From 1ddcaf38b9ed11127db13a6946f56a6d8f6ee534 Mon Sep 17 00:00:00 2001
From: Dmitrij Nikitenko
Date: Thu, 22 Sep 2022 19:49:02 +0300
Subject: [PATCH 1/2] chore: iam role name, pretty iam policy document, precommit updates
---
.pre-commit-config.yaml | 24 +++++++--------
README.md | 5 +++-
iam.tf | 65 ++++++++++++++++++-----------------------
selection.tf | 3 --
variables.tf | 6 ++++
5 files changed, 51 insertions(+), 52 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ba0c789..8b42c7a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,16 +1,16 @@
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
repos:
-- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.1.0
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.3.0
hooks:
- - id: trailing-whitespace
- - id: end-of-file-fixer
- - id: check-added-large-files
- - id: detect-aws-credentials
-- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.62.3 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
- hooks:
- - id: terraform_fmt
- - id: terraform_validate
- - id: terraform_docs
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-added-large-files
+ - id: detect-aws-credentials
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.75.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_validate
+ - id: terraform_docs
diff --git a/README.md b/README.md
index 03429d1..8c13e3f 100644
--- a/README.md
+++ b/README.md
@@ -155,7 +155,7 @@ module "aws_backup_example" {
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 3.75.1 |
+| [aws](#provider\_aws) | 4.31.0 |
## Modules
@@ -177,6 +177,8 @@ No modules.
| [aws_iam_role_policy_attachment.ab_restores_s3_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.ab_tag_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_sns_topic_policy.backup_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
+| [aws_iam_policy_document.ab_role_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ab_tag_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.backup_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -186,6 +188,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| [enabled](#input\_enabled) | Change to false to avoid deploying any AWS Backup resources | `bool` | `true` | no |
| [iam\_role\_arn](#input\_iam\_role\_arn) | If configured, the module will attach this role to selections, instead of creating IAM resources by itself | `string` | `null` | no |
+| [iam\_role\_name](#input\_iam\_role\_name) | Allow to set IAM role name, otherwise use predefined default | `string` | `""` | no |
| [notifications](#input\_notifications) | Notification block which defines backup vault events and the SNS Topic ARN to send AWS Backup notifications to. Leave it empty to disable notifications | `any` | `{}` | no |
| [plan\_name](#input\_plan\_name) | The display name of a backup plan | `string` | n/a | yes |
| [rule\_completion\_window](#input\_rule\_completion\_window) | The amount of time AWS Backup attempts a backup before canceling the job and returning an error | `number` | `null` | no |
diff --git a/iam.tf b/iam.tf
index f7259e0..6fedd6b 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,22 +1,21 @@
data "aws_partition" "current" {}
-resource "aws_iam_role" "ab_role" {
- count = var.enabled && var.iam_role_arn == null ? 1 : 0
- name = "aws-backup-plan-${var.plan_name}-role"
- assume_role_policy = <
Date: Fri, 23 Sep 2022 10:11:58 +0300
Subject: [PATCH 2/2] chore: optional effect allow
---
iam.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iam.tf b/iam.tf
index 6fedd6b..187636e 100644
--- a/iam.tf
+++ b/iam.tf
@@ -4,7 +4,7 @@ data "aws_iam_policy_document" "ab_role_assume_role_policy" {
count = var.enabled && var.iam_role_arn == null ? 1 : 0
statement {
actions = ["sts:AssumeRole"]
-
+ effect = "Allow"
principals {
type = "Service"
identifiers = ["backup.amazonaws.com"]
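Review bot: The trust statement in the second patch's iam.tf hunk names the `backup.amazonaws.com` service principal with no `condition` block, so nothing in the policy ties assumption of the role to this account; the `effect = "Allow"` the commit adds only restates the provider's default and leaves the rendered policy unchanged. The usual mitigation for a service-principal trust is a `StringEquals` condition on `aws:SourceAccount` (and `aws:SourceArn` where the service sets it — confirm against the AWS Backup confused-deputy guidance) so that the role is only assumable on behalf of resources in the owning account. The value should come from the account the module runs in rather than a literal; the `statement` block is closed outside the hunk, so the condition belongs after the `principals` block shown here.
```hcl
      effect = "Allow"
      # … unchanged: principals block …
      condition {
        test     = "StringEquals"
        variable = "aws:SourceAccount"
        values   = ["<ACCOUNT_ID>"] # constructed placeholder: resolve from the caller account at plan time
      }
```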