Create a reference code for exporting RDS snapshots to S3 (#299)

binbashar · Aug 19, 2021 · bd1941b · bd1941b
1 parent 7cb3faf
commit bd1941b
Show file tree

Hide file tree

Showing 3 changed files with 272 additions and 0 deletions.
diff --git a/apps-devstg/databases-aurora/rds-export-to-s3/config.tf b/apps-devstg/databases-aurora/rds-export-to-s3/config.tf
@@ -0,0 +1,37 @@
+# -------------------------------------
+# Providers
+# -------------------------------------
+provider "aws" {
+  region                  = var.region
+  profile                 = var.profile
+  shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+# -------------------------------------
+# Backend Config (partial)
+# -------------------------------------
+terraform {
+  required_version = ">= 0.14.4"
+
+  backend "s3" {
+    key = "apps-devstg/databases-aurora/rds-export-to-s3/terraform.tfstate"
+  }
+
+  required_providers {
+    aws = ">= 3.8"
+  }
+}
+
+# -------------------------------------
+# Data Resources
+# -------------------------------------
+data "terraform_remote_state" "databases-aurora" {
+  backend = "s3"
+
+  config = {
+    region  = var.region
+    profile = var.profile
+    bucket  = var.bucket
+    key     = "apps-devstg/databases-aurora/terraform.tfstate"
+  }
+}
diff --git a/apps-devstg/databases-aurora/rds-export-to-s3/main.tf b/apps-devstg/databases-aurora/rds-export-to-s3/main.tf
@@ -0,0 +1,133 @@
+locals {
+  bucket_name = "${var.project}-${var.environment}-rds-exported-snapshots"
+  tags = {
+    Name        = "rds-export-to-s3"
+    Terraform   = "true"
+    Environment = var.environment
+  }
+}
+
+# -----------------------------------------------------------------------------
+# RDS Export To S3
+# -----------------------------------------------------------------------------
+module "rds_export_to_s3" {
+  source = "github.com/binbashar/terraform-aws-rds-export-to-s3.git?ref=master"
+
+  # Set a prefix for naming resources
+  prefix = "aurora-mysql"
+
+  # The database name whose RDS snapshots will be exported to S3
+  database_name = data.terraform_remote_state.databases-aurora.outputs.this_rds_cluster_id
+
+  # The RDS snapshots events that should be included: RDS Aurora (RDS-EVENT-0169) or RDS non-Aurora (RDS-EVENT-0091)
+  rds_event_id = "RDS-EVENT-0169"
+
+  # The S3 bucket that will store the exported snapshots
+  snapshots_bucket_name = module.bucket.s3_bucket_id
+  snapshots_bucket_arn  = module.bucket.s3_bucket_arn
+
+  # The SNS topic that will receive notifications about exported snapshots events
+  notifications_topic_arn = "arn:aws:sns:us-east-1:523857393444:sns-topic-slack-notify-monitoring-sec"
+
+  # A logging level which is useful for debugging
+  log_level = "DEBUG"
+
+  tags = local.tags
+}
+
+# -----------------------------------------------------------------------------
+# This bucket will be used for storing the exported RDS snapshots.
+# -----------------------------------------------------------------------------
+module "bucket" {
+  source = "github.com/binbashar/terraform-aws-s3-bucket.git?ref=v2.6.0"
+
+  bucket        = local.bucket_name
+  acl           = "private"
+  force_destroy = true
+
+  attach_deny_insecure_transport_policy = true
+
+  # lifecycle_rule = [
+  #   {
+  #     id      = "all"
+  #     enabled = true
+  #     prefix  = "/"
+
+  #     tags = {
+  #       rule      = "all"
+  #     }
+
+  #     transition = [
+  #       {
+  #         days          = 30
+  #         storage_class = "ONEZONE_IA"
+  #       },
+  #       {
+  #         days          = 60
+  #         storage_class = "GLACIER"
+  #       }
+  #     ]
+
+  #     expiration = {
+  #       days = 90
+  #     }
+
+  #     noncurrent_version_expiration = {
+  #       days = 30
+  #     }
+  #   }
+  # ]
+
+  # replication_configuration = {
+  #   role = aws_iam_role.replication.arn
+
+  #   rules = [
+  #     {
+  #       id       = "main"
+  #       status   = "Enabled"
+  #       priority = 10
+
+  #       source_selection_criteria = {
+  #         sse_kms_encrypted_objects = {
+  #           enabled = true
+  #         }
+  #       }
+
+  #       filter = {
+  #         prefix = "/"
+  #       }
+
+  #       destination = {
+  #         bucket             = "arn:aws:s3:::${local.bucket_name}"
+  #         storage_class      = "STANDARD"
+  #         replica_kms_key_id = aws_kms_key.replica.arn
+  #         account_id         = data.aws_caller_identity.current.account_id
+  #         access_control_translation = {
+  #           owner = "Destination"
+  #         }
+  #       }
+  #     }
+  #   ]
+  # }
+
+  #
+  # object_lock_mode              = "GOVERNANCE"
+  # object_lock_retain_until_date = formatdate("YYYY-MM-DD'T'hh:00:00Z", timeadd(timestamp(), "24h"))
+  # object_lock_legal_hold_status = true
+  #
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+  tags = local.tags
+}
diff --git a/apps-devstg/databases-aurora/rds-export-to-s3/variables.tf b/apps-devstg/databases-aurora/rds-export-to-s3/variables.tf
@@ -0,0 +1,102 @@
+#
+# config/backend.config
+#
+#================================#
+# Terraform AWS Backend Settings #
+#================================#
+variable "region" {
+  type        = string
+  description = "AWS Region"
+}
+
+variable "profile" {
+  type        = string
+  description = "AWS Profile (required by the backend but also used for other resources)"
+}
+
+variable "bucket" {
+  type        = string
+  description = "AWS S3 TF State Backend Bucket"
+}
+
+variable "dynamodb_table" {
+  type        = string
+  description = "AWS DynamoDB TF Lock state table name"
+}
+
+variable "encrypt" {
+  type        = bool
+  description = "Enable AWS DynamoDB with server side encryption"
+}
+
+#
+# config/base.config
+#
+#=============================#
+# Project Variables           #
+#=============================#
+variable "project" {
+  type        = string
+  description = "Project Name"
+}
+
+variable "project_long" {
+  type        = string
+  description = "Project Long Name"
+}
+
+variable "environment" {
+  type        = string
+  description = "Environment Name"
+}
+
+#
+# config/extra.config
+#
+#=============================#
+# Accounts & Extra Vars       #
+#=============================#
+variable "region_secondary" {
+  type        = string
+  description = "AWS Scondary Region for HA"
+}
+
+variable "root_account_id" {
+  type        = string
+  description = "Account: Root"
+}
+
+variable "security_account_id" {
+  type        = string
+  description = "Account: Security & Users Management"
+}
+
+variable "shared_account_id" {
+  type        = string
+  description = "Account: Shared Resources"
+}
+
+variable "appsdevstg_account_id" {
+  type        = string
+  description = "Account: Dev Modules & Libs"
+}
+
+variable "appsprd_account_id" {
+  type        = string
+  description = "Account: Prod Modules & Libs"
+}
+
+variable "network_account_id" {
+  type        = string
+  description = "Account: Network"
+}
+
+variable "vault_address" {
+  type        = string
+  description = "Hashicorp vault api endpoint address"
+}
+
+variable "vault_token" {
+  type        = string
+  description = "Hashicorp vault admin token"
+}