From 67d4753a3f233be85c8d0d379c4a2dc39ba08ca9 Mon Sep 17 00:00:00 2001 From: Dennis Hoppe Date: Fri, 24 Feb 2023 10:16:51 +0100 Subject: [PATCH] Add new resource aws_backup_vault_lock_configuration A vault lock helps protect backups from lifecycle changes, accidental deletion, or malicious activities. Closes #71 --- README.md | 7 +- .../README.md | 64 +++++++++++++++++++ .../main.tf | 49 ++++++++++++++ .../provider.tf | 4 ++ .../terraform.tfvars | 4 ++ .../variables.tf | 4 ++ main.tf | 9 +++ variables.tf | 27 ++++++++ 8 files changed, 167 insertions(+), 1 deletion(-) create mode 100644 examples/simple_plan_using_lock_configuration/README.md create mode 100644 examples/simple_plan_using_lock_configuration/main.tf create mode 100644 examples/simple_plan_using_lock_configuration/provider.tf create mode 100644 examples/simple_plan_using_lock_configuration/terraform.tfvars create mode 100644 examples/simple_plan_using_lock_configuration/variables.tf diff --git a/README.md b/README.md index 8c13e3f..70483a4 100644 --- a/README.md +++ b/README.md @@ -155,7 +155,7 @@ module "aws_backup_example" { | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.31.0 | +| [aws](#provider\_aws) | 4.55.0 | ## Modules 
@@ -168,6 +168,7 @@ No modules. | [aws_backup_plan.ab_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource | | [aws_backup_selection.ab_selection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource | | [aws_backup_vault.ab_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | +| [aws_backup_vault_lock_configuration.ab_vault_lock_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource | | [aws_backup_vault_notifications.backup_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_notifications) | resource | | [aws_iam_policy.ab_tag_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.ab_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 
@@ -186,9 +187,13 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [changeable\_for\_days](#input\_changeable\_for\_days) | The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode | `number` | `null` | no | | [enabled](#input\_enabled) | Change to false to avoid deploying any AWS Backup resources | `bool` | `true` | no | | [iam\_role\_arn](#input\_iam\_role\_arn) | If configured, the module will attach this role to selections, instead of creating IAM resources by itself | `string` | `null` | no | | [iam\_role\_name](#input\_iam\_role\_name) | Allow to set IAM role name, otherwise use predefined default | `string` | `""` | no | +| [locked](#input\_locked) | Change to true to add a lock configuration for the backup vault | `bool` | `false` | no | +| [max\_retention\_days](#input\_max\_retention\_days) | The maximum retention period that the vault retains its recovery points | `number` | `null` | no | +| [min\_retention\_days](#input\_min\_retention\_days) | The minimum retention period that the vault retains its recovery points | `number` | `null` | no | | [notifications](#input\_notifications) | Notification block which defines backup vault events and the SNS Topic ARN to send AWS Backup notifications to. Leave it empty to disable notifications | `any` | `{}` | no | | [plan\_name](#input\_plan\_name) | The display name of a backup plan | `string` | n/a | yes | | [rule\_completion\_window](#input\_rule\_completion\_window) | The amount of time AWS Backup attempts a backup before canceling the job and returning an error | `number` | `null` | no | diff --git a/examples/simple_plan_using_lock_configuration/README.md b/examples/simple_plan_using_lock_configuration/README.md new file mode 100644 index 0000000..820d69d --- /dev/null +++ b/examples/simple_plan_using_lock_configuration/README.md 
@@ -0,0 +1,64 @@
+# Simple plan using lists
+
+This example shows you how to create a simple plan using lists instead of variables:
+
+```
+module "aws_backup_example" {
+
+ source = "lgallard/backup/aws"
+
+ # Vault
+ vault_name = "vault-1"
+
+ # Vault lock configuration
+ locked = true
+ changeable_for_days = 3
+ max_retention_days = 1200
+ min_retention_days = 7
+
+ # Plan
+ plan_name = "simple-plan-list"
+
+ # One rule using a list of maps
+ rules = [
+ {
+ name = "rule-1"
+ schedule = "cron(0 12 * * ? *)"
+ start_window = 120
+ completion_window = 360
+ enable_continuous_backup = true
+ lifecycle = {
+ cold_storage_after = 0
+ delete_after = 90
+ },
+ recovery_point_tags = {
+ Environment = "production"
+ }
+ },
+ ]
+
+ # One selection using a list of maps
+ selections = [
+ {
+ name = "selection-1"
+ resources = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table1"]
+ selection_tags = {
+ type = "STRINGEQUALS"
+ key = "Environment"
+ value = "production"
+ }
+ },
+ {
+ name = "selection-2"
+ resources = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table2"]
+ },
+ ]
+
+ tags = {
+ Owner = "devops"
+ Environment = "production"
+ Terraform = true
+ }
+
+ }
+```
diff --git a/examples/simple_plan_using_lock_configuration/main.tf b/examples/simple_plan_using_lock_configuration/main.tf
new file mode 100644
index 0000000..b47eba7
--- /dev/null
+++ b/examples/simple_plan_using_lock_configuration/main.tf
@@ -0,0 +1,49 @@
+module "aws_backup_example" {
+
+ source = "lgallard/backup/aws"
+
+ # Vault
+ vault_name = "vault-1"
+
+ # Vault lock configuration
+ locked = true
+ changeable_for_days = 3
+ max_retention_days = 1200
+ min_retention_days = 7
+
+ # Plan
+ plan_name = "simple-plan-list"
+
+ # One rule using a list of maps
+ rules = [
+ {
+ name = "rule-1"
+ schedule = "cron(0 12 * * ? *)"
+ start_window = 120
+ completion_window = 360
+ enable_continuous_backup = true
+ lifecycle = {
+ cold_storage_after = 0
+ delete_after = 90
+ },
+ recovery_point_tags = {
+ Environment = "production"
+ }
+ },
+ ]
+
+ # One selection using a list of maps
+ selections = [
+ {
+ name = "selection-1"
+ resources = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table"]
+ },
+ ]
+
+ tags = {
+ Owner = "devops"
+ Environment = "production"
+ Terraform = true
+ }
+
+}
diff --git a/examples/simple_plan_using_lock_configuration/provider.tf b/examples/simple_plan_using_lock_configuration/provider.tf
new file mode 100644
index 0000000..634c762
--- /dev/null
+++ b/examples/simple_plan_using_lock_configuration/provider.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+ region = var.env["region"]
+ profile = var.env["profile"]
+}
diff --git a/examples/simple_plan_using_lock_configuration/terraform.tfvars b/examples/simple_plan_using_lock_configuration/terraform.tfvars
new file mode 100644
index 0000000..3cdaa9a
--- /dev/null
+++ b/examples/simple_plan_using_lock_configuration/terraform.tfvars
@@ -0,0 +1,4 @@
+env = {
+ region = "us-east-1"
+ profile = "default"
+}
diff --git a/examples/simple_plan_using_lock_configuration/variables.tf b/examples/simple_plan_using_lock_configuration/variables.tf
new file mode 100644
index 0000000..c7b7aed
--- /dev/null
+++ b/examples/simple_plan_using_lock_configuration/variables.tf
@@ -0,0 +1,4 @@
+variable "env" {
+ type = map(any)
+ default = {}
+}
diff --git a/main.tf b/main.tf
index 5ed8f7a..e9e1211 100644
--- a/main.tf
+++ b/main.tf
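Review bot: The example sets `changeable_for_days = 3`, which per the module's own variable description switches the lock to compliance mode, and an example is exactly what users copy into a real account; in compliance mode the lock cannot be removed once the cooling-off period elapses, so the vault and every recovery point in it become undeletable until `min_retention_days` / `max_retention_days` have run out. Either leave `changeable_for_days` out of the example (governance mode, reversible) or put the consequence next to the value: `# Non-null changeable_for_days = COMPLIANCE mode: after 3 days this lock is permanent and cannot be removed by any principal (per AWS Backup Vault Lock documentation)`. A second short comment that the rule's `delete_after = 90` must fall inside the `min_retention_days = 7` .. `max_retention_days = 1200` window would explain why those three numbers are paired here.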
@@ -6,6 +6,15 @@ resource "aws_backup_vault" "ab_vault" {
 tags = var.tags
 }
+# AWS Backup vault lock configuration
+resource "aws_backup_vault_lock_configuration" "ab_vault_lock_configuration" {
+ count = var.locked && var.vault_name != null ? 1 : 0
+ backup_vault_name = var.vault_name
+ changeable_for_days = var.changeable_for_days
+ max_retention_days = var.max_retention_days
+ min_retention_days = var.min_retention_days
+}
+
 # AWS Backup plan
 resource "aws_backup_plan" "ab_plan" {
 count = var.enabled ? 1 : 0
diff --git a/variables.tf b/variables.tf
index ae85d1b..03284f8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -19,6 +19,33 @@ variable "tags" {
 default = {}
 }
+#
+# AWS Backup vault lock configuration
+#
+variable "locked" {
+ description = "Change to true to add a lock configuration for the backup vault"
+ type = bool
+ default = false
+}
+
+variable "changeable_for_days" {
+ description = "The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode"
+ type = number
+ default = null
+}
+
+variable "max_retention_days" {
+ description = "The maximum retention period that the vault retains its recovery points"
+ type = number
+ default = null
+}
+
+variable "min_retention_days" {
+ description = "The minimum retention period that the vault retains its recovery points"
+ type = number
+ default = null
+}
+
 #
 # AWS Backup plan
 #
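Review bot: The new resource's `count` does not include `var.enabled`, while the neighbouring `aws_backup_plan.ab_plan` is gated on `var.enabled ? 1 : 0` and the README documents `enabled = false` as "avoid deploying any AWS Backup resources"; with `enabled = false` and `locked = true` the module would still try to lock a vault it never created. Change it to `count = var.enabled && var.locked && var.vault_name != null ? 1 : 0`. `backup_vault_name = var.vault_name` also gives Terraform no dependency edge to `aws_backup_vault.ab_vault` (whose block starts outside this hunk), so on a fresh apply the lock can be attempted before the vault exists; referencing the vault's `name` attribute (`aws_backup_vault.ab_vault[0].name` if that resource uses `count`) or adding `depends_on` orders the two. The block comment would help maintainers if it said what the arguments commit the account to: `# A non-null changeable_for_days creates a COMPLIANCE-mode lock that becomes irreversible after that many days; null means governance mode (removable)`.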
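Review bot: `changeable_for_days` is typed `number` with no `validation` block, so a value below the cooling-off minimum only fails at apply time inside the provider, and a value in range silently commits the vault to an irreversible compliance-mode lock; a validation with an explicit message catches the first case at plan time and doubles as documentation of the second. The same treatment would suit `min_retention_days` / `max_retention_days` (non-negative, min not above max), but I have not checked the service limits for those, so the proposal below covers only the cooling-off period, which the AWS documentation gives as 3 days minimum; `coalesce` keeps the expression safe when the variable is left at `null`.
```hcl
variable "changeable_for_days" {
  description = "The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode"
  type        = number
  default     = null

  validation {
    condition     = coalesce(var.changeable_for_days, 3) >= 3
    error_message = "changeable_for_days must be null (governance mode) or at least 3 (compliance-mode cooling-off period); a compliance-mode lock cannot be removed once that period ends."
  }
}
# … unchanged: locked, max_retention_days, min_retention_days …
```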