odin: rename backup notifications key arn and make optional

.gitignore

@@ -6,10 +6,10 @@
 *vulnerabilities*report*.json
 *report*json.zip
 .version
-
+.idea/
 *.code-workspace
 !project.code-workspace
 
 # Please, add your custom content below!
 
-.DS_Store
+.DS_Store

.pre-commit-config.yaml

@@ -0,0 +1,67 @@
+fail_fast: false
+exclude: '^.venv/.*'
+default_install_hook_types: [pre-commit, pre-push, commit-msg, prepare-commit-msg]
+default_stages: [pre-commit]
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-ast
+      - id: check-toml
+      - id: check-yaml
+      - id: check-json
+      - id: end-of-file-fixer
+      - id: fix-byte-order-marker
+      - id: trailing-whitespace
+      - id: check-executables-have-shebangs
+      - id: check-symlinks
+      - id: destroyed-symlinks
+      - id: mixed-line-ending
+      - id: detect-aws-credentials
+      - id: detect-private-key
+      - id: fix-byte-order-marker
+      - id: requirements-txt-fixer
+
+  - repo: local
+    hooks:
+      - id: trivy
+        name: trivy
+        entry: make tf-trivy
+        language: system
+        files: \.tf(vars)?$
+        pass_filenames: false
+      - id: tf-format
+        name: tf-format
+        entry: make tf-format
+        language: system
+        files: (\.tf|\.tfvars)$
+        exclude: \.terraform/.*$
+        pass_filenames: false
+      - id: tf-lint
+        name: tf-lint
+        entry: make tf-lint
+        language: system
+        files: (\.tf|\.tfvars)$
+        exclude: \.terraform/.*$
+        pass_filenames: false
+      - id: shellcheck
+        name: shellcheck
+        entry: make shellcheck
+        language: system
+        files: (\.sh)$
+        pass_filenames: false
+      - id: secrets
+        name: git secrets
+        entry: scripts/check-secrets.sh
+        language: script
+        pass_filenames: false
+      - id: secrets-commit-msg
+        name: git secrets check commit message
+        entry: scripts/check-secrets.sh commit-msg
+        language: system
+        stages: [commit-msg]
+      - id: secrets-prep-commit-msg
+        name: git secrets pre check commit message
+        entry: scripts/check-secrets.sh commit-msg
+        language: system
+        stages: [prepare-commit-msg]

.tflint.hcl

@@ -0,0 +1,14 @@
+
+plugin "aws" {
+  enabled = true
+  version = "0.41.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+config {
+  plugin_dir = "~/.tflint.d/plugins"
+  call_module_type = "local"
+  ignore_module = {
+    "does-not-work" = true
+  }
+}

.tool-versions

@@ -1,7 +1,9 @@
 # This file is for you! Please, updated to the versions agreed by your team.
 
-terraform 1.7.0
 pre-commit 3.6.0
+terraform 1.7.0
+trivy 0.64.1
+tflint 0.58.1
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.

CONTRIBUTING.md

@@ -0,0 +1,42 @@
+# Contributing
+
+## dependencies
+tools used:
+- make
+- git
+- [asdf version manager](https://asdf-vm.com/guide/getting-started.html)
+
+## first run ...
+
+### install project tools
+use asdf to ensure required tools are installed ... configured tools are in  [.tool-versions](.tool-versions)
+```bash
+cd ~/work/terraform-aws-backup
+for plugin in $(grep -E '^\w+' .tool-versions | cut -d' ' -f1); do asdf plugin add $plugin; done
+asdf install
+```
+
+### setup git-secrets
+git secrets scanning uses the awslabs https://github.com/awslabs/git-secrets there are options on how to install but
+```bash
+# if the command `git secrets` does not work in your repo
+# the git-secrets script needs to be added to somewhere in your PATH
+# for example if $HOME/.local/bin is in your PATH environment variable
+# then:
+wget https://raw.githubusercontent.com/awslabs/git-secrets/refs/heads/master/git-secrets -O ~/.local/bin/git-secrets
+chmod +x ~/.local/bin/git-secrets
+```
+
+### install pre-commit hooks
+```shell
+pre-commit install
+```
+
+
+### secrets
+the git-secrets script will try and avoid accidental committing of secrets
+patterns are excluded using  [.gitdisallowed](.gitdisallowed) and allow listed using  [.gitallowed](.gitallowed)
+You can check for secrets / test patterns at any time though with
+```shell
+make check-secrets-all
+```

Makefile

@@ -0,0 +1,52 @@
+SHELL:=/bin/bash -o pipefail -O globstar
+.SHELLFLAGS = -ec
+.PHONY: build dist
+.DEFAULT_GOAL := list
+make := make --no-print-directory
+
+list:
+	@grep '^[^#[:space:]].*:' Makefile
+
+
+guard-%:
+	@if [[ "${${*}}" == "" ]]; then \
+		echo "env var: $* not set"; \
+		exit 1; \
+	fi
+
+########################################################################################################################
+##
+## Makefile for this project things
+##
+########################################################################################################################
+pwd := ${PWD}
+dirname := $(notdir $(patsubst %/,%,$(CURDIR)))
+
+tf-lint:
+	tflint --chdir=modules/aws-backup-source --config "$(pwd)/.tflint.hcl"
+	tflint --chdir=modules/aws-backup-destination --config "$(pwd)/.tflint.hcl"
+	tflint --chdir=examples/source --config "$(pwd)/.tflint.hcl"
+	tflint --chdir=examples/destination --config "$(pwd)/.tflint.hcl"
+
+tf-format-check:
+	terraform fmt -check -recursive
+
+tf-format:
+	terraform fmt --recursive
+
+tf-trivy:
+	trivy conf --exit-code 1 ./ --skip-dirs "**/.terraform"
+
+shellcheck:
+	@docker run --rm -i -v ${PWD}:/mnt:ro koalaman/shellcheck -f gcc -e SC1090,SC1091 `find . \( -path "*/.venv/*" -prune -o -path "*/build/*" -prune -o -path "*/dist/*" -prune  -o -path "*/.tox/*" -prune \) -o -type f -name '*.sh' -print`
+
+lint: tf-lint tf-trivy shellcheck
+
+check-secrets:
+	scripts/check-secrets.sh
+
+check-secrets-all:
+	scripts/check-secrets.sh unstaged
+
+.env:
+	echo "LOCALSTACK_PORT=$$(python -c 'import socket; s=socket.socket(); s.bind(("", 0)); print(s.getsockname()[1])')" > .env

examples/destination/aws-backups.tf

@@ -1,4 +1,5 @@
-provider  "aws" {
+
+provider "aws" {
   alias  = "source"
   region = "eu-west-2"
 }
@@ -16,10 +17,8 @@ data "aws_caller_identity" "current" {}
 
 locals {
   # Adjust these as required
-  project_name = "my-shiny-project"
-  environment_name = "dev"
-
-  source_account_id = data.aws_arn.source_terraform_role.account
+  project_name           = "my-shiny-project"
+  source_account_id      = data.aws_arn.source_terraform_role.account
   destination_account_id = data.aws_caller_identity.current.account_id
 }
 
@@ -39,13 +38,18 @@ resource "aws_kms_key" "destination_backup_key" {
         Principal = {
           AWS = "arn:aws:iam::${local.destination_account_id}:root"
         }
-        Action = "kms:*"
+        Action   = "kms:*"
         Resource = "*"
       }
     ]
   })
 }
 
+resource "aws_kms_alias" "destination_backup" {
+  target_key_id = aws_kms_key.destination_backup_key.id
+  name          = "alias/${local.project_name}-backup-destination"
+}
+
 module "destination" {
   source = "../../modules/aws-backup-destination"
 

examples/destination/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+
+    aws = {
+      source  = "hashicorp/aws"
+      version = "> 5"
+    }
+
+  }
+
+  required_version = ">= 1.9.5"
+}

examples/source-bootstrap/permissions.tf

@@ -85,5 +85,5 @@ resource "aws_iam_policy" "source_account_backup_permissions" {
 
 resource "aws_iam_role_policy_attachment" "source_account_backup_permissions" {
   policy_arn = aws_iam_policy.source_account_backup_permissions.arn
-  role = var.terraform_apply_role_name
+  role       = var.terraform_apply_role_name
 }