# Aliased provider pinned to the source account's region. Nothing in this
# file references `aws.source` (the module call below passes no `providers`
# map), so it is presumably consumed by sibling files — confirm before
# removing or re-pointing it.
provider "aws" {
  alias  = "source"
  region = "eu-west-2"
}
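# ARN of the Terraform execution role in the source account. Only its account
# ID is consumed here (parsed by data.aws_arn below and handed to the
# destination module as source_account_id); the role itself is never assumed
# by this configuration.
variable "source_terraform_role_arn" {
  description = "ARN of the terraform role in the source account"
  type        = string

  # Reject values that are not an IAM role ARN up front so a typo or a
  # copy-pasted user/policy ARN fails at plan time with a clear message rather
  # than surfacing as a parse error inside data.aws_arn. The partition is left
  # open to cover aws-cn / aws-us-gov. Requires Terraform 0.13+ (validation
  # blocks).
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.source_terraform_role_arn))
    error_message = "source_terraform_role_arn must be an IAM role ARN (arn:<partition>:iam::<account-id>:role/<name>)."
  }
}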
# Parse the role ARN locally purely to pull out the source account ID; this
# data source performs no API call against the source account.
data "aws_arn" "source_terraform_role" {
  arn = var.source_terraform_role_arn
}
# Identity behind the credentials running this configuration. Its account_id
# is what the rest of the file treats as the destination (backup copy)
# account, so apply this from the destination account's credentials.
data "aws_caller_identity" "current" {}
locals {
  # Adjust these as required
  project_name = "my-shiny-project"

  # Source = the account whose backups are copied out; derived from the
  # supplied role ARN, so it is never typed by hand.
  source_account_id = data.aws_arn.source_terraform_role.account

  # Destination = the account this configuration is applied in.
  destination_account_id = data.aws_caller_identity.current.account_id
}
# We need a key for the backup vaults. This key will be used to encrypt the backups themselves.
# We need one per vault (on the assumption that each vault will be in a different account).
resource "aws_kms_key" "destination_backup_key" {
  description         = "KMS key for AWS Backup vaults"
  enable_key_rotation = true

  # 7 is the shortest pending-deletion window AWS permits.
  # NOTE(review): because this key protects the backup copies, a longer
  # window (up to 30) leaves more time to cancel an accidental or malicious
  # ScheduleKeyDeletion before the backups become unrecoverable — consider.
  deletion_window_in_days = 7

  # Key policy: the standard single statement delegating all key permissions
  # to the destination account's own IAM policies. No other principal is
  # named here. NOTE(review): if the source account's copy jobs need to use
  # this key, that access is presumably granted inside the destination module
  # (e.g. via a grant) — confirm, otherwise cross-account copies will fail.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${local.destination_account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      }
    ]
  })
}
# Human-readable alias for the vault key, namespaced by project so several
# projects can share one destination account without colliding.
resource "aws_kms_alias" "destination_backup" {
  name          = "alias/${local.project_name}-backup-destination"
  target_key_id = aws_kms_key.destination_backup_key.id
}
# Destination-side vault. The module is not visible from here; the inputs are
# documented as far as this file shows how they are derived.
module "destination" {
  source = "../../modules/aws-backup-destination"

  account_id        = local.destination_account_id
  source_account_id = local.source_account_id
  kms_key           = aws_kms_key.destination_backup_key.arn

  # please note that the assigned value would be the prefix in aws_backup_vault.vault.name
  source_account_name = "source"

  # Both safeguards are switched off here. NOTE(review): from the names these
  # look like the vault-level (deny-delete / lock) and IAM-level controls that
  # keep a compromised source account from purging its own copies — confirm in
  # the module before leaving them disabled outside a dev environment.
  enable_vault_protection = false
  enable_iam_protection   = false
}
###
# Destination vault ARN output
###
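output "destination_vault_arn" {
  description = "ARN of the backup vault in the destination account; the source account uses it as the copy target"

  # The ARN of the backup vault in the destination account is needed by
  # the source account to copy backups into it.
  value = module.destination.vault_arn
}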