Merge pull request #9 from geekcell/rewrite-module-parts

feat: version 2 release

.editorconfig

@@ -8,7 +8,7 @@ end_of_line = lf
 indent_size = 2
 indent_style = space
 insert_final_newline = true
-max_line_length = 80
+max_line_length = 120
 trim_trailing_whitespace = true
 
 [*.md]

.github/workflows/test.yaml

@@ -0,0 +1,57 @@
+---
+###############
+## Run tests ##
+###############
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Test
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+##########################
+# Prevent duplicate jobs #
+##########################
+concurrency:
+  group: ${{ github.repository }}
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+###############
+# Run the job #
+###############
+jobs:
+  terraform-test:
+    name: Terraform Test
+    runs-on: ubuntu-latest
+    steps:
+      ############################
+      # Checkout the source code #
+      ############################
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      #############################
+      # Configure AWS credentials #
+      #############################
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::${{ vars.AWS_TESTING_ACCOUNT_ID }}:role/${{ vars.AWS_TESTING_ROLE }}
+          aws-region: ${{ vars.AWS_TESTING_REGION }}
+          mask-aws-account-id: false
+
+      #############
+      # Run tests #
+      #############
+      - name: Run Tests
+        timeout-minutes: 30
+        run: terraform init && terraform test

.pre-commit-config.yaml

@@ -4,6 +4,8 @@ repos:
     hooks:
       - id: terraform_docs
       - id: terraform_fmt
+        args:
+          - --args=-recursive
       - id: terraform_validate
         args:
           - --hook-config=--retry-once-with-cleanup=true

.terraform-docs.yml

@@ -26,14 +26,19 @@ content: |-
   # Examples
     ### Basic Example
     ```hcl
-    {{ include "examples/basic-example/main.tf" }}
+    {{ include "examples/minimal/main.tf" }}
     ```
 
     ### With Rules
     ```hcl
-    {{ include "examples/with-rules/main.tf" }}
+    {{ include "examples/with-predefined-rules/main.tf" }}
     ```
 
+  # Predefined Rules
+  ```hcl
+  {{ include "rules.tf" }}
+  ```
+
 output:
   file: "README.md"
   mode: inject

README.md

@@ -7,6 +7,7 @@
 [![Release](https://github.com/geekcell/terraform-aws-backup/actions/workflows/release.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-backup/actions/workflows/release.yaml)
 [![Validate](https://github.com/geekcell/terraform-aws-backup/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-backup/actions/workflows/validate.yaml)
 [![Lint](https://github.com/geekcell/terraform-aws-backup/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-backup/actions/workflows/linter.yaml)
+[![Test](https://github.com/geekcell/terraform-aws-backup/actions/workflows/test.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-backup/actions/workflows/test.yaml)
 
 ### Security
 [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-backup/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-backup&benchmark=INFRASTRUCTURE+SECURITY)
@@ -37,7 +38,7 @@
 
 This Terraform module provides a preconfigured solution for setting up
 AWS Backup in your AWS account. With this module, you can easily and
-efficiently create and manage backup policies for your AWS resources. Our
+efficiently create and manage backups for your AWS resources. Our
 team has extensive experience working with AWS Backup and has optimized
 this module to provide the best possible experience for users.
 
@@ -53,19 +54,30 @@ great choice.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_backup_name"></a> [backup\_name](#input\_backup\_name) | The display name of a backup plan. | `string` | n/a | yes |
-| <a name="input_changeable_for_days"></a> [changeable\_for\_days](#input\_changeable\_for\_days) | The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode. | `number` | `null` | no |
+| <a name="input_changeable_for_days"></a> [changeable\_for\_days](#input\_changeable\_for\_days) | The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create<br>  a vault lock in compliance mode. When you apply this setting:<br><br>  The vault will become immutable in 3 days after applying. You have 3 days of grace time to manage or delete the vault<br>  lock before it becomes immutable. During this time, only those users with specific IAM permissions can make changes.<br><br>  Once the vault is locked in compliance mode, it cannot be managed or deleted by anyone, even the root user or AWS.<br>  The only way to deactivate the lock is to terminate the account, which will delete all the backups.<br><br>  Since you cannot delete the Vault, it will be charged for backups until that date. Be careful! | `number` | `null` | no |
+| <a name="input_custom_rules"></a> [custom\_rules](#input\_custom\_rules) | Backup rules to add to the AWS Backup Vault. See examples for usage. | <pre>list(object({<br>    name     = string<br>    schedule = optional(string)<br><br>    start_window      = optional(number)<br>    completion_window = optional(number)<br><br>    enable_continuous_backup = optional(bool)<br>    recovery_point_tags      = optional(map(string), {})<br><br>    lifecycle = optional(object({<br>      cold_storage_after = optional(number)<br>      delete_after       = optional(number)<br>    }))<br><br>    copy_action = optional(object({<br>      destination_vault_arn = optional(string)<br>      lifecycle = optional(object({<br>        cold_storage_after = optional(number)<br>        delete_after       = optional(number)<br>      }))<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_enable_customer_managed_kms"></a> [enable\_customer\_managed\_kms](#input\_enable\_customer\_managed\_kms) | Whether to enable customer managed KMS encryption for the backup vault. | `bool` | `false` | no |
+| <a name="input_enable_vault_lock"></a> [enable\_vault\_lock](#input\_enable\_vault\_lock) | Whether to enable Vault Lock for the backup vault. | `bool` | `false` | no |
+| <a name="input_enable_windows_vss_backup"></a> [enable\_windows\_vss\_backup](#input\_enable\_windows\_vss\_backup) | Whether to enable Windows VSS backup for the backup plan. | `bool` | `false` | no |
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | The ARN of the KMS Key to use to encrypt your backups. If left empty, the default AWS KMS will be used. | `string` | `null` | no |
 | <a name="input_max_retention_days"></a> [max\_retention\_days](#input\_max\_retention\_days) | The maximum retention period that the vault retains its recovery points. | `number` | `365` | no |
 | <a name="input_min_retention_days"></a> [min\_retention\_days](#input\_min\_retention\_days) | The minimum retention period that the vault retains its recovery points. | `number` | `7` | no |
-| <a name="input_resources"></a> [resources](#input\_resources) | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan. | `list(string)` | n/a | yes |
-| <a name="input_rules"></a> [rules](#input\_rules) | Backup rules to add to the AWS Backup Vault. See examples for usage. | <pre>list(object({<br>    name                     = string<br>    schedule                 = string<br>    start_window             = number<br>    completion_window        = number<br>    enable_continuous_backup = bool<br>    lifecycle                = map(string)<br>  }))</pre> | <pre>[<br>  {<br>    "completion_window": 240,<br>    "enable_continuous_backup": false,<br>    "lifecycle": {<br>      "cold_storage_after": 1,<br>      "delete_after": 365<br>    },<br>    "name": "weekly-snapshot",<br>    "schedule": "cron(0 3 ? * 2,3,4,5,6,7,1 *)",<br>    "start_window": 60<br>  },<br>  {<br>    "completion_window": 240,<br>    "enable_continuous_backup": false,<br>    "lifecycle": {<br>      "cold_storage_after": 1,<br>      "delete_after": 365<br>    },<br>    "name": "monthly-snapshot",<br>    "schedule": "cron(0 3 1 * ? *)",<br>    "start_window": 60<br>  },<br>  {<br>    "completion_window": 240,<br>    "enable_continuous_backup": false,<br>    "lifecycle": {<br>      "cold_storage_after": 1,<br>      "delete_after": 730<br>    },<br>    "name": "quarterly-snapshot",<br>    "schedule": "cron(0 3 1 1,4,7,10 ? *)",<br>    "start_window": 60<br>  },<br>  {<br>    "completion_window": 240,<br>    "enable_continuous_backup": false,<br>    "lifecycle": {<br>      "cold_storage_after": 1,<br>      "delete_after": 3650<br>    },<br>    "name": "yearly-snapshot",<br>    "schedule": "cron(0 3 1 1 ? *)",<br>    "start_window": 60<br>  },<br>  {<br>    "completion_window": 240,<br>    "enable_continuous_backup": true,<br>    "lifecycle": {<br>      "cold_storage_after": null,<br>      "delete_after": 35<br>    },<br>    "name": "daily-snapshot",<br>    "schedule": "cron(0 3 ? * * *)",<br>    "start_window": 60<br>  }<br>]</pre> | no |
-| <a name="input_service"></a> [service](#input\_service) | The service that the resource belongs to. | `string` | n/a | yes |
+| <a name="input_plan_name"></a> [plan\_name](#input\_plan\_name) | The display name of the backup plan. | `string` | n/a | yes |
+| <a name="input_predefined_rules"></a> [predefined\_rules](#input\_predefined\_rules) | A list of predefined backup rules to add to the AWS Backup Plan. See examples for usage. | `list(string)` | `[]` | no |
+| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The ARN of the IAM role that AWS Backup uses to authenticate when restoring or backing up the target resources. If left empty, a default role will be created. | `string` | `null` | no |
+| <a name="input_selections"></a> [selections](#input\_selections) | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan. | <pre>list(object({<br>    name     = string<br>    role_arn = optional(string)<br><br>    arns = optional(list(string))<br>    tag = optional(object({<br>      type  = string<br>      key   = string<br>      value = string<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to add to the AWS Backup. | `map(any)` | `{}` | no |
+| <a name="input_vault_force_destroy"></a> [vault\_force\_destroy](#input\_vault\_force\_destroy) | Whether to allow the backup vault to be destroyed even if it contains recovery points. | `string` | `false` | no |
 | <a name="input_vault_name"></a> [vault\_name](#input\_vault\_name) | Name of the backup vault to create. | `string` | n/a | yes |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_backup_plan_arn"></a> [backup\_plan\_arn](#output\_backup\_plan\_arn) | The ARN of the backup plan. |
+| <a name="output_backup_plan_id"></a> [backup\_plan\_id](#output\_backup\_plan\_id) | The ID of the backup plan. |
+| <a name="output_backup_vault_arn"></a> [backup\_vault\_arn](#output\_backup\_vault\_arn) | The ARN of the backup vault. |
+| <a name="output_backup_vault_id"></a> [backup\_vault\_id](#output\_backup\_vault\_id) | The ID of the backup vault. |
 
 ## Providers
 
@@ -75,27 +87,30 @@ No outputs.
 
 ## Resources
 
-- resource.aws_backup_plan.main (main.tf#55)
-- resource.aws_backup_selection.main (main.tf#48)
-- resource.aws_backup_vault.main (main.tf#18)
-- resource.aws_backup_vault_lock_configuration.main (main.tf#25)
-- resource.aws_iam_role.main (main.tf#96)
-- resource.aws_iam_role_policy_attachment.main_backup (main.tf#103)
-- resource.aws_iam_role_policy_attachment.main_restore (main.tf#108)
-- resource.aws_iam_role_policy_attachment.s3_backup (main.tf#113)
-- resource.aws_iam_role_policy_attachment.s3_restore (main.tf#118)
-- data source.aws_iam_policy_document.main (data.tf#1)
+- resource.aws_backup_plan.main (main.tf#45)
+- resource.aws_backup_selection.main (main.tf#103)
+- resource.aws_backup_vault.main (main.tf#27)
+- resource.aws_backup_vault_lock_configuration.main (main.tf#35)
 
 # Examples
 ### Basic Example
 ```hcl
 module "basic-example" {
   source = "../../"
 
-  vault_name  = "main"
-  backup_name = "rds"
-  service     = "s3"
-  resources   = ["arn:aws:s3:::my-bucket"]
+  vault_name = "my-project"
+  plan_name  = "customer-data"
+
+  selections = [
+    {
+      name = "s3-buckets"
+      arns = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-other-bucket"]
+    },
+    {
+      name = "db-snaps"
+      arns = ["arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance"]
+    }
+  ]
 }
 ```
 
@@ -104,14 +119,13 @@ module "basic-example" {
 module "with-rules" {
   source = "../../"
 
-  vault_name  = "main"
-  backup_name = "rds"
-  service     = "s3"
-  resources   = ["arn:aws:s3:::my-bucket"]
+  vault_name = "my-project"
+  plan_name  = "customer-data"
 
-  rules = [
+  predefined_rules = ["daily-snapshot", "monthly-snapshot"]
+  custom_rules = [
     {
-      name                     = "weekly-snapshot"
+      name                     = "my-custom-rule"
       schedule                 = "cron(0 3 ? * 2,3,4,5,6,7,1 *)"
       start_window             = 60
       completion_window        = 240
@@ -123,6 +137,109 @@ module "with-rules" {
       }
     }
   ]
+
+  selections = [
+    {
+      name = "s3-buckets"
+      arns = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-other-bucket"]
+    },
+    {
+      name = "db-snaps"
+      arns = ["arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance"]
+    }
+  ]
+}
+```
+
+# Predefined Rules
+```hcl
+locals {
+  predefined_rules = [
+    # At 03:00 AM UTC, daily
+    {
+      name                     = "daily-snapshot"
+      schedule                 = "cron(0 3 ? * * *)"
+      start_window             = 60
+      completion_window        = 240
+      enable_continuous_backup = true
+      recovery_point_tags      = {}
+
+      lifecycle = {
+        cold_storage_after = null
+        delete_after       = 35 # 5 weeks
+      }
+
+      copy_action = null
+    },
+
+    # At 03:00 AM UTC, every Sunday
+    {
+      name                     = "weekly-snapshot"
+      schedule                 = "cron(0 3 ? * SUN *)"
+      start_window             = 60
+      completion_window        = 240
+      enable_continuous_backup = true
+      recovery_point_tags      = {}
+
+      lifecycle = {
+        cold_storage_after = null
+        delete_after       = 183 # 6 months
+      }
+
+      copy_action = null
+    },
+
+    # At 03:00 AM UTC, on day 1 of the month
+    {
+      name                     = "monthly-snapshot"
+      schedule                 = "cron(0 3 1 * ? *)"
+      start_window             = 60
+      completion_window        = 240
+      enable_continuous_backup = false
+      recovery_point_tags      = {}
+
+      lifecycle = {
+        cold_storage_after = 1   # day
+        delete_after       = 365 # 1 year
+      }
+
+      copy_action = null
+    },
+
+    # At 03:00 AM UTC, on day 1 of the month, only in January, April, July, and October
+    {
+      name                     = "quarterly-snapshot"
+      schedule                 = "cron(0 3 1 1,4,7,10 ? *)"
+      start_window             = 60
+      completion_window        = 240
+      enable_continuous_backup = false
+      recovery_point_tags      = {}
+
+      lifecycle = {
+        cold_storage_after = 1   # day
+        delete_after       = 730 # 2 years
+      }
+
+      copy_action = null
+    },
+
+    # At 03:00 AM UTC, on day 1 of the month, only in January
+    {
+      name                     = "yearly-snapshot"
+      schedule                 = "cron(0 3 1 1 ? *)"
+      start_window             = 60
+      completion_window        = 240
+      enable_continuous_backup = false
+      recovery_point_tags      = {}
+
+      lifecycle = {
+        cold_storage_after = 1    # day
+        delete_after       = 3650 # 10 years
+      }
+
+      copy_action = null
+    }
+  ]
 }
 ```
 <!-- END_TF_DOCS -->

docs/20-badges.md

@@ -4,6 +4,7 @@
 [![Release](https://github.com/geekcell/terraform-aws-backup/actions/workflows/release.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-backup/actions/workflows/release.yaml)
 [![Validate](https://github.com/geekcell/terraform-aws-backup/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-backup/actions/workflows/validate.yaml)
 [![Lint](https://github.com/geekcell/terraform-aws-backup/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-backup/actions/workflows/linter.yaml)
+[![Test](https://github.com/geekcell/terraform-aws-backup/actions/workflows/test.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-backup/actions/workflows/test.yaml)
 
 ### Security
 [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-backup/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-backup&benchmark=INFRASTRUCTURE+SECURITY)

examples/minimal/main.tf

@@ -0,0 +1,17 @@
+module "basic-example" {
+  source = "../../"
+
+  vault_name = "my-project"
+  plan_name  = "customer-data"
+
+  selections = [
+    {
+      name = "s3-buckets"
+      arns = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-other-bucket"]
+    },
+    {
+      name = "db-snaps"
+      arns = ["arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance"]
+    }
+  ]
+}