Change resources variable to selections object to allow more customization

Author: Ic3w0lf

README.md

@@ -55,7 +55,7 @@ great choice.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_changeable_for_days"></a> [changeable\_for\_days](#input\_changeable\_for\_days) | The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create<br>  a vault lock in compliance mode. When you apply this setting:<br><br>  The vault will become immutable in 3 days after applying. You have 3 days of grace time to manage or delete the vault<br>  lock before it becomes immutable. During this time, only those users with specific IAM permissions can make changes.<br><br>  Once the vault is locked in compliance mode, it cannot be managed or deleted by anyone, even the root user or AWS.<br>  The only way to deactivate the lock is to terminate the account, which will delete all the backups.<br><br>  Since you cannot delete the Vault, it will be charged for backups until that date. Be careful! | `number` | `null` | no |
-| <a name="input_custom_rules"></a> [custom\_rules](#input\_custom\_rules) | Backup rules to add to the AWS Backup Vault. See examples for usage. | <pre>list(object({<br>    name     = string<br>    schedule = optional(string)<br><br>    start_window      = optional(number)<br>    completion_window = optional(number)<br><br>    enable_continuous_backup = optional(bool)<br>    recovery_point_tags      = optional(map(string), {})<br><br>    lifecycle = optional(object({<br>      cold_storage_after = optional(number)<br>      delete_after       = optional(number)<br>    }))<br><br>    copy_action = optional(object({<br>      destination_vault_arn = optional(string)<br>      lifecycle = optional(object({<br>        cold_storage_after = optional(number)<br>        delete_after       = optional(number)<br>      }))<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_custom_rules"></a> [custom\_rules](#input\_custom\_rules) | Backup rules to add to the AWS Backup Vault. See examples for usage. | <pre>list(object({<br>    name     = string<br>    schedule = optional(string)<br><br>    start_window      = optional(number)<br>    completion_window = optional(number)<br><br>    enable_continuous_backup = optional(bool)<br>    recovery_point_tags      = optional(map(string), {})<br><br>    lifecycle = optional(object({<br>      cold_storage_after = optional(number)<br>      delete_after       = optional(number)<br>    }))<br><br>    copy_action = optional(object({<br>      destination_vault_arn = optional(string)<br>      lifecycle             = optional(object({<br>        cold_storage_after = optional(number)<br>        delete_after       = optional(number)<br>      }))<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_enable_customer_managed_kms"></a> [enable\_customer\_managed\_kms](#input\_enable\_customer\_managed\_kms) | Whether to enable customer managed KMS encryption for the backup vault. | `bool` | `false` | no |
 | <a name="input_enable_vault_lock"></a> [enable\_vault\_lock](#input\_enable\_vault\_lock) | Whether to enable Vault Lock for the backup vault. | `bool` | `false` | no |
 | <a name="input_enable_windows_vss_backup"></a> [enable\_windows\_vss\_backup](#input\_enable\_windows\_vss\_backup) | Whether to enable Windows VSS backup for the backup plan. | `bool` | `false` | no |
@@ -64,8 +64,8 @@ great choice.
 | <a name="input_min_retention_days"></a> [min\_retention\_days](#input\_min\_retention\_days) | The minimum retention period that the vault retains its recovery points. | `number` | `7` | no |
 | <a name="input_plan_name"></a> [plan\_name](#input\_plan\_name) | The display name of the backup plan. | `string` | n/a | yes |
 | <a name="input_predefined_rules"></a> [predefined\_rules](#input\_predefined\_rules) | A list of predefined backup rules to add to the AWS Backup Plan. See examples for usage. | `list(string)` | `[]` | no |
-| <a name="input_resources"></a> [resources](#input\_resources) | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan. | `list(string)` | `[]` | no |
 | <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The ARN of the IAM role that AWS Backup uses to authenticate when restoring or backing up the target resources. If left empty, a default role will be created. | `string` | `null` | no |
+| <a name="input_selections"></a> [selections](#input\_selections) | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan. | <pre>list(object({<br>    name     = string<br>    role_arn = optional(string)<br><br>    arns = optional(list(string))<br>    tag  = optional(object({<br>      type  = string<br>      key   = string<br>      value = string<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to add to the AWS Backup. | `map(any)` | `{}` | no |
 | <a name="input_vault_force_destroy"></a> [vault\_force\_destroy](#input\_vault\_force\_destroy) | Whether to allow the backup vault to be destroyed even if it contains recovery points. | `string` | `false` | no |
 | <a name="input_vault_name"></a> [vault\_name](#input\_vault\_name) | Name of the backup vault to create. | `string` | n/a | yes |
@@ -98,9 +98,19 @@ great choice.
 module "basic-example" {
   source = "../../"
 
-  vault_name = "main"
-  plan_name  = "s3"
-  resources  = ["arn:aws:s3:::my-bucket"]
+  vault_name = "my-project"
+  plan_name  = "customer-data"
+
+  selections = [
+    {
+      name = "s3-buckets"
+      arns = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-other-bucket"]
+    },
+    {
+      name = "db-snaps"
+      arns = ["arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance"]
+    }
+  ]
 }
 ```
 
@@ -109,9 +119,8 @@ module "basic-example" {
 module "with-rules" {
   source = "../../"
 
-  vault_name = "main"
-  plan_name  = "s3"
-  resources  = ["arn:aws:s3:::my-bucket"]
+  vault_name = "my-project"
+  plan_name  = "customer-data"
 
   predefined_rules = ["daily-snapshot", "monthly-snapshot"]
   custom_rules = [
@@ -128,6 +137,17 @@ module "with-rules" {
       }
     }
   ]
+
+  selections = [
+    {
+      name = "s3-buckets"
+      arns = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-other-bucket"]
+    },
+    {
+      name = "db-snaps"
+      arns = ["arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance"]
+    }
+  ]
 }
 ```
 

examples/minimal/main.tf

@@ -1,7 +1,17 @@
 module "basic-example" {
   source = "../../"
 
-  vault_name = "main"
-  plan_name  = "s3"
-  resources  = ["arn:aws:s3:::my-bucket"]
+  vault_name = "my-project"
+  plan_name  = "customer-data"
+
+  selections = [
+    {
+      name = "s3-buckets"
+      arns = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-other-bucket"]
+    },
+    {
+      name = "db-snaps"
+      arns = ["arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance"]
+    }
+  ]
 }

examples/with-predefined-rules/main.tf

@@ -1,9 +1,8 @@
 module "with-rules" {
   source = "../../"
 
-  vault_name = "main"
-  plan_name  = "s3"
-  resources  = ["arn:aws:s3:::my-bucket"]
+  vault_name = "my-project"
+  plan_name  = "customer-data"
 
   predefined_rules = ["daily-snapshot", "monthly-snapshot"]
   custom_rules = [
@@ -20,4 +19,15 @@ module "with-rules" {
       }
     }
   ]
+
+  selections = [
+    {
+      name = "s3-buckets"
+      arns = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-other-bucket"]
+    },
+    {
+      name = "db-snaps"
+      arns = ["arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance"]
+    }
+  ]
 }

main.tf

@@ -101,13 +101,23 @@ resource "aws_backup_plan" "main" {
 }
 
 resource "aws_backup_selection" "main" {
-  count = length(var.resources) > 0 ? 1 : 0
+  for_each = { for sel in var.selections : sel.name => sel }
 
-  name    = "${var.vault_name}-backup"
+  name    = "${var.vault_name}-${each.key}"
   plan_id = aws_backup_plan.main.id
 
-  iam_role_arn = coalesce(var.role_arn, module.iam_role[0].arn)
-  resources    = var.resources
+  iam_role_arn = coalesce(each.value.role_arn, module.iam_role[0].arn)
+  resources    = each.value.arns
+
+  dynamic "selection_tag" {
+    for_each = each.value.tag != null ? [each.value.tag] : []
+
+    content {
+      key   = selection_tag.value.key
+      type  = selection_tag.value.type
+      value = selection_tag.value.value
+    }
+  }
 }
 
 module "iam_role" {

tests/custom_rules.tftest.hcl

@@ -18,9 +18,15 @@ run "create_vault_with_custom_rules" {
       }
     ]
 
-    resources = [
-      "arn:aws:s3:::example-bucket-arn",
-      "arn:aws:elasticfilesystem:eu-central-1:*:file-system/fs-0123456789abcdef8"
+    selections = [
+      {
+        name = "s3-buckets"
+        arns = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-other-bucket"]
+      },
+      {
+        name = "db-snaps"
+        arns = ["arn:aws:rds:eu-central-1:*:db:my-mysql-instance"]
+      }
     ]
 
     tags = {
@@ -50,8 +56,13 @@ run "create_vault_with_custom_rules" {
   }
 
   assert {
-    condition     = length(aws_backup_selection.main[0].resources) == 2
-    error_message = "Expected backup selection to contain 2 resources."
+    condition     = length(aws_backup_selection.main["s3-buckets"].resources) == 2
+    error_message = "Expected S3 backup selection to contain 2 resources."
+  }
+
+  assert {
+    condition     = length(aws_backup_selection.main["db-snaps"].resources) == 1
+    error_message = "Expected DB backup selection to contain 1 resources."
   }
 
   assert {
@@ -60,7 +71,7 @@ run "create_vault_with_custom_rules" {
   }
 
   assert {
-    condition     = aws_backup_selection.main[0].iam_role_arn == module.iam_role[0].arn
+    condition     = aws_backup_selection.main["s3-buckets"].iam_role_arn == module.iam_role[0].arn
     error_message = "Expected backup selection IAM role to be the default one."
   }
 }

variables.tf

@@ -115,10 +115,20 @@ variable "enable_windows_vss_backup" {
 }
 
 # Backup Selection
-variable "resources" {
+variable "selections" {
   description = "An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan."
   default     = []
-  type        = list(string)
+  type = list(object({
+    name     = string
+    role_arn = optional(string)
+
+    arns = optional(list(string))
+    tag = optional(object({
+      type  = string
+      key   = string
+      value = string
+    }))
+  }))
 }
 
 variable "role_arn" {