From 20b36beafa53a7ee2fd877b3645f0402025f8150 Mon Sep 17 00:00:00 2001
From: samidbb <40062553+samidbb@users.noreply.github.com>
Date: Fri, 15 Dec 2023 09:22:57 +0100
Subject: [PATCH] Support for adding proper tags (#45)
---
README.md | 14 ++--
locals.tf | 18 ++++-
main.tf | 49 ++++++-------
modules/rds_instance/main.tf | 2 +-
modules/rds_instance/variables.tf | 6 ++
modules/security_group/main.tf | 7 +-
tests/instance/main.tf | 14 ++--
tests/qa/main.tf | 8 ++-
variables.tf | 111 +++++++++++++++++++-----------
9 files changed, 144 insertions(+), 85 deletions(-)
diff --git a/README.md b/README.md
index 178ebd04..a4948b7d 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,7 @@ Terraform module for AWS RDS instances
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [additional\_backup\_retention](#input\_additional\_backup\_retention) | Sets the dfds.data.backup\_retention tag to the specified value. See recommendations here: https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy. For additional info on how backup works see https://wiki.dfds.cloud/en/playbooks/aws-backup/aws-backup-getting-started | `string` | `""` | no |
| [allocated\_storage](#input\_allocated\_storage) | The allocated storage in gigabytes | `number` | `null` | no |
| [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible | `bool` | `true` | no |
| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any database modifications are applied immediately, or during the next maintenance window | `bool` | `false` | no |
@@ -89,27 +90,25 @@ Terraform module for AWS RDS instances
| [cluster\_scaling\_configuration](#input\_cluster\_scaling\_configuration) | Map of nested attributes with scaling properties. Only valid when `engine_mode` is set to `serverless` | `map(string)` | `{}` | no |
| [cluster\_serverlessv2\_scaling\_configuration](#input\_cluster\_serverlessv2\_scaling\_configuration) | Map of nested attributes with serverless v2 scaling properties. Only valid when `engine_mode` is set to `provisioned` | `map(string)` | `{}` | no |
| [cluster\_source\_region](#input\_cluster\_source\_region) | The source region for an encrypted replica DB cluster | `string` | `null` | no |
-| [cluster\_tags](#input\_cluster\_tags) | A map of tags to add to only the cluster. Used for AWS Instance Scheduler tagging | `map(string)` | `{}` | no |
| [cluster\_timeouts](#input\_cluster\_timeouts) | Create, update, and delete timeout configurations for the cluster | `map(string)` | `{}` | no |
| [cluster\_use\_name\_prefix](#input\_cluster\_use\_name\_prefix) | Whether to use `name` as a prefix for the cluster | `bool` | `false` | no |
| [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | On delete, copy all Instance tags to the final snapshot | `bool` | `false` | no |
+| [cost\_centre](#input\_cost\_centre) | Sets the dfds.cost\_centre tag. See recommendations here: https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy | `string` | n/a | yes |
| [create\_db\_cluster\_activity\_stream](#input\_create\_db\_cluster\_activity\_stream) | Determines whether a cluster activity stream is created. | `bool` | `false` | no |
| [create\_db\_instance](#input\_create\_db\_instance) | Whether to create a database instance | `bool` | `true` | no |
| [create\_db\_option\_group](#input\_create\_db\_option\_group) | Create a database option group | `bool` | `true` | no |
| [create\_db\_parameter\_group](#input\_create\_db\_parameter\_group) | Whether to create a database parameter group | `bool` | `true` | no |
| [create\_db\_subnet\_group](#input\_create\_db\_subnet\_group) | Whether to create a DB subnet group | `bool` | `true` | no |
-| [db\_instance\_tags](#input\_db\_instance\_tags) | Additional tags for the DB instance | `map(string)` | `{}` | no |
+| [data\_classification](#input\_data\_classification) | Sets the dfds.data.classification tag to the specified value. See recommendations here: https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy | `string` | n/a | yes |
| [db\_name](#input\_db\_name) | The DB name to create. If omitted, no database is created initially | `string` | `null` | no |
-| [db\_option\_group\_tags](#input\_db\_option\_group\_tags) | Additional tags for the DB option group | `map(string)` | `{}` | no |
-| [db\_parameter\_group\_tags](#input\_db\_parameter\_group\_tags) | Additional tags for the DB parameter group | `map(string)` | `{}` | no |
| [db\_subnet\_group\_description](#input\_db\_subnet\_group\_description) | Description of the DB subnet group to create | `string` | `null` | no |
| [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC | `string` | `null` | no |
-| [db\_subnet\_group\_tags](#input\_db\_subnet\_group\_tags) | Additional tags for the DB subnet group | `map(string)` | `{}` | no |
| [db\_subnet\_group\_use\_name\_prefix](#input\_db\_subnet\_group\_use\_name\_prefix) | Determines whether to use `subnet_group_name` as is or create a unique name beginning with the `subnet_group_name` as the prefix | `bool` | `false` | no |
| [delete\_automated\_backups](#input\_delete\_automated\_backups) | Specifies whether to remove automated backups immediately after the DB instance is deleted | `bool` | `true` | no |
| [deletion\_protection](#input\_deletion\_protection) | The database can't be deleted when this value is set to true | `bool` | `true` | no |
| [domain](#input\_domain) | The ID of the Directory Service Active Directory domain to create the instance in | `string` | `null` | no |
| [domain\_iam\_role\_name](#input\_domain\_iam\_role\_name) | (Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service | `string` | `null` | no |
+| [enable\_default\_backup](#input\_enable\_default\_backup) | Sets the dfds.data.backup tag to true on non-prod resources. Tag is set to true for prod and false for non-prod. Default backup retention is 30 days Point-in-time. More info here https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy | `bool` | `null` | no |
| [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values postgresql (PostgreSQL), upgrade (PostgreSQL) | `list(string)` | `[]` | no |
| [engine\_version](#input\_engine\_version) | The engine version to use. If not specified the preffered version will be used. It is also possible to pass major version in this format "15". Note: that a specific version must be valid and this can be obtained from this documentation: https://docs.aws.amazon.com/AmazonRDS/latest/PostgreSQLReleaseNotes/postgresql-release-calendar.html | `string` | `null` | no |
| [enhanced\_monitoring\_create\_role](#input\_enhanced\_monitoring\_create\_role) | Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs | `bool` | `false` | no |
@@ -147,6 +146,8 @@ Terraform module for AWS RDS instances
| [option\_group\_name](#input\_option\_group\_name) | Name of the option group | `string` | `null` | no |
| [option\_group\_timeouts](#input\_option\_group\_timeouts) | Define maximum timeout for deletion of `aws_db_option_group` resource | `map(string)` | `{}` | no |
| [option\_group\_use\_name\_prefix](#input\_option\_group\_use\_name\_prefix) | Determines whether to use `option_group_name` as is or create a unique name beginning with the `option_group_name` as the prefix | `bool` | `true` | no |
+| [optional\_data\_specific\_tags](#input\_optional\_data\_specific\_tags) | Provide list of tags that are prefixed with dfds.data.* tags on data resources.
Use this variable to ensure that they get applied on the relevant data resources. See here for recommended and opitonal tags: https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy.
Note: Required tags are supplied through dedicated variables. | `map(string)` | `{}` | no |
+| [optional\_tags](#input\_optional\_tags) | Sets the dfds.* tags on all resources | `map(string)` | `{}` | no |
| [options](#input\_options) | A list of Options to apply | `any` | `[]` | no |
| [parameter\_group\_description](#input\_parameter\_group\_description) | Description of the DB parameter group to create | `string` | `null` | no |
| [parameter\_group\_family](#input\_parameter\_group\_family) | The family of the DB parameter group | `string` | `null` | no |
@@ -167,15 +168,16 @@ Terraform module for AWS RDS instances
| [rds\_security\_group\_rules](#input\_rds\_security\_group\_rules) | n/a |
object({| n/a | yes |
| [replica\_mode](#input\_replica\_mode) | Specifies whether the replica is in either mounted or open-read-only mode. This attribute is only supported by Oracle instances. Oracle replicas operate in open-read-only mode unless otherwise specified | `string` | `null` | no |
| [replicate\_source\_db](#input\_replicate\_source\_db) | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate | `string` | `null` | no |
+| [resource\_owner\_contact\_email](#input\_resource\_owner\_contact\_email) | Sets the dfds.owner tag | `string` | n/a | yes |
| [restore\_to\_point\_in\_time](#input\_restore\_to\_point\_in\_time) | Restore to a point in time (MySQL is NOT supported) | `map(string)` | `null` | no |
| [s3\_import](#input\_s3\_import) | Restore from a Percona Xtrabackup in S3 (only MySQL is supported) | `map(string)` | `null` | no |
+| [service\_availability](#input\_service\_availability) | Sets the dfds.service.availability tag to the specified value. See recommendations here: https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy | `string` | n/a | yes |
| [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted | `bool` | `true` | no |
| [snapshot\_identifier](#input\_snapshot\_identifier) | Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05 | `string` | `null` | no |
| [storage\_encrypted](#input\_storage\_encrypted) | Specifies whether the DB instance is encrypted | `bool` | `true` | no |
| [storage\_throughput](#input\_storage\_throughput) | Storage throughput value for the DB instance. 
See `notes` for limitations regarding this variable for `gp3` | `number` | `null` | no |
| [storage\_type](#input\_storage\_type) | One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (new generation of general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp2' if not. If you specify 'io1' or 'gp3' , you must also include a value for the 'iops' parameter | `string` | `"gp3"` | no |
| [subnet\_ids](#input\_subnet\_ids) | A list of VPC subnet IDs | `list(string)` | n/a | yes |
-| [tags](#input\_tags) | A mapping of tags to assign to all resources | `map(string)` | `{}` | no |
| [timeouts](#input\_timeouts) | Updated Terraform resource management timeouts. Applies to `aws_db_instance` in particular to permit resource management times | `map(string)` | `{}` | no |
| [timezone](#input\_timezone) | Time zone of the DB instance. timezone is currently only supported by Microsoft SQL Server. The timezone can only be set on creation. See MSSQL User Guide for more information | `string` | `null` | no |
| [username](#input\_username) | Username for the master DB user | `string` | n/a | yes |
diff --git a/locals.tf b/locals.tf
index cd4b1fdf..af0964bc 100644
--- a/locals.tf
+++ b/locals.tf
@@ -20,7 +20,7 @@ locals {
value = 1 # this might need to be changed back and forth to ensure apply_method is applied. See here: https://github.com/hashicorp/terraform-provider-aws/pull/24737
apply_method = "immediate"
}
- ],
+ ],
var.instance_parameters,
local.prod_instance_parameters
)
@@ -98,7 +98,6 @@ locals {
}
}
- # engine_version = var.engine_version != null ? var.engine_version : floor(data.aws_rds_engine_version.default.version)
engine_version = data.aws_rds_engine_version.engine_info.version
is_major_engine_version = try(length(regexall("\\.[0-9]+$", var.engine_version)) > 0, true) # For example, 15 is a major version, but 15.5 is not
environment = var.environment == "prod" ? var.environment : "non-prod"
@@ -115,4 +114,19 @@ locals {
performance_insights_retention_period = var.performance_insights_retention_period != null ? var.performance_insights_retention_period : local.default_config.performance_insights_retention_period
delete_automated_backups = var.delete_automated_backups != null ? var.delete_automated_backups : local.default_config.delete_automated_backups
backup_retention_period = var.backup_retention_period != null ? var.backup_retention_period : 0
+
+ ########################################################################
+ # Tagging
+ ########################################################################
+ all_tags = merge({
+ "dfds.owner" : var.resource_owner_contact_email,
+ "dfds.env" : var.environment,
+ "dfds.cost.centre" : var.cost_centre,
+ "dfds.service.availability" : var.service_availability,
+ }, var.optional_tags)
+ data_backup_retention_tag = var.additional_backup_retention != "" ? { "dfds.data.backup.retention" : var.additional_backup_retention } : {}
+ data_tags = merge({
+ "dfds.data.backup" : var.enable_default_backup,
+ "dfds.data.classification" : var.data_classification,
+ }, var.optional_data_specific_tags, local.data_backup_retention_tag)
}
diff --git a/main.tf b/main.tf
index 97d185c7..4a49c2f1 100644
--- a/main.tf
+++ b/main.tf
@@ -36,7 +36,7 @@ module "db_parameter_group" {
description = var.parameter_group_description
family = local.parameter_group_family
parameters = local.instance_parameters
- tags = merge(var.tags, var.db_parameter_group_tags)
+ tags = local.all_tags
}

module "db_subnet_group" {
@@ -46,7 +46,7 @@ module "db_subnet_group" {
use_name_prefix = var.db_subnet_group_use_name_prefix
description = var.db_subnet_group_description
subnet_ids = var.subnet_ids
- tags = merge(var.tags, var.db_subnet_group_tags)
+ tags = local.all_tags
}

module "cw_log_group" {
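Review bot: `all_tags` merges `var.optional_tags` last, so a caller can overwrite the mandatory `dfds.owner`, `dfds.env`, `dfds.cost.centre` and `dfds.service.availability` entries with arbitrary values and sidestep the validation on `resource_owner_contact_email`; `data_tags` has the same exposure for `dfds.data.classification` through `optional_data_specific_tags`. Reverse the merge order so the required entries win, `all_tags = merge(var.optional_tags, { ... })` and `data_tags = merge(var.optional_data_specific_tags, { ... }, local.data_backup_retention_tag)`, or add a validation that rejects those reserved keys. `"dfds.data.backup" : var.enable_default_backup` also passes the variable's `null` default straight through, so the prod/non-prod default promised in its description is never applied; something like `coalesce(var.enable_default_backup, var.environment == "prod")` would implement it. Finally, the keys emitted here (`dfds.cost.centre`, `dfds.data.backup.retention`) differ from the ones named in the variable descriptions (`dfds.cost_centre`, `dfds.data.backup_retention`); whichever the tagging policy expects, the other side needs correcting, since automation keyed on the tag name would otherwise never match.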
@@ -57,6 +57,7 @@ module "cw_log_group" {
cw_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days
cw_log_group_kms_key_id = var.cloudwatch_log_group_kms_key_id
cw_log_group_skip_destroy_on_deletion = var.cloudwatch_log_group_skip_destroy_on_deletion
+ tags = local.all_tags
}

module "enhanced_monitoring_iam_role" {
@@ -66,22 +67,21 @@ module "enhanced_monitoring_iam_role" {
monitoring_role_use_name_prefix = var.enhanced_monitoring_role_use_name_prefix
monitoring_role_description = local.monitoring_role_description
monitoring_role_permissions_boundary = var.enhanced_monitoring_role_permissions_boundary
+ tags = local.all_tags
}

module "db_instance" {
- source = "./modules/rds_instance"
- count = var.create_db_instance ? 1 : 0
-
- identifier = var.identifier
- use_identifier_prefix = var.instance_use_identifier_prefix
- engine = local.engine
- engine_version = local.engine_version
- instance_class = local.instance_class
- allocated_storage = local.allocated_storage
- max_allocated_storage = local.max_allocated_storage
- storage_type = var.storage_type
- storage_encrypted = true
-
+ source = "./modules/rds_instance"
+ count = var.create_db_instance ? 1 : 0
+ identifier = var.identifier
+ use_identifier_prefix = var.instance_use_identifier_prefix
+ engine = local.engine
+ engine_version = local.engine_version
+ instance_class = local.instance_class
+ allocated_storage = local.allocated_storage
+ max_allocated_storage = local.max_allocated_storage
+ storage_type = var.storage_type
+ storage_encrypted = true
db_name = var.db_name
username = var.username
password = local.password
@@ -117,7 +117,8 @@ module "db_instance" {
enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
oidc_provider = var.oidc_provider
kubernetes_namespace = var.kubernetes_namespace
- tags = merge(var.tags, var.db_instance_tags)
+ tags = local.all_tags
+ rds_tags = local.data_tags
}

module "cluster_parameters" {
@@ -151,7 +152,7 @@ module "db_multi_az_cluster" {
vpc_security_group_ids = var.vpc_security_group_ids
skip_final_snapshot = var.skip_final_snapshot
enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
- tags = merge(var.tags, var.db_instance_tags)
+ tags = local.all_tags # might also need to add rds_tags
}
@@ -173,8 +174,8 @@ module "db_cluster_serverless" { # TODO: Revisit defaults
apply_immediately = var.apply_immediately
skip_final_snapshot = var.skip_final_snapshot
instance_class = "db.serverless"
- tags = var.tags
- serverlessv2_scaling_configuration = { # TODO: Turn values into default in the variable
+ tags = local.all_tags # might also need to add rds_tags
+ serverlessv2_scaling_configuration = { # TODO: Turn values into default in the variable
min_capacity = 2
max_capacity = 5
}
@@ -187,7 +188,7 @@ module "db_cluster_serverless" { # TODO: Revisit defaults
module "db_proxy" {
source = "./modules/rds_proxy"
count = var.include_proxy ? 1 : 0
- tags = var.tags
+ tags = local.all_tags
name = var.identifier
auth = local.proxy_auth_config
debug_logging = var.proxy_debug_logging
@@ -197,7 +198,7 @@ module "db_proxy" {
role_arn = try(module.db_instance[0].iam_role_for_aws_services.arn, module.db_cluster_serverless[0].iam_role_for_aws_services.arn, null) # TODO: Fix iam_role_for_aws_services for db_cluster_serverless by adding required IAM resources
vpc_security_group_ids = [module.security_group_proxy[0].security_group_id]
vpc_subnet_ids = var.subnet_ids
- proxy_tags = var.tags
+ proxy_tags = local.all_tags
connection_borrow_timeout = null
init_query = null
max_connections_percent = 100
@@ -212,7 +213,7 @@ module "db_proxy" {
cw_log_group_skip_destroy_on_deletion = var.cloudwatch_log_group_skip_destroy_on_deletion
log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days
log_group_kms_key_id = var.cloudwatch_log_group_kms_key_id
- log_group_tags = var.tags
+ log_group_tags = local.all_tags
}
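Review bot: `tags = local.all_tags # might also need to add rds_tags` on both `db_multi_az_cluster` and `db_cluster_serverless` leaves `local.data_tags` off the cluster resources, so `dfds.data.backup`, `dfds.data.classification` and the retention tag are only ever applied on the `db_instance` path. If, as the variable descriptions suggest, backup selection keys off `dfds.data.backup`, clusters built through this module would silently fall outside it and would carry no classification either. Apply the same set here, `tags = merge(local.all_tags, local.data_tags)`, and drop the "might also need" comment rather than leaving the question open in two places; if those cluster modules propagate `tags` to non-data resources too, a dedicated input like the instance module's `rds_tags` is the cleaner route. Both module blocks continue outside their hunks.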
@@ -223,7 +224,7 @@ module "security_group" { # TODO: update with another rule for public access
vpc_id = var.vpc_id
ingress_with_cidr_blocks = var.rds_security_group_rules.ingress_rules
ingress_with_self = var.rds_security_group_rules.ingress_with_self
- tags = var.tags
+ tags = local.all_tags
}

module "security_group_proxy" {
@@ -254,5 +255,5 @@ module "security_group_proxy" {
description = "Allow outbound traffic to PostgreSQL instance"
}
]
- tags = var.tags
+ tags = local.all_tags
}
diff --git a/modules/rds_instance/main.tf b/modules/rds_instance/main.tf
index 481dfeac..67342767 100644
--- a/modules/rds_instance/main.tf
+++ b/modules/rds_instance/main.tf
@@ -123,7 +123,7 @@ resource "aws_db_instance" "this" {
}
}
- tags = var.tags
+ tags = merge(var.tags, var.rds_tags)
timeouts {
create = lookup(var.timeouts, "create", null)
diff --git a/modules/rds_instance/variables.tf b/modules/rds_instance/variables.tf
index 6abb3d81..5f5d2e21 100644
--- a/modules/rds_instance/variables.tf
+++ b/modules/rds_instance/variables.tf
@@ -257,6 +257,12 @@ variable "backup_window" {
default = null
}

+variable "rds_tags" {
+ description = "A mapping of tags to assign to the DB instances only."
+ type = map(string)
+ default = {}
+}
+
variable "tags" {
description = "A mapping of tags to assign to all resources"
type = map(string)
diff --git a/modules/security_group/main.tf b/modules/security_group/main.tf
index 19cbdc15..e61bc423 100644
--- a/modules/security_group/main.tf
+++ b/modules/security_group/main.tf
@@ -35,12 +35,7 @@ resource "aws_security_group" "this_name_prefix" {
vpc_id = var.vpc_id
revoke_rules_on_delete = var.revoke_rules_on_delete
- tags = merge(
- {
- "Name" = format("%s", var.name)
- },
- var.tags,
- )
+ tags = var.tags
lifecycle {
create_before_destroy = true
diff --git a/tests/instance/main.tf b/tests/instance/main.tf
index 8ff601b5..ffed81ff 100644
--- a/tests/instance/main.tf
+++ b/tests/instance/main.tf
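Review bot: `tags = var.tags` in modules/security_group/main.tf drops the `Name` tag the module used to derive from `var.name`, so security groups created by this module will no longer show a name in the console or CLI output, which makes reviewing their rules and attributing them during an incident noticeably harder. Nothing in the new `local.all_tags` supplies a `Name`, so this is a regression rather than a move. If the intent is to keep the tag set to `dfds.*` keys only, say so in the commit; otherwise keep `tags = merge({ "Name" = var.name }, var.tags)`. The `aws_security_group.this_name_prefix` resource continues outside the hunk.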
@@ -13,8 +13,7 @@ locals {
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
- Example = local.name
- Repository = "https://github.com/dfds/aws-modules-rds"
+ "dfds.automation.tool" = "Terraform"
}
}
@@ -27,9 +26,8 @@ module "rds_instance_test" {
username = "instance_user"
ca_cert_identifier = "rds-ca-ecc384-g1"
apply_immediately = true
- tags = local.tags
publicly_accessible = true
- allocated_storage = 5
+ allocated_storage = 20
subnet_ids = concat(module.vpc.public_subnets)
enabled_cloudwatch_logs_exports = ["upgrade", "postgresql"]
cloudwatch_log_group_retention_in_days = 1
@@ -60,7 +58,13 @@ module "rds_instance_test" {
},
]
}
- environment = "dev"
+ environment = "dev"
+ service_availability = "low"
+ resource_owner_contact_email = "example@dfds.com"
+ cost_centre = "buarch-d"
+ data_classification = "public"
+ enable_default_backup = true
+ optional_tags = local.tags
}

################################################################################
diff --git a/tests/qa/main.tf b/tests/qa/main.tf
index 9647a729..11431fa9 100644
--- a/tests/qa/main.tf
+++ b/tests/qa/main.tf
@@ -9,7 +9,6 @@ locals {
tags = {
Name = local.name
Repository = "https://github.com/dfds/aws-modules-rds"
- "dfds.env" = "test"
"dfds.automation.tool" = "Terraform"
"dfds.automation.initiator.location" = "https://github.com/dfds/aws-modules-rds/"
"dfds.automation.initiator.pipeline" = "https://github.com/dfds/aws-modules-rds/actions/workflows/qa.yml"
@@ -30,7 +29,6 @@ module "rds_instance_test" {
iam_database_authentication_enabled = true
ca_cert_identifier = "rds-ca-ecc384-g1"
apply_immediately = true
- tags = local.tags
publicly_accessible = true
subnet_ids = ["subnet-04d5d42ac21fd8e8f", "subnet-0e50a82dec5fc0272", "subnet-0a49d384ff2e8a580"]
enabled_cloudwatch_logs_exports = ["upgrade", "postgresql"]
@@ -45,6 +43,12 @@ module "rds_instance_test" {
kubernetes_namespace = "cloudengineering-bluep-nvfgm"
vpc_id = "vpc-04a384af7d3657687"
deletion_protection = false
+ service_availability = "low"
+ resource_owner_contact_email = "example@dfds.com"
+ cost_centre = "ti-arch"
+ data_classification = "public"
+ enable_default_backup = false
+ optional_tags = local.tags
proxy_security_group_rules = {
ingress_rules = [
diff --git a/variables.tf b/variables.tf
index b8db40c7..aa9ae023 100644
--- a/variables.tf
+++ b/variables.tf
@@ -269,7 +269,7 @@ variable "apply_immediately" {
default = false
}

-variable "maintenance_window" {
+variable "maintenance_window" { # TODO: Need validation. Use regex?
description = "The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00'"
type = string
default = "Sat:18:00-Sat:20:00" # This is adjusted in accordance with AWS Backup schedule, see info here: https://wiki.dfds.cloud/en/playbooks/aws-backup/aws-backup-getting-started
@@ -283,13 +283,13 @@ variable "blue_green_update" {
default = {}
}

-variable "backup_retention_period" {
+variable "backup_retention_period" { # TODO: Delete
description = "The days to retain backups for"
type = number
default = null
}

-variable "backup_window" {
+variable "backup_window" { # TODO: Delete
description = "The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance_window"
type = string
default = null
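Review bot: `# TODO: Need validation. Use regex?` on `maintenance_window` leaves the check as a comment even though the description already pins the format (`ddd:hh24:mi-ddd:hh24:mi`), so a mistyped window is only rejected by the AWS API at apply time; the validation block below implements it in-line (AWS accepts the three-letter day abbreviations, and the provider is case-insensitive, hence `(?i)`). Before acting on the `# TODO: Delete` markers, note that locals.tf in this same patch still reads `var.backup_retention_period` and falls back to `0`, which in RDS disables automated backups, so the replacement path should be settled before the variable goes; a TODO with no issue reference tends to outlive its author's intent. All three variable blocks continue outside their hunks.
```hcl
variable "maintenance_window" {
  # … unchanged: description, type, default …
  validation {
    condition     = can(regex("^(?i)(mon|tue|wed|thu|fri|sat|sun):([01][0-9]|2[0-3]):[0-5][0-9]-(mon|tue|wed|thu|fri|sat|sun):([01][0-9]|2[0-3]):[0-5][0-9]$", var.maintenance_window))
    error_message = "Invalid value for var.maintenance_window. Must use the form ddd:hh24:mi-ddd:hh24:mi, e.g. Mon:00:00-Mon:03:00."
  }
```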
@@ -307,42 +307,12 @@ variable "s3_import" {
default = null
}

-variable "tags" {
- description = "A mapping of tags to assign to all resources"
- type = map(string)
- default = {}
-}
-
-variable "db_instance_tags" {
- description = "Additional tags for the DB instance"
- type = map(string)
- default = {}
-}
-
-variable "db_option_group_tags" {
- description = "Additional tags for the DB option group"
- type = map(string)
- default = {}
-}
-
-variable "db_parameter_group_tags" {
- description = "Additional tags for the DB parameter group"
- type = map(string)
- default = {}
-}
-
variable "create_db_subnet_group" {
description = "Whether to create a DB subnet group"
type = bool
default = true
}

-variable "db_subnet_group_tags" {
- description = "Additional tags for the DB subnet group"
- type = map(string)
- default = {}
-}
-
variable "db_subnet_group_name" {
description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC"
type = string
@@ -641,12 +611,6 @@ variable "cluster_source_region" {
default = null
}

-variable "cluster_tags" { # TODO: Do we need this?
- description = "A map of tags to add to only the cluster. Used for AWS Instance Scheduler tagging"
- type = map(string)
- default = {}
-}
-
variable "cluster_timeouts" {
description = "Create, update, and delete timeout configurations for the cluster"
type = map(string)
@@ -875,3 +839,72 @@ variable "kubernetes_namespace" {
type = string
default = null
}
+
+
+################################################################################
+# Resource tagging
+################################################################################
+
+variable "resource_owner_contact_email" {
+ description = "Sets the dfds.owner tag"
+ type = string
+ validation {
+ condition = var.resource_owner_contact_email != null && can(regex("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$", var.resource_owner_contact_email))
+ error_message = "Invalid value for var.resource_owner_contact_email. Must be a valid email address."
+ }
+}
+
+variable "cost_centre" {
+ description = "Sets the dfds.cost_centre tag. See recommendations here: https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy"
+ type = string
+}
+
+variable "enable_default_backup" {
+ description = "Sets the dfds.data.backup tag to true on non-prod resources. Tag is set to true for prod and false for non-prod. Default backup retention is 30 days Point-in-time. More info here https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy"
+ type = bool
+ default = null
+}
+
+variable "additional_backup_retention" {
+ description = "Sets the dfds.data.backup_retention tag to the specified value. See recommendations here: https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy. For additional info on how backup works see https://wiki.dfds.cloud/en/playbooks/aws-backup/aws-backup-getting-started"
+ type = string
+ default = ""
+ validation {
+ condition = contains(["", "30days", "60days", "180days", "1year", "10year"], var.additional_backup_retention)
+ error_message = "Invalid value for var.additional_backup_retention. Supported values: 30days, 60days, 180days, 1year, 10year."
+ }
+}
+
+variable "data_classification" {
+ description = "Sets the dfds.data.classification tag to the specified value. 
See recommendations here: https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy"
+ type = string
+ validation {
+ condition = contains(["public", "private", "confidential", "restricted"], var.data_classification)
+ error_message = "Invalid value for var.data_classification. Supported values: public, private, confidential, restricted."
+ }
+}
+
+variable "service_availability" {
+ description = "Sets the dfds.service.availability tag to the specified value. See recommendations here: https://wiki.dfds.cloud/en/playbooks/standards/tagging_policy"
+ type = string
+ validation {
+ condition = contains(["low", "medium", "high"], var.service_availability)
+ error_message = "Invalid value for var.service_availability. Supported values: low, medium, high."
+ }
+}
+
+variable "optional_data_specific_tags" {
+ description = <
ingress_rules = list(any)
ingress_with_self = optional(list(any), [])
})