import * as iam from '@aws-cdk/aws-iam';
import { Lazy, Resource, Aspects } from '@aws-cdk/core';
import { Construct } from 'constructs';
import { CfnBackupSelection } from './backup.generated';
import { BackupableResourcesCollector } from './backupable-resources-collector';
import { IBackupPlan } from './plan';
import { BackupResource, TagOperation } from './resource';
/**
 * Options for a BackupSelection.
 *
 * A selection pairs a list of resources (or tag conditions) with the IAM role
 * that AWS Backup assumes when it backs them up.
 */
export interface BackupSelectionOptions {
  /**
   * The resources to back up.
   *
   * Use the helper static methods defined on `BackupResource`.
   */
  readonly resources: BackupResource[];

  /**
   * The name for this selection.
   *
   * @default - a CDK generated name
   */
  readonly backupSelectionName?: string;

  /**
   * The role that AWS Backup uses to authenticate when backing up or restoring
   * the resources. The `AWSBackupServiceRolePolicyForBackup` managed policy is
   * attached to this role, whether it is supplied here or created by the
   * construct, so a supplied role's effective permissions are widened.
   *
   * @default - a new role will be created
   */
  readonly role?: iam.IRole;

  /**
   * Whether to automatically give restore permissions to the role that AWS
   * Backup uses. If `true`, the `AWSBackupServiceRolePolicyForRestores` managed
   * policy is attached to the role in addition to the backup policy.
   *
   * @default false
   */
  readonly allowRestores?: boolean;
}
/**
 * Properties for a BackupSelection.
 *
 * Extends `BackupSelectionOptions` with the plan the selection belongs to.
 */
export interface BackupSelectionProps extends BackupSelectionOptions {
  /**
   * The backup plan for this selection.
   */
  readonly backupPlan: IBackupPlan;
}
/**
 * A backup selection.
 *
 * Binds a set of `BackupResource`s to a backup plan and provisions (or reuses)
 * the IAM role that AWS Backup assumes for the selection. The role is exposed
 * as `grantPrincipal` so callers can grant it further permissions.
 */
export class BackupSelection extends Resource implements iam.IGrantable {
  /**
   * The identifier of the backup plan.
   *
   * @attribute
   */
  public readonly backupPlanId: string;

  /**
   * The identifier of the backup selection.
   *
   * @attribute
   */
  public readonly selectionId: string;

  /**
   * The principal to grant permissions to
   */
  public readonly grantPrincipal: iam.IPrincipal;

  // Tag conditions collected from `BackupResource.tagCondition`; read lazily
  // when the template is produced.
  private listOfTags: CfnBackupSelection.ConditionResourceTypeProperty[] = [];

  // Resource identifiers collected from `BackupResource.resource`; also read lazily.
  private resources: string[] = [];

  // Aspect applied to constructs passed via `BackupResource.construct`. Its
  // `resources` list is only populated when aspects run, which is why it is
  // merged into the selection through a `Lazy.list` instead of being copied
  // in `addResource`.
  private readonly backupableResourcesCollector = new BackupableResourcesCollector();

  constructor(scope: Construct, id: string, props: BackupSelectionProps) {
    super(scope, id);

    const role = this.configureRole(props);
    this.grantPrincipal = role;

    const selection = new CfnBackupSelection(this, 'Resource', {
      backupPlanId: props.backupPlan.backupPlanId,
      backupSelection: {
        iamRoleArn: role.roleArn,
        // `||` is deliberate: an empty name falls back to the construct id as well.
        selectionName: props.backupSelectionName || this.node.id,
        // Both lists are deferred so that entries added below in this constructor
        // (and identifiers discovered by the aspect) are included.
        listOfTags: Lazy.any({ produce: () => this.listOfTags }, { omitEmptyArray: true }),
        resources: Lazy.list({ produce: () => this.collectResources() }, { omitEmpty: true }),
      },
    });

    this.backupPlanId = selection.attrBackupPlanId;
    this.selectionId = selection.attrSelectionId;

    for (const resource of props.resources) {
      this.addResource(resource);
    }
  }

  /**
   * Returns the role AWS Backup assumes for this selection, creating one
   * assumable by `backup.amazonaws.com` when `props.role` is not given.
   *
   * In both cases the role receives the AWS-managed
   * `AWSBackupServiceRolePolicyForBackup` policy, and additionally
   * `AWSBackupServiceRolePolicyForRestores` when `allowRestores` is set —
   * a caller-supplied role therefore gains these permissions too.
   */
  private configureRole(props: BackupSelectionProps): iam.IRole {
    const role = props.role || new iam.Role(this, 'Role', {
      assumedBy: new iam.ServicePrincipal('backup.amazonaws.com'),
    });

    role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSBackupServiceRolePolicyForBackup'));
    if (props.allowRestores) {
      role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSBackupServiceRolePolicyForRestores'));
    }

    return role;
  }

  /**
   * Explicitly added resource identifiers followed by the ones the aspect
   * collected; evaluated only when the `Lazy.list` in the constructor resolves.
   */
  private collectResources(): string[] {
    return this.resources.concat(this.backupableResourcesCollector.resources);
  }

  /**
   * Records one `BackupResource` in this selection.
   *
   * A tag condition becomes an entry in `listOfTags` (defaulting to
   * `TagOperation.STRING_EQUALS`), a plain identifier is appended to
   * `resources`, and a construct gets the collector aspect attached so its
   * backupable resources are discovered later.
   */
  private addResource(resource: BackupResource): void {
    const { tagCondition, construct } = resource;

    if (tagCondition) {
      this.listOfTags.push({
        conditionKey: tagCondition.key,
        conditionType: tagCondition.operation || TagOperation.STRING_EQUALS,
        conditionValue: tagCondition.value,
      });
    }

    if (resource.resource) {
      this.resources.push(resource.resource);
    }

    if (construct) {
      // The aspect's `resources` cannot be read here because aspects have not
      // run yet; `collectResources()` merges them at synthesis time.
      Aspects.of(construct).add(this.backupableResourcesCollector);
    }
  }
}