modified th backup module

main.tf

@@ -311,7 +311,7 @@ module "postgresql" {
   # disable backups to create DB faster
   backup_retention_period = each.value.backup_retention_days
 
-  tags = merge(local.tags, { "Backup" = var.enable_nist_features == true ? "Enabled" : null })
+  tags = merge(local.tags, { "RDSBackup" = var.enable_nist_features == true ? "Enabled" : null })
 
   # DB subnet group - use public subnet if public access is requested
   publicly_accessible = length(local.postgres_public_access_cidrs) > 0 && var.enable_nist_features == false ? true : false
@@ -454,6 +454,9 @@ module "spoke_backup" {
   central_backup_vault_eu  = var.central_backup_vault_eu
   hub_environment          = var.hub_environment
   depends_on               = [module.resource_checker]
+  selection_tag = var.selection_tag
+  prefix = var.prefix
+
 
 
 }

modules/aws_backup/iam_role.tf

@@ -16,7 +16,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 resource "aws_iam_role" "backup_operator_role" {
-  name               = "sas-awsng-${var.location}-${var.hub_environment}-backup-operator-role"
+  name               = "${var.prefix}-${var.location}-${var.hub_environment}-backup-operator-role"
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
   tags               = var.tags
 }
@@ -27,7 +27,7 @@ resource "aws_iam_role_policy_attachment" "aws_managed_backup_operator" {
 }
 
 resource "aws_iam_role" "restore_operator_role" {
-  name               = "sas-awsng-${var.location}-${var.hub_environment}-backup-restore-operator-role"
+  name               = "${var.prefix}-${var.location}-${var.hub_environment}-backup-restore-operator-role"
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
   tags               = var.tags
 }
@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "ec2_pass" {
 }
 
 resource "aws_iam_policy" "ec2_pass_policy" {
-  name   = "sascloud-ec2-pass-policy-${var.hub_environment}-${var.location}"
+  name   = "${var.prefix}-ec2-pass-policy-${var.hub_environment}-${var.location}"
   policy = data.aws_iam_policy_document.ec2_pass.json
 }
 

modules/aws_backup/main.tf

@@ -1,7 +1,7 @@
 
 
 resource "aws_backup_vault" "spoke" {
-  name        = "sas-awsng-${var.spoke_account_id}-backup-vault"
+  name        = "ng-${var.spoke_account_id}-backup-vault"
   kms_key_arn = aws_kms_key.spoke_vault_key.arn
   tags = merge(
     var.tags,
@@ -92,7 +92,7 @@ data "aws_caller_identity" "current" {}
 
 resource "aws_backup_framework" "backup_compliance_framework" {
   depends_on = [ aws_backup_vault.spoke ]
-  name        = "sas_awsng_${var.spoke_account_id}_backup_framework"
+  name        = "ng_backup_framework"
   description = "This framework validates Recovery Points created by AWS Backup"
   control {
     name = "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK"
@@ -232,166 +232,11 @@ resource "aws_backup_framework" "backup_compliance_framework" {
   }
 
   tags = {
-    "Name"    = "sas-awsng-${var.spoke_account_id}-backup-framework"
+    "Name"    = "${var.prefix}-${var.spoke_account_id}-backup-framework"
     ManagedBy = "Terraform"
   }
 }
 
-# locals {
-#   location_vault_map = {
-#     "us-east-1"      = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}"
-#     "eu-central-1"   = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}"
-#     "ca-central-1"   = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}"
-#     "eu-west-1"      = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}"
-#     "ap-southeast-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}"
-#     "ap-northeast-1" = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}"
-#     "ap-south-1"     = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}"
-#     "eu-west-3"      = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}"
-#     "us-west-1"      = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}"
-#   }
-# }
-
-# resource "aws_backup_plan" "spoke" {
-#   name = "sas-awsng-${var.spoke_account_id}-backup-plan"
-
-#   dynamic "rule" {
-#     for_each = var.spoke_backup_rules
-#     content {
-#       rule_name                = rule.value.name
-#       target_vault_name        = aws_backup_vault.spoke.name
-#       schedule                 = rule.value.schedule
-#       start_window             = rule.value.start_window
-#       completion_window        = rule.value.completion_window
-#       recovery_point_tags      = rule.value.recovery_point_tags
-#       enable_continuous_backup = rule.value.enable_continuous_backup
-
-#       dynamic "lifecycle" {
-#         for_each = lookup(rule.value, "lifecycle", null) != null ? [true] : []
-#         content {
-#           cold_storage_after = rule.value.lifecycle.cold_storage_after
-#           delete_after       = rule.value.lifecycle.delete_after
-#         }
-#       }
-
-#       # Copy action for EFS
-#       dynamic "copy_action" {
-#         for_each = contains(["efs_backup_rule_daily", "efs_backup_rule_weekly"], rule.value.name) ? [true] : []
-
-#         content {
-#           destination_vault_arn = var.central_backup_vault_us  # Example for US
-
-#           dynamic "selection_tag" {
-#             for_each = [for t in rule.value.recovery_point_tags : t if t.key == "Backup" && t.value == "efs"]
-
-#             content {
-#               type  = "STRINGEQUALS"
-#               key   = "Backup"
-#               value = "efs"
-#             }
-#           }
-
-#           dynamic "lifecycle" {
-#             for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : []
-
-#             content {
-#               cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after
-#               delete_after       = rule.value.copy_action.lifecycle.delete_after
-#             }
-#           }
-#         }
-#       }
-
-#       # Copy action for RDS
-#       dynamic "copy_action" {
-#         for_each = contains(["rds_backup_rule_daily", "rds_backup_rule_weekly"], rule.value.name) ? [true] : []
-
-#         content {
-#           destination_vault_arn = lookup(local.location_vault_map, var.location, null)
-
-#           dynamic "selection_tag" {
-#             for_each = [for t in rule.value.recovery_point_tags : t if t.key == "Backup" && t.value == "rds"]
-
-#             content {
-#               type  = "STRINGEQUALS"
-#               key   = "Backup"
-#               value = "rds"
-#             }
-#           }
-
-#           dynamic "lifecycle" {
-#             for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : []
-
-#             content {
-#               cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after
-#               delete_after       = rule.value.copy_action.lifecycle.delete_after
-#             }
-#           }
-#         }
-#       }
-
-#       # Copy action for FSx
-#       dynamic "copy_action" {
-#         for_each = contains(["fsx_backup_rule_daily", "fsx_backup_rule_weekly"], rule.value.name) ? [true] : []
-
-#         content {
-#           destination_vault_arn = var.central_backup_vault_us  # Example for US or a different FSx target
-
-#           dynamic "selection_tag" {
-#             for_each = [for t in rule.value.recovery_point_tags : t if t.key == "Backup" && t.value == "fsx"]
-
-#             content {
-#               type  = "STRINGEQUALS"
-#               key   = "Backup"
-#               value = "fsx"
-#             }
-#           }
-
-#           dynamic "lifecycle" {
-#             for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : []
-
-#             content {
-#               cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after
-#               delete_after       = rule.value.copy_action.lifecycle.delete_after
-#             }
-#           }
-#         }
-#       }
-
-#     }
-#   }
-
-#   dynamic "advanced_backup_setting" {
-#     for_each = var.advanced_backup_setting != null ? [true] : []
-#     content {
-#       backup_options = var.advanced_backup_setting.backup_options
-#       resource_type  = var.advanced_backup_setting.resource_type
-#     }
-#   }
-
-#   tags = merge(
-#     var.tags,
-#     {
-#       Name        = "sas-awsng-${var.spoke_account_id}-backup-plan",
-#       PolicyOwner = "NextGen"
-#     }
-#   )
-# }
-
-# resource "aws_backup_selection" "spoke" {
-#   iam_role_arn = aws_iam_role.backup_operator_role.arn
-#   name         = "sas-awsng-${var.spoke_account_id}-backup-selection"
-#   plan_id      = aws_backup_plan.spoke.id
-
-#   dynamic "selection_tag" {
-#     for_each = ["efs", "rds", "fsx"]
-
-#     content {
-#       type  = "STRINGEQUALS"
-#       key   = "Backup"
-#       value = selection_tag.value
-#     }
-#   }
-#}
 
 locals {
   location_vault_map = {
@@ -406,12 +251,13 @@ locals {
     "us-west-1"      = "arn:aws:backup:${var.location}:${var.backup_account_id}:backup-vault:sascloud-awsng-central-backup-vault-${var.hub_environment}"
   }
 }
-
+ 
 resource "aws_backup_plan" "spoke" {
-  name = "sas-awsng-${var.spoke_account_id}-backup-plan"
-
+  for_each = var.spoke_backup_rules
+  name     = "sas-awsng-${var.spoke_account_id}-backup-plan-${each.key}"
+
   dynamic "rule" {
-    for_each = var.spoke_backup_rules
+    for_each = each.value["scope"]
     content {
       rule_name                = rule.value.name
       target_vault_name        = aws_backup_vault.spoke.name
@@ -420,108 +266,73 @@ resource "aws_backup_plan" "spoke" {
       completion_window        = rule.value.completion_window
       recovery_point_tags      = rule.value.recovery_point_tags
       enable_continuous_backup = rule.value.enable_continuous_backup
-
+ 
       dynamic "lifecycle" {
         for_each = lookup(rule.value, "lifecycle", null) != null ? [true] : []
         content {
           cold_storage_after = rule.value.lifecycle.cold_storage_after
           delete_after       = rule.value.lifecycle.delete_after
         }
       }
-
-      # Apply copy action for EFS to US vault
-      dynamic "copy_action" {
-          for_each = contains(["efs_backup_rule_daily", "efs_backup_rule_weekly"], rule.value.name) ? [true] : []
-
-        content {
-          destination_vault_arn = var.central_backup_vault_us
-
-          dynamic "lifecycle" {
-            for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : []
-
-            content {
-              cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after
-              delete_after       = rule.value.copy_action.lifecycle.delete_after
-            }
-          }
-        }
-      }
-
-      # Apply copy action for EFS to EU vault
-      dynamic "copy_action" {
-          for_each = contains(["efs_backup_rule_daily", "efs_backup_rule_weekly"], rule.value.name) ? [true] : []
-
-        content {
-          destination_vault_arn = var.central_backup_vault_eu
-
-          dynamic "lifecycle" {
-            for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : []
-
-            content {
-              cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after
-              delete_after       = rule.value.copy_action.lifecycle.delete_after
-            }
+
+      # Apply copy action for all except RDS to US vault
+      copy_action {
+        destination_vault_arn = strcontains(each.key, "spoke") ? var.central_backup_vault_us : lookup(local.location_vault_map, var.location, null)
+        dynamic "lifecycle" {
+          for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : []
+          content {
+            cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after
+            delete_after       = rule.value.copy_action.lifecycle.delete_after
           }
         }
       }
-
-      # Apply region-based copy action for RDS
-      dynamic "copy_action" {
-        for_each = contains(["rds_backup_rule_daily", "rds_backup_rule_weekly"], rule.value.name) ? [true] : []
-
-        content {
-          destination_vault_arn = lookup(local.location_vault_map, var.location, null) 
-
-          dynamic "lifecycle" {
-            for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : []
-
-            content {
-              cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after
-              delete_after       = rule.value.copy_action.lifecycle.delete_after
-            }
+
+      # Apply copy action for all except RDS to EU vault
+      copy_action {
+        destination_vault_arn = strcontains(each.key, "spoke") ? var.central_backup_vault_eu : lookup(local.location_vault_map, var.location, null)
+        dynamic "lifecycle" {
+          for_each = try(lookup(rule.value.copy_action, "lifecycle", null), null) != null ? [true] : []
+          content {
+            cold_storage_after = rule.value.copy_action.lifecycle.cold_storage_after
+            delete_after       = rule.value.copy_action.lifecycle.delete_after
           }
         }
       }
-
-      # # No copy action for FSx
-      # dynamic "copy_action" {
-      #   for_each = contains(rule.value.name, "fsx") ? [] : [true]
-      #   content {
-      #     destination_vault_arn = aws_backup_vault.spoke.arn
-      #   }
-      # }
     }
   }
-
+
+
   dynamic "advanced_backup_setting" {
     for_each = var.advanced_backup_setting != null ? [true] : []
     content {
       backup_options = var.advanced_backup_setting.backup_options
       resource_type  = var.advanced_backup_setting.resource_type
     }
   }
-
+ 
   tags = merge(
     var.tags,
     {
-      Name        = "sas-awsng-${var.spoke_account_id}-backup-plan",
+      Name        = "sas-awsng-${var.spoke_account_id}-backup-plan-${each.key}",
       PolicyOwner = "NextGen"
     }
   )
 }
-
-resource "aws_backup_selection" "spoke" {
+
+resource "aws_backup_selection" "sasng" {
+  for_each     = var.selection_tag
   iam_role_arn = aws_iam_role.backup_operator_role.arn
-  name         = "sas-awsng-${var.spoke_account_id}-backup-selection"
-  plan_id      = aws_backup_plan.spoke.id
-
-  selection_tag {
-    type  = "STRINGEQUALS"
-    key   = "Backup"
-    value = "Enabled"
+  name         = "sas-awsng-${var.spoke_account_id}-backup-selection-${each.key}"
+  plan_id      = strcontains(each.key, "spoke") ? aws_backup_plan.spoke["spoke"].id : aws_backup_plan.spoke["rds"].id
+
+  dynamic "selection_tag" {
+    for_each = strcontains(each.key, "spoke") || strcontains(each.key, "rds") ? each.value.name : []
+    content {
+      type  = selection_tag.value.type
+      key   = selection_tag.value.key
+      value = selection_tag.value.value
+    }
   }
 }
 
 
-
-