Update backup vault module. (#203)

* Add ability to specifiy vault policy. * Update the docs. * Add ability to specify KMS key.
UKHomeOffice · Feb 5, 2025 · 48e405b · 48e405b
1 parent 378f55a
commit 48e405b
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 9 deletions.
diff --git a/modules/aws/backup_vault/README.md b/modules/aws/backup_vault/README.md
@@ -1,11 +1,4 @@
 <!-- BEGIN_TF_DOCS -->
-# Terraform Module for - backup-vault
-# Example terragrunt.hcl - inputs
-```hcl
-inputs = {
-  name = "local-backup-vault"
-}
-```
 ## Requirements
 
 No requirements.
@@ -25,12 +18,16 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
+| [aws_backup_vault_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_backup_vault_kms_key_arn"></a> [backup\_vault\_kms\_key\_arn](#input\_backup\_vault\_kms\_key\_arn) | ARN of the KMS key used to protect the AWS Backup vault. | `string` | `null` | no |
+| <a name="input_backup_vault_policy_json"></a> [backup\_vault\_policy\_json](#input\_backup\_vault\_policy\_json) | Resource Policy JSON for the AWS Backup vault. | `string` | `""` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the Backup Vault | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Resource tags | `map(string)` | n/a | yes |
 
 ## Outputs
 

diff --git a/modules/aws/backup_vault/main.tf b/modules/aws/backup_vault/main.tf
@@ -1,4 +1,12 @@
 resource "aws_backup_vault" "this" {
-  name = var.name
-  tags = var.tags
+  name        = var.name
+  tags        = var.tags
+  kms_key_arn = try(var.backup_vault_kms_key_arn, null)
 }
+
+# Created if the policy JSON is supplied.
+resource "aws_backup_vault_policy" "this" {
+  count             = var.backup_vault_policy_json != "" ? 1 : 0
+  backup_vault_name = aws_backup_vault.this.name
+  policy            = var.backup_vault_policy_json
+}
diff --git a/modules/aws/backup_vault/variables.tf b/modules/aws/backup_vault/variables.tf
@@ -3,6 +3,18 @@ variable "name" {
   type        = string
 }
 
+variable "backup_vault_policy_json" {
+  description = "Resource Policy JSON for the AWS Backup vault."
+  type        = string
+  default     = ""
+}
+
+variable "backup_vault_kms_key_arn" {
+  description = "ARN of the KMS key used to protect the AWS Backup vault."
+  type        = string
+  default     = null
+}
+
 variable "tags" {
   description = "Resource tags"
   type        = map(string)