From 3199a0f1ebc1da32228040f5fe5ba7352270f192 Mon Sep 17 00:00:00 2001
From: Paul Montero <lpaulmp@gmail.com>
Date: Thu, 16 May 2019 17:22:27 -0500
Subject: [PATCH] Module to enable DML lifecycle policies

---
 modules/dlm-lifecycle-policy/README.md    | 26 ++++++++++++
 modules/dlm-lifecycle-policy/iam.tf       | 51 +++++++++++++++++++++++
 modules/dlm-lifecycle-policy/main.tf      | 46 ++++++++++++++++++++
 modules/dlm-lifecycle-policy/variables.tf | 51 +++++++++++++++++++++++
 4 files changed, 174 insertions(+)
 create mode 100644 modules/dlm-lifecycle-policy/README.md
 create mode 100644 modules/dlm-lifecycle-policy/iam.tf
 create mode 100644 modules/dlm-lifecycle-policy/main.tf
 create mode 100644 modules/dlm-lifecycle-policy/variables.tf

diff --git a/modules/dlm-lifecycle-policy/README.md b/modules/dlm-lifecycle-policy/README.md
new file mode 100644
index 00000000..defcbf9b
--- /dev/null
+++ b/modules/dlm-lifecycle-policy/README.md
@@ -0,0 +1,26 @@
+## Data Lifecycle Manager (DLM) lifecycle policy for managing snapshots
+
+This module creates an IAM role and a policy that manage the creation of EBS snapshots, Data Lifecycle Manager policy let you create snapshots according to the schedule that you choose.
+
+### Example how to use
+
+Define the module in your terraform project:
+```
+variable "ebs_target_tags" {
+  description = "EBS name/tag to query"
+  default     = "myebstagname"
+}
+
+Define variables
+...
+
+module "ebs-backup-policy" {
+  source = "git::https://github.com/fpco/terraform-aws-foundation//modules/dlm-lifecycle-policy"
+
+  dml_description      = "${var.dml_description}"
+  ebs_target_tags      = "${(map("Name", "${var.ebs_target_tags}")}"
+  schedule_interval    = "${var.schedule_interval}"
+  schedule_times       = "${var.schedule_interval_times}"
+  schedule_retain_rule = "${var.schedule_retain_rule}"
+}
+```
diff --git a/modules/dlm-lifecycle-policy/iam.tf b/modules/dlm-lifecycle-policy/iam.tf
new file mode 100644
index 00000000..12204ce8
--- /dev/null
+++ b/modules/dlm-lifecycle-policy/iam.tf
@@ -0,0 +1,51 @@
+# Create the iam role
+resource "aws_iam_role" "dlm_lifecycle_role" {
+  name = "dlm-lifecycle-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "dlm.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+# DLM lifecycle Policy
+resource "aws_iam_role_policy" "dlm_lifecycle" {
+  name = "dlm-lifecycle-policy"
+  role = "${aws_iam_role.dlm_lifecycle_role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateSnapshot",
+        "ec2:DeleteSnapshot",
+        "ec2:DescribeVolumes",
+        "ec2:DescribeSnapshots"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateTags"
+      ],
+      "Resource": "arn:aws:ec2:*::snapshot/*"
+    }
+  ]
+}
+EOF
+}
diff --git a/modules/dlm-lifecycle-policy/main.tf b/modules/dlm-lifecycle-policy/main.tf
new file mode 100644
index 00000000..47c37138
--- /dev/null
+++ b/modules/dlm-lifecycle-policy/main.tf
@@ -0,0 +1,46 @@
+/**
+* ## Data Lifecycle Manager (DLM) lifecycle policy for managing snapshots
+*
+* The purpose of this module is to provide a policy to create snapshots accourding an schudule.
+* This module creates an IAM role and a policy that manage the creation of EBS snapshots, Data Lifecycle Manager policy let you create snapshots according to the schedule that you choose.
+*
+* The module supports:
+*
+* * Generate snapshots of volumes attached to ec2 instances
+* * Assume the IAM Role policy to manage DLM lifecycle policy
+*
+*/
+
+# DLM lifecycle schedule
+resource "aws_dlm_lifecycle_policy" "gitlab-ebs-lifecycle-policy" {
+  description        = "${var.dml_description}"
+  execution_role_arn = "${aws_iam_role.dlm_lifecycle_role.arn}"
+  state              = "ENABLED"
+
+  policy_details {
+    resource_types = "${var.dml_resource_type}"
+
+    schedule {
+      name = "${var.name_prefix} ${var.schedule_name}"
+
+      create_rule {
+        interval      = "${var.schedule_interval}"
+        interval_unit = "${var.schedule_interval_unit}"
+        times         = "${var.schedule_times}"
+      }
+
+      retain_rule {
+        count = "${var.schedule_retain_rule}"
+      }
+
+      tags_to_add = {
+        SnapshotCreator = "DLM lifecycle"
+      }
+
+      copy_tags = "${var.schedule_copy_tags}"
+    }
+
+    target_tags = "${var.ebs_target_tags}"
+
+  }
+}
diff --git a/modules/dlm-lifecycle-policy/variables.tf b/modules/dlm-lifecycle-policy/variables.tf
new file mode 100644
index 00000000..74aa49ed
--- /dev/null
+++ b/modules/dlm-lifecycle-policy/variables.tf
@@ -0,0 +1,51 @@
+variable "name_prefix" {
+  description = "Name to prefix the DML lifecycle"
+  type        = "string"
+}
+
+variable "ebs_target_tags" {
+  description = "Tags to filter the volume that we want to take the snapshot."
+  default     = {}
+}
+
+variable "dml_description" {
+  description = "DLM lifecycle policy description"
+  default     = "DLM lifecycle policy"
+}
+
+variable "dml_resource_type" {
+  description = "DLM resource type"
+  default     = ["VOLUME"]
+}
+
+variable "schedule_name" {
+  description = "Snapshots schedule name"
+  default     = "One week of daily snapshots"
+}
+
+
+variable "schedule_interval" {
+  description = "Snapshots schedule interval"
+  default     = 24
+}
+
+variable "schedule_interval_unit" {
+  description = "Snapshots schedule interval unit"
+  default     = "HOURS"
+}
+
+variable "schedule_times" {
+  description = "Time at which the snapshot will take."
+  type        = "list"
+  default     = ["23:45"]
+}
+
+variable "schedule_retain_rule" {
+  description = "Snapshots schedule retein rule, how many snapshots are retaining"
+  default     = 14
+}
+
+variable "schedule_copy_tags" {
+  description = "Copy all user-defined tags on a source volume to snapshots of the volume created by this policy."
+  default     = false
+}