
Merge pull request #324 from mdr-engineering/feature/ftd_MSOCI-1929_BackupScheduleUpdator

Updates backups module to intelligently update the existing policy if it exists
Frederick Damstra 3 年之前
父节点
当前提交
8c3fa7c53e
共有 3 个文件被更改,包括 241 次插入119 次删除
  1. 24 6
      base/backups/ami_backups.tf
  2. 0 113
      base/backups/bin/create_dlm_policy
  3. 217 0
      base/backups/bin/create_or_update_dlm_policy

+ 24 - 6
base/backups/ami_backups.tf

@@ -10,12 +10,16 @@
 #          is made whether or not to apply, so do not make changes in such a script.
 data "external" "get_dlm_policies" {
   program = ["bin/get_current_dlm_policies", var.aws_partition, var.aws_region, var.aws_account_id, var.account_name]
+  depends_on = [ null_resource.create_dlm_policy ]
 }
 
-# useful for debugging, but don't leave it uncommented or itll report a change on second apply:
-#output "dlm_policies" {
-#  value = data.external.get_dlm_policies.result
-#}
+output "dlm_policies" {
+  value = data.external.get_dlm_policies.result
+}
+
+locals {
+  policy_id = lookup(data.external.get_dlm_policies.result, "PolicyId", "NULL")
+}
 
 # In rare cases, you may need/want to manually recreate this. To do so, run
 #    terragrunt taint null_resource.create_dlm_policy
@@ -23,9 +27,23 @@ resource "null_resource" "create_dlm_policy" {
   #count = data.external.get_dlm_policies.result["PolicyId"] == "null" ? 1 : 0
   #count = data.external.get_dlm_policies.result["PolicyId"] == "policy-02af49210b5b375d5" ? 1 : 0
 
-  # Could maybe find some sort of trigger here, in case the DLM is deleted?
+  triggers = {
+    aws_partition = var.aws_partition
+    aws_region = var.aws_region
+    aws_account_id = var.aws_account_id
+    account_name = var.account_name
+  }
 
   provisioner "local-exec" {
-    command = "bin/create_dlm_policy ${var.aws_partition} ${var.aws_region} ${var.aws_account_id} ${var.account_name}"
+    command = "bin/create_or_update_dlm_policy ${var.aws_partition} ${var.aws_region} ${var.aws_account_id} ${var.account_name}"
   }
+
+  #provisioner "local-exec" {
+  #  when    = destroy
+  #  command = "bin/destroy_dlm_policy ${self.triggers.aws_partition} ${self.triggers.aws_region} ${self.triggers.aws_account_id} ${self.triggers.account_name}"
+  #}
+}
+
+output help {
+  value = "If you need to update/recreate the policy, run: terragrunt taint null_resource.create_dlm_policy"
 }
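Review bot: The new `triggers` map on `null_resource.create_dlm_policy` keys only on partition, region, account id and account name, so editing `bin/create_or_update_dlm_policy` (retention counts, schedules, the KMS alias) will not re-run the provisioner and the live DLM policy silently drifts from the script until someone remembers the manual taint the `help` output describes. Adding `script_hash = filemd5("${path.module}/bin/create_or_update_dlm_policy")` to the triggers makes a script change re-run the update path, which is exactly what the new script is built for. The `depends_on = [ null_resource.create_dlm_policy ]` added to `data "external" "get_dlm_policies"` will, as far as I know, defer the data read to apply time, so the re-enabled `output "dlm_policies"` and the new `local.policy_id` are unknown at plan; since `policy_id` is not referenced anywhere in these hunks, either drop it or say in a comment what it is reserved for. `output help` should be written `output "help"` to match the quoted labels elsewhere in the file.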

+ 0 - 113
base/backups/bin/create_dlm_policy

@@ -1,113 +0,0 @@
-#! /bin/bash
-#
-# Creates the XDR DLM Policy to backup AMIs daily and copy them cross-region.
-#
-# NOTE: If you create a new policy, the old policy will remain. Use the modify
-# script instead. And even if you delete the old policy, the images created by
-# it will remain and continue to incur charges.
-set -euo pipefail
-
-PARTITION=$1
-REGION=$2
-ACCOUNT=$3
-ACCOUNT_NAME=$4
-
-# Fix for some accounts having -gov already appended and some not.
-# Accounts in gov will get it appended.
-ACCOUNT_NAME=${ACCOUNT_NAME%%-gov}
-
-if [[ ${REGION} == "us-gov-east-1" ]]; then
-  PROFILE=${ACCOUNT_NAME}-gov
-  TARGET_REGION="us-gov-west-1"
-elif [[ ${REGION} == "us-gov-west-1" ]]; then
-  PROFILE=${ACCOUNT_NAME}-gov
-  TARGET_REGION="us-gov-east-1"
-elif [[ ${REGION} == "us-east-1" ]]; then
-  PROFILE=${ACCOUNT_NAME}
-  TARGET_REGION="us-west-1"
-elif [[ ${REGION} == "us-west-1" ]]; then
-  PROFILE=${ACCOUNT_NAME}
-  TARGET_REGION="us-east-1"
-else
-  >&2 echo ERROR: Could not determine target region from source region \"${REGION}\"
-  exit -1
-fi
-
-# Fix the accounts that we foolish prepended 'afs-' to.
-PROFILE=${PROFILE##afs-}
-
-# Find the target region key ARN, since we can't use aliases here
-KMS_KEY_ID=$(aws --profile ${PROFILE} --region ${TARGET_REGION} kms list-aliases | jq -r '.Aliases[] | select(.AliasName=="alias/ami_backup_key") | .TargetKeyId')
-KMS_ARN=$(aws --profile ${PROFILE} --region ${TARGET_REGION} kms describe-key --key-id ${KMS_KEY_ID} | jq -r '.KeyMetadata.Arn')
-
-tmpfile=$(mktemp /tmp/create_dlm_policy.XXXXXXX)
-cat > ${tmpfile} <<EOF
-{
-    "PolicyType": "IMAGE_MANAGEMENT",
-    "ResourceTypes": [
-        "INSTANCE"
-    ],
-    "TargetTags": [
-        {
-            "Key": "Snapshot",
-            "Value": "Daily"
-        }
-    ],
-    "Schedules": [
-        {
-            "Name": "XDR AMI Backups with Cross Region Replication",
-            "CopyTags": true,
-            "TagsToAdd": [
-                {
-                    "Key": "SnapshotPolicy",
-                    "Value": "Daily"
-                },
-                {
-                    "Key": "SnapshotCreator",
-                    "Value": "XDR AMI Backups with Cross Region Replication"
-                }
-            ],
-            "VariableTags": [
-                {
-                    "Key": "instance-id",
-                    "Value": "\$(instance-id)"
-                }
-            ],
-            "CreateRule": {
-                "Interval": 24,
-                "IntervalUnit": "HOURS",
-                "Times": [
-                    "03:30"
-                ]
-            },
-            "RetainRule": {
-                "Count": 2
-            },
-            "CrossRegionCopyRules": [
-                {
-                    "TargetRegion": "${TARGET_REGION}",
-                    "Encrypted": true,
-                    "CmkArn": "${KMS_ARN}",
-                    "CopyTags": true,
-                    "RetainRule": {
-                        "Interval": 2,
-                        "IntervalUnit": "DAYS"
-                    }
-                }
-            ]
-        }
-    ],
-    "Parameters": {
-        "NoReboot": true
-    }
-}
-EOF
-
-aws --profile ${PROFILE} --region ${REGION} dlm create-lifecycle-policy \
-  --execution-role-arn arn:${PARTITION}:iam::${ACCOUNT}:role/dlm-lifecycle-role \
-  --description "XDR AMI Backups with Cross Region Replication" \
-  --state ENABLED \
-  --tags '{ "Name": "XDR-AMI-XRegion", "SnapshotPolicy": "Daily" }' \
-  --policy-details file://${tmpfile}
-
-rm $tmpfile

+ 217 - 0
base/backups/bin/create_or_update_dlm_policy

@@ -0,0 +1,217 @@
+#! /bin/bash
+#
+# Creates the XDR DLM Policy to backup AMIs daily and copy them cross-region.
+#
+# NOTE: If you create a new policy, the old policy will remain. Use the modify
+# script instead. And even if you delete the old policy, the images created by
+# it will remain and continue to incur charges.
+set -euo pipefail
+
+PARTITION=$1
+REGION=$2
+ACCOUNT=$3
+ACCOUNT_NAME=$4
+
+# Fix for some accounts having -gov already appended and some not.
+# Accounts in gov will get it appended.
+ACCOUNT_NAME=${ACCOUNT_NAME%%-gov}
+
+if [[ ${REGION} == "us-gov-east-1" ]]; then
+  PROFILE=${ACCOUNT_NAME}-gov
+  TARGET_REGION="us-gov-west-1"
+elif [[ ${REGION} == "us-gov-west-1" ]]; then
+  PROFILE=${ACCOUNT_NAME}-gov
+  TARGET_REGION="us-gov-east-1"
+elif [[ ${REGION} == "us-east-1" ]]; then
+  PROFILE=${ACCOUNT_NAME}
+  TARGET_REGION="us-west-1"
+elif [[ ${REGION} == "us-west-1" ]]; then
+  PROFILE=${ACCOUNT_NAME}
+  TARGET_REGION="us-east-1"
+else
+  >&2 echo ERROR: Could not determine target region from source region \"${REGION}\"
+  exit -1
+fi
+
+# Fix the accounts that we foolish prepended 'afs-' to.
+PROFILE=${PROFILE##afs-}
+
+# Find the target region key ARN, since we can't use aliases here
+KMS_KEY_ID=$(aws --profile ${PROFILE} --region ${TARGET_REGION} kms list-aliases | jq -r '.Aliases[] | select(.AliasName=="alias/ami_backup_key") | .TargetKeyId')
+KMS_ARN=$(aws --profile ${PROFILE} --region ${TARGET_REGION} kms describe-key --key-id ${KMS_KEY_ID} | jq -r '.KeyMetadata.Arn')
+
+tmpfile=$(mktemp /tmp/create_dlm_policy.XXXXXXX)
+cat > ${tmpfile} <<EOF
+{
+    "PolicyType": "IMAGE_MANAGEMENT",
+    "ResourceTypes": [
+        "INSTANCE"
+    ],
+    "TargetTags": [
+        {
+            "Key": "Snapshot",
+            "Value": "Daily"
+        }
+    ],
+    "Schedules": [
+        {
+            "Name": "XDR AMI Backups with Cross Region Replication - Daily Schedule",
+            "CopyTags": true,
+            "TagsToAdd": [
+                {
+                    "Key": "SnapshotPolicy",
+                    "Value": "Daily"
+                },
+                {
+                    "Key": "SnapshotRetention",
+                    "Value": "Daily"
+                },
+                {
+                    "Key": "SnapshotCreator",
+                    "Value": "XDR AMI Backups with Cross Region Replication - Daily"
+                }
+            ],
+            "VariableTags": [
+                {
+                    "Key": "instance-id",
+                    "Value": "\$(instance-id)"
+                }
+            ],
+            "CreateRule": {
+                "Interval": 24,
+                "IntervalUnit": "HOURS",
+                "Times": [
+                    "03:30"
+                ]
+            },
+            "RetainRule": {
+                "Count": 7
+            },
+            "CrossRegionCopyRules": [
+                {
+                    "TargetRegion": "${TARGET_REGION}",
+                    "Encrypted": true,
+                    "CmkArn": "${KMS_ARN}",
+                    "CopyTags": true,
+                    "RetainRule": {
+                        "Interval": 7,
+                        "IntervalUnit": "DAYS"
+                    }
+                }
+            ]
+        },
+        {
+            "Name": "XDR AMI Backups with Cross Region Replication - Weekly Schedule",
+            "CopyTags": true,
+            "TagsToAdd": [
+                {
+                    "Key": "SnapshotPolicy",
+                    "Value": "Daily"
+                },
+                {
+                    "Key": "SnapshotRetention",
+                    "Value": "Weekly"
+                },
+                {
+                    "Key": "SnapshotCreator",
+                    "Value": "XDR AMI Backups with Cross Region Replication - Weekly"
+                }
+            ],
+            "VariableTags": [
+                {
+                    "Key": "instance-id",
+                    "Value": "\$(instance-id)"
+                }
+            ],
+            "CreateRule": {
+                "CronExpression": "cron(30 03 ? * MON *)"
+            },
+            "RetainRule": {
+                "Count": 4
+            },
+            "CrossRegionCopyRules": [
+                {
+                    "TargetRegion": "${TARGET_REGION}",
+                    "Encrypted": true,
+                    "CmkArn": "${KMS_ARN}",
+                    "CopyTags": true,
+                    "RetainRule": {
+                        "Interval": 4,
+                        "IntervalUnit": "WEEKS"
+                    }
+                }
+            ]
+        },
+        {
+            "Name": "XDR AMI Backups with Cross Region Replication - Monthly Schedule",
+            "CopyTags": true,
+            "TagsToAdd": [
+                {
+                    "Key": "SnapshotPolicy",
+                    "Value": "Daily"
+                },
+                {
+                    "Key": "SnapshotRetention",
+                    "Value": "Monthly"
+                },
+                {
+                    "Key": "SnapshotCreator",
+                    "Value": "XDR AMI Backups with Cross Region Replication - Monthly"
+                }
+            ],
+            "VariableTags": [
+                {
+                    "Key": "instance-id",
+                    "Value": "\$(instance-id)"
+                }
+            ],
+            "CreateRule": {
+                "CronExpression": "cron(30 03 1 * ? *)"
+            },
+            "RetainRule": {
+                "Count": 12
+            },
+            "CrossRegionCopyRules": [
+                {
+                    "TargetRegion": "${TARGET_REGION}",
+                    "Encrypted": true,
+                    "CmkArn": "${KMS_ARN}",
+                    "CopyTags": true,
+                    "RetainRule": {
+                        "Interval": 12,
+                        "IntervalUnit": "MONTHS"
+                    }
+                }
+            ]
+        }
+    ],
+    "Parameters": {
+        "NoReboot": true
+    }
+}
+EOF
+
+POLICIES=$(aws --profile ${PROFILE} --region ${REGION} dlm get-lifecycle-policies)
+# Extracts the policy IDs of IMAGE_MANAGEMENT policye
+POLICY_ID=$(echo $POLICIES | jq -r '[.Policies[] | select(.PolicyType=="IMAGE_MANAGEMENT") | select(.Tags.SnapshotPolicy=="Daily")] | first | .PolicyId')
+
+if [ "${POLICY_ID}" != 'null' ]; then
+  echo Updating existing policy ${POLICY_ID}
+  aws --profile ${PROFILE} --region ${REGION} dlm update-lifecycle-policy --policy-id ${POLICY_ID} \
+    --execution-role-arn arn:${PARTITION}:iam::${ACCOUNT}:role/dlm-lifecycle-role \
+    --description "XDR Long Term AMI Backups with Cross Region Replication" \
+    --state ENABLED \
+    --policy-details file://${tmpfile}
+    # At some future date, hopefully tags will be supported on the update
+    #--tags '{ "Name": "XDR-AMI-XRegion", "SnapshotPolicy": "Daily" }' \
+else
+  echo Creating new policy
+  aws --profile ${PROFILE} --region ${REGION} dlm create-lifecycle-policy \
+    --execution-role-arn arn:${PARTITION}:iam::${ACCOUNT}:role/dlm-lifecycle-role \
+    --description "XDR Long Term AMI Backups with Cross Region Replication" \
+    --state ENABLED \
+    --tags '{ "Name": "XDR-AMI-XRegion", "SnapshotPolicy": "Daily" }' \
+    --policy-details file://${tmpfile}
+fi
+
+rm $tmpfile
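Review bot: `rm $tmpfile` on the last line only runs on the success path; under `set -e` any failed `aws` or `jq` call above it leaves the rendered policy document in `/tmp`, so register the cleanup right after `mktemp` with `trap 'rm -f "${tmpfile}"' EXIT` instead. `echo $POLICIES | jq ...` passes the JSON through unquoted word splitting and glob expansion; `jq -r '...' <<<"${POLICIES}"` feeds it verbatim. When `alias/ami_backup_key` does not exist in the target region `KMS_KEY_ID` is empty and the following `describe-key` fails with an unrelated usage error, so an explicit guard such as `[[ -n "${KMS_KEY_ID}" ]] || { >&2 echo "ERROR: alias/ami_backup_key not found in ${TARGET_REGION}"; exit 1; }` would make the failure self-explanatory, which matters because that key is what keeps the cross-region copies encrypted. The lookup `... | first | .PolicyId` picks an arbitrary match when more than one IMAGE_MANAGEMENT policy carries `SnapshotPolicy=Daily`, a situation the header comment itself says can arise, so either fail when the array has more than one element or document that the first one wins; that header comment ("Use the modify script instead") also predates this script and should describe the create-or-update behaviour.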