backup.tf
/* Prod EBS Backups -----------------------------*/

# Execution role for Amazon Data Lifecycle Manager (DLM).
# The trust policy lets the dlm.amazonaws.com service principal call
# sts:AssumeRole on this role; no other principal is listed.
# NOTE(review): the trust statement has no Condition block. Consider pinning
# it with aws:SourceAccount / aws:SourceArn to guard against cross-service
# confused-deputy use; confirm the condition keys DLM supports before adding.
resource "aws_iam_role" "prod_snapshots" {
  name = "dap-ps-prod-snapshots-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "dlm.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# Inline permissions policy attached to the DLM execution role above.
#
# Statement 1: create, delete and describe snapshots and describe volumes,
#   on Resource "*" with no Condition. As written, the role may delete ANY
#   snapshot the account's EC2 permissions reach, not only snapshots this
#   lifecycle policy created.
# Statement 2: ec2:CreateTags, limited to snapshot ARNs in any region.
#
# NOTE(review): the ec2:Describe* actions do not accept resource-level
# restrictions, so "*" is expected for them. ec2:DeleteSnapshot could be split
# into its own statement and narrowed with a tag condition; test that DLM
# retention still works before tightening.
# NOTE(review): anyone who can assume or pass this role can remove the
# backups. Consider alerting on DeleteSnapshot calls made outside the DLM
# schedule.
resource "aws_iam_role_policy" "prod_snapshots" {
  name = "dap-ps-prod-snapshots-policy"
  role = aws_iam_role.prod_snapshots.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*"
    }
  ]
}
EOF
}

# DLM lifecycle policy: one snapshot every 24 hours, keeping the newest 7,
# for every EBS volume tagged Fleet = "db.prod". Runs under the role above.
#
# NOTE(review): selection is purely tag-based. A prod DB volume that lacks
# the Fleet tag, or has it misspelled, is not backed up, and nothing in this
# file reports that. Whoever can edit that tag controls backup coverage.
# NOTE(review): no cross_region_copy_rule is configured here, so the
# snapshots appear to stay in the same account and region as the volumes.
# That gives no protection if the account or this role is compromised.
# NOTE(review): snapshot encryption is not set in this file; presumably it
# follows the source volume. Verify the db.prod volumes are encrypted.
resource "aws_dlm_lifecycle_policy" "prod_snapshots" {
  description        = "dap-ps prod DB DLM lifecycle policy"
  execution_role_arn = aws_iam_role.prod_snapshots.arn
  state              = "ENABLED"

  policy_details {
    resource_types = ["VOLUME"]

    schedule {
      name = "one week of daily snapshots"

      create_rule {
        interval      = 24
        interval_unit = "HOURS"
        # Start time of the daily run; presumably UTC, confirm against the
        # DLM documentation.
        times = ["23:45"]
      }

      # Count-based retention: once more than 7 snapshots exist for a volume,
      # older ones are removed, so the restore window is about one week.
      retain_rule {
        count = 7
      }

      # Tag applied to each snapshot this schedule creates.
      tags_to_add = {
        Source = "DLM lifecycle policy"
      }

      # Also copy the source volume's tags onto each snapshot.
      copy_tags = true
    }

    # Only volumes carrying this exact tag are snapshotted.
    target_tags = {
      Fleet = "db.prod"
    }
  }
}