Created TF module to perform AMI snapshots using Lamda Functions

cloudposse · Aug 10, 2017 · bec3b82 · bec3b82
1 parent c858f54
commit bec3b82
Show file tree

Hide file tree

Showing 4 changed files with 176 additions and 146 deletions.
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
-# Terraform config for automatic AMI create
+# Terraform module for automatic AMI creation
 
-This repo contains a terraform configuration that creates two lambda functions
-that will take AMI automatic at regular intervals. It is based on
+This repo contains a terraform module that creates two lambda functions
+that will create AMI automatically at regular intervals. It is based on
 the code at
 <https://serverlesscode.com/post/lambda-schedule-ebs-snapshot-backups/> and
 <https://serverlesscode.com/post/lambda-schedule-ebs-snapshot-backups-2/>.
@@ -10,21 +10,36 @@ the code at
 
 Include this repository as a module in your existing terraform code:
 
+Notes:
+* `ami_owner` is an AWS account id.
 
 ```
 module "lambda_ami_backup" {
   source = "git::https://github.com/cloudposse/tf_lambda_ami_backup.git?ref=master"
 
-  backup_schedule   = "cron(00 19 * * ? *)"
-  cleanup_schedule  = "cron(05 19 * * ? *)"
   name              = "${var.name}"
   stage             = "${var.stage}"
   namespace         = "${var.namespace}"
+  region            = "${var.region}"
+  ami_owner         = "${var.ami_owner}"
 }
 ```
 
 
-### Configuring your instances to be backed up
+## Variables
+
+|  Name                        |  Default       |  Description                                              | Required |
+|:----------------------------:|:--------------:|:--------------------------------------------------------:|:--------:|
+| namespace                    | ``             | Namespace (e.g. `cp` or `cloudposse`)                    | Yes      |
+| stage                        | ``             | Stage (e.g. `prod`, `dev`, `staging`                     | Yes      |
+| name                         | ``             | Name  (e.g. `bastion` or `db`)                           | Yes      |
+| region                       | ``             | AWS Region where module should operate (e.g. `us-east-1`)| Yes      |
+| ami_owner                    | ``             | AWS Account ID which is used as a filter for AMI list (e.g. `123456789012`)| Yes      |
+| backup_schedule              | `cron(00 19 * * ? *)` | The scheduling expression. (e.g. cron(0 20 * * ? *) or rate(5 minutes) | No       |
+| cleanup_schedule             | `cron(05 19 * * ? *)` | The scheduling expression. (e.g. cron(0 20 * * ? *) or rate(5 minutes) | No       |
+
+
+## Configuring your instances to be backed up
 
 Tag any instances you want to be backed up with `Snapshot = true`.
 

diff --git a/backup_function.tf b/backup_function.tf
diff --git a/main.tf b/main.tf
@@ -1,6 +1,159 @@
-module "tf_label" {
+data "aws_iam_policy_document" "default" {
+  statement {
+    sid = ""
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "lambda.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "sts:AssumeRole",
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "ami_backup" {
+  statement {
+    actions = [
+      "logs:*",
+    ]
+
+    resources = [
+      "arn:aws:logs:*:*:*",
+    ]
+  }
+
+  statement {
+    actions = [
+      "ec2:*",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+data "archive_file" "ami_backups_zip" {
+  type        = "zip"
+  source_file = "${path.module}/lambda_ami_backups.py"
+  output_path = "${path.module}/lambda_ami_backups.zip"
+}
+
+data "archive_file" "ami_cleanups_zip" {
+  type        = "zip"
+  source_file = "${path.module}/lambda_ami_cleanups.py"
+  output_path = "${path.module}/lambda_ami_cleanups.zip"
+}
+
+module "label" {
   source    = "git::https://github.com/cloudposse/tf_label.git?ref=tags/0.1.0"
   namespace = "${var.namespace}"
   stage     = "${var.stage}"
   name      = "${var.name}"
 }
+
+module "label_backup" {
+  source    = "git::https://github.com/cloudposse/tf_label.git?ref=tags/0.1.0"
+  namespace = "${var.namespace}"
+  stage     = "${var.stage}"
+  name      = "${var.name}-backup"
+}
+
+module "label_cleanup" {
+  source    = "git::https://github.com/cloudposse/tf_label.git?ref=tags/0.1.0"
+  namespace = "${var.namespace}"
+  stage     = "${var.stage}"
+  name      = "${var.name}-cleanup"
+}
+
+resource "aws_iam_role" "ami_backup" {
+  name               = "${module.label.id}"
+  assume_role_policy = "${data.aws_iam_policy_document.default.json}"
+}
+
+resource "aws_iam_role_policy" "ami_backup" {
+  name   = "${module.label.id}"
+  role   = "${aws_iam_role.ami_backup.id}"
+  policy = "${data.aws_iam_policy_document.ami_backup.json}"
+}
+
+resource "aws_lambda_function" "ami_backup" {
+  filename         = "${path.module}/lambda_ami_backups.zip"
+  function_name    = "${module.label_backup.id}"
+  description      = "Automatically backs up instances tagged with backup: true"
+  role             = "${aws_iam_role.ami_backup.arn}"
+  timeout          = 60
+  handler          = "lambda_ami_backups.lambda_handler"
+  runtime          = "python2.7"
+  source_code_hash = "${data.archive_file.ami_backups_zip.output_base64sha256}"
+
+  environment = {
+    variables = {
+      region    = "${var.region}"
+      ami_owner = "${var.ami_owner}"
+    }
+  }
+}
+
+resource "aws_lambda_function" "ami_cleanup" {
+  filename         = "${path.module}/lambda_ami_cleanups.zip"
+  function_name    = "${module.label_cleanup.id}"
+  description      = "Cleans up old AMI backups"
+  role             = "${aws_iam_role.ami_backup.arn}"
+  timeout          = 60
+  handler          = "lambda_ami_cleanups.lambda_handler"
+  runtime          = "python2.7"
+  source_code_hash = "${data.archive_file.ami_cleanups_zip.output_base64sha256}"
+
+  environment = {
+    variables = {
+      region    = "${var.region}"
+      ami_owner = "${var.ami_owner}"
+    }
+  }
+}
+
+resource "aws_cloudwatch_event_rule" "ami_backup" {
+  name                = "${module.label_backup.id}"
+  description         = "Schedule for ami snapshot backups"
+  schedule_expression = "${var.backup_schedule}"
+}
+
+resource "aws_cloudwatch_event_rule" "ami_cleanup" {
+  name                = "${module.label_cleanup.id}"
+  description         = "Schedule for ami snapshot cleanup"
+  schedule_expression = "${var.cleanup_schedule}"
+}
+
+resource "aws_cloudwatch_event_target" "ami_backup" {
+  rule      = "${aws_cloudwatch_event_rule.ami_backup.name}"
+  target_id = "schedule_ami_backups"
+  arn       = "${aws_lambda_function.ami_backup.arn}"
+}
+
+resource "aws_cloudwatch_event_target" "ami_cleanup" {
+  rule      = "${aws_cloudwatch_event_rule.ami_cleanup.name}"
+  target_id = "schedule_ami_cleanups"
+  arn       = "${aws_lambda_function.ami_cleanup.arn}"
+}
+
+resource "aws_lambda_permission" "ami_backup" {
+  statement_id  = "${module.label_backup.id}"
+  action        = "lambda:InvokeFunction"
+  function_name = "${aws_lambda_function.ami_backup.function_name}"
+  principal     = "events.amazonaws.com"
+  source_arn    = "${aws_cloudwatch_event_rule.ami_backup.arn}"
+}
+
+resource "aws_lambda_permission" "ami_cleanup" {
+  statement_id  = "${module.label_cleanup.id}"
+  action        = "lambda:InvokeFunction"
+  function_name = "${aws_lambda_function.ami_cleanup.function_name}"
+  principal     = "events.amazonaws.com"
+  source_arn    = "${aws_cloudwatch_event_rule.ami_cleanup.arn}"
+}
diff --git a/variables.tf b/variables.tf
@@ -13,7 +13,7 @@ variable "ami_owner" {
 }
 
 variable "region" {
-  default = "us-east-1"
+  default = ""
 }
 
 variable "retention" {