feat(backup): Add vault lock configuration

.pre-commit-config.yaml

@@ -10,13 +10,15 @@ repos:
       - id: end-of-file-fixer
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.75.0
+    rev: v1.86.0
     hooks:
     - id: terraform_fmt
     - id: terraform_tflint
     - id: terraform_validate
       exclude: '^[^/]+$'
     - id: terraform_checkov
+      args:
+        - --args=--quiet --skip-check CKV2_GHA_1,CKV_TF_1
     - id: terraform_docs
       args:
         - '--args=--config=.terraform-docs.yml'

README.md

@@ -50,6 +50,8 @@ Check out other [terraform modules](https://github.com/orgs/lablabs/repositories
 | [aws_backup_selection.tag](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource |
 | [aws_backup_vault.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
 | [aws_backup_vault.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
+| [aws_backup_vault_lock_configuration.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource |
+| [aws_backup_vault_lock_configuration.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration) | resource |
 | [aws_backup_vault_policy.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
 | [aws_backup_vault_policy.target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
 | [aws_caller_identity.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -73,6 +75,8 @@ Check out other [terraform modules](https://github.com/orgs/lablabs/repositories
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
+| <a name="input_vault_lock_configuration"></a> [vault\_lock\_configuration](#input\_vault\_lock\_configuration) | Vault lock configuration. If `changeable_for_days` is null, governance mode is set, otherwise, immutable compliance mode. | <pre>object({<br>    changeable_for_days = optional(number, null) # If omitted, governance mode is set, otherwise, immutable compliance mode<br>    max_retention_days  = optional(number, null)<br>    min_retention_days  = optional(number, null)<br>  })</pre> | `{}` | no |
+| <a name="input_vault_lock_enabled"></a> [vault\_lock\_enabled](#input\_vault\_lock\_enabled) | Set to true to enable Vault Lock. Defaults to false. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties. | `bool` | `false` | no |
 
 ## Outputs
 

aws_backup.tf

@@ -111,6 +111,14 @@ resource "aws_backup_selection" "tag" {
   }
 }
 
+resource "aws_backup_vault_lock_configuration" "source" {
+  count               = var.enabled && var.vault_lock_enabled ? 1 : 0
+  backup_vault_name   = module.source_label.id
+  changeable_for_days = var.vault_lock_configuration.changeable_for_days
+  max_retention_days  = var.vault_lock_configuration.max_retention_days
+  min_retention_days  = var.vault_lock_configuration.min_retention_days
+}
+
 # Target vault
 resource "aws_backup_vault" "target" {
   count         = var.enabled && var.is_cross_account_backup_enabled ? 1 : 0
@@ -127,3 +135,11 @@ resource "aws_backup_vault_policy" "target" {
   backup_vault_name = aws_backup_vault.target[0].name
   policy            = data.aws_iam_policy_document.target_vault[0].json
 }
+
+resource "aws_backup_vault_lock_configuration" "target" {
+  count               = var.enabled && var.is_cross_account_backup_enabled && var.vault_lock_enabled ? 1 : 0
+  backup_vault_name   = module.target_label.id
+  changeable_for_days = var.vault_lock_configuration.changeable_for_days
+  max_retention_days  = var.vault_lock_configuration.max_retention_days
+  min_retention_days  = var.vault_lock_configuration.min_retention_days
+}

iam.tf

@@ -72,6 +72,7 @@ data "aws_iam_policy_document" "source_vault" {
     actions = ["backup:CopyIntoBackupVault"]
 
     #checkov:skip=CKV_AWS_109
+    #checkov:skip=CKV_AWS_111
     resources = ["*"]
 
     principals {
@@ -94,6 +95,7 @@ data "aws_iam_policy_document" "target_vault" {
     actions = ["backup:CopyIntoBackupVault"]
 
     #checkov:skip=CKV_AWS_109
+    #checkov:skip=CKV_AWS_111
     resources = ["*"]
 
     principals {

kms.tf

@@ -48,6 +48,7 @@ data "aws_iam_policy_document" "kms_source_policy" {
     actions = ["kms:*"]
 
     #checkov:skip=CKV_AWS_109
+    #checkov:skip=CKV_AWS_356
     resources = ["*"]
 
     principals {
@@ -71,6 +72,7 @@ data "aws_iam_policy_document" "kms_source_policy" {
     ]
 
     #checkov:skip=CKV_AWS_109
+    #checkov:skip=CKV_AWS_356
     resources = ["*"]
 
     principals {
@@ -92,6 +94,7 @@ data "aws_iam_policy_document" "kms_target_policy" {
     actions = ["kms:*"]
 
     #checkov:skip=CKV_AWS_109
+    #checkov:skip=CKV_AWS_356
     resources = ["*"]
 
     principals {
@@ -115,6 +118,7 @@ data "aws_iam_policy_document" "kms_target_policy" {
     ]
 
     #checkov:skip=CKV_AWS_109
+    #checkov:skip=CKV_AWS_356
     resources = ["*"]
 
     principals {

variables.tf

@@ -43,3 +43,19 @@ variable "backup_plans" {
     }), null)
   }))
 }
+
+variable "vault_lock_enabled" {
+  type        = bool
+  description = "Set to `true` to enable Vault Lock. Defaults to `false`. WARNING: If lock is enabled, backup plans and vaults may become immutable to all parties."
+  default     = false
+}
+
+variable "vault_lock_configuration" {
+  type = object({
+    changeable_for_days = optional(number, null) # If omitted, governance mode is set, otherwise, immutable compliance mode
+    max_retention_days  = optional(number, null)
+    min_retention_days  = optional(number, null)
+  })
+  description = "Vault lock configuration. If `changeable_for_days` is null, governance mode is set, otherwise, immutable compliance mode."
+  default     = {}
+}