Manual onboarding process using Clumio Terraform provider
This article describes how to manually onboard your AWS account to the Clumio platform using the Terraform provider.
Preparation
The following starter Terraform configuration sets up the required Clumio and AWS providers. The Clumio provider interacts with the Clumio cloud on your behalf. For permitted API base URLs, refer to the Clumio provider documentation.
Download the providers using the terraform init command.
terraform {
required_providers {
clumio = {
source = "clumio-code/clumio"
version = "~>0.5.1"
}
aws = {}
}
}
# Instantiate the Clumio provider (replace the placeholders with your API token and permitted base URL)
provider "clumio" {
clumio_api_token = "<clumio_api_token>"
clumio_api_base_url = "<clumio_api_base_url>"
}
The AWS provider is used by the Clumio AWS module to provision the resources required to enable data protection in the AWS account and region to be protected. As such, set the following environment variables:
$ export AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID>
$ export AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>
# If a session token is required ...
$ export AWS_SESSION_TOKEN=<AWS_SESSION_TOKEN>
Information on other ways to provide credentials for the AWS provider can be found in the AWS provider documentation.
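The provider block above places the Clumio API token directly in the configuration file. As an added example that is not part of the original article, the same provider can be configured from a sensitive input variable, so the token is supplied at apply time rather than stored next to the rest of the configuration. The variable names and the TF_VAR_ environment variables are choices made for this example.

```hcl
# Added example: declare the Clumio credentials as input variables instead of literals.
# The token is marked sensitive so Terraform redacts it in plan and apply output.
variable "clumio_api_token" {
  type        = string
  sensitive   = true
  description = "Clumio API token, supplied at runtime via TF_VAR_clumio_api_token"
}

variable "clumio_api_base_url" {
  type        = string
  description = "Clumio API base URL permitted for your account, via TF_VAR_clumio_api_base_url"
}

# Instantiate the Clumio provider from the variables (assumed variable names)
provider "clumio" {
  clumio_api_token    = var.clumio_api_token
  clumio_api_base_url = var.clumio_api_base_url
}
```

Supply the values in the same shell that runs terraform, for example with `export TF_VAR_clumio_api_token=<clumio_api_token>` and `export TF_VAR_clumio_api_base_url=<clumio_api_base_url>`. Marking a variable sensitive only affects console output: Terraform still records variable values in saved plan files, so those files and the state backend need the same access controls as the token itself.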
Create an AWS connection
Next, add the following to the Terraform configuration to instantiate a Clumio connection to the AWS account associated with the AWS environment variables set up during preparation.
Note: The connection must be established before deploying the resources, as the external ID attached to it is used while creating the resources.
# Instantiate the AWS provider
provider "aws" {
region = "us-west-2"
}
# Retrieve the effective AWS account ID and region
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# Register a new Clumio connection for the effective AWS account ID and region
resource "clumio_aws_connection" "connection" {
account_native_id = data.aws_caller_identity.current.account_id
aws_region = data.aws_region.current.name
description = "My Clumio Connection"
}
Fetch resources required to create the stack ARNs
Next, fetch the resources required to create the stack ARNs to be deployed in the manual connection. This data can be stored in a different file or directory if required.
The resources field returned here is a JSON string and must first be decoded (for example with jsondecode) before its contents can be used.
# Fetch manual resources
data "clumio_aws_manual_connection_resources" "get_resources" {
account_native_id = data.aws_caller_identity.current.account_id
aws_region = data.aws_region.current.name
asset_types_enabled = {
ebs = true
rds = true
ddb = true
s3 = true
mssql = true
}
}
Fetched resources will follow a structure like this:
{
"roles": {
"ClumioIAMRole": {
...content
},
...content
},
"topics": {
"ClumioEventPub": {
...content
},
...content
},
"rules": {
"ClumioCloudtrailEventRule": {
...content
},
...content
},
"ssm_documents": {
"Clumio-AGDatabaseDetails": {
...content
},
...content
}
}
The full definition of this data source can be found in the Clumio provider documentation.
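Because the resources attribute is a JSON string, the decoded structure is easiest to work with through a local value. The following configuration is an added example, not code from the original article or from the Clumio provider: it decodes the fetched definitions once, lists the names of the roles, topics, rules and SSM documents that have to exist in the AWS account before the manual connection can be completed, and asserts that the expected IAM role definition is present before anything is built. The local and output names are chosen for this example, and the check block requires Terraform 1.5 or later.

```hcl
locals {
  # Decode the stringified resources attribute once so each category is addressable as a map
  manual_resources = jsondecode(data.clumio_aws_manual_connection_resources.get_resources.resources)
}

# Names of the IAM roles that must be created from the fetched definitions
output "required_role_names" {
  value = keys(local.manual_resources.roles)
}

# Names of the SNS topics that must be created from the fetched definitions
output "required_topic_names" {
  value = keys(local.manual_resources.topics)
}

# Names of the event rules that must be created from the fetched definitions
output "required_rule_names" {
  value = keys(local.manual_resources.rules)
}

# Names of the SSM documents that must be created from the fetched definitions
output "required_ssm_document_names" {
  value = keys(local.manual_resources.ssm_documents)
}

# Fail the plan early if the definitions do not contain the role the connection relies on;
# a missing category usually means asset_types_enabled does not match what was intended.
check "expected_clumio_definitions" {
  assert {
    condition     = contains(keys(local.manual_resources.roles), "ClumioIAMRole")
    error_message = "Fetched resources do not include ClumioIAMRole; verify asset_types_enabled on the data source."
  }
}
```

After terraform apply, the outputs give the exact set of resource names to build and to hand back as ARNs in the clumio_aws_manual_connection resource, which avoids completing the connection with a stack that is missing a definition.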
Complete manual connection
After creating the required stack ARNs using the above resources, provide the stack ARNs to the connection as follows:
resource "clumio_aws_manual_connection" "update_resources" {
account_id = data.aws_caller_identity.current.account_id
aws_region = data.aws_region.current.name
assets_enabled = {
ebs = true
rds = true
ddb = true
s3 = true
mssql = true
}
# Replace each placeholder string with the ARN of the corresponding resource created from the fetched definitions
resources = {
clumio_iam_role_arn = "clumio_iam_role_arn"
clumio_event_pub_arn = "clumio_event_pub_arn"
clumio_support_role_arn = "clumio_support_role_arn"
event_rules = {
cloudtrail_rule_arn = "cloudtrail_rule_arn"
cloudwatch_rule_arn = "cloudwatch_rule_arn"
}
service_roles = {
s3 = {
continuous_backups_role_arn = "continuous_backups_role_arn"
}
mssql = {
ssm_notification_role_arn = "ssm_notification_role_arn"
ec2_ssm_instance_profile_arn = "ec2_ssm_instance_profile_arn"
}
}
}
}
# Expose the decoded resource definitions fetched above (the attribute is a JSON string)
output "manual_connection_resources" {
value = jsondecode(data.clumio_aws_manual_connection_resources.get_resources.resources)
}
The full definition of this resource can be found in the Clumio provider documentation.
Contact [email protected] in case of any clarifications or questions.