fix: Velero backup_location to allow s3:actions with or without b…

…ucket prefix declaration. (#145)
aws-ia · Apr 27, 2023 · 06fedfe · 06fedfe
1 parent 1f0032a
commit 06fedfe
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 42 deletions.
diff --git a/main.tf b/main.tf
@@ -2731,12 +2731,13 @@ module "vpa" {
 ################################################################################
 # Velero
 ################################################################################
-
 locals {
-  velero_service_account         = try(var.velero.service_account_name, "velero-sa")
-  velero_backup_s3_bucket        = split(":", var.velero.s3_bucket_arn)
-  velero_backup_s3_bucket_name   = split("/", local.velero_backup_s3_bucket[5])
-  velero_backup_s3_bucket_prefix = split("/", var.velero.s3_bucket_arn)
+  velero_name                    = "velero"
+  velero_service_account         = try(var.velero.service_account_name, "${local.velero_name}-sa")
+  velero_backup_s3_bucket        = split(":", var.velero.s3_backup_location)
+  velero_backup_s3_bucket_arn    = try(split("/", var.velero.s3_backup_location)[0], var.velero.s3_backup_location)
+  velero_backup_s3_bucket_name   = try(split("/", local.velero_backup_s3_bucket[5])[1], local.velero_backup_s3_bucket[5])
+  velero_backup_s3_bucket_prefix = try(split("/", var.velero.s3_backup_location)[1], "")
 }
 
 # https://github.com/vmware-tanzu/velero-plugin-for-aws#option-1-set-permissions-with-an-iam-user
@@ -2773,12 +2774,12 @@ data "aws_iam_policy_document" "velero" {
       "s3:ListMultipartUploadParts",
       "s3:PutObject",
     ]
-    resources = [var.velero.s3_bucket_arn]
+    resources = [local.velero_backup_s3_bucket_prefix == "" ? "${var.velero.s3_backup_location}/*" : var.velero.s3_backup_location]
   }
 
   statement {
     actions   = ["s3:ListBucket"]
-    resources = [local.velero_backup_s3_bucket_prefix[0]]
+    resources = [local.velero_backup_s3_bucket_arn]
   }
 }
 
@@ -2847,11 +2848,11 @@ module "velero" {
     },
     {
       name  = "configuration.backupStorageLocation.prefix"
-      value = local.velero_backup_s3_bucket_prefix[1]
+      value = local.velero_backup_s3_bucket_prefix
     },
     {
       name  = "configuration.backupStorageLocation.bucket"
-      value = local.velero_backup_s3_bucket_name[0]
+      value = local.velero_backup_s3_bucket_name
     },
     {
       name  = "configuration.volumeSnapshotLocation.config.region"

diff --git a/tests/complete/main.tf b/tests/complete/main.tf
@@ -166,9 +166,12 @@ module "eks_blueprints_addons" {
   }
 
   enable_velero = true
-  # bucket is required
+  # An S3 Bucket ARN is required. This can be declared with or without a Prefix.
   velero = {
-    s3_bucket_arn = module.velero_backup_s3_bucket.s3_bucket_arn
+    # S3 Bucket ARN provided by an S3 Module (module.velero_backup_s3_bucket declared below), without prefix.
+    #s3_backup_location = module.velero_backup_s3_bucket.s3_bucket_arn
+    # S3 Bucket ARN for an already existing Bucket provided with prefix.
+    s3_backup_location = "arn:aws:s3:::backup/dev"
   }
 
   tags = local.tags
@@ -203,44 +206,45 @@ module "vpc" {
   tags = local.tags
 }
 
-module "velero_backup_s3_bucket" {
-  source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "~> 3.0"
 
-  bucket_prefix = "${local.name}-"
+# module "velero_backup_s3_bucket" {
+#   source  = "terraform-aws-modules/s3-bucket/aws"
+#   version = "~> 3.0"
 
-  # Allow deletion of non-empty bucket
-  # NOTE: This is enabled for example usage only, you should not enable this for production workloads
-  force_destroy = true
+#   bucket_prefix = "${local.name}-"
 
-  attach_deny_insecure_transport_policy = true
-  attach_require_latest_tls_policy      = true
+#   # Allow deletion of non-empty bucket
+#   # NOTE: This is enabled for example usage only, you should not enable this for production workloads
+#   force_destroy = true
 
-  acl = "private"
+#   attach_deny_insecure_transport_policy = true
+#   attach_require_latest_tls_policy      = true
 
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
+#   acl = "private"
 
-  control_object_ownership = true
-  object_ownership         = "BucketOwnerPreferred"
+#   block_public_acls       = true
+#   block_public_policy     = true
+#   ignore_public_acls      = true
+#   restrict_public_buckets = true
 
-  versioning = {
-    status     = true
-    mfa_delete = false
-  }
+#   control_object_ownership = true
+#   object_ownership         = "BucketOwnerPreferred"
 
-  server_side_encryption_configuration = {
-    rule = {
-      apply_server_side_encryption_by_default = {
-        sse_algorithm = "AES256"
-      }
-    }
-  }
+#   versioning = {
+#     status     = true
+#     mfa_delete = false
+#   }
 
-  tags = local.tags
-}
+#   server_side_encryption_configuration = {
+#     rule = {
+#       apply_server_side_encryption_by_default = {
+#         sse_algorithm = "AES256"
+#       }
+#     }
+#   }
+
+#   tags = local.tags
+# }
 
 module "ebs_csi_driver_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

diff --git a/variables.tf b/variables.tf
@@ -477,7 +477,6 @@ variable "vpa" {
 ################################################################################
 # Velero
 ################################################################################
-
 variable "enable_velero" {
   description = "Enable Kubernetes Dashboard add-on"
   type        = bool
@@ -493,7 +492,6 @@ variable "velero" {
 ################################################################################
 # Fargate Fluentbit
 ################################################################################
-
 variable "enable_fargate_fluentbit" {
   description = "Enable Fargate FluentBit add-on"
   type        = bool