Merge pull request #10 from geekcell/vault-creation-optional

fix: Make vault creation optional

Author: Ic3w0lf

README.md

@@ -55,6 +55,7 @@ great choice.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_changeable_for_days"></a> [changeable\_for\_days](#input\_changeable\_for\_days) | The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create<br>  a vault lock in compliance mode. When you apply this setting:<br><br>  The vault will become immutable in 3 days after applying. You have 3 days of grace time to manage or delete the vault<br>  lock before it becomes immutable. During this time, only those users with specific IAM permissions can make changes.<br><br>  Once the vault is locked in compliance mode, it cannot be managed or deleted by anyone, even the root user or AWS.<br>  The only way to deactivate the lock is to terminate the account, which will delete all the backups.<br><br>  Since you cannot delete the Vault, it will be charged for backups until that date. Be careful! | `number` | `null` | no |
+| <a name="input_create_backup_vault"></a> [create\_backup\_vault](#input\_create\_backup\_vault) | Whether to create a backup vault or use a pre-existing one. | `bool` | `true` | no |
 | <a name="input_custom_rules"></a> [custom\_rules](#input\_custom\_rules) | Backup rules to add to the AWS Backup Vault. See examples for usage. | <pre>list(object({<br>    name     = string<br>    schedule = optional(string)<br><br>    start_window      = optional(number)<br>    completion_window = optional(number)<br><br>    enable_continuous_backup = optional(bool)<br>    recovery_point_tags      = optional(map(string), {})<br><br>    lifecycle = optional(object({<br>      cold_storage_after = optional(number)<br>      delete_after       = optional(number)<br>    }))<br><br>    copy_action = optional(object({<br>      destination_vault_arn = optional(string)<br>      lifecycle = optional(object({<br>        cold_storage_after = optional(number)<br>        delete_after       = optional(number)<br>      }))<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_enable_customer_managed_kms"></a> [enable\_customer\_managed\_kms](#input\_enable\_customer\_managed\_kms) | Whether to enable customer managed KMS encryption for the backup vault. | `bool` | `false` | no |
 | <a name="input_enable_vault_lock"></a> [enable\_vault\_lock](#input\_enable\_vault\_lock) | Whether to enable Vault Lock for the backup vault. | `bool` | `false` | no |
@@ -68,7 +69,7 @@ great choice.
 | <a name="input_selections"></a> [selections](#input\_selections) | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan. | <pre>list(object({<br>    name     = string<br>    role_arn = optional(string)<br><br>    arns = optional(list(string))<br>    tag = optional(object({<br>      type  = string<br>      key   = string<br>      value = string<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to add to the AWS Backup. | `map(any)` | `{}` | no |
 | <a name="input_vault_force_destroy"></a> [vault\_force\_destroy](#input\_vault\_force\_destroy) | Whether to allow the backup vault to be destroyed even if it contains recovery points. | `string` | `false` | no |
-| <a name="input_vault_name"></a> [vault\_name](#input\_vault\_name) | Name of the backup vault to create. | `string` | n/a | yes |
+| <a name="input_vault_name"></a> [vault\_name](#input\_vault\_name) | Name of the backup vault to create or use and existing one. | `string` | n/a | yes |
 
 ## Outputs
 
@@ -87,10 +88,11 @@ great choice.
 
 ## Resources
 
-- resource.aws_backup_plan.main (main.tf#45)
-- resource.aws_backup_selection.main (main.tf#103)
-- resource.aws_backup_vault.main (main.tf#27)
-- resource.aws_backup_vault_lock_configuration.main (main.tf#35)
+- resource.aws_backup_plan.main (main.tf#53)
+- resource.aws_backup_selection.main (main.tf#113)
+- resource.aws_backup_vault.main (main.tf#33)
+- resource.aws_backup_vault_lock_configuration.main (main.tf#43)
+- data source.aws_backup_vault.main (main.tf#27)
 
 # Examples
 ### Basic Example

main.tf

@@ -24,7 +24,15 @@ locals {
   )
 }
 
+data "aws_backup_vault" "main" {
+  count = var.create_backup_vault ? 0 : 1
+
+  name = var.vault_name
+}
+
 resource "aws_backup_vault" "main" {
+  count = var.create_backup_vault ? 1 : 0
+
   name          = var.vault_name
   force_destroy = var.vault_force_destroy
   kms_key_arn   = var.enable_customer_managed_kms ? module.kms[0].key_arn : var.kms_key_id
@@ -49,7 +57,7 @@ resource "aws_backup_plan" "main" {
     for_each = local.merged_rules
 
     content {
-      target_vault_name = aws_backup_vault.main.name
+      target_vault_name = var.vault_name
 
       rule_name                = rule.value.name
       schedule                 = rule.value.schedule
@@ -97,6 +105,8 @@ resource "aws_backup_plan" "main" {
     }
   }
 
+  depends_on = [aws_backup_vault.main]
+
   tags = var.tags
 }
 

outputs.tf

@@ -1,11 +1,11 @@
 output "backup_vault_id" {
   description = "The ID of the backup vault."
-  value       = aws_backup_vault.main.id
+  value       = var.create_backup_vault ? aws_backup_vault.main[0].id : data.aws_backup_vault.main[0].id
 }
 
 output "backup_vault_arn" {
   description = "The ARN of the backup vault."
-  value       = aws_backup_vault.main.arn
+  value       = var.create_backup_vault ? aws_backup_vault.main[0].arn : data.aws_backup_vault.main[0].arn
 }
 
 output "backup_plan_id" {

tests/custom_rules.tftest.hcl

@@ -41,7 +41,7 @@ run "create_vault_with_custom_rules" {
   }
 
   assert {
-    condition     = length(aws_backup_vault.main.kms_key_arn) >= 1
+    condition     = length(aws_backup_vault.main[0].kms_key_arn) >= 1
     error_message = "Expected Backup Plan to be encrypted by default AWS KMS key."
   }
 

tests/predefined_rules.tftest.hcl

@@ -21,7 +21,7 @@ run "create_vault_with_predefined_rules" {
   }
 
   assert {
-    condition     = length(aws_backup_vault.main.kms_key_arn) >= 1
+    condition     = length(aws_backup_vault.main[0].kms_key_arn) >= 1
     error_message = "Expected Backup Plan to be encrypted by default AWS KMS key."
   }
 
@@ -46,7 +46,7 @@ run "create_vault_with_predefined_rules" {
   }
 
   assert {
-    condition     = length(aws_backup_vault.main.tags) == 2
+    condition     = length(aws_backup_vault.main[0].tags) == 2
     error_message = "Expected Vault to have 2 tags."
   }
 

variables.tf

@@ -6,8 +6,14 @@ variable "tags" {
 }
 
 # Backup Vault
+variable "create_backup_vault" {
+  description = "Whether to create a backup vault or use a pre-existing one."
+  default     = true
+  type        = bool
+}
+
 variable "vault_name" {
-  description = "Name of the backup vault to create."
+  description = "Name of the backup vault to create or use and existing one."
   type        = string
 }