Add submodule for snapshots #8

Merged (5 commits), Feb 26, 2024
4 changes: 3 additions & 1 deletion .github/workflows/org-terraform-docs.yml
Expand Up @@ -5,4 +5,6 @@ on:

jobs:
terraform-docs:
uses: Coalfire-CF/Actions/.github/workflows/org-terraform-docs.yml@main
uses: Coalfire-CF/Actions/.github/workflows/org-terraform-docs.yml@main
with:
recursive: true
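Review bot: the reusable workflow is still referenced as `Coalfire-CF/Actions/.github/workflows/org-terraform-docs.yml@main` in the `uses:` line, so every run executes whatever is currently on that branch; anyone who can push to that branch can change what runs against this repository's checkout and token. Pin the reference to a release tag or, better, a full commit SHA (`...org-terraform-docs.yml@<sha>`) and bump it deliberately. The `recursive: true` input itself is the right addition for the new `modules/snapshot` tree, since terraform-docs otherwise only documents the root module.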
36 changes: 21 additions & 15 deletions .gitignore
@@ -1,3 +1,8 @@
# Ignore IDE directories
.idea
.vscode
.DS_Store

# Local .terraform directories
**/.terraform/*

Expand All @@ -7,6 +12,14 @@

# Crash log files
crash.log
crash.*.log

# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
Expand All @@ -15,22 +28,15 @@ override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negated pattern
# !example_override.tf

# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*

.idea
.idea/*
.vscode
.vscode/
*.iml
*.zip
.DS_Store

# NessusBurp Install files are too large to commit
**/nessusburp/*.exe
**/nessusburp/*.msi
**/nessusburp/*.txt
# Ignore CLI configuration files
.terraformrc
terraform.rc

# Ansible
*.pub
*.ppk
# Ignore Terraform lock files
.terraform.lock.hcl
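Review bot: the new `.terraform.lock.hcl` entry at the end of this hunk should be dropped; the dependency lock file records the selected provider versions and their hashes, and committing it is what pins `terraform init` to the same `hashicorp/google` build in every workstation and pipeline. Ignoring it means each run re-resolves the provider from the registry within whatever constraint applies, which undermines the "tested with provider versions 4.70 - 5.0" claim in the README. Separately, the `# Ansible` block with `*.pub` and `*.ppk` is on the removed side of this hunk; `*.ppk` is a PuTTY private-key format, so if those patterns are intentionally gone, confirm nothing in the tree depends on them to keep key material out of commits.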
9 changes: 4 additions & 5 deletions README.md
@@ -1,11 +1,10 @@
![Coalfire](coalfire_logo.png)


# GCP VM Terraform Module
# Google Cloud VM Terraform Module

## Description

This GCP Virtual Machine module allows you to easily configure and deploy any needed instances. This module will create the virtual machine as well as setup a snapshot schedule. Coalfire has tested this module with Terraform version 1.5.0 and the Hashicorp Google provider versions 4.70 - 5.0.
This Google Cloud Virtual Machine module allows you to easily configure and deploy any needed instances. This module will create the virtual machine as well as setup a snapshot schedule. Coalfire has tested this module with Terraform version 1.5.0 and the Hashicorp Google provider versions 4.70 - 5.0.

FedRAMP Compliance: High

Expand All @@ -17,8 +16,8 @@ data "google_compute_image" "rhel_9" {
filter = "name=rhel-9-v20231010"
}

module "linux-bastion" {
source = "github.com/Coalfire-CF/terraform-gcp-vm"
module "linux_bastion" {
source = "github.com/Coalfire-CF/terraform-google-vm"

project_id = data.terraform_remote_state.bootstrap.outputs.management_project_id

73 changes: 73 additions & 0 deletions modules/snapshot/README.md
@@ -0,0 +1,73 @@
# Google Cloud VM Snapshot

## Description

This module is used to create a resource policy for scheduling persistent disk snapshots.

## Usage

The below example creates a daily snapshot schedule with a default max retention time of 14 days.

```hcl
module "snapshot_schedule" {
source = "github.com/Coalfire-CF/terraform-google-vm//modules/snapshot"

project_id = "your-project-id"
region = "your-region"
name = "daily-snapshot"
}

module "linux_bastion" {
...

snapshot_schedule = module.snapshot_schedule.self_link
}
```

To assign the snapshot schedule to a VM, use the `self_link` output from this module and pass that into the `snapshot_schedule` variable of the VM module.

<!-- BEGIN_TF_DOCS -->
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | n/a |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [google_compute_resource_policy.policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_resource_policy) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_days_in_cycle"></a> [days\_in\_cycle](#input\_days\_in\_cycle) | Defines a schedule with units measured in days. The value determines how many days pass between the start of each cycle. Days in cycle for snapshot schedule policy must be 1. | `number` | `1` | no |
| <a name="input_guest_flush"></a> [guest\_flush](#input\_guest\_flush) | Whether to perform a 'guest aware' snapshot. | `bool` | `true` | no |
| <a name="input_labels"></a> [labels](#input\_labels) | Labels, provided as a map | `map(string)` | `null` | no |
| <a name="input_max_retention_days"></a> [max\_retention\_days](#input\_max\_retention\_days) | Maximum age of the snapshot that is allowed to be kept. | `number` | `14` | no |
| <a name="input_name"></a> [name](#input\_name) | Name of the resource policy to create. | `string` | n/a | yes |
| <a name="input_on_source_disk_delete"></a> [on\_source\_disk\_delete](#input\_on\_source\_disk\_delete) | Specifies the behavior to apply to scheduled snapshots when the source disk is deleted. | `string` | `"KEEP_AUTO_SNAPSHOTS"` | no |
| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The project ID where the resources will be created. | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | Region where resource policy resides. | `string` | n/a | yes |
| <a name="input_schedule"></a> [schedule](#input\_schedule) | Specifies the schedule frequency. | `string` | `"daily"` | no |
| <a name="input_start_time"></a> [start\_time](#input\_start\_time) | This must be in UTC format that resolves to one of 00:00, 04:00, 08:00, 12:00, 16:00, or 20:00. For example, both 13:00-5 and 08:00 are valid. | `string` | `"00:00"` | no |
| <a name="input_storage_locations"></a> [storage\_locations](#input\_storage\_locations) | Cloud Storage bucket location to store the auto snapshot (regional or multi-regional). | `list(string)` | `null` | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_id"></a> [id](#output\_id) | Resource snapshot ID. |
| <a name="output_policy"></a> [policy](#output\_policy) | Resource snapshot policy details. |
| <a name="output_self_link"></a> [self\_link](#output\_self\_link) | Resource snapshot self-link. |
<!-- END_TF_DOCS -->
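Review bot: the generated "Requirements: No requirements" and "google | n/a" rows show that `modules/snapshot` declares no `required_providers` or `required_version`, so consumers get whichever `google` provider resolves in their root module. Add a `versions.tf` with a `required_providers` block for `hashicorp/google` constrained to the range the root README says was tested (`>= 4.70, < 6.0` or similar) and a `required_version` matching the 1.5.0 baseline, then regenerate these tables. The usage text is also slightly out of order: the sentence explaining that `self_link` feeds the VM module's `snapshot_schedule` variable belongs above the example that already does it.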
31 changes: 31 additions & 0 deletions modules/snapshot/main.tf
@@ -0,0 +1,31 @@
resource "google_compute_resource_policy" "policy" {

name = var.name
project = var.project_id
region = var.region

snapshot_schedule_policy {
retention_policy {
max_retention_days = var.max_retention_days
on_source_disk_delete = var.on_source_disk_delete
}

schedule {

dynamic "daily_schedule" {
for_each = var.schedule == "daily" ? [1] : []
content {
days_in_cycle = var.days_in_cycle
start_time = var.start_time
}
}

}

snapshot_properties {
labels = var.labels
storage_locations = var.storage_locations != null ? var.storage_locations : [var.region]
guest_flush = var.guest_flush
}
}
}
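Review bot: the `dynamic "daily_schedule"` block is the only schedule type emitted, so any `var.schedule` value other than `"daily"` produces an empty `schedule {}` block; the provider requires exactly one of `hourly_schedule`, `daily_schedule` or `weekly_schedule` inside it, and the policy fails at plan or apply with a message that does not point back at the variable. Either implement `hourly_schedule` and `weekly_schedule` dynamic blocks alongside `daily_schedule`, or constrain `var.schedule` to the single supported value and say so in its description. The `storage_locations != null ? var.storage_locations : [var.region]` default is a sensible choice because it keeps snapshots in the same region as the source disk rather than a multi-region unless the caller opts in.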
14 changes: 14 additions & 0 deletions modules/snapshot/outputs.tf
@@ -0,0 +1,14 @@
output "policy" {
description = "Resource snapshot policy details."
value = google_compute_resource_policy.policy
}

output "id" {
description = "Resource snapshot ID."
value = google_compute_resource_policy.policy.id
}

output "self_link" {
description = "Resource snapshot self-link."
value = google_compute_resource_policy.policy.self_link
}
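Review bot: the three descriptions call the values "Resource snapshot ID", "Resource snapshot policy details" and "Resource snapshot self-link", but the resource is a `google_compute_resource_policy`, not a snapshot; a reader of the generated README may think they are getting snapshot identifiers. Rename to "Resource policy ID", "Resource policy (full resource attributes)" and "Resource policy self-link", and note in the `self_link` description that this is the value to pass to the VM module's `snapshot_schedule` input, since that is the only output the README usage example needs.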
68 changes: 68 additions & 0 deletions modules/snapshot/variables.tf
@@ -0,0 +1,68 @@
variable "project_id" {
type = string
description = "The project ID where the resources will be created."
}

variable "region" {
type = string
description = "Region where resource policy resides."
}

variable "name" {
type = string
description = "Name of the resource policy to create."
}

# Retention Policy

variable "max_retention_days" {
type = number
description = "Maximum age of the snapshot that is allowed to be kept."
default = 14
}

variable "on_source_disk_delete" {
type = string
description = "Specifies the behavior to apply to scheduled snapshots when the source disk is deleted."
default = "KEEP_AUTO_SNAPSHOTS"
}

# Schedule

variable "schedule" {
type = string
description = "Specifies the schedule frequency."
default = "daily"
}

variable "days_in_cycle" {
type = number
description = "Defines a schedule with units measured in days. The value determines how many days pass between the start of each cycle. Days in cycle for snapshot schedule policy must be 1."
default = 1
}

variable "start_time" {
type = string
description = "This must be in UTC format that resolves to one of 00:00, 04:00, 08:00, 12:00, 16:00, or 20:00. For example, both 13:00-5 and 08:00 are valid."
default = "00:00"
}

# Snapthot Properties

variable "labels" {
type = map(string)
description = "Labels, provided as a map"
default = null
}

variable "storage_locations" {
type = list(string)
description = "Cloud Storage bucket location to store the auto snapshot (regional or multi-regional)."
default = null
}

variable "guest_flush" {
type = bool
description = "Whether to perform a 'guest aware' snapshot."
default = true
}
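Review bot: none of the constrained inputs carry a `validation` block, so bad values surface only from the provider or the API. `schedule` should be restricted to the values `main.tf` actually handles (`validation { condition = contains(["daily"], var.schedule) ... }`), `on_source_disk_delete` to the two documented values `KEEP_AUTO_SNAPSHOTS` and `APPLY_RETENTION_POLICY`, and `days_in_cycle` to `1`, which its own description says is the only accepted value. `max_retention_days` could likewise be checked to be a positive number. Also fix the section comment typo "Snapthot Properties".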