

DSOS-2690: update db backup retention (#6737)
* add additional lifecycle policies for rman backup

* CSR: update db-backup lifecycle

* fix

* fix

* update db backup lifecycle
drobinson-moj authored Jun 26, 2024
1 parent d6b983c commit fd54a3d
Showing 11 changed files with 58 additions and 85 deletions.
9 changes: 3 additions & 6 deletions terraform/environments/corporate-staff-rostering/locals.tf
Expand Up @@ -29,6 +29,7 @@ locals {
]
cloudwatch_metric_oam_links_ssm_parameters = ["hmpps-oem-${local.environment}"]
cloudwatch_metric_oam_links = ["hmpps-oem-${local.environment}"]
db_backup_bucket_name = "csr-db-backup-bucket"
enable_azure_sas_token = true
enable_backup_plan_daily_and_weekly = true
enable_business_unit_kms_cmks = true
Expand All @@ -38,6 +39,8 @@ locals {
enable_ec2_self_provision = true
enable_ec2_oracle_enterprise_managed_server = true
enable_ec2_user_keypair = true
enable_s3_bucket = true
enable_s3_db_backup_bucket = true
enable_s3_shared_bucket = true
iam_policies_filter = ["ImageBuilderS3BucketWriteAndDeleteAccessPolicy"]
iam_policies_ec2_default = ["EC2S3BucketWriteAndDeleteAccessPolicy", "ImageBuilderS3BucketWriteAndDeleteAccessPolicy"]
Expand Down Expand Up @@ -77,12 +80,6 @@ locals {
}
}

s3_buckets = {
s3-bucket = {
iam_policies = module.baseline_presets.s3_iam_policies
}
}

security_groups = {
domain = local.security_groups.domain
web = local.security_groups.web
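Review bot: The new `enable_s3_db_backup_bucket = true` option replaces a per-environment `s3_buckets` entry, and in the production and preprod files of this commit the removed entries carried a `bucket_policy_v2` (the ProdPreprod/DevTest read-only policies) that does not reappear here, so cross-environment read access to the backup bucket now rests entirely on the preset's `db_backup_bucket_policy`; a comment such as `enable_s3_db_backup_bucket = true # bucket, KMS key, cross-env bucket policy and lifecycle now come from baseline_presets/s3.tf` next to the option would make that dependency visible. The same applies to the nomis-combined-reporting/locals.tf section of this commit. Whether the preset reproduces each environment's former policy cannot be confirmed from this page, since `s3_environment_specific` is defined outside the shown hunks.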
Expand Up @@ -3,6 +3,8 @@ locals {

baseline_presets_development = {
options = {
cloudwatch_metric_oam_links_ssm_parameters = [] # disable in dev as environment gets nuked
cloudwatch_metric_oam_links = [] # disable in dev as environment gets nuked
}
}

Expand Up @@ -1110,13 +1110,6 @@ locals {
}
}

s3_buckets = {
csr-db-backup-bucket = {
custom_kms_key = module.environment.kms_keys["general"].arn
iam_policies = module.baseline_presets.s3_iam_policies
}
}

secretsmanager_secrets = {
"/oracle/database/PPIWFM" = {
secrets = {
Expand Up @@ -895,16 +895,6 @@ locals {
}
}

s3_buckets = {
csr-db-backup-bucket = {
custom_kms_key = module.environment.kms_keys["general"].arn
bucket_policy_v2 = [
module.baseline_presets.s3_bucket_policies.ProdPreprodEnvironmentsReadOnlyAccessBucketPolicy,
]
iam_policies = module.baseline_presets.s3_iam_policies
}
}

secretsmanager_secrets = {
"/oracle/database/PIWFM" = {
secrets = {
Expand Up @@ -21,11 +21,6 @@ locals {
]
iam_policies = module.baseline_presets.s3_iam_policies
}

csr-db-backup-bucket = {
custom_kms_key = module.environment.kms_keys["general"].arn
iam_policies = module.baseline_presets.s3_iam_policies
}
}
}
}
9 changes: 3 additions & 6 deletions terraform/environments/nomis-combined-reporting/locals.tf
Expand Up @@ -20,6 +20,7 @@ locals {

baseline_presets_all_environments = {
options = {
db_backup_bucket_name = "ncr-db-backup-bucket"
enable_azure_sas_token = true
enable_backup_plan_daily_and_weekly = true
enable_business_unit_kms_cmks = true
Expand All @@ -28,6 +29,8 @@ locals {
enable_ec2_self_provision = true
enable_ec2_oracle_enterprise_managed_server = true
enable_ec2_user_keypair = true
enable_s3_bucket = true
enable_s3_db_backup_bucket = true
iam_policies_filter = ["ImageBuilderS3BucketWriteAndDeleteAccessPolicy"]
iam_policies_ec2_default = ["EC2S3BucketWriteAndDeleteAccessPolicy", "ImageBuilderS3BucketWriteAndDeleteAccessPolicy"]
s3_iam_policies = ["EC2S3BucketWriteAndDeleteAccessPolicy"]
Expand Down Expand Up @@ -91,12 +94,6 @@ locals {
}
}

s3_buckets = {
s3-bucket = {
iam_policies = module.baseline_presets.s3_iam_policies
}
}

security_groups = local.security_groups
}
}
Expand Up @@ -29,12 +29,5 @@ locals {
"development.reporting.nomis.service.justice.gov.uk" = {
}
}

s3_buckets = {
ncr-db-backup-bucket = {
custom_kms_key = module.environment.kms_keys["general"].arn
iam_policies = module.baseline_presets.s3_iam_policies
}
}
}
}
Expand Up @@ -483,13 +483,6 @@ locals {
}
}

s3_buckets = {
ncr-db-backup-bucket = {
custom_kms_key = module.environment.kms_keys["general"].arn
iam_policies = module.baseline_presets.s3_iam_policies
}
}

secretsmanager_secrets = {
"/ec2/ncr-bip/pp" = local.bip_secretsmanager_secrets
"/ec2/ncr-web/pp" = local.web_secretsmanager_secrets
Expand Up @@ -105,16 +105,6 @@ locals {
}
}

s3_buckets = {
ncr-db-backup-bucket = {
custom_kms_key = module.environment.kms_keys["general"].arn
bucket_policy_v2 = [
module.baseline_presets.s3_bucket_policies.ProdPreprodEnvironmentsReadOnlyAccessBucketPolicy,
]
iam_policies = module.baseline_presets.s3_iam_policies
}
}

secretsmanager_secrets = {
"/oracle/database/PDBIPSYS" = local.database_secretsmanager_secrets
"/oracle/database/PDBIPAUD" = local.database_secretsmanager_secrets
Expand Up @@ -283,14 +283,6 @@ locals {
]
iam_policies = module.baseline_presets.s3_iam_policies
}

ncr-db-backup-bucket = {
custom_kms_key = module.environment.kms_keys["general"].arn
bucket_policy_v2 = [
module.baseline_presets.s3_bucket_policies.DevTestEnvironmentsReadOnlyAccessBucketPolicy,
]
iam_policies = module.baseline_presets.s3_iam_policies
}
}

secretsmanager_secrets = {
69 changes: 50 additions & 19 deletions terraform/modules/baseline_presets/s3.tf
Expand Up @@ -54,18 +54,27 @@ locals {
s3-bucket = {
iam_policies = local.requested_s3_iam_policies
lifecycle_rule = [local.s3_lifecycle_rules.default]
tags = {
backup = "false"
}
}
(local.s3_environment_specific.db_backup_bucket_name) = {
bucket_policy_v2 = local.s3_environment_specific.db_backup_bucket_policy
custom_kms_key = var.environment.kms_keys["general"].arn
iam_policies = local.requested_s3_iam_policies
lifecycle_rule = [local.s3_lifecycle_rules.default]
lifecycle_rule = [var.environment.environment == "production" ? local.s3_lifecycle_rules.rman_backup_one_year : local.s3_lifecycle_rules.rman_backup_one_month]
tags = {
backup = "false"
}
}
(local.s3_environment_specific.shared_bucket_name) = {
bucket_policy_v2 = local.s3_environment_specific.shared_bucket_policy
custom_kms_key = var.environment.kms_keys["general"].arn
iam_policies = local.requested_s3_iam_policies
lifecycle_rule = [local.s3_lifecycle_rules.default]
tags = {
backup = "false"
}
}
}

Expand All @@ -89,8 +98,11 @@ locals {
EC2S3BucketWriteAndDeleteAccessPolicy = local.iam_policy_statements_s3.S3ReadWriteDelete
}

# STANDARD_IA: transition days must be >= 30
# GLACIER: minimum storage period of 90 days
s3_lifecycle_rules = {

# the default from modernisation-platform-terraform-s3-bucket module
default = {
id = "main"
enabled = "Enabled"
Expand All @@ -103,7 +115,8 @@ locals {
{
days = 90
storage_class = "STANDARD_IA"
}, {
},
{
days = 365
storage_class = "GLACIER"
}
Expand All @@ -126,31 +139,49 @@ locals {
}
}

ninety_day_standard_ia_ten_year_expiry = {
id = "ninety_day_standard_ia_ten_year_expiry"
rman_backup_one_month = {
id = "rman_backup_one_month"
enabled = "Enabled"
prefix = ""
tags = {
rule = "log"
autoclean = "true"
}
transition = [{
days = 90
storage_class = "STANDARD_IA"
}]
expiration = {
days = 3650
transition = []
expiration = { days = 31 }
noncurrent_version_transition = []
noncurrent_version_expiration = { days = 7 }
}

rman_backup_one_year = {
id = "rman_backup_one_year"
enabled = "Enabled"
prefix = ""
tags = {
rule = "log"
autoclean = "true"
}
noncurrent_version_transition = [{
days = 90
storage_class = "STANDARD_IA"
}, {
days = 365
storage_class = "GLACIER"
}]
noncurrent_version_expiration = {
days = 3650
transition = [{ days = 30, storage_class = "GLACIER" }]
expiration = { days = 365 }
noncurrent_version_transition = []
noncurrent_version_expiration = { days = 7 }
}

ninety_day_standard_ia_ten_year_expiry = {
id = "ninety_day_standard_ia_ten_year_expiry"
enabled = "Enabled"
prefix = ""
tags = {
rule = "log"
autoclean = "true"
}
transition = [{ days = 90, storage_class = "STANDARD_IA" }]
expiration = { days = 3650 }
noncurrent_version_transition = [
{ days = 90, storage_class = "STANDARD_IA" },
{ days = 365, storage_class = "GLACIER" },
]
noncurrent_version_expiration = { days = 3650 }
}
}
}
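Review bot: Both new rules, rman_backup_one_month and rman_backup_one_year, set `noncurrent_version_expiration = { days = 7 }`, so on a versioned bucket an overwritten or deleted RMAN backup is gone for good after seven days even though current objects are kept for 31 or 365 days; if that short recovery window is intentional, record it with `# noncurrent versions are kept 7 days only: this is the window for restoring an overwritten or deleted backup` above each rule, otherwise align it with the rule's expiration. The `tags = { rule = "log", autoclean = "true" }` block is carried over from the other rules; if the bucket module maps `tags` onto the lifecycle rule's filter, the expiry applies only to objects carrying those tags, which is worth confirming before relying on it for retention. The production-only selection in `lifecycle_rule = [var.environment.environment == "production" ? ... : ...]` also deserves a one-line comment stating that only production keeps a year of backups and every other environment keeps a month. `s3_environment_specific` and the default rule's expiration are outside the shown hunks.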
