Manual onboarding process using Clumio Terraform provider

This article describes how to manually onboard your AWS account to the Clumio platform using the Terraform provider.

Step 1 - Preparation

The following starter Terraform configuration sets up the required Clumio and AWS providers. The Clumio provider interacts with the Clumio cloud on your behalf. For allowed API base URLs, please refer to the Clumio provider documentation.

Download providers using the terraform init command.

terraform {
  required_providers {
    clumio = {
      source  = "clumio-code/clumio"
      version = "~>0.5.1"
    }
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Instantiate the Clumio provider
provider "clumio" {
  clumio_api_token    = "<clumio_api_token>"
  clumio_api_base_url = "<clumio_api_base_url>"
}

The AWS provider is used by the Clumio AWS module to provision the resources required to enable data protection in the AWS account and region to be protected. As such, set the following environment variables:

$ export AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID>
$ export AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>

# If a session token is required ...
$ export AWS_SESSION_TOKEN=<AWS_SESSION_TOKEN>

Information on other ways to provide credentials for the AWS provider can be found here.

Step 2 - Create an AWS connection

Next, add the following to the Terraform configuration to instantiate a Clumio connection to the AWS account associated with the AWS environment variables set up during Preparation.

NOTE: The connection must be established before deploying the resources as the external ID attached to it is utilized while creating the resources.

# Instantiate the AWS provider
provider "aws" {
  region = "us-west-2"
}

# Retrieve the effective AWS account ID and region
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Register a new Clumio connection for the effective AWS account ID and region
resource "clumio_aws_connection" "connection" {
  account_native_id = data.aws_caller_identity.current.account_id
  aws_region        = data.aws_region.current.name
  description       = "My Clumio Connection"
}

Step 3 - Fetch resources required to create the stack ARNs

Next, fetch the resources required to create the stack ARNs to be deployed in the manual connection. This data can be stored in a different file or directory if required.

The resources attribute returned by this data source is a JSON-encoded string and must be decoded (for example with jsondecode) before its contents can be used.

# Fetch manual resources
data "clumio_aws_manual_connection_resources" "get_resources" {
  account_native_id = data.aws_caller_identity.current.account_id
  aws_region = data.aws_region.current.name
  asset_types_enabled = {
    ebs = true
    rds = true
    ddb = true
    s3 = true
    mssql = true
  }
}

Fetched resources will follow a structure like this:

"roles": {
	"ClumioIAMRole": {
		...content
	},
	...content
},
"topics": {
	"ClumioEventPub": {
		...content
	},
	...content
},
"rules": {
	"ClumioCloudtrailEventRule": {
		...content
	},
	...content
},
"ssm_documents": {
	"Clumio-AGDatabaseDetails": {
		...content
	},
	...content
}

The Terraform resource for the same can be found here.
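The following is an added example, not part of the original article or the Clumio provider documentation. It decodes the stringified resources attribute and outputs an inventory of what Clumio asks you to create, so the IAM roles, topics, rules and SSM documents can be reviewed before anything is deployed. The local and output names are hypothetical, and it assumes the decoded document has the top-level keys shown above.

```hcl
locals {
  # The data source returns a JSON-encoded string; decode it once and reuse it.
  manual_resources = jsondecode(
    data.clumio_aws_manual_connection_resources.get_resources.resources
  )

  # Categories shown in this article (assumed to be top-level keys).
  expected_categories = ["roles", "topics", "rules", "ssm_documents"]

  # Resource names per category. try() yields an empty map when a category
  # is absent, for example when the matching asset type is not enabled.
  resource_inventory = {
    for category in local.expected_categories :
    category => keys(try(local.manual_resources[category], {}))
  }

  # Any top-level key not listed above is surfaced instead of being ignored,
  # so a change in what the provider returns is noticed during review.
  unexpected_categories = sort(tolist(setsubtract(
    keys(local.manual_resources),
    local.expected_categories
  )))
}

# Hypothetical output: names of the resources to review and then create.
output "clumio_resource_inventory" {
  description = "Names of the roles, topics, rules and SSM documents returned for this connection"
  value       = local.resource_inventory
}

# Hypothetical output: should be an empty list under the assumption above.
output "clumio_unexpected_categories" {
  description = "Top-level keys in the decoded resources that this configuration does not account for"
  value       = local.unexpected_categories
}
```

Run terraform plan or terraform apply and compare clumio_resource_inventory against the asset types you enabled before creating the stack resources in your account.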

Step 4 - Complete manual connection

After creating the required stack ARNs using the above resources, provide the stack ARNs to the connection as follows:

resource "clumio_aws_manual_connection" "update_resources" {

  account_id = data.aws_caller_identity.current.account_id
  aws_region = data.aws_region.current.name
  assets_enabled = {
    ebs = true
    rds = true
    ddb = true
    s3 = true
    mssql = true
  }
  resources = {
    clumio_iam_role_arn = "clumio_iam_role_arn"
    clumio_event_pub_arn = "clumio_event_pub_arn"
    clumio_support_role_arn = "clumio_support_role_arn"
    event_rules = {
      cloudtrail_rule_arn = "cloudtrail_rule_arn"
      cloudwatch_rule_arn = "cloudwatch_rule_arn"
    }

    service_roles = {
      s3 = {
        continuous_backups_role_arn = "continuous_backups_role_arn"
      }
      mssql = {
        ssm_notification_role_arn = "ssm_notification_role_arn"
        ec2_ssm_instance_profile_arn = "ec2_ssm_instance_profile_arn"
      }
    }
  }
}

# Decode the JSON-encoded resources string returned by the data source in Step 3
output "external_id" {
  value = jsondecode(data.clumio_aws_manual_connection_resources.get_resources.resources)
}

The Terraform resource for the same can be found here.