selection\_resources | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan | `list(any)` | `[]` | no |
 | selection\_tag\_key | The key in a key-value pair | `string` | `"Backup"` | no |
 | selection\_tag\_type | An operation, such as StringEquals, that is applied to a key-value pair used to filter resources in a selection | `string` | `"STRINGEQUALS"` | no |

examples/simple-plan-using-tags.tf

@@ -1,15 +1,23 @@
 
 module "backups" {
   source = "git::https://github.com/DNXLabs/terraform-aws-backup?ref=1.0.2"
-
-  name          = "production-by-tags"
-  rule_schedule = "cron(0 12 * * ? *)" # 12:00pm UTC -> 10:00pm AEST (http://crontab.org/)
-
-  # Selection of resources by tag
-  # Supported resources Aurora, DynamoDB, EBS, EC2, FSx, EFS, RDS, Storage Gateway 
-  selection_tag_key   = "Environment"
-  selection_tag_value = "production"
-
-  rule_lifecycle_cold_storage_after = 30
-  rule_lifecycle_delete_after       = 60
+  # source = "./modules/backup"
+  enabled = local.workspace.backups.enabled
+  selection_tag_key   = local.workspace.backups.selection_tag_key
+  selection_tag_value = local.workspace.backups.selection_tag_value
+  for_each = { for rules in local.workspace.backups.rules : rules.rule_name => rules }
+  rule = {
+    rule_name         = local.workspace.backups.rule_name
+    target_vault_name = local.workspace.backups.target_vault_name
+    schedule          = local.workspace.backups.schedule
+    start_window      = local.workspace.backups.start_window
+    completion_window = local.workspace.backups.completion_window
+    enable_continuous_backup = local.workspace.backups.enable_continuous_backup
+    lifecycle_cold_storage_after = local.workspace.backups.lifecycle_cold_storage_after
+    lifecycle_delete_after = local.workspace.backups.lifecycle_delete_after
+    lifecycle = {
+      cold_storage_after = local.workspace.backups.lifecycle_cold_storage_after
+      delete_after       = local.workspace.backups.lifecycle_delete_after
+    }
+  }
 }

main.tf

@@ -23,46 +23,52 @@ resource "aws_backup_vault_lock_configuration" "backup_vault_lock" {
 
 # AWS Backup plan
 resource "aws_backup_plan" "backup_plan" {
-  count = var.account_type == local.account_type.workload ? 1 : 0
+  count = var.enabled ? 1 : 0
+  name  = var.name
+  # Rules
+  dynamic "rule" {
+    for_each = var.rule
+    content {
+      rule_name                = rule.value.rule_name
+      target_vault_name        = aws_backup_vault.backup_vault.name
+      schedule                 = try(rule.value.schedule, null)
+      start_window             = try(rule.value.start_window, null)
+      completion_window        = try(rule.value.completion_window, null)
+      enable_continuous_backup = try(rule.value.enable_continuous_backup, null)
 
-  name = "plan-${var.name}-backup"
-  tags = {
-    Job = "${var.name}-backup"
-  }
-
-  rule {
-    rule_name         = "rule-${var.name}-backup"
-    target_vault_name = aws_backup_vault.backup_vault.name
-    schedule          = var.rule_schedule
-    start_window      = var.rule_start_window
-    completion_window = var.rule_completion_window
+      # Lifecycle
+      dynamic "lifecycle" {
+        for_each = length(lookup(rule.value, "lifecycle", {})) == 0 ? [] : [lookup(rule.value, "lifecycle", {})]
+        content {
+          cold_storage_after = lookup(rule.value, "enable_continuous_backup", false) == true ? null : lookup(lifecycle.value, "cold_storage_after", 7)
+          delete_after       = try(lifecycle.value.delete_after, 35)
+        }
+      }
 
-    lifecycle {
-      cold_storage_after = var.rule_lifecycle_cold_storage_after
-      delete_after       = var.rule_lifecycle_delete_after
-    }
-    recovery_point_tags = {
-      Job = "${var.name}-backup"
-    }
+      # Copy action
+      dynamic "copy_action" {
+        for_each = lookup(rule.value, "copy_actions", [])
+        content {
+          destination_vault_arn = aws_backup_vault.backup_vault.arn
 
-    dynamic "copy_action" {
-      for_each = var.rule_copy_action_destination_vault
-      content {
-        destination_vault_arn = copy_action.value.destination_vault_arn
-        lifecycle {
-          cold_storage_after = copy_action.value.cold_storage_after
-          delete_after       = copy_action.value.delete_after
+          # Copy Action Lifecycle
+          dynamic "lifecycle" {
+            for_each = length(lookup(copy_action.value, "lifecycle", {})) == 0 ? [] : [lookup(copy_action.value, "lifecycle", {})]
+            content {
+              cold_storage_after = lookup(rule.value, "enable_continuous_backup", false) == true ? null :  lookup(lifecycle.value, "cold_storage_after", 7)
+              delete_after       = try(lifecycle.value.delete_after, 35)
+            }
+          }
         }
       }
     }
   }
 }
-
 # AWS Backup selection - tag
-resource "aws_backup_selection" "backup_selection" {
-  count = var.account_type == local.account_type.workload ? 1 : 0
+resource "aws_backup_selection" "tag" {
+  count = length(var.selection_resources) == 0 && var.account_type == local.account_type.workload ? 1 : 0
 
-  name         = "selection-${var.name}-backup"
+  name         = "selection-${var.name}-backup-tag"
   iam_role_arn = aws_iam_role.backup_role[0].arn
 
   plan_id = aws_backup_plan.backup_plan[0].id
@@ -76,10 +82,20 @@ resource "aws_backup_selection" "backup_selection" {
   condition {}
 }
 
+# AWS Backup selection - resources arn
+resource "aws_backup_selection" "resources" {
+  count        = length(var.selection_resources) > 0 && var.account_type == local.account_type.workload ? length(var.selection_resources) : 0
+  name         = "selection-${element(split(":", var.selection_resources[count.index]), length(var.selection_resources[count.index]) - 1)}-backup-${count.index}"
+  iam_role_arn = aws_iam_role.backup_role[0].arn
+  plan_id      = aws_backup_plan.backup_plan[0].id
+  resources    = var.selection_resources
+}
+
 # AWS Backup vault notification
 resource "aws_backup_vault_notifications" "default" {
   count               = try(var.enable_aws_backup_vault_notifications, false) ? 1 : 0
   backup_vault_name   = aws_backup_vault.backup_vault.name
   sns_topic_arn       = var.vault_notification_sns_topic_arn
   backup_vault_events = var.backup_vault_events
-}
+}
+

variables.tf

@@ -77,43 +77,6 @@ variable "backup_vault_events" {
   }
 }
 
-# Default rule
-variable "rule_schedule" {
-  description = "A CRON expression specifying when AWS Backup initiates a backup job"
-  type        = string
-  default     = null
-}
-
-variable "rule_start_window" {
-  description = "The amount of time in minutes before beginning a backup"
-  type        = number
-  default     = 60
-}
-
-variable "rule_completion_window" {
-  description = "The amount of time AWS Backup attempts a backup before canceling the job and returning an error"
-  type        = number
-  default     = 120
-}
-
-# Rule lifecycle
-variable "rule_lifecycle_cold_storage_after" {
-  description = "Specifies the number of days after creation that a recovery point is moved to cold storage"
-  type        = number
-  default     = 30
-}
-
-variable "rule_lifecycle_delete_after" {
-  description = "Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than `cold_storage_after`"
-  type        = number
-  default     = 120
-}
-
-variable "rule_copy_action_destination_vault" {
-  description = "Configuration block(s) with copy operation settings"
-  default     = {}
-}
-
 # Selection
 variable "selection_resources" {
   description = "An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan"
@@ -155,4 +118,43 @@ variable "changeable_for_days" {
   description = "The number of days before the lock date. Until that time, the configuration can be edited or removed. The minimum number of day is 3 days"
   type        = number
   default     = null
+}
+
+variable "rule" {
+  description = "List of backup rules"
+type = list(object({
+    rule_name                    = string
+    target_vault_name            = string
+    schedule                     = string
+    start_window                 = number
+    completion_window            = number
+    enable_continuous_backup    = bool
+    lifecycle_cold_storage_after = number
+    lifecycle_delete_after       = number
+    lifecycle                    = object({
+      cold_storage_after = number
+      delete_after       = number
+    })
+  }))
+default = [{
+    rule_name         = "backup-rule"
+    target_vault_name = "backup-vault"
+    schedule          = "cron(15 * ? * * *)"
+    start_window      = 60
+    completion_window = 120
+    enable_continuous_backup = true
+    lifecycle_cold_storage_after = 30
+    lifecycle_delete_after = 130
+    lifecycle = {
+      cold_storage_after = 30
+      delete_after       = 130
+    }
+  }]
+
+}
+
+variable "enabled" {
+  description = "Change to false to avoid deploying any AWS Backup resources"
+  type        = bool
+  default     = true
 }