From 81b9602e41de03ca8e60732b9ce7576525d0abac Mon Sep 17 00:00:00 2001 From: Balsir Date: Wed, 18 Dec 2024 20:16:42 +0100 Subject: [PATCH 1/3] feat(backup): Add vault lock configuration --- .pre-commit-config.yaml | 4 +++- README.md | 4 ++++ aws_backup.tf | 16 ++++++++++++++++ kms.tf | 4 ++++ variables.tf | 16 ++++++++++++++++ 5 files changed, 43 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d4a85b6..dbfd75a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,13 +10,15 @@ repos: - id: end-of-file-fixer - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.75.0 + rev: v1.86.0 hooks: - id: terraform_fmt - id: terraform_tflint - id: terraform_validate exclude: '^[^/]+$' - id: terraform_checkov + args: + - --args=--quiet --skip-check CKV2_GHA_1,CKV_TF_1 - id: terraform_docs args: - '--args=--config=.terraform-docs.yml' diff --git a/README.md b/README.md index 5e0f62d..1f90b5c 100644 --- a/README.md +++ b/README.md 
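Review bot: The new `--skip-check CKV2_GHA_1,CKV_TF_1` argument on the `terraform_checkov` hook disables those checks for the entire repository instead of for the one finding that presumably triggered them, and nothing in the hunk records why. CKV_TF_1 is, as far as I recall, checkov's "module source pinned to a commit hash" check, which is a supply-chain control worth keeping active; if a specific `source` reference is the trigger, an inline `#checkov:skip=CKV_TF_1:<reason>` on that block (or pinning the source) keeps the check running elsewhere. At minimum document the rationale next to the flag, e.g. `- --args=--quiet --skip-check CKV2_GHA_1,CKV_TF_1  # CKV2_GHA_1: no GitHub workflows in this repo; CKV_TF_1: <reason>`. Note that `--quiet` also hides passed checks, so the hook output no longer shows what was actually evaluated.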
@@ -50,6 +50,8 @@ Check out other [terraform modules](https://github.com/orgs/lablabs/repositories | [aws_backup_selection.tag](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource | | [aws_backup_vault.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | | [aws_backup_vault.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | +| [aws_backup_vault_lock_configuration.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource | +| [aws_backup_vault_lock_configuration.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource | | [aws_backup_vault_policy.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource | | [aws_backup_vault_policy.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource | | [aws_caller_identity.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | @@ -73,6 +75,8 @@ Check out other [terraform modules](https://github.com/orgs/lablabs/repositories | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [vault\_lock\_configuration](#input\_vault\_lock\_configuration) | Vault lock configuration. If `changeable_for_days` is null, governance mode is set, otherwise, immutable compliance mode. |
object({
changeable_for_days = optional(number, null) # If omitted, governance mode is set, otherwise, immutable compliance mode
max_retention_days = optional(number, null)
min_retention_days = optional(number, null)
})
| `{}` | no | +| [vault\_lock\_enabled](#input\_vault\_lock\_enabled) | Set to true to enable Vault Lock. Defaults to false. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties. | `bool` | `false` | no | ## Outputs diff --git a/aws_backup.tf b/aws_backup.tf index edb8761..02a2619 100644 --- a/aws_backup.tf +++ b/aws_backup.tf @@ -111,6 +111,14 @@ resource "aws_backup_selection" "tag" { } } +resource "aws_backup_vault_lock_configuration" "source" { + count = var.enabled && var.vault_lock_enabled ? 1 : 0 + backup_vault_name = module.source_label.id + changeable_for_days = var.vault_lock_configuration.changeable_for_days + max_retention_days = var.vault_lock_configuration.max_retention_days + min_retention_days = var.vault_lock_configuration.min_retention_days +} + # Target vault resource "aws_backup_vault" "target" { count = var.enabled && var.is_cross_account_backup_enabled ? 1 : 0 @@ -127,3 +135,11 @@ resource "aws_backup_vault_policy" "target" { backup_vault_name = aws_backup_vault.target[0].name policy = data.aws_iam_policy_document.target_vault[0].json } + +resource "aws_backup_vault_lock_configuration" "target" { + count = var.enabled && var.is_cross_account_backup_enabled && var.vault_lock_enabled ? 1 : 0 + backup_vault_name = module.target_label.id + changeable_for_days = var.vault_lock_configuration.changeable_for_days + max_retention_days = var.vault_lock_configuration.max_retention_days + min_retention_days = var.vault_lock_configuration.min_retention_days +} diff --git a/kms.tf b/kms.tf index dae37f1..4dc22f3 100644 --- a/kms.tf +++ b/kms.tf @@ -48,6 +48,7 @@ data "aws_iam_policy_document" "kms_source_policy" { actions = ["kms:*"] #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_356 resources = ["*"] principals { @@ -71,6 +72,7 @@ data "aws_iam_policy_document" "kms_source_policy" { ] #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_356 resources = ["*"] principals { 
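Review bot: `aws_backup_vault_lock_configuration.source` sets `backup_vault_name = module.source_label.id`, a label string, rather than referencing the vault resource, so Terraform sees no dependency between the lock and `aws_backup_vault.source` and may try to create the lock before the vault exists on a fresh apply. Using the vault's own attribute, `backup_vault_name = aws_backup_vault.source[0].name` (or however the source vault is indexed outside this hunk), fixes the ordering and also fails fast if the label and the real vault name ever diverge. Worth a comment on the resource as well: once `changeable_for_days` elapses in compliance mode the lock cannot be deleted by any principal, so flipping `vault_lock_enabled` back to `false` will make Terraform attempt a destroy that AWS rejects; something like `# Compliance-mode locks become permanent after changeable_for_days; disabling vault_lock_enabled afterwards will fail at apply time.`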
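Review bot: The target lock uses `backup_vault_name = module.target_label.id` while `aws_backup_vault_policy.target` a few lines above uses `aws_backup_vault.target[0].name`; besides the inconsistency this drops the implicit dependency on the target vault, so prefer `backup_vault_name = aws_backup_vault.target[0].name` here too. Both vaults also share the single `var.vault_lock_configuration` object, which means the cross-account copy destination cannot be locked in compliance mode while the source stays in governance mode (a common split, since the target is the one meant to survive a compromise of the source account); if that is intentional, say so in the variable description, otherwise consider a separate object per vault.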
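Review bot: `#checkov:skip=CKV_AWS_356` is added to both statements of `kms_source_policy` without the reason that checkov's skip syntax allows after a colon, so the next reader cannot tell whether `resources = ["*"]` was reviewed or just silenced. For a KMS key policy the wildcard is the documented form, because the policy is attached to the key it governs, which is exactly the kind of justification that belongs in the comment: `#checkov:skip=CKV_AWS_356:KMS key policy - resource must be "*" for the key it is attached to`. The statement grants `kms:*`, and the `principals {` block it is scoped by is outside the hunk, so the actual blast radius cannot be judged from here; the same applies to the two matching hunks in `kms_target_policy`.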
@@ -92,6 +94,7 @@ data "aws_iam_policy_document" "kms_target_policy" { actions = ["kms:*"] #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_356 resources = ["*"] principals { @@ -115,6 +118,7 @@ data "aws_iam_policy_document" "kms_target_policy" { ] #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_356 resources = ["*"] principals { diff --git a/variables.tf b/variables.tf index 25fbb56..ce6ed40 100644 --- a/variables.tf +++ b/variables.tf @@ -43,3 +43,19 @@ variable "backup_plans" { }), null) })) } + +variable "vault_lock_enabled" { + type = bool + description = "Set to true to enable Vault Lock. Defaults to false. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties." + default = false +} + +variable "vault_lock_configuration" { + type = object({ + changeable_for_days = optional(number, null) # If omitted, governance mode is set, otherwise, immutable compliance mode + max_retention_days = optional(number, null) + min_retention_days = optional(number, null) + }) + description = "Vault lock configuration. If `changeable_for_days` is null, governance mode is set, otherwise, immutable compliance mode." + default = {} +} From 049de6076034b80957e3dacae5d6e9f0c03f6cdd Mon Sep 17 00:00:00 2001 From: Balsir Date: Wed, 18 Dec 2024 20:28:29 +0100 Subject: [PATCH 2/3] feat(backup): Add vault lock configuration --- iam.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/iam.tf b/iam.tf index 577841d..d95c48e 100644 --- a/iam.tf +++ b/iam.tf @@ -72,6 +72,7 @@ data "aws_iam_policy_document" "source_vault" { actions = ["backup:CopyIntoBackupVault"] #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_111 resources = ["*"] principals { @@ -94,6 +95,7 @@ data "aws_iam_policy_document" "target_vault" { actions = ["backup:CopyIntoBackupVault"] #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_111 resources = ["*"] principals { From 67fdf54544cd9596de5f7dfd90b802607aa2a71e Mon Sep 17 00:00:00 2001 
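Review bot: `vault_lock_configuration` accepts any combination of numbers, so a `min_retention_days` above `max_retention_days`, or a `changeable_for_days` below the AWS minimum (the API documents 3 days, as far as I can tell), is only rejected at apply time by the AWS API, after the plan looked clean. Two `validation` blocks on the variable surface this at plan time; the rewritten variable is below. The `vault_lock_enabled` WARNING could also be more precise about the two modes the description already distinguishes: governance-mode locks can be removed by a principal with `backup:DeleteBackupVaultLockConfiguration`, compliance-mode locks cannot be removed by anyone, including the account root, once the cooling-off period has passed.
```hcl
variable "vault_lock_configuration" {
  # … unchanged: type, description, default …

  validation {
    condition = (
      var.vault_lock_configuration.min_retention_days == null ||
      var.vault_lock_configuration.max_retention_days == null ||
      var.vault_lock_configuration.min_retention_days <= var.vault_lock_configuration.max_retention_days
    )
    error_message = "vault_lock_configuration.min_retention_days must not exceed max_retention_days."
  }

  validation {
    condition     = var.vault_lock_configuration.changeable_for_days == null || var.vault_lock_configuration.changeable_for_days >= 3
    error_message = "vault_lock_configuration.changeable_for_days must be null (governance mode) or at least 3 (AWS minimum for compliance mode)."
  }
}
```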
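Review bot: `#checkov:skip=CKV_AWS_111` is added to the `backup:CopyIntoBackupVault` statement in `source_vault` (and likewise in `target_vault`) with no reason, and this is a write permission on a backup vault, which is precisely the policy an attacker who wants to poison or fill a vault cares about. The wildcard is conventional for vault access policies, but the comment should say so and point at the real control, e.g. `#checkov:skip=CKV_AWS_111:vault access policy - resource is the vault itself; access is restricted by the principals block below`. The `principals {` block that actually bounds this grant starts at the end of the hunk and continues outside it, so the effective scope cannot be confirmed from this diff; if the provider accepts it, scoping `resources` to the vault ARN instead of `"*"` would remove the need for the skip altogether.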
From: =?UTF-8?q?Jakub=20Stehl=C3=ADk?= Date: Thu, 19 Dec 2024 11:24:03 +0100 Subject: [PATCH 3/3] Update variables.tf MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Martin Odstrčilík --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index ce6ed40..343f5ea 100644 --- a/variables.tf +++ b/variables.tf @@ -46,7 +46,7 @@ variable "backup_plans" { variable "vault_lock_enabled" { type = bool - description = "Set to true to enable Vault Lock. Defaults to false. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties." + description = "Set to `true` to enable Vault Lock. Defaults to `false`. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties." default = false }