Added force destroy feature + new restore policy (#13)

* Updated Documentation + terratest version * Refactored examples to be 4.0 compatible * New feature to allow force destroy for backup vault * Added restore policy * Update documentation + upgrade go modules * Update github actions workflow
umotif-public · Aug 18, 2022 · 92a91c8 · 92a91c8
1 parent a02a7c3
commit 92a91c8
Show file tree

Hide file tree

Showing 12 changed files with 1,144 additions and 214 deletions.
diff --git a/.github/workflows/terraform-checks.yaml b/.github/workflows/terraform-checks.yaml
@@ -1,13 +1,12 @@
 name: Lint and Validate
 
 on:
-  pull_request:
-    branches:
-      - main
+  pull_request_review:
+    types: [submitted, edited]
   workflow_dispatch:
 
 env:
-  TF_VERSION: 0.13.0
+  TF_VERSION: 1.1.7
 
 jobs:
   fmt:

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -1,14 +1,13 @@
 name: Terratest
 
 on:
-  pull_request:
-    branches:
-      - main
+  pull_request_review:
+    types: [submitted, edited]
   workflow_dispatch:
 
 env:
-  TF_VERSION: 0.13.0
-  GO_VERSION: 1.16.5
+  TF_VERSION: 1.1.7
+  GO_VERSION: 1.19
 
 jobs:
   terratest:
@@ -28,20 +27,12 @@ jobs:
     - name: Install dependencies
       run: |
         go mod download
-        go get -u golang.org/x/lint/golint
         go get github.com/gruntwork-io/terratest/modules/retry@v0.31.0
       working-directory: ${{ env.working-directory }}
-    - name: Run checks
-      run: |
-        go vet .
-        golint .
-      working-directory: ${{ env.working-directory }}
 
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v1
       with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         aws-region: eu-west-1
         role-skip-session-tagging: true
         role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.0.1
+  rev: v4.3.0
   hooks:
   - id: check-added-large-files
     args: ['--maxkb=500']
@@ -17,8 +17,8 @@ repos:
   - id: detect-aws-credentials
     args: ['--allow-missing-credentials']
   - id: trailing-whitespace
-- repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.50.0
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.74.1
   hooks:
   - id: terraform_fmt
   - id: terraform_docs

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,12 @@ All notable changes to this project will be documented in this file.
 <a name="unreleased"></a>
 ## [Unreleased]
 
-- Migrate to main branch + manual trigger to pipeline
+
+
+<a name="1.4.0"></a>
+## [1.4.0] - 2021-06-28
+
+- Migrate to main branch + manual trigger to pipeline ([#12](https://github.com/umotif-public/terraform-aws-backup/issues/12))
 
 
 <a name="1.3.1"></a>
@@ -51,7 +56,8 @@ All notable changes to this project will be documented in this file.
 - Initial commit
 
 
-[Unreleased]: https://github.com/umotif-public/terraform-aws-backup/compare/1.3.1...HEAD
+[Unreleased]: https://github.com/umotif-public/terraform-aws-backup/compare/1.4.0...HEAD
+[1.4.0]: https://github.com/umotif-public/terraform-aws-backup/compare/1.3.1...1.4.0
 [1.3.1]: https://github.com/umotif-public/terraform-aws-backup/compare/1.3.0...1.3.1
 [1.3.0]: https://github.com/umotif-public/terraform-aws-backup/compare/1.2.0...1.3.0
 [1.2.0]: https://github.com/umotif-public/terraform-aws-backup/compare/1.1.0...1.2.0

diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ Terraform module to provision [AWS Backup](https://aws.amazon.com/backup/) resou
 
 ## Terraform versions
 
-Terraform 0.13+. Pin module version to `~> v1.4`. Submit pull-requests to `main` branch. Prior versions on `master` branch will need `~> v1.3`.
+Terraform 1.0+. Pin module version to `~> v1.5`. Submit pull-requests to `main` branch. Prior versions on `master` branch will need `~> v1.3`.
 
 ## Usage
 
@@ -17,7 +17,7 @@ Terraform 0.13+. Pin module version to `~> v1.4`. Submit pull-requests to `main`
 ```hcl
 module "backup" {
   source = "umotif-public/backup/aws"
-  version = "~> 1.4"
+  version = "~> 1.5"
 
   vault_name        = "test-rds-aurora"
   vault_kms_key_arn = "arn:aws:kms:eu-west-1:1111111111:key/07a8a813-fcc9-4d7f-a982648d9c25"
@@ -66,7 +66,7 @@ module "backup" {
 
 ## Assumptions
 
-Module is to be used with Terraform > 0.13.
+Module is to be used with Terraform > 1.0.
 
 ## Examples
 
@@ -79,22 +79,21 @@ Module is to be used with Terraform > 0.13.
 
 Module managed by:
 
-* [Marcin Cuber](https://github.com/marcincuber) ([LinkedIn](https://www.linkedin.com/in/marcincuber/))
-* [Abdul Wahid](https://github.com/Ohid25) ([LinkedIn](https://www.linkedin.com/in/abdul-wahid/))
+* Module managed by [uMotif](https://github.com/umotif-public/).
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.11 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.11 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.11 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0.0 |
 
 ## Modules
 
@@ -111,7 +110,8 @@ No modules.
 | [aws_iam_policy.main_custom_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.main_custom_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.main_role_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.main_role_backup_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.main_role_restore_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_sns_topic.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_iam_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -148,6 +148,7 @@ No modules.
 | <a name="input_selection_tags"></a> [selection\_tags](#input\_selection\_tags) | A list of selection tags map | `list(any)` | `[]` | no |
 | <a name="input_sns_topic_arn"></a> [sns\_topic\_arn](#input\_sns\_topic\_arn) | The Amazon Resource Name (ARN) that specifies the topic for a backup vault’s events | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to the resource | `map(string)` | `{}` | no |
+| <a name="input_vault_force_destroy"></a> [vault\_force\_destroy](#input\_vault\_force\_destroy) | A boolean that indicates that all recovery points stored in the vault are deleted so that the vault can be destroyed without error. | `bool` | `false` | no |
 | <a name="input_vault_kms_key_arn"></a> [vault\_kms\_key\_arn](#input\_vault\_kms\_key\_arn) | The server-side encryption key that is used to protect your backups | `string` | `null` | no |
 | <a name="input_vault_name"></a> [vault\_name](#input\_vault\_name) | Name of the backup vault to create. If not given, AWS use default | `string` | `null` | no |
 | <a name="input_vault_sns_kms_key_arn"></a> [vault\_sns\_kms\_key\_arn](#input\_vault\_sns\_kms\_key\_arn) | The server-side encryption key that is used to protect SNS messages for backups | `string` | `null` | no |

diff --git a/examples/multiple-dbs/main.tf b/examples/multiple-dbs/main.tf
@@ -12,12 +12,15 @@ data "aws_vpc" "default" {
   default = true
 }
 
-data "aws_subnet_ids" "all" {
-  vpc_id = data.aws_vpc.default.id
+data "aws_subnets" "all" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
 }
 
 data "aws_subnet" "public" {
-  for_each = data.aws_subnet_ids.all.ids
+  for_each = toset(data.aws_subnets.all.ids)
   id       = each.value
 }
 
@@ -40,14 +43,15 @@ data "aws_kms_key" "sns_backup" {
 # RDS Aurora
 #############
 module "aurora-mysql" {
-  source = "umotif-public/rds-aurora/aws"
+  source  = "umotif-public/rds-aurora/aws"
+  version = "~> 3"
 
   name_prefix   = "${var.name_prefix}-aurora-mysql"
   database_name = "${var.name_prefix}mysqldb"
   engine        = "aurora-mysql"
 
   vpc_id  = data.aws_vpc.default.id
-  subnets = data.aws_subnet_ids.all.ids
+  subnets = data.aws_subnets.all.ids
 
   kms_key_id = data.aws_kms_key.rds.arn
 
@@ -61,7 +65,8 @@ module "aurora-mysql" {
 }
 
 module "aurora-postgresql" {
-  source = "umotif-public/rds-aurora/aws"
+  source  = "umotif-public/rds-aurora/aws"
+  version = "~> 3"
 
   name_prefix             = "${var.name_prefix}-postgresql"
   database_name           = "${var.name_prefix}postgresqldb"
@@ -70,7 +75,7 @@ module "aurora-postgresql" {
   engine_parameter_family = "aurora-postgresql11"
 
   vpc_id  = data.aws_vpc.default.id
-  subnets = data.aws_subnet_ids.all.ids
+  subnets = data.aws_subnets.all.ids
 
   kms_key_id = data.aws_kms_key.rds.arn
 
@@ -90,8 +95,9 @@ module "backup" {
   source = "../.."
 
   # Create a Vault
-  vault_name        = "${var.name_prefix}-rds-aurora"
-  vault_kms_key_arn = data.aws_kms_key.backup.arn
+  vault_name          = "${var.name_prefix}-rds-aurora"
+  vault_kms_key_arn   = data.aws_kms_key.backup.arn
+  vault_force_destroy = true
 
   tags = {
     Environment = "test"

diff --git a/examples/one-db/main.tf b/examples/one-db/main.tf
@@ -9,12 +9,15 @@ data "aws_vpc" "default" {
   default = true
 }
 
-data "aws_subnet_ids" "all" {
-  vpc_id = data.aws_vpc.default.id
+data "aws_subnets" "all" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
 }
 
 data "aws_subnet" "public" {
-  for_each = data.aws_subnet_ids.all.ids
+  for_each = toset(data.aws_subnets.all.ids)
   id       = each.value
 }
 
@@ -33,14 +36,15 @@ data "aws_kms_key" "rds" {
 # RDS Aurora
 #############
 module "aurora" {
-  source = "umotif-public/rds-aurora/aws"
+  source  = "umotif-public/rds-aurora/aws"
+  version = "~> 3"
 
   name_prefix   = "${var.name_prefix}-aurora-mysql"
   database_name = "${var.name_prefix}mysqldb"
   engine        = "aurora-mysql"
 
   vpc_id  = data.aws_vpc.default.id
-  subnets = data.aws_subnet_ids.all.ids
+  subnets = data.aws_subnets.all.ids
 
   kms_key_id = data.aws_kms_key.rds.arn
 
@@ -60,9 +64,9 @@ module "backup" {
   source = "../.."
 
   # Create a Vault
-  vault_name        = "${var.name_prefix}-rds-aurora"
-  vault_kms_key_arn = data.aws_kms_key.backup.arn
-
+  vault_name          = "${var.name_prefix}-rds-aurora"
+  vault_kms_key_arn   = data.aws_kms_key.backup.arn
+  vault_force_destroy = true
   tags = {
     Environment = "test"
   }
@@ -78,10 +82,12 @@ module "backup" {
         Project = "test"
         Region  = "eu-west-1"
       }
+      schedule = "cron(0 2 ? * MON-FRI *)"
 
       lifecycle = {
         delete_after = 30
       }
+
     }
   ]
 

diff --git a/main.tf b/main.tf
@@ -4,9 +4,10 @@
 resource "aws_backup_vault" "main" {
   count = var.vault_name != null ? 1 : 0
 
-  name        = var.vault_name
-  kms_key_arn = var.vault_kms_key_arn
-  tags        = var.tags
+  name          = var.vault_name
+  kms_key_arn   = var.vault_kms_key_arn
+  force_destroy = var.vault_force_destroy
+  tags          = var.tags
 }
 
 #####
@@ -117,18 +118,24 @@ resource "aws_iam_role" "main" {
   tags = var.tags
 }
 
-resource "aws_iam_role_policy_attachment" "main_role_policy_attach" {
+resource "aws_iam_role_policy_attachment" "main_role_backup_policy_attach" {
   policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
   role       = aws_iam_role.main.name
 }
 
+resource "aws_iam_role_policy_attachment" "main_role_restore_policy_attach" {
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores"
+  role       = aws_iam_role.main.name
+}
+
 resource "aws_iam_policy" "main_custom_policy" {
   description = "AWS Backup Tag policy"
+  policy      = data.aws_iam_policy_document.main_custom_policy.json
 
-  policy = data.aws_iam_policy_document.main_custom_policy.json
+  tags = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "main_custom_policy_attach" {
   policy_arn = aws_iam_policy.main_custom_policy.arn
   role       = aws_iam_role.main.name
-}
+}
diff --git a/test/go.mod b/test/go.mod
@@ -3,14 +3,32 @@ module github.com/umotif-public/terraform-aws-backup/test
 go 1.15
 
 require (
-	github.com/gruntwork-io/terratest v0.31.0
-	github.com/jinzhu/copier v0.1.0 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/stretchr/testify v1.6.1
-	golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c // indirect
-	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
-	golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 // indirect
-	golang.org/x/tools v0.1.4 // indirect
+	cloud.google.com/go v0.103.0 // indirect
+	cloud.google.com/go/compute v1.8.0 // indirect
+	cloud.google.com/go/storage v1.25.0 // indirect
+	github.com/aws/aws-sdk-go v1.44.79 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.5.1 // indirect
+	github.com/gruntwork-io/terratest v0.40.20
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-getter v1.6.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.13.0 // indirect
+	github.com/hashicorp/terraform-json v0.14.0 // indirect
+	github.com/jinzhu/copier v0.3.5 // indirect
+	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/mattn/go-zglob v0.0.3 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
+	github.com/stretchr/testify v1.8.0
+	github.com/tmccombs/hcl2json v0.3.4 // indirect
+	github.com/ulikunitz/xz v0.5.10 // indirect
+	golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8 // indirect
+	golang.org/x/net v0.0.0-20220812174116-3211cb980234 // indirect
+	golang.org/x/oauth2 v0.0.0-20220808172628-8227340efae7 // indirect
+	golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2 // indirect
+	google.golang.org/api v0.93.0 // indirect
+	google.golang.org/genproto v0.0.0-20220817144833-d7fd3f11b9b1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
-	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
 )