diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d4a85b6..dbfd75a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -10,13 +10,15 @@ repos:
- id: end-of-file-fixer
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.75.0
+ rev: v1.86.0
hooks:
- id: terraform_fmt
- id: terraform_tflint
- id: terraform_validate
exclude: '^[^/]+$'
- id: terraform_checkov
+ args:
+ - --args=--quiet --skip-check CKV2_GHA_1,CKV_TF_1
- id: terraform_docs
args:
- '--args=--config=.terraform-docs.yml'
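Review bot: The new `--skip-check CKV2_GHA_1,CKV_TF_1` on the terraform_checkov hook suppresses both checks for every file in the repository, with no record of why. If I recall the IDs correctly, CKV_TF_1 is the "module sources must be pinned to a commit hash" check, i.e. a supply-chain control, and CKV2_GHA_1 flags `write-all` top-level permissions in GitHub workflows; neither is obviously inapplicable to this module. Prefer an inline `#checkov:skip=CKV_TF_1:<reason>` on the specific module blocks that legitimately use registry version constraints, or at minimum a YAML comment above the args line such as `# CKV_TF_1: registry modules are pinned by version constraint; CKV2_GHA_1: workflows set per-job permissions` so the suppression is reviewable. Stylistically, quote the value like the terraform_docs arg on the next hook: `- '--args=--quiet --skip-check CKV2_GHA_1,CKV_TF_1'`.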
diff --git a/README.md b/README.md
index 5e0f62d..1f90b5c 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,8 @@ Check out other [terraform modules](https://github.com/orgs/lablabs/repositories
| [aws_backup_selection.tag](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
| [aws_backup_vault.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
| [aws_backup_vault.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
+| [aws_backup_vault_lock_configuration.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource |
+| [aws_backup_vault_lock_configuration.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource |
| [aws_backup_vault_policy.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
| [aws_backup_vault_policy.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
| [aws_caller_identity.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -73,6 +75,8 @@ Check out other [terraform modules](https://github.com/orgs/lablabs/repositories
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
+| [vault\_lock\_configuration](#input\_vault\_lock\_configuration) | Vault lock configuration. If `changeable_for_days` is null, governance mode is set, otherwise, immutable compliance mode. |
object({| `{}` | no | +| [vault\_lock\_enabled](#input\_vault\_lock\_enabled) | Set to true to enable Vault Lock. Defaults to false. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties. | `bool` | `false` | no | ## Outputs diff --git a/aws_backup.tf b/aws_backup.tf index edb8761..02a2619 100644 --- a/aws_backup.tf +++ b/aws_backup.tf @@ -111,6 +111,14 @@ resource "aws_backup_selection" "tag" { } } +resource "aws_backup_vault_lock_configuration" "source" { + count = var.enabled && var.vault_lock_enabled ? 1 : 0 + backup_vault_name = module.source_label.id + changeable_for_days = var.vault_lock_configuration.changeable_for_days + max_retention_days = var.vault_lock_configuration.max_retention_days + min_retention_days = var.vault_lock_configuration.min_retention_days +} + # Target vault resource "aws_backup_vault" "target" { count = var.enabled && var.is_cross_account_backup_enabled ? 1 : 0 @@ -127,3 +135,11 @@ resource "aws_backup_vault_policy" "target" { backup_vault_name = aws_backup_vault.target[0].name policy = data.aws_iam_policy_document.target_vault[0].json } + +resource "aws_backup_vault_lock_configuration" "target" { + count = var.enabled && var.is_cross_account_backup_enabled && var.vault_lock_enabled ? 1 : 0 + backup_vault_name = module.target_label.id + changeable_for_days = var.vault_lock_configuration.changeable_for_days + max_retention_days = var.vault_lock_configuration.max_retention_days + min_retention_days = var.vault_lock_configuration.min_retention_days +} diff --git a/kms.tf b/kms.tf index dae37f1..4dc22f3 100644 --- a/kms.tf +++ b/kms.tf @@ -48,6 +48,7 @@ data "aws_iam_policy_document" "kms_source_policy" { actions = ["kms:*"] #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_356 resources = ["*"] principals { @@ -71,6 +72,7 @@ data "aws_iam_policy_document" "kms_source_policy" { ] #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_356 resources = ["*"] principals { 
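Review bot: The new `aws_backup_vault_lock_configuration.source` sets `backup_vault_name = module.source_label.id`, which carries no dependency on `aws_backup_vault.source`, so on a fresh apply Terraform may try to put the lock configuration before the vault exists; the existing policy resource in this same file uses `aws_backup_vault.target[0].name` for exactly this reason. Change the line to `backup_vault_name = aws_backup_vault.source[0].name` (and likewise `aws_backup_vault.target[0].name` in the target lock in the next hunk) so ordering follows the resource graph. Separately, a practitioner caveat worth a comment on the resource: once `changeable_for_days` is set the lock becomes compliance-mode and cannot be removed even by the account root, so `terraform destroy` or flipping `vault_lock_enabled` back to false will fail until retention expires; in governance mode the lock only holds if the vault policy (`data.aws_iam_policy_document.*_vault`, outside this hunk) denies `backup:DeleteBackupVaultLockConfiguration` to non-admin principals, which this change does not add.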
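Review bot: The added `#checkov:skip=CKV_AWS_356` lines (here and in the three sibling statements, two of which are in the following hunks) carry no justification, even though checkov accepts one after a colon and the existing CKV_AWS_109 skips already set the precedent of silent suppression. For a KMS key policy `resources = ["*"]` is the required form, since the statement can only ever refer to the key it is attached to, so the skip is legitimate but should say so: `#checkov:skip=CKV_AWS_356:key policy statements must use "*" (refers to the key itself)`. Recording the reason inline keeps the suppression auditable and stops it from being copied to policies where `*` is not acceptable. The enclosing `aws_iam_policy_document` data sources start and end outside the hunk.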
@@ -92,6 +94,7 @@ data "aws_iam_policy_document" "kms_target_policy" { actions = ["kms:*"] #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_356 resources = ["*"] principals { @@ -115,6 +118,7 @@ data "aws_iam_policy_document" "kms_target_policy" { ] #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_356 resources = ["*"] principals { diff --git a/variables.tf b/variables.tf index 25fbb56..ce6ed40 100644 --- a/variables.tf +++ b/variables.tf @@ -43,3 +43,19 @@ variable "backup_plans" { }), null) })) } + +variable "vault_lock_enabled" { + type = bool + description = "Set to true to enable Vault Lock. Defaults to false. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties." + default = false +} + +variable "vault_lock_configuration" { + type = object({ + changeable_for_days = optional(number, null) # If omitted, governance mode is set, otherwise, immutable compliance mode + max_retention_days = optional(number, null) + min_retention_days = optional(number, null) + }) + description = "Vault lock configuration. If `changeable_for_days` is null, governance mode is set, otherwise, immutable compliance mode." + default = {} +}
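Review bot: The new `vault_lock_configuration` variable accepts any numbers without validation, so a `min_retention_days` larger than `max_retention_days`, or a `changeable_for_days` below the minimum cooling-off period AWS documents for compliance mode (three days, if I recall correctly), only fails at apply time inside the AWS API call, after the vault itself has already been created. Adding `validation` blocks to the variable surfaces these at plan time; `try()` is used below so the comparisons do not error when an attribute is left null. The description's warning about immutability is good, but it should also note that the lock cannot be removed in compliance mode once the cooling-off period has elapsed, since the variable default `{}` silently selects governance mode and users may not realise that setting one more attribute changes that.

```hcl
variable "vault_lock_configuration" {
  # … unchanged: type / description / default …

  validation {
    condition     = try(var.vault_lock_configuration.min_retention_days <= var.vault_lock_configuration.max_retention_days, true)
    error_message = "min_retention_days must not exceed max_retention_days."
  }

  validation {
    condition     = try(var.vault_lock_configuration.changeable_for_days >= 3, true)
    error_message = "changeable_for_days must be null (governance mode) or at least 3 (compliance mode cooling-off period)."
  }
}
```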
changeable_for_days = optional(number, null) # If omitted, governance mode is set, otherwise, immutable compliance mode
max_retention_days = optional(number, null)
min_retention_days = optional(number, null)
})