
Removes Legacy Snapshot Backups

AMI backups also take snapshots, so this is no longer needed.

* Removes the ebs_backups.tf, which sets up snapshot DLM
* Fixes the `get_current_dlm_policies` to take parameters
* Updates the `ami_backups.tf` to send those parameters
* Turns on 'unofficial bash strict mode' in the bash scripts
Fred Damstra [afs macbook] 4 жил өмнө
parent
commit
e7db1b1492

+ 6 - 2
base/account_standards/ami_backups.tf

@@ -3,16 +3,20 @@
 # 
 # NOTE: This will not update an existing policy, but will create one if it's missing.
 
-
 # Grab the current policy name. This turned out to be unnecessary for my purposes, but
 # will be useful if in the future we decide to implement a 'modify' resource.
 #
 # WARNING: External data sources are run before the apply, and even before any decision
 #          is made whether or not to apply, so do not make changes in such a script.
 data "external" "get_dlm_policies" {
-  program = ["bin/get_current_dlm_policies"]
+  program = ["bin/get_current_dlm_policies", var.aws_partition, var.aws_region, var.aws_account_id, var.account_name]
 }
 
+# useful for debugging, but don't leave it uncommented or itll report a change on second apply:
+#output "dlm_policies" {
+#  value = data.external.get_dlm_policies.result
+#}
+
 # In rare cases, you may need/want to manually recreate this. To do so, run
 #    terragrunt taint null_resource.create_dlm_policy
 resource "null_resource" "create_dlm_policy" {
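Review bot: The `program` path in `data "external" "get_dlm_policies"` is still relative (`bin/get_current_dlm_policies`), so which file is executed at plan time depends on the working directory Terraform is started from. Anchoring it as `"${path.module}/bin/get_current_dlm_policies"` makes the executed script unambiguous. Passing the four variables as separate list elements is fine, because the external data source does not run the program through a shell. The `null_resource` block that opens on the last line of the hunk continues outside it.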

+ 2 - 0
base/account_standards/bin/create_dlm_policy

@@ -5,6 +5,8 @@
 # NOTE: If you create a new policy, the old policy will remain. Use the modify
 # script instead. And even if you delete the old policy, the images created by
 # it will remain and continue to incur charges.
+set -euo pipefail
+
 PARTITION=$1
 REGION=$2
 ACCOUNT=$3

+ 25 - 4
base/account_standards/bin/get_current_dlm_policies

@@ -2,11 +2,32 @@
 # Gets the current dlm policies, if any.
 #
 # WARNING: THIS IS RUN DURRING A 'PLAN' STEP. Do not make changes. Read-only in this script.
+set -euo pipefail
 
-# TODO: Pass these in
-PROFILE=mdr-test-c2-gov
-REGION=us-gov-east-1
-ACCOUNT=738800754746
+PARTITION=$1
+REGION=$2
+ACCOUNT=$3
+ACCOUNT_NAME=$4
+
+# Fix for some accounts having -gov already appended and some not.
+# Accounts in gov will get it appended.
+ACCOUNT_NAME=${ACCOUNT_NAME%%-gov}
+
+if [[ ${REGION} == "us-gov-east-1" ]]; then
+  PROFILE=${ACCOUNT_NAME}-gov
+elif [[ ${REGION} == "us-gov-west-1" ]]; then
+  PROFILE=${ACCOUNT_NAME}-gov
+elif [[ ${REGION} == "us-east-1" ]]; then
+  PROFILE=${ACCOUNT_NAME}
+elif [[ ${REGION} == "us-west-1" ]]; then
+  PROFILE=${ACCOUNT_NAME}
+else
+  >&2 echo ERROR: Could not determine target region from source region \"${REGION}\"
+  exit -1
+fi
+
+# Fix the accounts that we foolish prepended 'afs-' to.
+PROFILE=${PROFILE##afs-}
 
 POLICIES=$(aws --profile ${PROFILE} --region ${REGION} dlm get-lifecycle-policies)
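Review bot: `PROFILE` is now derived from the fourth argument and is still expanded unquoted in the unchanged `aws --profile ${PROFILE} --region ${REGION}` call, so a value containing whitespace or glob characters would be split into extra CLI arguments. Quote it: `POLICIES=$(aws --profile "${PROFILE}" --region "${REGION}" dlm get-lifecycle-policies)`. `exit -1` is outside the 0-255 range and bash reports it as 255; `exit 1` is the portable form. `PARTITION` and `ACCOUNT` are assigned but not used inside this hunk. If the rest of the script, which lies outside the hunk, does not use them either, comparing `ACCOUNT` with the account the chosen profile resolves to (for example via `aws sts get-caller-identity`) would catch a derived profile name that points at the wrong account.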
 

+ 0 - 36
base/account_standards/ebs_backups.tf

@@ -1,36 +0,0 @@
-# To keep in line with FedRAMP we are setting up a lifecycle on the EBS vol to create "backups"
-# It will target the tag "Snapshot" based on the value depends on what policy is assigned (see comments bellow)
-resource "aws_dlm_lifecycle_policy" "daily" {
-  description        = "daily DLM lifecycle policy"
-  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
-  state              = "ENABLED"
-
-  policy_details {
-    resource_types = ["VOLUME"]
-
-    schedule {
-      name = "daily snapshots retain 2"
-
-      create_rule {
-        interval      = 24
-        interval_unit = "HOURS"
-        times         = ["23:45"]
-      }
-
-      retain_rule {
-        count = 2
-      }
-
-      tags_to_add = {
-        SnapshotCreator = "DLM"
-        SnapshotPolicy = "Daily"
-      }
-
-      copy_tags = true
-    }
-
-    target_tags = {
-      Snapshot = "Daily"
-    }
-  }
-}