From 5bdc80499142c9c2e93fa2883009fe6a493c369c Mon Sep 17 00:00:00 2001 From: Shibra Amin Date: Fri, 8 Dec 2023 16:28:03 +0530 Subject: [PATCH] added backup and restore --- README.md | 9 ++ examples/complete/aws/README.md | 4 +- examples/complete/aws/main.tf | 14 +++ helm/backup/values.yaml | 11 +++ helm/restore/values.yaml | 10 ++ main.tf | 43 ++++++++- modules/backup/.helmignore | 21 +++++ modules/backup/Chart.yaml | 4 + modules/backup/templates/backup-secret.yaml | 8 ++ modules/backup/templates/cronjob.yaml | 40 ++++++++ modules/backup/templates/service_account.yaml | 7 ++ modules/resources/aws/README.md | 5 + modules/resources/aws/main.tf | 93 +++++++++++++++++++ modules/resources/aws/outputs.tf | 10 ++ modules/resources/aws/variables.tf | 5 + modules/restore/.helmignore | 21 +++++ modules/restore/Chart.yaml | 4 + modules/restore/templates/job.yaml | 33 +++++++ modules/restore/templates/restore-secret.yaml | 8 ++ .../restore/templates/service_account.yaml | 6 ++ variable.tf | 47 ++++++++++ 21 files changed, 398 insertions(+), 5 deletions(-) create mode 100644 helm/backup/values.yaml create mode 100644 helm/restore/values.yaml create mode 100644 modules/backup/.helmignore create mode 100644 modules/backup/Chart.yaml create mode 100644 modules/backup/templates/backup-secret.yaml create mode 100644 modules/backup/templates/cronjob.yaml create mode 100644 modules/backup/templates/service_account.yaml create mode 100644 modules/restore/.helmignore create mode 100644 modules/restore/Chart.yaml create mode 100644 modules/restore/templates/job.yaml create mode 100644 modules/restore/templates/restore-secret.yaml create mode 100644 modules/restore/templates/service_account.yaml diff --git a/README.md b/README.md index 4d5cd3d..733925b 100644 --- a/README.md +++ b/README.md 
@@ -100,7 +100,9 @@ No modules. | Name | Type | |------|------| | [helm_release.postgres_exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.postgresql_backup](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [helm_release.postgresql_ha](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.postgresql_restore](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_namespace.postgresql](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | ## Inputs @@ -109,13 +111,20 @@ No modules. |------|-------------|------|---------|:--------:| | [chart\_version](#input\_chart\_version) | Version of the Postgresql helm chart that will be deployed. | `string` | `"11.7.9"` | no | | [cluster\_name](#input\_cluster\_name) | Name of eks cluster | `string` | `""` | no | +| [create\_namespace](#input\_create\_namespace) | Whether or not to deploy postgresql | `bool` | `true` | no | | [custom\_credentials\_config](#input\_custom\_credentials\_config) | Specify the configuration settings for Postgresql to pass custom credentials during creation. | `any` |
{
"postgres_password": "",
"repmgr_password": ""
}
| no | | [custom\_credentials\_enabled](#input\_custom\_credentials\_enabled) | Specifies whether to enable custom credentials for PostgreSQL database. | `bool` | `false` | no | +| [iam\_role\_arn\_backup](#input\_iam\_role\_arn\_backup) | IAM role ARN for backup (AWS) | `string` | `""` | no | +| [iam\_role\_arn\_restore](#input\_iam\_role\_arn\_restore) | IAM role ARN for restore (AWS) | `string` | `""` | no | | [postgres\_password](#input\_postgres\_password) | PostgresQL password | `any` | `""` | no | +| [postgresql\_backup\_config](#input\_postgresql\_backup\_config) | configuration options for Pgsql database backups. It includes properties such as the S3 bucket Name, the S3 bucket region, and the cron expression for full backups. | `any` |
{
"bucket_name": "",
"cron_for_full_backup": "",
"s3_bucket_region": ""
}
| no | +| [postgresql\_backup\_enabled](#input\_postgresql\_backup\_enabled) | Specifies whether to enable backups for Pgsql database. | `bool` | `false` | no | | [postgresql\_config](#input\_postgresql\_config) | Configuration options for the postgresql such as number of replica,chart version, storage class and store password at secret manager. | `map(string)` |
{
"environment": "",
"name": "",
"postgresql_values": "",
"replicaCount": 3,
"storage_class": "gp2",
"store_password_to_secret_manager": true
}
| no | | [postgresql\_enabled](#input\_postgresql\_enabled) | Whether or not to deploy postgresql | `bool` | `true` | no | | [postgresql\_exporter\_enabled](#input\_postgresql\_exporter\_enabled) | Whether or not to deploy postgresql exporter | `bool` | `false` | no | | [postgresql\_namespace](#input\_postgresql\_namespace) | Name of the Kubernetes namespace where the postgresql will be deployed. | `string` | `"postgresql"` | no | +| [postgresql\_restore\_config](#input\_postgresql\_restore\_config) | Configuration options for restoring dump to the Postgresql database. | `any` |
{
"bucket_uri": "",
"file_name": "",
"s3_bucket_region": ""
}
| no | +| [postgresql\_restore\_enabled](#input\_postgresql\_restore\_enabled) | Specifies whether to enable restoring dump to the Postgresql database. | `bool` | `false` | no | | [recovery\_window\_aws\_secret](#input\_recovery\_window\_aws\_secret) | Number of days that AWS Secrets Manager will wait before deleting a secret. This value can be set to 0 to force immediate deletion, or to a value between 7 and 30 days to allow for recovery. | `number` | `0` | no | | [repmgr\_password](#input\_repmgr\_password) | Replication manager password | `any` | `""` | no | diff --git a/examples/complete/aws/README.md b/examples/complete/aws/README.md index 4ec345e..a0f30cd 100644 --- a/examples/complete/aws/README.md +++ b/examples/complete/aws/README.md @@ -21,8 +21,8 @@ No requirements. | Name | Source | Version | |------|--------|---------| -| [aws](#module\_aws) | ../../../modules/resources/aws | n/a | -| [postgresql](#module\_postgresql) | ../../../ | n/a | +| [aws](#module\_aws) | git@github.com:sq-ia/terraform-kubernetes-postgresql.git//modules/resources/aws | n/a | +| [postgresql](#module\_postgresql) | git@github.com:sq-ia/terraform-kubernetes-postgresql.git | n/a | ## Resources diff --git a/examples/complete/aws/main.tf b/examples/complete/aws/main.tf index f4354e1..7ef1540 100644 --- a/examples/complete/aws/main.tf +++ b/examples/complete/aws/main.tf 
@@ -40,4 +40,18 @@ module "postgresql" { postgresql_values = file("./helm/postgresql.yaml") store_password_to_secret_manager = local.store_password_to_secret_manager } + iam_role_arn_backup = module.aws.iam_role_arn_backup + postgresql_backup_enabled = true + postgresql_backup_config = { + bucket_name = "backup-309017165673" + s3_bucket_region = "us-east-2" + cron_for_full_backup = "*/5 * * * *" + } + postgresql_restore_enabled = true + iam_role_arn_restore = module.aws.iam_role_arn_restore + postgresql_restore_config = { + bucket_uri = "s3://backup-309017165673/pgdump__20231208095502.zip" + file_name = "pgdump__20231208095502.zip" + s3_bucket_region = "us-east-2" + } } diff --git a/helm/backup/values.yaml b/helm/backup/values.yaml new file mode 100644 index 0000000..69bf550 --- /dev/null +++ b/helm/backup/values.yaml @@ -0,0 +1,11 @@ +## Enable Full backup +backup: + bucket_name: ${bucket_name} + aws_default_region: ${s3_bucket_region} + cron_for_full_backup: "${cron_for_full_backup}" + +annotations: + ${annotations} + +auth: + username: ${custom_user_username} diff --git a/helm/restore/values.yaml b/helm/restore/values.yaml new file mode 100644 index 0000000..fd95066 --- /dev/null +++ b/helm/restore/values.yaml @@ -0,0 +1,10 @@ +restore: + bucket_uri: ${bucket_uri} + file_name: ${file_name} + aws_default_region: ${s3_bucket_region} + +auth: + username: "${custom_user_username}" + +annotations: + ${annotations} diff --git a/main.tf b/main.tf index 4c53b8f..6d74f6f 100644 --- a/main.tf +++ b/main.tf @@ -1,12 +1,11 @@ resource "kubernetes_namespace" "postgresql" { - count = var.postgresql_enabled ? 1 : 0 + count = var.create_namespace ? 1 : 0 metadata { name = var.postgresql_namespace } } resource "helm_release" "postgresql_ha" { - count = var.postgresql_enabled ? 1 : 0 depends_on = [kubernetes_namespace.postgresql] name = "postgresql-ha" chart = "postgresql-ha" 
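Review bot: The example sets `postgresql_restore_enabled = true` alongside the backup and points both at an account-specific bucket (`backup-309017165673`, which appears to embed a 12-digit account identifier) and a dated dump object. Anyone copying it would start a restore job against the newly deployed database on the first apply and reference a bucket they do not own. I would ship the example with `postgresql_restore_enabled = false` and placeholders such as `bucket_name = "<your-backup-bucket>"`. The `*/5 * * * *` schedule takes a full dump every five minutes; a comment like `# demo schedule only, use a daily cron outside of testing` would make that explicit.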
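Review bot: Removing `count = var.postgresql_enabled ? 1 : 0` from `helm_release.postgresql_ha` means `postgresql_enabled = false` no longer stops the release from being installed. The variable is still declared and the README still says it controls deployment, and the next main.tf hunk drops the same gate from `postgres_exporter`. Either keep the gate or remove the variable and call out the breaking change in the commit message. The resource body continues past the end of this hunk, so any other use of the variable there is not visible.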
@@ -27,7 +26,7 @@ resource "helm_release" "postgresql_ha" { } resource "helm_release" "postgres_exporter" { - count = var.postgresql_enabled && var.postgresql_exporter_enabled ? 1 : 0 + count = var.postgresql_exporter_enabled ? 1 : 0 depends_on = [helm_release.postgresql_ha] name = "postgres-exporter" chart = "prometheus-postgres-exporter" @@ -42,3 +41,41 @@ resource "helm_release" "postgres_exporter" { }) ] } + + +resource "helm_release" "postgresql_backup" { + depends_on = [helm_release.postgresql_ha] + count = var.postgresql_backup_enabled ? 1 : 0 + name = "postgresql-backup" + chart = "${path.module}/modules/backup" + timeout = 600 + namespace = var.postgresql_namespace + values = [ + templatefile("${path.module}/helm/backup/values.yaml", { + bucket_name = var.postgresql_backup_config.bucket_name, + s3_bucket_region = var.postgresql_backup_config.s3_bucket_region, + cron_for_full_backup = var.postgresql_backup_config.cron_for_full_backup, + custom_user_username = "postgres", + annotations = "eks.amazonaws.com/role-arn: ${var.iam_role_arn_backup}" + }) + ] +} + +## DB dump restore +resource "helm_release" "postgresql_restore" { + depends_on = [helm_release.postgresql_ha] + count = var.postgresql_restore_enabled ? 1 : 0 + name = "postgresql-restore" + chart = "${path.module}/modules/restore" + timeout = 600 + namespace = var.postgresql_namespace + values = [ + templatefile("${path.module}/helm/restore/values.yaml", { + bucket_uri = var.postgresql_restore_config.bucket_uri, + file_name = var.postgresql_restore_config.file_name, + s3_bucket_region = var.postgresql_restore_config.s3_bucket_region, + custom_user_username = "postgres", + annotations = "eks.amazonaws.com/role-arn: ${var.iam_role_arn_restore}" + }) + ] +} diff --git a/modules/backup/.helmignore b/modules/backup/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/modules/backup/.helmignore 
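Review bot: Both new releases interpolate `var.iam_role_arn_backup` and `var.iam_role_arn_restore` directly into the service-account annotation, and both variables default to `""`. Enabling backup or restore without a role therefore renders `eks.amazonaws.com/role-arn:` with no value. The pod then has no IRSA role and, depending on the cluster setup, the AWS SDK may fall back to the node's instance credentials, which are usually broader than intended; that is worth confirming. I would fail at plan time with a `precondition` in each release's `lifecycle` block, for example `condition = var.iam_role_arn_backup != ""`. `custom_user_username = "postgres"` is also hard-coded, so both jobs always connect as the superuser; a comment saying this is deliberate would help the next reader.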
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/modules/backup/Chart.yaml b/modules/backup/Chart.yaml
new file mode 100644
index 0000000..cb75ce7
--- /dev/null
+++ b/modules/backup/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: A helm chart for Backup of pgsql and stored in S3
+name: pgsql-backup
+version: 1.0.0
diff --git a/modules/backup/templates/backup-secret.yaml b/modules/backup/templates/backup-secret.yaml
new file mode 100644
index 0000000..ddcdf54
--- /dev/null
+++ b/modules/backup/templates/backup-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: pgsql-bucket-name
+ namespace: {{ .Release.Namespace }}
+ labels:
+data:
+ S3_BUCKET: {{ .Values.backup.bucket_name | b64enc | quote }}
diff --git a/modules/backup/templates/cronjob.yaml b/modules/backup/templates/cronjob.yaml
new file mode 100644
index 0000000..21bb3cb
--- /dev/null
+++ b/modules/backup/templates/cronjob.yaml
@@ -0,0 +1,40 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: backup-pgsqldb
+spec:
+ schedule: {{ .Values.backup.cron_for_full_backup | quote }}
+ concurrencyPolicy: Forbid
+ suspend: false
+ successfulJobsHistoryLimit: 3
+ failedJobsHistoryLimit: 1
+
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ imagePullSecrets:
+ - name: regcred
+ serviceAccountName: sa-pgsql-backup
+ containers:
+ - name: backup-pgsqldb
+ image: squareops01/pgsqldb-backup:v4
+ imagePullPolicy: Always
+ env:
+ - name: DB_HOST
+ value: postgresql-ha-postgresql-headless.{{ .Release.Namespace }}.svc.cluster.local
+ - name: DB_USER
+ value: {{ .Values.auth.username }}
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgresql-ha-postgresql
+ key: password
+ - name: S3_BUCKET
+ valueFrom:
+ secretKeyRef:
+ name: pgsql-bucket-name
+ key: S3_BUCKET
+ - name: AWS_DEFAULT_REGION
+ value: {{ .Values.backup.aws_default_region }}
diff --git a/modules/backup/templates/service_account.yaml b/modules/backup/templates/service_account.yaml
new file mode 100644
index 0000000..ad90eb7
--- /dev/null
+++ b/modules/backup/templates/service_account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sa-pgsql-backup
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{ toYaml .Values.annotations | indent 4 }}
diff --git a/modules/resources/aws/README.md b/modules/resources/aws/README.md
index e42f3bc..3ff3e58 100644
--- a/modules/resources/aws/README.md
+++ b/modules/resources/aws/README.md
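Review bot: The CronJob container is referenced by a mutable tag, `squareops01/pgsqldb-backup:v4`, with `imagePullPolicy: Always`. That container receives `PGPASSWORD` for the database and runs under `sa-pgsql-backup`, so whatever is next published under the tag runs with those credentials. Pin the image by digest and expose it through new chart values, for example `image: {{ .Values.image.repository }}@{{ .Values.image.digest }}`. The restore chart's `job.yaml` (`squareops01/pgsqldb-restore:v2`) follows the same pattern. The pod spec also sets no `securityContext` or resource limits, and `imagePullSecrets: regcred` assumes a secret that this chart does not create.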
@@ -73,6 +73,8 @@ No modules. | Name | Type | |------|------| +| [aws_iam_role.pgsql_backup_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.pgsql_restore_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_secretsmanager_secret.postgresql_user_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | | [aws_secretsmanager_secret_version.postgresql_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | | [random_password.postgresql_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | @@ -90,6 +92,7 @@ No modules. | [custom\_credentials\_enabled](#input\_custom\_credentials\_enabled) | Set to true if you want to use custom credentials, false to generate random passwords. | `string` | `false` | no | | [environment](#input\_environment) | The name of the environment for resource naming. | `string` | `"dev"` | no | | [name](#input\_name) | A name or identifier for resources. | `string` | `""` | no | +| [namespace](#input\_namespace) | Name of the Kubernetes namespace where the MYSQL deployment will be deployed. | `string` | `"postgresql"` | no | | [recovery\_window\_aws\_secret](#input\_recovery\_window\_aws\_secret) | The recovery window (in days) for an AWS Secrets Manager secret. | `number` | `0` | no | | [store\_password\_to\_secret\_manager](#input\_store\_password\_to\_secret\_manager) | Store the password to sceret manager | `bool` | `false` | no | 
@@ -97,5 +100,7 @@ No modules. | Name | Description | |------|-------------| +| [iam\_role\_arn\_backup](#output\_iam\_role\_arn\_backup) | IAM role arn for pgsql backup | +| [iam\_role\_arn\_restore](#output\_iam\_role\_arn\_restore) | IAM role arn for pgsql restore | | [postgresql\_credential](#output\_postgresql\_credential) | PostgreSQL credentials used for accessing the database. | diff --git a/modules/resources/aws/main.tf b/modules/resources/aws/main.tf index b8c0a03..6fd5f89 100644 --- a/modules/resources/aws/main.tf +++ b/modules/resources/aws/main.tf @@ -1,3 +1,11 @@ +locals { + oidc_provider = replace( + data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, + "/^https:///", + "" + ) +} + data "aws_caller_identity" "current" {} data "aws_eks_cluster" "cluster" { 
@@ -42,4 +50,89 @@ resource "aws_secretsmanager_secret_version" "postgresql_password" { "repmgr_username" : "repmgr", "repmgr_password" : "${random_password.repmgrPassword[0].result}" }) +} + +resource "aws_iam_role" "pgsql_backup_role" { + name = format("%s-%s-%s", var.cluster_name, var.name, "pgsql-backup") + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_provider}" + }, + Action = "sts:AssumeRoleWithWebIdentity", + Condition = { + StringEquals = { + "${local.oidc_provider}:aud" = "sts.amazonaws.com", + "${local.oidc_provider}:sub" = "system:serviceaccount:${var.namespace}:sa-pgsql-backup" + } + } + } + ] + }) + inline_policy { + name = "AllowS3PutObject" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:ListBucket", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts" + ] + Effect = "Allow" + Resource = "*" + } + ] + }) + } +} + + +resource "aws_iam_role" "pgsql_restore_role" { + name = format("%s-%s-%s", var.cluster_name, var.name, "pgsql-restore") + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_provider}" + }, + Action = "sts:AssumeRoleWithWebIdentity", + Condition = { + StringEquals = { + "${local.oidc_provider}:aud" = "sts.amazonaws.com", + "${local.oidc_provider}:sub" = "system:serviceaccount:${var.namespace}:sa-postgresql-restore" + } + } + } + ] + }) + inline_policy { + name = "AllowS3PutObject" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:ListBucket", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts" + ] + 
Effect = "Allow" + Resource = "*" + } + ] + }) + } } diff --git a/modules/resources/aws/outputs.tf b/modules/resources/aws/outputs.tf index cb5475c..035910c 100644 --- a/modules/resources/aws/outputs.tf +++ b/modules/resources/aws/outputs.tf @@ -7,3 +7,13 @@ output "postgresql_credential" { repmgr_password = var.custom_credentials_enabled ? var.custom_credentials_config.repmgr_password : nonsensitive(random_password.repmgrPassword[0].result), } } + +output "iam_role_arn_backup" { + value = aws_iam_role.pgsql_backup_role.arn + description = "IAM role arn for pgsql backup" +} + +output "iam_role_arn_restore" { + value = aws_iam_role.pgsql_restore_role.arn + description = "IAM role arn for pgsql restore" +} diff --git a/modules/resources/aws/variables.tf b/modules/resources/aws/variables.tf index aebd79b..91fd427 100644 --- a/modules/resources/aws/variables.tf +++ b/modules/resources/aws/variables.tf @@ -19,6 +19,11 @@ variable "name" { default = "" description = "A name or identifier for resources." } +variable "namespace" { + type = string + default = "postgresql" + description = "Name of the Kubernetes namespace where the MYSQL deployment will be deployed." +} variable "recovery_window_aws_secret" { type = number diff --git a/modules/restore/.helmignore b/modules/restore/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/modules/restore/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/modules/restore/Chart.yaml b/modules/restore/Chart.yaml new file mode 100644 index 0000000..25f74ca --- /dev/null +++ b/modules/restore/Chart.yaml 
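Review bot: Both inline policies grant `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` on `Resource = "*"`, so a compromised backup or restore pod can read, overwrite or delete objects in any bucket the account's other policies permit, not only the backup bucket. Scope each statement to the backup bucket and its objects, and give `pgsql_restore_role` read-only actions, as sketched below. The backup role would keep `s3:PutObject` and the multipart actions on the same two ARNs, and the policy name `AllowS3PutObject` no longer describes either role. This needs the bucket name as a module input, which the module does not have yet. Both roles are also created unconditionally, even when backup and restore are disabled in the root module.

```hcl
resource "aws_iam_role" "pgsql_restore_role" {
  # … unchanged: name and assume_role_policy …
  inline_policy {
    name = "AllowS3ReadBackups"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          # var.backup_bucket_name is a proposed new input, not part of this commit
          Effect   = "Allow"
          Action   = ["s3:ListBucket"]
          Resource = "arn:aws:s3:::${var.backup_bucket_name}"
        },
        {
          Effect   = "Allow"
          Action   = ["s3:GetObject"]
          Resource = "arn:aws:s3:::${var.backup_bucket_name}/*"
        }
      ]
    })
  }
}
```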
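Review bot: The new `namespace` variable's description says "MYSQL deployment", and nothing ties its value to the root module's `postgresql_namespace`. The trust policies in `main.tf` match `system:serviceaccount:${var.namespace}:sa-pgsql-backup` and `...:sa-postgresql-restore` exactly, so if the two namespaces differ the `sts:AssumeRoleWithWebIdentity` call from the backup and restore pods will be denied. I would reword it to `description = "Kubernetes namespace of the PostgreSQL release; must equal postgresql_namespace of the root module because the IAM trust policy matches on it."`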
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: A helm chart for restore of postgresql and stored in S3
+name: postgresql-restore
+version: 1.0.0
diff --git a/modules/restore/templates/job.yaml b/modules/restore/templates/job.yaml
new file mode 100644
index 0000000..bbe5c34
--- /dev/null
+++ b/modules/restore/templates/job.yaml
@@ -0,0 +1,33 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: restore-postgresqldb
+spec:
+ template:
+ spec:
+ serviceAccountName: sa-postgresql-restore
+ containers:
+ - name: restore-postgresqldb
+ image: squareops01/pgsqldb-restore:v2
+ imagePullPolicy: Always
+ env:
+ - name: DB_HOST
+ value: postgresql-ha-postgresql.{{ .Release.Namespace }}.svc.cluster.local
+ - name: DB_USER
+ value: {{ .Values.auth.username }}
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgresql-ha-postgresql
+ key: password
+ - name: POSTGRESQL_BUCKET_RESTORE_URI
+ valueFrom:
+ secretKeyRef:
+ name: postgresql-bucket-uri-restore
+ key: POSTGRESQL_BUCKET_URI
+ - name: RESTORE_FILE_NAME
+ value: {{ .Values.restore.file_name}}
+ - name: AWS_DEFAULT_REGION
+ value: {{ .Values.restore.aws_default_region}}
+ restartPolicy: Never
+ backoffLimit: 4
diff --git a/modules/restore/templates/restore-secret.yaml b/modules/restore/templates/restore-secret.yaml
new file mode 100644
index 0000000..1d4e042
--- /dev/null
+++ b/modules/restore/templates/restore-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: postgresql-bucket-uri-restore
+ namespace: {{ .Release.Namespace }}
+ labels:
+data:
+ POSTGRESQL_BUCKET_URI: {{ .Values.restore.bucket_uri | b64enc | quote }}
diff --git a/modules/restore/templates/service_account.yaml b/modules/restore/templates/service_account.yaml
new file mode 100644
index 0000000..329feb1
--- /dev/null
+++ b/modules/restore/templates/service_account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sa-postgresql-restore
+ annotations:
+ {{ toYaml .Values.annotations | indent 4 }}
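Review bot: Several values in `job.yaml` are rendered unquoted into `env` entries: `value: {{ .Values.restore.file_name}}`, `value: {{ .Values.restore.aws_default_region}}` and `value: {{ .Values.auth.username }}`. A value that YAML reads as a number or boolean, or one containing `: ` or `#`, would produce an invalid or silently altered manifest. Pipe them through `quote`, for example `value: {{ .Values.restore.file_name | quote }}`. The backup `cronjob.yaml` has the same issue for `DB_USER` and `AWS_DEFAULT_REGION`. Separately, this chart's `service_account.yaml` omits `namespace: {{ .Release.Namespace }}`, unlike the Secret next to it and the backup chart's service account.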
diff --git a/variable.tf b/variable.tf index 1ee2667..d1612fb 100644 --- a/variable.tf +++ b/variable.tf @@ -16,6 +16,12 @@ variable "postgresql_enabled" { description = "Whether or not to deploy postgresql" } +variable "create_namespace" { + default = true + type = bool + description = "Whether or not to deploy postgresql" +} + variable "postgresql_exporter_enabled" { default = false type = bool @@ -73,3 +79,44 @@ variable "repmgr_password" { default = "" type = any } + +variable "postgresql_backup_enabled" { + type = bool + default = false + description = "Specifies whether to enable backups for Pgsql database." +} +variable "iam_role_arn_backup" { + description = "IAM role ARN for backup (AWS)" + type = string + default = "" +} + +variable "postgresql_backup_config" { + type = any + default = { + bucket_name = "" + s3_bucket_region = "" + cron_for_full_backup = "" + } + description = "configuration options for Pgsql database backups. It includes properties such as the S3 bucket Name, the S3 bucket region, and the cron expression for full backups." +} +variable "postgresql_restore_enabled" { + type = bool + default = false + description = "Specifies whether to enable restoring dump to the Postgresql database." +} + +variable "postgresql_restore_config" { + type = any + default = { + bucket_uri = "" + file_name = "" + s3_bucket_region = "" + } + description = "Configuration options for restoring dump to the Postgresql database." +} +variable "iam_role_arn_restore" { + description = "IAM role ARN for restore (AWS)" + type = string + default = "" +}
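Review bot: `create_namespace` carries the description copied from `postgresql_enabled` ("Whether or not to deploy postgresql"), and that text is what the README inputs table now shows for it. Suggest `description = "Whether to create the Kubernetes namespace named by postgresql_namespace; set to false when the namespace already exists."`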
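Review bot: `postgresql_backup_config` and `postgresql_restore_config` are declared `type = any` with empty-string defaults, so a misspelled key or a missing bucket only surfaces when the job fails inside the cluster. Declaring the backup one as `type = object({ bucket_name = string, s3_bucket_region = string, cron_for_full_backup = string })`, with the matching shape for restore, would reject bad input at plan time. The restore description could also state that `bucket_uri` is the full `s3://` URI of the dump object, as the example uses it.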