From e10259e513e590b4ac74b8da1d5d48499e8b50db Mon Sep 17 00:00:00 2001
From: adam
Date: Mon, 26 Feb 2024 16:35:29 -0700
Subject: [PATCH] Add backup schedule for Vault
---
 environment/deployments/roundtable/main.tf | 43 ++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/environment/deployments/roundtable/main.tf b/environment/deployments/roundtable/main.tf
index b90ac8db..2c06198b 100644
--- a/environment/deployments/roundtable/main.tf
+++ b/environment/deployments/roundtable/main.tf
@@ -98,6 +98,49 @@ module "storage_bucket_b" {
 }
 }
+// Resources for backups
+
+resource "google_storage_transfer_project_service_account" "vault-server-storage-backup-sa" {
+ account_id = "vault-server-storage-backup"
+ display_name = "Vault Server Storage Backup"
+ description = "Terraform-managed service account for Vault Server storage backup"
+ project = module.project_factory.project_id
+}
+
+// Admin storage access to Vault Server backup bucket
+resource "google_storage_bucket_iam_binding" "vault-server-storage-backup-binding" {
+ bucket = module.storage_bucket_b.name
+ role = "roles/storage.admin"
+ members = var.vault_server_service_accounts
+}
+
+resource "google_storage_transfer_job" "vault-server-storage-backup" {
+ description = "Nightly backup of Vault Server storage"
+ project = module.project_factory.project_id
+ transfer_spec {
+ gcs_data_source {
+ bucket_name = module.storage_bucket.name
+ }
+ gcs_data_sink {
+ bucket_name = module.storage_bucket_b.name
+ }
+ }
+ schedule {
+ schedule_start_date {
+ year = 2024
+ month = 1
+ day = 1
+ }
+ start_time_of_day { // UTC: 2 AM Pacific Standard Time
+ hours = 10
+ minutes = 0
+ seconds = 0
+ nanos = 0
+ }
+ }
+ depends_on = [ google_storage_bucket_iam_binding.vault-server-storage-backup-binding ]
+}
+
 // RW storage access to Vault Server bucket
 resource "google_storage_bucket_iam_binding" "vault-server-storage-binding" {
 bucket = module.storage_bucket.name
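Review bot: The `resource "google_storage_transfer_project_service_account"` block is the wrong provider type for what it is meant to do: as far as I know the Google provider offers `google_storage_transfer_project_service_account` only as a data source (argument `project`, attributes such as `email`), while `account_id`/`display_name`/`description` are `google_service_account` arguments, so this is likely to fail at plan time and in any case never ties the Storage Transfer service agent to the job. The IAM binding below it grants `roles/storage.admin` on the backup bucket to `var.vault_server_service_accounts` — the Vault server's own runtime identities — which lets a compromised Vault host delete or overwrite its own backups, while the agent the transfer job actually runs as is granted nothing; note also that `google_storage_bucket_iam_binding` is authoritative for that role and will strip any other `roles/storage.admin` members from `module.storage_bucket_b`. I would resolve the agent with the data source, give it only read access on the source bucket and write access on the sink via `google_storage_bucket_iam_member`, keep the Vault runtime accounts off the backup bucket entirely, and point `depends_on` at those members. The sketch below assumes the service-agent role set from the Storage Transfer documentation; confirm the exact roles against it.
```hcl
// Service agent that Storage Transfer Service runs the job as (data source, not a managed resource)
data "google_storage_transfer_project_service_account" "default" {
  project = module.project_factory.project_id
}

// Read-only access to the source bucket for the transfer service agent
resource "google_storage_bucket_iam_member" "vault-server-storage-backup-source" {
  for_each = toset(["roles/storage.objectViewer", "roles/storage.legacyBucketReader"])
  bucket   = module.storage_bucket.name
  role     = each.value
  member   = "serviceAccount:${data.google_storage_transfer_project_service_account.default.email}"
}

// Write access to the backup bucket for the transfer service agent only — no Vault runtime identities here
resource "google_storage_bucket_iam_member" "vault-server-storage-backup-sink" {
  bucket = module.storage_bucket_b.name
  role   = "roles/storage.legacyBucketWriter"
  member = "serviceAccount:${data.google_storage_transfer_project_service_account.default.email}"
}

resource "google_storage_transfer_job" "vault-server-storage-backup" {
  // … unchanged: description, project, transfer_spec, schedule …
  depends_on = [
    google_storage_bucket_iam_member.vault-server-storage-backup-source,
    google_storage_bucket_iam_member.vault-server-storage-backup-sink,
  ]
}
```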