From 251fd663e45774dd78a72c7eb347694d6a06d44d Mon Sep 17 00:00:00 2001
From: Paul Montero <lpaulmp@gmail.com>
Date: Thu, 16 May 2019 17:22:27 -0500
Subject: [PATCH 1/3] Module to enable DML lifecycle policies

---
 modules/dlm-lifecycle-policy/README.md    | 28 ++++++++++
 modules/dlm-lifecycle-policy/iam.tf       | 58 ++++++++++++++++++++
 modules/dlm-lifecycle-policy/main.tf      | 43 +++++++++++++++
 modules/dlm-lifecycle-policy/variables.tf | 67 +++++++++++++++++++++++
 4 files changed, 196 insertions(+)
 create mode 100644 modules/dlm-lifecycle-policy/README.md
 create mode 100644 modules/dlm-lifecycle-policy/iam.tf
 create mode 100644 modules/dlm-lifecycle-policy/main.tf
 create mode 100644 modules/dlm-lifecycle-policy/variables.tf

diff --git a/modules/dlm-lifecycle-policy/README.md b/modules/dlm-lifecycle-policy/README.md
new file mode 100644
index 00000000..0460e757
--- /dev/null
+++ b/modules/dlm-lifecycle-policy/README.md
@@ -0,0 +1,28 @@
+## Data Lifecycle Manager (DLM) lifecycle policy for managing snapshots
+
+This module creates an IAM role and a policy that manage the creation of EBS snapshots, Data Lifecycle Manager policy let you create snapshots according to the schedule that you choose.
+
+### Example how to use
+
+Define the module in your terraform project:
+```
+variable "ebs_target_tags" {
+  description = "EBS name/tag to query"
+  default     = "myebstagname"
+}
+
+Define variables
+...
+
+module "ebs-backup-policy" {
+  source = "github.com/fpco/terraform-aws-foundation//modules/dlm-lifecycle-policy"
+
+  name_prefix               = "${var.name}"
+  dml_description           = "${var.dml_description}"
+  ebs_target_tags           = "${merge(map("Name", "${var.ebs_target_tags}"), "${var.extra_tags}")}"
+  schedule_create_interval  = "${var.schedule_create_interval}"
+  schedule_create_time      = "${var.schedule_create_time}"
+  schedule_retain_rule      = "${var.schedule_retain_rule}"
+  schedule_tags_to_add      = "${merge(map("Name", "${var.name}-dlm", "SnapshotCreator", "DLM lifecycle"))}"
+}
+```
diff --git a/modules/dlm-lifecycle-policy/iam.tf b/modules/dlm-lifecycle-policy/iam.tf
new file mode 100644
index 00000000..b241fc39
--- /dev/null
+++ b/modules/dlm-lifecycle-policy/iam.tf
@@ -0,0 +1,58 @@
+# Create the iam role
+resource "aws_iam_role" "dlm_lifecycle_role" {
+  count = "${var.create_dlm_iam_role == "true" ? 1 : 0}"
+
+  name                = "${var.role_name}"
+  assume_role_policy  = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "dlm.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+# DLM lifecycle Policy
+resource "aws_iam_role_policy" "dlm_lifecycle" {
+  count = "${var.create_dlm_iam_role == "true" ? 1 : 0}"
+
+  name  = "dlm-lifecycle-policy"
+  role  = "${aws_iam_role.dlm_lifecycle_role.id}"
+
+  policy  = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateSnapshot",
+        "ec2:DeleteSnapshot",
+        "ec2:DescribeVolumes",
+        "ec2:DescribeSnapshots"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateTags"
+      ],
+      "Resource": "arn:aws:ec2:*::snapshot/*"
+    }
+  ]
+}
+EOF
+}
+
+data "aws_iam_role" "dlm_lifecycle_role" {
+  name = "${var.role_name}"
+}
diff --git a/modules/dlm-lifecycle-policy/main.tf b/modules/dlm-lifecycle-policy/main.tf
new file mode 100644
index 00000000..888e533a
--- /dev/null
+++ b/modules/dlm-lifecycle-policy/main.tf
@@ -0,0 +1,43 @@
+/**
+* ## Data Lifecycle Manager (DLM) lifecycle policy for managing snapshots
+*
+* The purpose of this module is to provide a policy to create snapshots accourding an schudule.
+* This module creates an IAM role and a policy that manage the creation of EBS snapshots, Data Lifecycle Manager policy let you create snapshots according to the schedule that you choose.
+*
+* The module supports:
+*
+* * Generate snapshots of volumes attached to ec2 instances
+* * Assume the IAM Role policy to manage DLM lifecycle policy
+*
+*/
+
+# DLM lifecycle schedule
+resource "aws_dlm_lifecycle_policy" "gitlab-ebs-lifecycle-policy" {
+  description        = "${var.dml_description}"
+  execution_role_arn = "${data.aws_iam_role.dlm_lifecycle_role.arn}"
+  state              = "ENABLED"
+
+  policy_details {
+    resource_types = "${var.dml_resource_type}"
+
+    schedule {
+      name = "${var.name_prefix} ${var.schedule_name}"
+
+      create_rule {
+        interval      = "${var.schedule_create_interval}"
+        interval_unit = "${var.schedule_create_interval_unit}"
+        times         = "${var.schedule_create_time}"
+      }
+
+      retain_rule {
+        count = "${var.schedule_retain_rule}"
+      }
+
+      tags_to_add = "${var.schedule_tags_to_add}"
+      copy_tags   = "${var.schedule_copy_tags}"
+    }
+
+    target_tags = "${var.ebs_target_tags}"
+
+  }
+}
diff --git a/modules/dlm-lifecycle-policy/variables.tf b/modules/dlm-lifecycle-policy/variables.tf
new file mode 100644
index 00000000..7828089c
--- /dev/null
+++ b/modules/dlm-lifecycle-policy/variables.tf
@@ -0,0 +1,67 @@
+variable "name_prefix" {
+  description = "Name to prefix the DML lifecycle"
+  type        = "string"
+}
+
+variable "create_dlm_iam_role" {
+  description = "Creates DLM IAm role and permissions to create snapshots, the role can be create one time pero AWS account"
+  default     = "false"
+}
+
+variable "ebs_target_tags" {
+  description = "Tags to filter the volume that we want to take the snapshot."
+  default     = {}
+}
+
+variable "dml_description" {
+  description = "DLM lifecycle policy description"
+  default     = "DLM lifecycle policy"
+}
+
+variable "dml_resource_type" {
+  description = "DLM resource type"
+  default     = ["VOLUME"]
+}
+
+variable "schedule_name" {
+  description = "Snapshots schedule name"
+  default     = "One week of daily snapshots"
+}
+
+
+variable "schedule_create_interval" {
+  description = "Snapshots schedule interval"
+  default     = 24
+}
+
+variable "schedule_create_interval_unit" {
+  description = "Snapshots schedule interval unit"
+  default     = "HOURS"
+}
+
+variable "schedule_create_time" {
+  description = "Time at which the snapshot will take."
+  type        = "list"
+  default     = ["23:45"]
+}
+
+variable "schedule_retain_rule" {
+  description = "Snapshots schedule retein rule, how many snapshots are retaining"
+  default     = 14
+}
+
+variable "schedule_copy_tags" {
+  description = "Copy all user-defined tags on a source volume to snapshots of the volume created by this policy."
+  default     = false
+}
+
+variable "schedule_tags_to_add" {
+  description = "Tags to add to the snapshot"
+  type        = "map"
+  default     = {"SnapshotCreator" = "DLM lifecycle"}
+}
+
+variable "role_name" {
+  description = "The IAM role name for the DLM lifecyle policy"
+  default     = "dlm-lifecycle-role"
+}

From c2832e89637620ff93ef8079882acf1a7833dd60 Mon Sep 17 00:00:00 2001
From: Paul Montero <lpaulmp@gmail.com>
Date: Tue, 1 Oct 2019 03:52:45 -0500
Subject: [PATCH 2/3] modules/dlm-lifecycle-policy: Update DML module to tf
 0.12 and move the IAM role to another role

---
 modules/dlm-lifecycle-policy/README.md    | 29 +++++-------
 modules/dlm-lifecycle-policy/iam.tf       | 58 -----------------------
 modules/dlm-lifecycle-policy/main.tf      | 27 ++++++-----
 modules/dlm-lifecycle-policy/variables.tf | 36 +++++++-------
 modules/dlm-lifecycle-policy/versions.tf  |  3 ++
 5 files changed, 51 insertions(+), 102 deletions(-)
 delete mode 100644 modules/dlm-lifecycle-policy/iam.tf
 create mode 100644 modules/dlm-lifecycle-policy/versions.tf

diff --git a/modules/dlm-lifecycle-policy/README.md b/modules/dlm-lifecycle-policy/README.md
index 0460e757..4f016d99 100644
--- a/modules/dlm-lifecycle-policy/README.md
+++ b/modules/dlm-lifecycle-policy/README.md
@@ -1,28 +1,25 @@
 ## Data Lifecycle Manager (DLM) lifecycle policy for managing snapshots
 
-This module creates an IAM role and a policy that manage the creation of EBS snapshots, Data Lifecycle Manager policy let you create snapshots according to the schedule that you choose.
+This module creates the policy that manage the creation of EBS snapshots through AWS Data Lifecycle Manager, the policy let you manage the schedule of the snapshot as well as the number of snapshots.
 
 ### Example how to use
 
-Define the module in your terraform project:
-```
-variable "ebs_target_tags" {
-  description = "EBS name/tag to query"
-  default     = "myebstagname"
-}
-
 Define variables
-...
 
+```
 module "ebs-backup-policy" {
   source = "github.com/fpco/terraform-aws-foundation//modules/dlm-lifecycle-policy"
 
-  name_prefix               = "${var.name}"
-  dml_description           = "${var.dml_description}"
-  ebs_target_tags           = "${merge(map("Name", "${var.ebs_target_tags}"), "${var.extra_tags}")}"
-  schedule_create_interval  = "${var.schedule_create_interval}"
-  schedule_create_time      = "${var.schedule_create_time}"
-  schedule_retain_rule      = "${var.schedule_retain_rule}"
-  schedule_tags_to_add      = "${merge(map("Name", "${var.name}-dlm", "SnapshotCreator", "DLM lifecycle"))}"
+  name_prefix             = project-name-backup
+  description             = "DLM lifecycle policy"
+  ebs_target_tags         = "ebs-to-take-snapshot-name-ec2-volume"
+  policy_name             = "One week of daily snapshots"
+  policy_interval         = 24
+  policy_time             = ["23:45"]
+  policy_copy_tags        = false
+  policy_retain_rule      = 14
+  policy_tags_to_add      = "${merge(map("Name", "${var.name}-dlm", "SnapshotCreator", "DLM lifecycle"))}"
+  resource_type           = ["VOLUME"]
+  role_name               = "dlm-lifecycle-role"
 }
 ```
diff --git a/modules/dlm-lifecycle-policy/iam.tf b/modules/dlm-lifecycle-policy/iam.tf
deleted file mode 100644
index b241fc39..00000000
--- a/modules/dlm-lifecycle-policy/iam.tf
+++ /dev/null
@@ -1,58 +0,0 @@
-# Create the iam role
-resource "aws_iam_role" "dlm_lifecycle_role" {
-  count = "${var.create_dlm_iam_role == "true" ? 1 : 0}"
-
-  name                = "${var.role_name}"
-  assume_role_policy  = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "dlm.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-}
-
-# DLM lifecycle Policy
-resource "aws_iam_role_policy" "dlm_lifecycle" {
-  count = "${var.create_dlm_iam_role == "true" ? 1 : 0}"
-
-  name  = "dlm-lifecycle-policy"
-  role  = "${aws_iam_role.dlm_lifecycle_role.id}"
-
-  policy  = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:CreateSnapshot",
-        "ec2:DeleteSnapshot",
-        "ec2:DescribeVolumes",
-        "ec2:DescribeSnapshots"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ec2:CreateTags"
-      ],
-      "Resource": "arn:aws:ec2:*::snapshot/*"
-    }
-  ]
-}
-EOF
-}
-
-data "aws_iam_role" "dlm_lifecycle_role" {
-  name = "${var.role_name}"
-}
diff --git a/modules/dlm-lifecycle-policy/main.tf b/modules/dlm-lifecycle-policy/main.tf
index 888e533a..1dc6f902 100644
--- a/modules/dlm-lifecycle-policy/main.tf
+++ b/modules/dlm-lifecycle-policy/main.tf
@@ -11,33 +11,38 @@
 *
 */
 
+# Get the data of role to pass the resource
+data "aws_iam_role" "dlm_lifecycle_role" {
+  name         = var.role_name
+}
+
 # DLM lifecycle schedule
 resource "aws_dlm_lifecycle_policy" "gitlab-ebs-lifecycle-policy" {
-  description        = "${var.dml_description}"
-  execution_role_arn = "${data.aws_iam_role.dlm_lifecycle_role.arn}"
+  description        = var.description
+  execution_role_arn = data.aws_iam_role.dlm_lifecycle_role.arn
   state              = "ENABLED"
 
   policy_details {
-    resource_types = "${var.dml_resource_type}"
+    resource_types = var.resource_type
 
     schedule {
-      name = "${var.name_prefix} ${var.schedule_name}"
+      name = "${var.name_prefix} ${var.policy_name}"
 
       create_rule {
-        interval      = "${var.schedule_create_interval}"
-        interval_unit = "${var.schedule_create_interval_unit}"
-        times         = "${var.schedule_create_time}"
+        interval      = var.policy_interval
+        interval_unit = var.policy_interval_unit
+        times         = var.policy_times
       }
 
       retain_rule {
-        count = "${var.schedule_retain_rule}"
+        count = var.policy_retain_rule
       }
 
-      tags_to_add = "${var.schedule_tags_to_add}"
-      copy_tags   = "${var.schedule_copy_tags}"
+      tags_to_add = var.policy_tags_to_add
+      copy_tags   = var.policy_copy_tags
     }
 
-    target_tags = "${var.ebs_target_tags}"
+    target_tags = var.ebs_target_tags
 
   }
 }
diff --git a/modules/dlm-lifecycle-policy/variables.tf b/modules/dlm-lifecycle-policy/variables.tf
index 7828089c..dbdf55fa 100644
--- a/modules/dlm-lifecycle-policy/variables.tf
+++ b/modules/dlm-lifecycle-policy/variables.tf
@@ -3,59 +3,61 @@ variable "name_prefix" {
   type        = "string"
 }
 
-variable "create_dlm_iam_role" {
-  description = "Creates DLM IAm role and permissions to create snapshots, the role can be create one time pero AWS account"
-  default     = "false"
-}
-
 variable "ebs_target_tags" {
   description = "Tags to filter the volume that we want to take the snapshot."
+  type        = map
   default     = {}
 }
 
-variable "dml_description" {
+variable "description" {
   description = "DLM lifecycle policy description"
+  type        = string
   default     = "DLM lifecycle policy"
 }
 
-variable "dml_resource_type" {
+variable "resource_type" {
   description = "DLM resource type"
+  type        = list(string)
   default     = ["VOLUME"]
 }
 
-variable "schedule_name" {
+variable "policy_name" {
   description = "Snapshots schedule name"
+  type        = string
   default     = "One week of daily snapshots"
 }
 
-
-variable "schedule_create_interval" {
+variable "policy_interval" {
   description = "Snapshots schedule interval"
+  type        = number
   default     = 24
 }
 
-variable "schedule_create_interval_unit" {
+variable "policy_interval_unit" {
   description = "Snapshots schedule interval unit"
+  type        = string
   default     = "HOURS"
 }
 
-variable "schedule_create_time" {
+variable "policy_times" {
   description = "Time at which the snapshot will take."
-  type        = "list"
+  type        = list
   default     = ["23:45"]
 }
 
-variable "schedule_retain_rule" {
+variable "policy_retain_rule" {
   description = "Snapshots schedule retein rule, how many snapshots are retaining"
+  type        = number
   default     = 14
 }
 
-variable "schedule_copy_tags" {
+variable "policy_copy_tags" {
   description = "Copy all user-defined tags on a source volume to snapshots of the volume created by this policy."
+  type        = bool
   default     = false
 }
 
-variable "schedule_tags_to_add" {
+variable "policy_tags_to_add" {
   description = "Tags to add to the snapshot"
   type        = "map"
   default     = {"SnapshotCreator" = "DLM lifecycle"}
@@ -63,5 +65,5 @@ variable "schedule_tags_to_add" {
 
 variable "role_name" {
   description = "The IAM role name for the DLM lifecyle policy"
-  default     = "dlm-lifecycle-role"
+  type        = string
 }
diff --git a/modules/dlm-lifecycle-policy/versions.tf b/modules/dlm-lifecycle-policy/versions.tf
new file mode 100644
index 00000000..d9b6f790
--- /dev/null
+++ b/modules/dlm-lifecycle-policy/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12"
+}

From fb2fc6386f774815bb3fb066c360a4feaf2f308c Mon Sep 17 00:00:00 2001
From: Paul Montero <lpaulmp@gmail.com>
Date: Tue, 1 Oct 2019 04:00:20 -0500
Subject: [PATCH 3/3] modules/dlm-lifecycle-iam-role: Added DLM IAM role to
 allow create snapshots

---
 modules/dlm-lifecycle-iam-role/README.md   | 15 ++++++
 modules/dlm-lifecycle-iam-role/main.tf     | 56 ++++++++++++++++++++++
 modules/dlm-lifecycle-iam-role/versions.tf |  3 ++
 modules/dlm-lifecycle-policy/main.tf       |  2 +-
 modules/dlm-lifecycle-policy/variables.tf  |  2 +-
 5 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 modules/dlm-lifecycle-iam-role/README.md
 create mode 100644 modules/dlm-lifecycle-iam-role/main.tf
 create mode 100644 modules/dlm-lifecycle-iam-role/versions.tf

diff --git a/modules/dlm-lifecycle-iam-role/README.md b/modules/dlm-lifecycle-iam-role/README.md
new file mode 100644
index 00000000..301fa445
--- /dev/null
+++ b/modules/dlm-lifecycle-iam-role/README.md
@@ -0,0 +1,15 @@
+## Data Lifecycle Manager (DLM) lifecycle policy for managing snapshots
+
+This module creates the IAM role and the policy that allows the AWS Data Lifecycle Manager to create snapshots.
+
+### Example how to use
+
+Define variables
+
+```
+module "ebs-backup-policy" {
+  source = "github.com/fpco/terraform-aws-foundation//modules/dlm-lifecycle-iam"
+
+  iam_role_name = "dlm-lifecycle-role"
+}
+```
diff --git a/modules/dlm-lifecycle-iam-role/main.tf b/modules/dlm-lifecycle-iam-role/main.tf
new file mode 100644
index 00000000..581292e8
--- /dev/null
+++ b/modules/dlm-lifecycle-iam-role/main.tf
@@ -0,0 +1,56 @@
+variable "iam_role_name" {
+  description = "The IAM role name for the DLM lifecyle policy"
+  type        = string
+  default     = "dlm-lifecycle-role"
+}
+
+# Create the iam role
+resource "aws_iam_role" "dlm_lifecycle_role" {
+  name                = var.iam_role_name
+  assume_role_policy  = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "dlm.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+# DLM lifecycle Policy
+resource "aws_iam_role_policy" "dlm_lifecycle_policy" {
+  name  = "dlm-lifecycle-policy"
+  role  = aws_iam_role.dlm_lifecycle_role.id
+
+  policy  = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateSnapshot",
+        "ec2:DeleteSnapshot",
+        "ec2:DescribeVolumes",
+        "ec2:DescribeSnapshots"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateTags"
+      ],
+      "Resource": "arn:aws:ec2:*::snapshot/*"
+    }
+  ]
+}
+EOF
+}
diff --git a/modules/dlm-lifecycle-iam-role/versions.tf b/modules/dlm-lifecycle-iam-role/versions.tf
new file mode 100644
index 00000000..d9b6f790
--- /dev/null
+++ b/modules/dlm-lifecycle-iam-role/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/modules/dlm-lifecycle-policy/main.tf b/modules/dlm-lifecycle-policy/main.tf
index 1dc6f902..cb2e4c3d 100644
--- a/modules/dlm-lifecycle-policy/main.tf
+++ b/modules/dlm-lifecycle-policy/main.tf
@@ -17,7 +17,7 @@ data "aws_iam_role" "dlm_lifecycle_role" {
 }
 
 # DLM lifecycle schedule
-resource "aws_dlm_lifecycle_policy" "gitlab-ebs-lifecycle-policy" {
+resource "aws_dlm_lifecycle_policy" "ebs-lifecycle-policy" {
   description        = var.description
   execution_role_arn = data.aws_iam_role.dlm_lifecycle_role.arn
   state              = "ENABLED"
diff --git a/modules/dlm-lifecycle-policy/variables.tf b/modules/dlm-lifecycle-policy/variables.tf
index dbdf55fa..b851de7d 100644
--- a/modules/dlm-lifecycle-policy/variables.tf
+++ b/modules/dlm-lifecycle-policy/variables.tf
@@ -54,7 +54,7 @@ variable "policy_retain_rule" {
 variable "policy_copy_tags" {
   description = "Copy all user-defined tags on a source volume to snapshots of the volume created by this policy."
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "policy_tags_to_add" {