diff --git a/README.md b/README.md
index 8c13e3f..70483a4 100644
--- a/README.md
+++ b/README.md
@@ -155,7 +155,7 @@ module "aws_backup_example" {
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 4.31.0 |
+| [aws](#provider\_aws) | 4.55.0 |
## Modules
@@ -168,6 +168,7 @@ No modules.
| [aws_backup_plan.ab_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource |
| [aws_backup_selection.ab_selection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
| [aws_backup_vault.ab_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
+| [aws_backup_vault_lock_configuration.ab_vault_lock_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource |
| [aws_backup_vault_notifications.backup_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_notifications) | resource |
| [aws_iam_policy.ab_tag_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.ab_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -186,9 +187,13 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [changeable\_for\_days](#input\_changeable\_for\_days) | The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode | `number` | `null` | no |
| [enabled](#input\_enabled) | Change to false to avoid deploying any AWS Backup resources | `bool` | `true` | no |
| [iam\_role\_arn](#input\_iam\_role\_arn) | If configured, the module will attach this role to selections, instead of creating IAM resources by itself | `string` | `null` | no |
| [iam\_role\_name](#input\_iam\_role\_name) | Allow to set IAM role name, otherwise use predefined default | `string` | `""` | no |
+| [locked](#input\_locked) | Change to true to add a lock configuration for the backup vault | `bool` | `false` | no |
+| [max\_retention\_days](#input\_max\_retention\_days) | The maximum retention period that the vault retains its recovery points | `number` | `null` | no |
+| [min\_retention\_days](#input\_min\_retention\_days) | The minimum retention period that the vault retains its recovery points | `number` | `null` | no |
| [notifications](#input\_notifications) | Notification block which defines backup vault events and the SNS Topic ARN to send AWS Backup notifications to. Leave it empty to disable notifications | `any` | `{}` | no |
| [plan\_name](#input\_plan\_name) | The display name of a backup plan | `string` | n/a | yes |
| [rule\_completion\_window](#input\_rule\_completion\_window) | The amount of time AWS Backup attempts a backup before canceling the job and returning an error | `number` | `null` | no |
diff --git a/examples/simple_plan_using_lock_configuration/README.md b/examples/simple_plan_using_lock_configuration/README.md
new file mode 100644
index 0000000..820d69d
--- /dev/null
+++ b/examples/simple_plan_using_lock_configuration/README.md
@@ -0,0 +1,64 @@
+# Simple plan using lists
+
+This example shows you how to create a simple plan using lists instead of variables:
+
+```
+module "aws_backup_example" {
+
+ source = "lgallard/backup/aws"
+
+ # Vault
+ vault_name = "vault-1"
+
+ # Vault lock configuration
+ locked = true
+ changeable_for_days = 3
+ max_retention_days = 1200
+ min_retention_days = 7
+
+ # Plan
+ plan_name = "simple-plan-list"
+
+ # One rule using a list of maps
+ rules = [
+ {
+ name = "rule-1"
+ schedule = "cron(0 12 * * ? *)"
+ start_window = 120
+ completion_window = 360
+ enable_continuous_backup = true
+ lifecycle = {
+ cold_storage_after = 0
+ delete_after = 90
+ },
+ recovery_point_tags = {
+ Environment = "production"
+ }
+ },
+ ]
+
+ # One selection using a list of maps
+ selections = [
+ {
+ name = "selection-1"
+ resources = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table1"]
+ selection_tags = {
+ type = "STRINGEQUALS"
+ key = "Environment"
+ value = "production"
+ }
+ },
+ {
+ name = "selection-2"
+ resources = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table2"]
+ },
+ ]
+
+ tags = {
+ Owner = "devops"
+ Environment = "production"
+ Terraform = true
+ }
+
+}
+```
diff --git a/examples/simple_plan_using_lock_configuration/main.tf b/examples/simple_plan_using_lock_configuration/main.tf
new file mode 100644
index 0000000..b47eba7
--- /dev/null
+++ b/examples/simple_plan_using_lock_configuration/main.tf
@@ -0,0 +1,49 @@
+module "aws_backup_example" {
+
+ source = "lgallard/backup/aws"
+
+ # Vault
+ vault_name = "vault-1"
+
+ # Vault lock configuration
+ locked = true
+ changeable_for_days = 3
+ max_retention_days = 1200
+ min_retention_days = 7
+
+ # Plan
+ plan_name = "simple-plan-list"
+
+ # One rule using a list of maps
+ rules = [
+ {
+ name = "rule-1"
+ schedule = "cron(0 12 * * ? *)"
+ start_window = 120
+ completion_window = 360
+ enable_continuous_backup = true
+ lifecycle = {
+ cold_storage_after = 0
+ delete_after = 90
+ },
+ recovery_point_tags = {
+ Environment = "production"
+ }
+ },
+ ]
+
+ # One selection using a list of maps
+ selections = [
+ {
+ name = "selection-1"
+ resources = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table"]
+ },
+ ]
+
+ tags = {
+ Owner = "devops"
+ Environment = "production"
+ Terraform = true
+ }
+
+}
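Review bot: The example sets `changeable_for_days = 3`, which per the module's own variable description creates a compliance-mode lock, and nothing in the example or its README says that such a lock (and the vault behind it) cannot be removed once the cooling-off period has passed, so `terraform destroy` on this example stops working after three days. An example that readers will copy should state that explicitly next to the lock settings, e.g. `# changeable_for_days set => compliance mode: the lock and the vault become undeletable after the cooling-off period; omit it for a governance-mode lock that can still be removed`. The example README in this commit is also out of step with this file: its title says "Simple plan using lists" and its listing declares two selections where main.tf declares one.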
diff --git a/examples/simple_plan_using_lock_configuration/provider.tf b/examples/simple_plan_using_lock_configuration/provider.tf
new file mode 100644
index 0000000..634c762
--- /dev/null
+++ b/examples/simple_plan_using_lock_configuration/provider.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+ region = var.env["region"]
+ profile = var.env["profile"]
+}
diff --git a/examples/simple_plan_using_lock_configuration/terraform.tfvars b/examples/simple_plan_using_lock_configuration/terraform.tfvars
new file mode 100644
index 0000000..3cdaa9a
--- /dev/null
+++ b/examples/simple_plan_using_lock_configuration/terraform.tfvars
@@ -0,0 +1,4 @@
+env = {
+ region = "us-east-1"
+ profile = "default"
+}
diff --git a/examples/simple_plan_using_lock_configuration/variables.tf b/examples/simple_plan_using_lock_configuration/variables.tf
new file mode 100644
index 0000000..c7b7aed
--- /dev/null
+++ b/examples/simple_plan_using_lock_configuration/variables.tf
@@ -0,0 +1,4 @@
+variable "env" {
+ type = map(any)
+ default = {}
+}
diff --git a/main.tf b/main.tf
index 5ed8f7a..e9e1211 100644
--- a/main.tf
+++ b/main.tf
@@ -6,6 +6,15 @@ resource "aws_backup_vault" "ab_vault" {
tags = var.tags
}
+# AWS Backup vault lock configuration
+resource "aws_backup_vault_lock_configuration" "ab_vault_lock_configuration" {
+ count = var.locked && var.vault_name != null ? 1 : 0
+ backup_vault_name = var.vault_name
+ changeable_for_days = var.changeable_for_days
+ max_retention_days = var.max_retention_days
+ min_retention_days = var.min_retention_days
+}
+
# AWS Backup plan
resource "aws_backup_plan" "ab_plan" {
count = var.enabled ? 1 : 0
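Review bot: The lock resource takes `backup_vault_name = var.vault_name` instead of referencing `aws_backup_vault.ab_vault`, so Terraform sees no dependency between the lock and the vault and can attempt to create the lock before the vault exists on a fresh apply; referencing the resource, `backup_vault_name = aws_backup_vault.ab_vault[0].name`, fixes the ordering. The `count` expression also ignores `var.enabled`, which the plan resource on the next line gates on, so `enabled = false` together with `locked = true` would try to lock a vault the module does not create; `count = var.enabled && var.locked && var.vault_name != null ? 1 : 0` keeps the two consistent. The vault resource's own `count` is outside this hunk, so confirm its condition matches before relying on the `[0]` index.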
diff --git a/variables.tf b/variables.tf
index ae85d1b..03284f8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -19,6 +19,33 @@ variable "tags" {
default = {}
}
+#
+# AWS Backup vault lock configuration
+#
+variable "locked" {
+ description = "Change to true to add a lock configuration for the backup vault"
+ type = bool
+ default = false
+}
+
+variable "changeable_for_days" {
+ description = "The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode"
+ type = number
+ default = null
+}
+
+variable "max_retention_days" {
+ description = "The maximum retention period that the vault retains its recovery points"
+ type = number
+ default = null
+}
+
+variable "min_retention_days" {
+ description = "The minimum retention period that the vault retains its recovery points"
+ type = number
+ default = null
+}
+
#
# AWS Backup plan
#
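Review bot: `changeable_for_days` accepts any number, but AWS rejects values below 3 (the minimum cooling-off period), and the description does not say that setting it makes the lock irreversible after that period, which is the consequence an operator most needs to know before enabling it. If the module's minimum Terraform version supports variable validation, a validation block would turn the AWS-side rejection into a plan-time error, and the description could read `"Number of days before the lock date. If omitted the vault lock is created in governance mode (can still be removed); if set, compliance mode is used and the lock cannot be changed or removed once this cooling-off period has elapsed. AWS requires at least 3."`. The same irreversibility caveat is worth repeating on `locked`, since that flag alone is what readers will toggle.

```hcl
variable "changeable_for_days" {
  description = "Number of days before the lock date. If omitted the vault lock is created in governance mode (can still be removed); if set, compliance mode is used and the lock cannot be changed or removed once this cooling-off period has elapsed. AWS requires at least 3."
  type        = number
  default     = null

  validation {
    condition     = var.changeable_for_days == null ? true : var.changeable_for_days >= 3
    error_message = "changeable_for_days must be null (governance mode) or at least 3 (AWS minimum cooling-off period for compliance mode)."
  }
}
# … unchanged: locked, max_retention_days, min_retention_days …
```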