modules/dlm-lifecycle-iam-role: Added DLM IAM role to allow create sn…

…apshots
fpco · Oct 17, 2019 · 8a214e5 · 8a214e5
1 parent e4eb80c
commit 8a214e5
Show file tree

Hide file tree

Showing 5 changed files with 76 additions and 2 deletions.
diff --git a/modules/dlm-lifecycle-iam-role/README.md b/modules/dlm-lifecycle-iam-role/README.md
@@ -0,0 +1,15 @@
+## Data Lifecycle Manager (DLM) lifecycle policy for managing snapshots
+
+This module creates the IAM role and the policy that allows the AWS Data Lifecycle Manager to create snapshots.
+
+### Example how to use
+
+Define variables
+
+```
+module "ebs-backup-policy" {
+  source = "github.com/fpco/terraform-aws-foundation//modules/dlm-lifecycle-iam"
+
+  iam_role_name = "dlm-lifecycle-role"
+}
+```
diff --git a/modules/dlm-lifecycle-iam-role/main.tf b/modules/dlm-lifecycle-iam-role/main.tf
@@ -0,0 +1,56 @@
+variable "iam_role_name" {
+  description = "The IAM role name for the DLM lifecyle policy"
+  type        = string
+  default     = "dlm-lifecycle-role"
+}
+
+# Create the iam role
+resource "aws_iam_role" "dlm_lifecycle_role" {
+  name                = var.iam_role_name
+  assume_role_policy  = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "dlm.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+# DLM lifecycle Policy
+resource "aws_iam_role_policy" "dlm_lifecycle_policy" {
+  name  = "dlm-lifecycle-policy"
+  role  = aws_iam_role.dlm_lifecycle_role.id
+
+  policy  = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateSnapshot",
+        "ec2:DeleteSnapshot",
+        "ec2:DescribeVolumes",
+        "ec2:DescribeSnapshots"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateTags"
+      ],
+      "Resource": "arn:aws:ec2:*::snapshot/*"
+    }
+  ]
+}
+EOF
+}
diff --git a/modules/dlm-lifecycle-iam-role/versions.tf b/modules/dlm-lifecycle-iam-role/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/modules/dlm-lifecycle-policy/main.tf b/modules/dlm-lifecycle-policy/main.tf
@@ -17,7 +17,7 @@ data "aws_iam_role" "dlm_lifecycle_role" {
 }
 
 # DLM lifecycle schedule
-resource "aws_dlm_lifecycle_policy" "gitlab-ebs-lifecycle-policy" {
+resource "aws_dlm_lifecycle_policy" "ebs-lifecycle-policy" {
   description        = var.description
   execution_role_arn = data.aws_iam_role.dlm_lifecycle_role.arn
   state              = "ENABLED"

diff --git a/modules/dlm-lifecycle-policy/variables.tf b/modules/dlm-lifecycle-policy/variables.tf
@@ -54,7 +54,7 @@ variable "policy_retain_rule" {
 variable "policy_copy_tags" {
   description = "Copy all user-defined tags on a source volume to snapshots of the volume created by this policy."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "policy_tags_to_add" {