/**
* # aws-terraform-backup / iam_default
*
* When controlling an account with Terraform you may not interact manually with the AWS Backup console. If you create resources via the console, the first time you state that you want to use the default AWS Backup role the console creates it for you. This module replicates that role exactly. Call this once per account and use the name in any AWS Backup selections where the default role is appropriate for your use case.
*
* ```HCL
* module "backup_iam_role" {
* source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-backup//modules/iam_default/?ref=v0.12.0"
* }
* ```
*/
terraform {
  # The module uses 0.12 expression syntax (unquoted references such as
  # data.aws_iam_policy_document.backup_assume.json), so 0.12 is the floor.
  required_version = ">= 0.12"

  required_providers {
    # Constraint-only form; the map form with `source` needs Terraform 0.13+,
    # which would raise the floor above the declared required_version.
    aws = ">= 2.34.0"
  }
}
data "aws_iam_policy_document" "backup_assume" {
  # Trust policy for the backup service role: only the AWS Backup service
  # principal may call sts:AssumeRole on it.
  statement {
    principals {
      type        = "Service"
      identifiers = ["backup.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]

    # NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set here,
    # which matches the console-created default role this module mirrors. If
    # cross-service confused-deputy hardening is wanted, a condition block in
    # this statement is the place; weigh that against the "replicate exactly" goal.
  }
}
resource "aws_iam_role" "backup_service" {
  # Path and name mirror the role the AWS Backup console creates on first use,
  # so Backup selections that reference the default role by name resolve here.
  path = "/service-role/"
  name = "AWSBackupDefaultServiceRole"

  description = "Provides AWS Backup permission to create backups and perform restores on your behalf across AWS services."

  # Trust policy rendered from the data source above (JSON string).
  assume_role_policy = data.aws_iam_policy_document.backup_assume.json
}
resource "aws_iam_role_policy_attachment" "backup" {
  # AWS-managed policy granting the backup-side permissions.
  # NOTE(review): the `aws` partition is hard-coded in this ARN; deployments in
  # another partition (e.g. GovCloud) would need data.aws_partition instead.
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
  role       = aws_iam_role.backup_service.name
}
resource "aws_iam_role_policy_attachment" "restore" {
  # AWS-managed policy granting the restore-side permissions; attached to the
  # same role so one role covers both backup and restore selections.
  # NOTE(review): partition `aws` is hard-coded, as in the sibling attachment.
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores"
  role       = aws_iam_role.backup_service.name
}