1+ terraform {
2+ required_providers {
3+ aws = {
4+ source = " hashicorp/aws"
5+ version = " >= 4.41.0"
6+ }
7+ }
8+ }
9+
110provider "aws" {
2- profile = " default"
3- region = " eu-central-1"
11+ profile = var. profile
12+ region = var. source_region
13+ }
14+
15+ variable "lambda_function_name" {
16+ default = " rds-backup"
17+ type = string
18+ description = " The name for the Lambda function. It will be used as prefix for roles, policies and log group."
19+ }
20+
21+ variable "aws_account_id" {
22+ type = string
23+ description = " The AWS account ID where the function should be installed to."
24+ }
25+
26+ variable "log_group_name" {
27+ default = " /aws/lambda/${ var . lambda_function_name } "
28+ type = string
29+ description = " The name of the log group in CloudWatch Logs."
30+ }
31+
32+ variable "source_region" {
33+ type = string
34+ description = " The source region where the source RDS lives and where the lambda will be configured."
35+ }
36+
37+ variable "target_region" {
38+ type = string
39+ description = " The target region where the snapshots should be copied to."
40+ }
41+
42+ variable "keep_snapshots" {
43+ type = number
44+ description = " Number of snapshots to be kept."
45+ default = 10
46+ }
47+
48+ variable "target_kms" {
49+ type = string
50+ description = " The KMS key for the target region to use for encrytion of the snapshots."
51+ }
52+
53+ variable "source_db" {
54+ type = list (string )
55+ description = " The name of the RDS instances to copy the snapshots."
56+ }
57+
58+ variable "source_cluster" {
59+ type = list (string )
60+ description = " The name of the RDS cluster to copy the snapshots."
61+ }
62+
63+ variable "profile" {
64+ type = string
65+ default = " default"
66+ description = " The AWS CLI profile to use."
467}
568
6- data "aws_iam_policy_document" "test_lambda_policy" {
69+ # Lambda assume policy
70+
71+ data "aws_iam_policy_document" "lambda_assume_role_policy" {
772 statement {
873 effect = " Allow"
974
@@ -16,22 +81,133 @@ data "aws_iam_policy_document" "test_lambda_policy" {
1681 }
1782}
1883
19- resource "aws_iam_role" "test_lambda_role" {
20- name = " test_lambda_role"
21- assume_role_policy = data. aws_iam_policy_document . test_lambda_policy . json
84+ # Scheduler assume policy
85+
86+ data "aws_iam_policy_document" "scheduler_assume_role_policy" {
87+ statement {
88+ effect = " Allow"
89+
90+ principals {
91+ type = " Service"
92+ identifiers = [" scheduler.amazonaws.com" ]
93+ }
94+
95+ actions = [" sts:AssumeRole" ]
96+ }
97+ }
98+
99+ # Lambda logging policy
100+
101+ data "aws_iam_policy_document" "lambda_logging_policy" {
102+ statement {
103+ effect = " Allow"
104+
105+ actions = [
106+ " logs:CreateLogStream" ,
107+ " logs:PutLogEvent"
108+ ]
109+
110+ resources = [" arn:aws:logs:${ var . aws_account_id } :log-group:${ var . log_group_name } :*" ]
111+ }
112+ }
113+
114+ # Lambda database snapshot policy
115+
116+ data "aws_iam_policy_document" "lambda_database_policy" {
117+ statement {
118+ effect = " Allow"
119+
120+ actions = [
121+ " " ,
122+ ]
123+ }
124+ }
125+
126+ # Scheduler Lambda invoke policy
127+
128+ data "aws_iam_policy_document" "scheduler_invoke_lambda_policy" {
129+ statement {
130+ effect = " Allow"
131+
132+ actions = [
133+ " lambda:InvokeFunction"
134+ ]
135+
136+ resources = lambda_function. arn
137+ }
138+ }
139+
140+ # Lambda role with assume policy and inline policies for logging and database access
141+
142+ resource "aws_iam_role" "lambda_role" {
143+ name = " ${ var . lambda_function_name } -lambda-role"
144+ assume_role_policy = data. aws_iam_policy_document . lambda_assume_role_policy . json
145+ inline_policy {
146+ name = " logging"
147+ policy = data. aws_iam_policy_document . lambda_logging_policy . json
148+ }
149+ inline_policy {
150+ name = " database"
151+ policy = data. aws_iam_policy_document . lambda_database_policy . json
152+ }
153+ }
154+
155+ # Scheduler role with assume policy and inline policies for invoking Lambda function
156+
157+ resource "aws_iam_role" "scheduler_role" {
158+ name = " ${ var . lambda_function_name } -scheduler-role"
159+ assume_role_policy = data. aws_iam_policy_document . scheduler_assume_role_policy . json
160+ inline_policy {
161+ name = " invoke Lambda function"
162+ policy = data. aws_iam_policy_document . scheduler_invoke_lambda_policy . json
163+ }
22164}
23165
24- resource "aws_lambda_function" "test_lambda" {
166+ # Cloudwatch log group
167+
168+ resource "aws_cloudwatch_log_group" "cw_log_group" {
169+ name = " /aws/lambda/${ var . lambda_function_name } "
170+ retention_in_days = 14
171+ }
172+
173+ # Scheduler rule
174+
175+ resource "aws_scheduler_schedule" "scheduler_daily" {
176+ name = " ${ var . lambda_function_name } -daily"
177+ description = " Daily backup of database snapshot from"
178+ group_name = " defaul"
179+ flexible_time_window {
180+ mode = " OFF"
181+ }
182+ schedule_expression = " rate(1 days)"
183+ target {
184+ arn = lambda_function. arn
185+ role_arn = aws_iam_role. scheduler_role . arn
186+
187+ }
188+ }
189+
190+ # Lambda function
191+
192+ resource "aws_lambda_function" "lambda_function" {
25193 filename = " package.zip"
26- function_name = " test_lambda "
27- role = aws_iam_role. test_lambda_role . arn
194+ function_name = var . lambda_function_name
195+ role = aws_iam_role. lambda_role . arn
28196 handler = " main.lambda_handler"
29197
30198 runtime = " python3.11"
199+ architectures = [" arm64" ]
200+ timeout = 10
31201
32202 environment {
33203 variables = {
34- foo = " bar"
204+ AWS_ACCOUNT = var.aws_account_id
205+ SOURCE_REGION = var.source_region
206+ TARGET_REGION = var.target_region
207+ SOURCE_DB = " ${ join (" ," , var. source_db )} "
208+ SOURCE_CLUSTER = " ${ join (" ," , var. source_cluster )} "
209+ DEST_KMS = var.target_kms
210+ KEEP_SNAPSHOTS = var.keep_snapshots
35211 }
36212 }
37213}
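Review bot: The logging policy grants a non-existent action and points at a malformed ARN, so the function ends up with no usable log permission: `logs:PutLogEvent` should be `logs:PutLogEvents`, and the resource string puts the account ID in the region slot (a CloudWatch Logs ARN is `arn:aws:logs:REGION:ACCOUNT:log-group:NAME:*`, and this function runs in `var.source_region`). The `database` inline policy is only a placeholder (`actions = [""]`, no `resources`) and will not be accepted by IAM as written; when it is filled in, scope the rds/kms actions to the snapshot ARNs derived from `var.source_db`/`var.source_cluster` and to `var.target_kms` rather than reaching for `*`. `lambda_function.arn` in the scheduler invoke policy and in the schedule target is not a valid reference (the resource is `aws_lambda_function.lambda_function`), and `resources` takes a list. Smaller issues in the same hunk: the inline policy name `"invoke Lambda function"` contains spaces IAM policy names do not allow, `group_name = "defaul"` is misspelled, `rate(1 days)` must be `rate(1 day)` for a value of one, and the Lambda lacks `source_code_hash = filebase64sha256("package.zip")`, so a rebuilt package would not be redeployed. Note also that `var.log_group_name` (declared in the earlier hunk) has a default that interpolates another variable, which Terraform does not permit in variable defaults, so the logging ARN below will not evaluate until that default is made literal.
```hcl
data "aws_iam_policy_document" "lambda_logging_policy" {
  statement {
    effect = "Allow"

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = ["arn:aws:logs:${var.source_region}:${var.aws_account_id}:log-group:${var.log_group_name}:*"]
  }
}

# … unchanged: lambda_database_policy placeholder (to be filled with rds/kms actions scoped to the snapshot and key ARNs) …

data "aws_iam_policy_document" "scheduler_invoke_lambda_policy" {
  statement {
    effect    = "Allow"
    actions   = ["lambda:InvokeFunction"]
    resources = [aws_lambda_function.lambda_function.arn]
  }
}

# … unchanged: lambda_role …

resource "aws_iam_role" "scheduler_role" {
  # … unchanged: name, assume_role_policy …
  inline_policy {
    name   = "invoke-lambda-function"
    policy = data.aws_iam_policy_document.scheduler_invoke_lambda_policy.json
  }
}

# … unchanged: cw_log_group …

resource "aws_scheduler_schedule" "scheduler_daily" {
  name                = "${var.lambda_function_name}-daily"
  group_name          = "default"
  schedule_expression = "rate(1 day)"
  # … unchanged: description, flexible_time_window …
  target {
    arn      = aws_lambda_function.lambda_function.arn
    role_arn = aws_iam_role.scheduler_role.arn
  }
}

resource "aws_lambda_function" "lambda_function" {
  filename         = "package.zip"
  source_code_hash = filebase64sha256("package.zip")
  # … unchanged: function_name, role, handler, runtime, architectures, timeout, environment …
}
```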