feat(backup): Add vault lock configuration
Balsir committed Dec 18, 2024
1 parent e317205 commit 81b9602
Showing 5 changed files with 43 additions and 1 deletion.
4 changes: 3 additions & 1 deletion .pre-commit-config.yaml
Expand Up @@ -10,13 +10,15 @@ repos:
- id: end-of-file-fixer

- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.75.0
rev: v1.86.0
hooks:
- id: terraform_fmt
- id: terraform_tflint
- id: terraform_validate
exclude: '^[^/]+$'
- id: terraform_checkov
args:
- --args=--quiet --skip-check CKV2_GHA_1,CKV_TF_1
- id: terraform_docs
args:
- '--args=--config=.terraform-docs.yml'
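Review bot: The new checkov hook disables two checks for every run (`- --args=--quiet --skip-check CKV2_GHA_1,CKV_TF_1`) without recording why, so the next maintainer cannot tell whether the skips are still needed; CKV_TF_1 is the check that module sources are pinned to a commit hash and CKV2_GHA_1 covers GitHub workflow top-level permissions, both of which are supply-chain controls worth a stated reason. Add a comment above the args line such as `# CKV_TF_1 (module sources pinned to a commit hash) and CKV2_GHA_1 (workflow top-level permissions) are skipped because: <reason>` with the actual justification filled in. The rev bump to v1.86.0 in the same hunk needs no comment.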
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -50,6 +50,8 @@ Check out other [terraform modules](https://github.com/orgs/lablabs/repositories
| [aws_backup_selection.tag](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
| [aws_backup_vault.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
| [aws_backup_vault.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
| [aws_backup_vault_lock_configuration.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource |
| [aws_backup_vault_lock_configuration.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource |
| [aws_backup_vault_policy.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
| [aws_backup_vault_policy.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
| [aws_caller_identity.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
Expand All @@ -73,6 +75,8 @@ Check out other [terraform modules](https://github.com/orgs/lablabs/repositories
| <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <a name="input_vault_lock_configuration"></a> [vault\_lock\_configuration](#input\_vault\_lock\_configuration) | Vault lock configuration. If `changeable_for_days` is null, governance mode is set, otherwise, immutable compliance mode. | <pre>object({<br> changeable_for_days = optional(number, null) # If omitted, governance mode is set, otherwise, immutable compliance mode<br> max_retention_days = optional(number, null)<br> min_retention_days = optional(number, null)<br> })</pre> | `{}` | no |
| <a name="input_vault_lock_enabled"></a> [vault\_lock\_enabled](#input\_vault\_lock\_enabled) | Set to true to enable Vault Lock. Defaults to false. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties. | `bool` | `false` | no |

## Outputs

16 changes: 16 additions & 0 deletions aws_backup.tf
Expand Up @@ -111,6 +111,14 @@ resource "aws_backup_selection" "tag" {
}
}

resource "aws_backup_vault_lock_configuration" "source" {
count = var.enabled && var.vault_lock_enabled ? 1 : 0
backup_vault_name = module.source_label.id
changeable_for_days = var.vault_lock_configuration.changeable_for_days
max_retention_days = var.vault_lock_configuration.max_retention_days
min_retention_days = var.vault_lock_configuration.min_retention_days
}

# Target vault
resource "aws_backup_vault" "target" {
count = var.enabled && var.is_cross_account_backup_enabled ? 1 : 0
Expand All @@ -127,3 +135,11 @@ resource "aws_backup_vault_policy" "target" {
backup_vault_name = aws_backup_vault.target[0].name
policy = data.aws_iam_policy_document.target_vault[0].json
}

resource "aws_backup_vault_lock_configuration" "target" {
count = var.enabled && var.is_cross_account_backup_enabled && var.vault_lock_enabled ? 1 : 0
backup_vault_name = module.target_label.id
changeable_for_days = var.vault_lock_configuration.changeable_for_days
max_retention_days = var.vault_lock_configuration.max_retention_days
min_retention_days = var.vault_lock_configuration.min_retention_days
}
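Review bot: Both new lock resources name the vault through the label module (`backup_vault_name = module.source_label.id` and `backup_vault_name = module.target_label.id`) instead of through the vault resource, so there is no dependency edge from the lock configuration to `aws_backup_vault.source`/`aws_backup_vault.target`, and on a fresh apply Terraform may try to create the lock before the vault exists. The existing `aws_backup_vault_policy.target` in the same section references `aws_backup_vault.target[0].name`; the lock resources should follow that pattern, i.e. `backup_vault_name = aws_backup_vault.source[0].name` and `backup_vault_name = aws_backup_vault.target[0].name` (assuming the vault resources carry the same name as the label id, which is not visible in this hunk). A short comment above each resource stating that a non-null `changeable_for_days` puts the vault into compliance mode, which cannot be removed once the cooling-off period ends, would also help readers of this file, since that warning currently lives only in the variable description.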
4 changes: 4 additions & 0 deletions kms.tf
Expand Up @@ -48,6 +48,7 @@ data "aws_iam_policy_document" "kms_source_policy" {
actions = ["kms:*"]

#checkov:skip=CKV_AWS_109
#checkov:skip=CKV_AWS_356
resources = ["*"]

principals {
Expand All @@ -71,6 +72,7 @@ data "aws_iam_policy_document" "kms_source_policy" {
]

#checkov:skip=CKV_AWS_109
#checkov:skip=CKV_AWS_356
resources = ["*"]

principals {
Expand All @@ -92,6 +94,7 @@ data "aws_iam_policy_document" "kms_target_policy" {
actions = ["kms:*"]

#checkov:skip=CKV_AWS_109
#checkov:skip=CKV_AWS_356
resources = ["*"]

principals {
Expand All @@ -115,6 +118,7 @@ data "aws_iam_policy_document" "kms_target_policy" {
]

#checkov:skip=CKV_AWS_109
#checkov:skip=CKV_AWS_356
resources = ["*"]

principals {
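Review bot: The added `#checkov:skip=CKV_AWS_356` suppressions (four statements, here and in the three later hunks of this file) carry no justification, so a reader auditing the `kms:*` on `resources = ["*"]` statements has to work out for themselves why the wildcard-resource finding is acceptable. Checkov's skip syntax accepts a reason after the check id; if the intent is that a KMS key policy's `"*"` resource refers only to the key the policy is attached to, write that down, e.g. `#checkov:skip=CKV_AWS_356:Key policy; resource "*" is the key this policy is attached to`, and the same for the existing `CKV_AWS_109` skips. The enclosing `data "aws_iam_policy_document"` blocks start outside the hunks.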
16 changes: 16 additions & 0 deletions variables.tf
Expand Up @@ -43,3 +43,19 @@ variable "backup_plans" {
}), null)
}))
}

variable "vault_lock_enabled" {
type = bool
description = "Set to true to enable Vault Lock. Defaults to false. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties."
default = false
}

variable "vault_lock_configuration" {
type = object({
changeable_for_days = optional(number, null) # If omitted, governance mode is set, otherwise, immutable compliance mode
max_retention_days = optional(number, null)
min_retention_days = optional(number, null)
})
description = "Vault lock configuration. If `changeable_for_days` is null, governance mode is set, otherwise, immutable compliance mode."
default = {}
}
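Review bot: `vault_lock_configuration` accepts any numbers without validation, so a caller can pass `min_retention_days` greater than `max_retention_days` or a `changeable_for_days` below the minimum AWS accepts (3 days), and the mistake only surfaces at apply time; given that a non-null `changeable_for_days` makes the lock immutable after the cooling-off period, catching bad values at plan time is worth the few lines. Add `validation` blocks to the variable (the file already uses `optional()`, so the Terraform version supports them); the conditional form below is used deliberately so that null values are never compared numerically. The redundant "Defaults to false." in the `vault_lock_enabled` description can be dropped, since the default is already shown by tooling.
```hcl
variable "vault_lock_configuration" {
  # … unchanged: type, description, default …

  validation {
    condition     = var.vault_lock_configuration.changeable_for_days == null ? true : var.vault_lock_configuration.changeable_for_days >= 3
    error_message = "changeable_for_days must be null (governance mode) or at least 3 (AWS minimum cooling-off period for compliance mode)."
  }

  validation {
    condition     = var.vault_lock_configuration.min_retention_days == null || var.vault_lock_configuration.max_retention_days == null ? true : var.vault_lock_configuration.min_retention_days <= var.vault_lock_configuration.max_retention_days
    error_message = "min_retention_days must not exceed max_retention_days."
  }
}
```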
