From 270a1e1593a99d0288ac28d28b056cad581e0dcb Mon Sep 17 00:00:00 2001
From: "Vincent.Cheung"
Date: Thu, 17 Oct 2024 09:34:52 +0100
Subject: [PATCH 1/3] TM-586 Add production backup rules

---
 terraform/environments/apex/backups.tf | 71 +++++++++++++++++++++++++-
 terraform/environments/apex/ec2.tf | 50 +++++++++---------
 terraform/environments/apex/locals.tf | 1 +
 3 files changed, 96 insertions(+), 26 deletions(-)

diff --git a/terraform/environments/apex/backups.tf b/terraform/environments/apex/backups.tf
index 9fa237b1460..b7395c01530 100644
--- a/terraform/environments/apex/backups.tf
+++ b/terraform/environments/apex/backups.tf
@@ -1,5 +1,5 @@
 ############################################################################
-## This file is used to create a backup vault for migrating EFS data only
+## This following is used to create a backup vault for migrating EFS data only
 ## Resources here can be removed after data migration
 ############################################################################
 
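Review bot: The reworded header `## This following is used to create a backup vault for migrating EFS data only` is ungrammatical, and the line under it, `## Resources here can be removed after data migration`, stops being true for the file as a whole once the production vault, plan and selection are appended further down in this same patch. Suggest either restoring `## This file is used ...` or narrowing the scope so a later clean-up does not remove the wrong resources: `## The following vault exists only for migrating EFS data and can be removed after migration; the production backup resources below must be kept.` The rest of the file is outside this hunk.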
@@ -55,3 +55,72 @@ resource "aws_backup_vault_policy" "apex" {
 backup_vault_name = aws_backup_vault.apex.name
 policy = data.aws_iam_policy_document.apex.json
 }
+
+############################################################################
+## This following is required for setting up hourly backup for production
+############################################################################
+
+
+resource "aws_backup_vault" "prod_apex" {
+ count = local.environment == "production" ? 1 : 0
+ name = "${local.application_name}-production-backup-vault"
+ tags = merge(
+ local.tags,
+ { "Name" = "${local.application_name}-production-backup-vault" },
+ )
+}
+
+resource "aws_backup_plan" "prod_apex" {
+ count = local.environment == "production" ? 1 : 0
+ name = "${local.application_name}-backup-hourly-retain-35-days"
+
+ rule {
+ rule_name = "${local.application_name}-backup-hourly-retain-35-days"
+ target_vault_name = aws_backup_vault.prod_apex.name
+
+ # Backup every day at 12:00am
+ schedule = "cron(0 * * * ? *)"
+
+ # The amount of time in minutes to start and finish a backup
+ ## Start the backup within 1 hour of the schedule
+ start_window = (1 * 60)
+ ## Complete the backup within 6 hours of starting
+ completion_window = (6 * 60)
+
+ lifecycle {
+ delete_after = 35
+ }
+ }
+
+ advanced_backup_setting {
+ backup_options = {
+ WindowsVSS = "enabled"
+ }
+ resource_type = "EC2"
+ }
+
+ tags = merge(
+ local.tags,
+ { "Name" = "${local.application_name}-backup-plan" },
+ )
+}
+
+resource "aws_backup_selection" "prod_apex" {
+ count = local.environment == "production" ? 1 : 0
+ name = "${local.application_name}-production-backup"
+ iam_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/AWSBackup"
+ plan_id = aws_backup_plan.prod_apex[0].id
+ resources = ["*"]
+
+ condition {
+ string_equals {
+ key = "aws:ResourceTag/snapshot-with-hourly-35-day-retention"
+ value = "yes"
+ }
+ # TODO tags required to be confirmed
+ # string_equals {
+ # key = "aws:ResourceTag/is-production"
+ # value = "true"
+ # }
+ }
+}
\ No newline at end of file
diff --git a/terraform/environments/apex/ec2.tf b/terraform/environments/apex/ec2.tf
index 945972f0570..4629c3cb4fe 100644
--- a/terraform/environments/apex/ec2.tf
+++ b/terraform/environments/apex/ec2.tf
@@ -33,7 +33,7 @@ resource "aws_instance" "apex_db_instance" {
 local.tags,
 { "Name" = local.database_ec2_name },
 { "instance-scheduling" = "skip-scheduling" },
- { "snapshot-with-daily-7-day-retention" = "yes" }
+ local.backup_schedule_tags
 )
 }
 
@@ -63,14 +63,14 @@ resource "aws_vpc_security_group_ingress_rule" "db_ecs" {
 to_port = 1521
 }
 
-resource "aws_vpc_security_group_ingress_rule" "db_mp_vpc" {
- security_group_id = aws_security_group.database.id
- description = "Allow MP VPC (OAS) to access database instance"
- cidr_ipv4 = data.aws_vpc.shared.cidr_block
- from_port = 1521
- ip_protocol = "tcp"
- to_port = 1521
-}
+# resource "aws_vpc_security_group_ingress_rule" "db_mp_vpc" {
+# security_group_id = aws_security_group.database.id
+# description = "Allow MP VPC (OAS) to access database instance"
+# cidr_ipv4 = data.aws_vpc.shared.cidr_block
+# from_port = 1521
+# ip_protocol = "tcp"
+# to_port = 1521
+# }
 
 resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
 security_group_id = aws_security_group.database.id
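Review bot: The new `aws_backup_vault.prod_apex` is created with no access policy and no lock configuration, while the migration vault earlier in this file does get an `aws_backup_vault_policy`; for a production vault meant to hold 35 days of hourly recovery points, a vault policy denying `backup:DeleteRecoveryPoint` or an `aws_backup_vault_lock_configuration` with `min_retention_days = 35` would stop the recovery points being removed with the same credentials that manage the instance. `iam_role_arn` is a hand-built string naming a role `AWSBackup` that this series neither creates nor references; if it is defined elsewhere, referencing it through a data source or resource would make the dependency explicit and fail at plan time instead of when the first job runs. The `advanced_backup_setting` enables `WindowsVSS` for `EC2`, but the volume names in ec2.tf (u01-orahome, u02-oradata, u03-redo, u04-arch) point to a Linux Oracle host, where that option would have no effect — confirm it is intended. The file also ends without a trailing newline, which `terraform fmt` would report.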
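Review bot: This hunk, together with the `@@ -81,24 +81,24 @@` hunk in the same file, comments out three database-listener ingress rules (`db_mp_vpc`, `db_workspace`, `oas_lz`) in a commit whose subject is about backup rules; applying it destroys those security-group rules, which is unrelated to TM-586 and easy to miss in review. If the removal is intended, delete the blocks rather than leaving commented-out resources, and put the change in its own commit with the reason recorded; the now-orphaned `# This is a temp rule whilst OAS resides in LZ` comment above the commented `oas_lz` block should go with it. If it is not intended, restore the blocks before merging.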
@@ -81,24 +81,24 @@ resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
 to_port = 22
 }
 
-resource "aws_vpc_security_group_ingress_rule" "db_workspace" {
- security_group_id = aws_security_group.database.id
- description = "Database listener port access to Workspaces"
- cidr_ipv4 = local.application_data.accounts[local.environment].workspace_cidr
- from_port = 1521
- ip_protocol = "tcp"
- to_port = 1521
-}
+# resource "aws_vpc_security_group_ingress_rule" "db_workspace" {
+# security_group_id = aws_security_group.database.id
+# description = "Database listener port access to Workspaces"
+# cidr_ipv4 = local.application_data.accounts[local.environment].workspace_cidr
+# from_port = 1521
+# ip_protocol = "tcp"
+# to_port = 1521
+# }
 
 # This is a temp rule whilst OAS resides in LZ
-resource "aws_vpc_security_group_ingress_rule" "oas_lz" {
- security_group_id = aws_security_group.database.id
- description = "Allow OAS in LZ to access APEX"
- cidr_ipv4 = local.application_data.accounts[local.environment].oas_lz_cidr
- from_port = 1521
- ip_protocol = "tcp"
- to_port = 1521
-}
+# resource "aws_vpc_security_group_ingress_rule" "oas_lz" {
+# security_group_id = aws_security_group.database.id
+# description = "Allow OAS in LZ to access APEX"
+# cidr_ipv4 = local.application_data.accounts[local.environment].oas_lz_cidr
+# from_port = 1521
+# ip_protocol = "tcp"
+# to_port = 1521
+# }
 
 resource "aws_vpc_security_group_egress_rule" "db_outbound" {
 security_group_id = aws_security_group.database.id
diff --git a/terraform/environments/apex/locals.tf b/terraform/environments/apex/locals.tf
index e2c997dfec1..6de0178eed1 100644
--- a/terraform/environments/apex/locals.tf
+++ b/terraform/environments/apex/locals.tf
@@ -78,6 +78,7 @@ locals {
 app_db_password_name = "APP_APEX_DBPASSWORD_TAD"
 db_hostname = "db.${local.application_name}"
+ backup_schedule_tags = local.environment == "production" ? { "snapshot-with-hourly-35-day-retention" = "yes" } : { "snapshot-with-daily-7-day-retention" = "yes" }
 database-instance-userdata = <
Date: Thu, 17 Oct 2024 09:37:59 +0100
Subject: [PATCH 2/3] Fix indexing issue for backup

---
 terraform/environments/apex/backups.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/apex/backups.tf b/terraform/environments/apex/backups.tf
index b7395c01530..f5bc06ba8bf 100644
--- a/terraform/environments/apex/backups.tf
+++ b/terraform/environments/apex/backups.tf
@@ -76,7 +76,7 @@ resource "aws_backup_plan" "prod_apex" {
 
 rule {
 rule_name = "${local.application_name}-backup-hourly-retain-35-days"
- target_vault_name = aws_backup_vault.prod_apex.name
+ target_vault_name = aws_backup_vault.prod_apex[0].name
 
 # Backup every day at 12:00am
 schedule = "cron(0 * * * ? *)"

From 602bb83c7116fe9f42f0de919480d0b7025fac09 Mon Sep 17 00:00:00 2001
From: "Vincent.Cheung"
Date: Thu, 17 Oct 2024 14:06:36 +0100
Subject: [PATCH 3/3] TM-586 Correct backup schedule and update tags on EBS instead

---
 terraform/environments/apex/backups.tf | 10 +++++-----
 terraform/environments/apex/ec2.tf | 8 ++++++--
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/terraform/environments/apex/backups.tf b/terraform/environments/apex/backups.tf
index f5bc06ba8bf..47887a15f11 100644
--- a/terraform/environments/apex/backups.tf
+++ b/terraform/environments/apex/backups.tf
@@ -78,14 +78,14 @@ resource "aws_backup_plan" "prod_apex" {
 rule_name = "${local.application_name}-backup-hourly-retain-35-days"
 target_vault_name = aws_backup_vault.prod_apex[0].name
 
- # Backup every day at 12:00am
+ # Backup hourly
 schedule = "cron(0 * * * ? *)"
 
 # The amount of time in minutes to start and finish a backup
- ## Start the backup within 1 hour of the schedule
- start_window = (1 * 60)
- ## Complete the backup within 6 hours of starting
- completion_window = (6 * 60)
+ ## Start the backup within 10 minutes of the schedule
+ start_window = (10)
+ ## Complete the backup within 30 minutes of starting
+ completion_window = (30)
 
 lifecycle {
 delete_after = 35
diff --git a/terraform/environments/apex/ec2.tf b/terraform/environments/apex/ec2.tf
index 4629c3cb4fe..85bdd2c5873 100644
--- a/terraform/environments/apex/ec2.tf
+++ b/terraform/environments/apex/ec2.tf
@@ -26,14 +26,14 @@ resource "aws_instance" "apex_db_instance" {
 tags = merge(
 local.tags,
 { "Name" = "${local.application_name}db-ec2-root" },
+ local.backup_schedule_tags
 )
 }
 
 tags = merge(
 local.tags,
 { "Name" = local.database_ec2_name },
- { "instance-scheduling" = "skip-scheduling" },
- local.backup_schedule_tags
+ { "instance-scheduling" = "skip-scheduling" }
 )
 }
 
@@ -177,6 +177,7 @@ resource "aws_ebs_volume" "u01-orahome" {
 tags = merge(
 local.tags,
 { "Name" = "${local.application_name}db-ec2-u01-orahome" },
+ local.backup_schedule_tags
 )
 }
 resource "aws_volume_attachment" "u01-orahome" {
@@ -198,6 +199,7 @@ resource "aws_ebs_volume" "u02-oradata" {
 tags = merge(
 local.tags,
 { "Name" = "${local.application_name}db-ec2-u02-oradata" },
+ local.backup_schedule_tags
 )
 }
 
@@ -222,6 +224,7 @@ resource "aws_ebs_volume" "u03-redo" {
 tags = merge(
 local.tags,
 { "Name" = "${local.application_name}db-ec2-u03-redo" },
+ local.backup_schedule_tags
 )
 }
 resource "aws_volume_attachment" "u03-redo" {
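Review bot: `start_window = (10)` is below the floor AWS Backup enforces — the BackupRule API documents that StartWindowMinutes, when set, must be at least 60 — so this plan update is likely to be rejected at apply time, and `completion_window = (30)` should be checked against the service's own minimum before merging. If the aim is that an hourly job never overlaps the next hour, the default `start_window = 60` with `cron(0 * * * ? *)` already gives that, because a job that has not started by the end of the window is cancelled rather than queued. The parentheses around bare numbers are also unusual HCL; `start_window = 60` reads more plainly. The enclosing `rule` block continues outside this hunk.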
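Review bot: Moving `local.backup_schedule_tags` from the instance tags to the root block device here and to the four `aws_ebs_volume` resources in the `@@ -177`, `@@ -198`, `@@ -222` and `@@ -243` hunks means the selection in backups.tf now matches five volumes individually instead of the instance; each volume is then snapshotted at its own point inside the start window, so u02-oradata, u03-redo and u04-arch are not guaranteed to form a consistent set, which matters if they belong to one Oracle database (inferred from the names — confirm). Instance-level selection snapshots the attached volumes together as one crash-consistent set; if the tag was taken off the instance deliberately (for example to avoid AMI creation), the trade-off deserves a comment next to `backup_schedule_tags` in locals.tf. Either way the `advanced_backup_setting` for resource type `EC2` in backups.tf no longer applies to anything selected and should be dropped or its purpose documented.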
@@ -243,6 +246,7 @@ resource "aws_ebs_volume" "u04-arch" {
 tags = merge(
 local.tags,
 { "Name" = "${local.application_name}db-ec2-u04-arch" },
+ local.backup_schedule_tags
 )
 }
 resource "aws_volume_attachment" "u04-arch" {