Skip to content

Latest commit

 

History

History
247 lines (215 loc) · 15.8 KB

README.md

File metadata and controls

247 lines (215 loc) · 15.8 KB

Terraform

terraform-aws-backup

Terraform module to create AWS Backup plans. AWS Backup is a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services (EBS volumes, RDS databases, DynamoDB tables, EFS file systems, and Storage Gateway volumes).

Usage

You can use this module to create a simple plan using the module's rule_* variables. You can also use the rules and selections list of maps variables to build a more complete plan by defining several rules and selections at once.

Check the examples for the simple plan, complete plan, simple plan using variables and the selection by tags plan snippets.

Example (complete plan)

This example creates a plan with two rules and two selections at once. It also defines a vault key which is used by the first rule because no target_vault_name was given (null). Whereas the second rule is using the "Default" vault key.

The first selection has two assignments, the first defined by a resource ARN and the second one defined by a tag condition. The second selection has just one assignment defined by a resource ARN.

module "aws_backup_example" {

  source = "lgallard/backup/aws"

  # Vault
  vault_name = "vault-3"

  # Plan
  plan_name = "complete-plan"

  # Notifications
  notifications = {
    sns_topic_arn       = aws_sns_topic.backup_vault_notifications.arn
    backup_vault_events = ["BACKUP_JOB_STARTED", "BACKUP_JOB_COMPLETED", "BACKUP_JOB_FAILED", "RESTORE_JOB_COMPLETED"]
  }

  # Multiple rules using a list of maps
  rules = [
    {
      name                     = "rule-1"
      schedule                 = "cron(0 12 * * ? *)"
      target_vault_name        = null
      start_window             = 120
      completion_window        = 360
      enable_continuous_backup = true
      lifecycle = {
        cold_storage_after = 0
        delete_after       = 30
      },
      copy_actions = [
        {
          lifecycle = {
            cold_storage_after = 0
            delete_after       = 90
          },
          destination_vault_arn = "arn:aws:backup:us-west-2:123456789101:backup-vault:Default"
        },
      ]
      recovery_point_tags = {
        Environment = "production"
      }
    },
    {
      name                = "rule-2"
      schedule            = "cron(0 7 * * ? *)"
      target_vault_name   = "Default"
      schedule            = null
      start_window        = 120
      completion_window   = 360
      lifecycle           = {}
      copy_action         = {}
      recovery_point_tags = {}
    },
  ]

  # Multiple selections
  #  - Selection-1: By resources and tag
  #  - Selection-2: Only by resources
  #  - Selection-3: By resources and conditions
  selections = [
    {
      name      = "selection-1"
      resources     = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table1"]
      not_resources = []
      selection_tags = [
        {
          type  = "STRINGEQUALS"
          key   = "Environment"
          value = "production"
        },
        {
          type  = "STRINGEQUALS"
          key   = "Owner"
          value = "production"
        }
      ]
    },
    {
      name      = "selection-2"
      resources = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table2"]
    },
    {
      name          = "selection-3"
      resources     = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table3"]
      not_resources = []
      conditions = {
        string_equals = [
          {
            key   = "aws:ResourceTag/Component"
            value = "rds"
          }
          ,
          {
            key   = "aws:ResourceTag/Project"
            value = "Project1"
          }
        ]
        string_like = [
          {
            key   = "aws:ResourceTag/Application"
            value = "app*"
          }
        ]
        string_not_equals = [
          {
            key   = "aws:ResourceTag/Backup"
            value = "false"
          }
        ]
        string_not_like = [
          {
            key   = "aws:ResourceTag/Environment"
            value = "test*"
          }
        ]
      }
    }
  ]

  tags = {
    Owner       = "backup team"
    Environment = "production"
    Terraform   = true
  }
}

Requirements

Name Version
terraform >= 0.12.31
aws >= 4.26

Providers

Name Version
aws 5.15.0

Modules

No modules.

Resources

Name Type
aws_backup_plan.ab_plan resource
aws_backup_report_plan.ab_report resource
aws_backup_selection.ab_selection resource
aws_backup_vault.ab_vault resource
aws_backup_vault_lock_configuration.ab_vault_lock_configuration resource
aws_backup_vault_notifications.backup_events resource
aws_iam_policy.ab_tag_policy resource
aws_iam_role.ab_role resource
aws_iam_role_policy_attachment.ab_backup_s3_policy_attach resource
aws_iam_role_policy_attachment.ab_policy_attach resource
aws_iam_role_policy_attachment.ab_restores_policy_attach resource
aws_iam_role_policy_attachment.ab_restores_s3_policy_attach resource
aws_iam_role_policy_attachment.ab_tag_policy_attach resource
aws_sns_topic_policy.backup_events resource
aws_iam_policy_document.ab_role_assume_role_policy data source
aws_iam_policy_document.ab_tag_policy_document data source
aws_iam_policy_document.backup_events data source
aws_partition.current data source

Inputs

Name Description Type Default Required
changeable_for_days The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode number null no
enabled Change to false to avoid deploying any AWS Backup resources bool true no
iam_role_arn If configured, the module will attach this role to selections, instead of creating IAM resources by itself string null no
iam_role_name Allow to set IAM role name, otherwise use predefined default string "" no
locked Change to true to add a lock configuration for the backup vault bool false no
max_retention_days The maximum retention period that the vault retains its recovery points number null no
min_retention_days The minimum retention period that the vault retains its recovery points number null no
notifications Notification block which defines backup vault events and the SNS Topic ARN to send AWS Backup notifications to. Leave it empty to disable notifications any {} no
notifications_disable_sns_policy Disable the creation of the SNS policy. Enable if you need to manage the policy elsewhere. bool false no
plan_name The display name of a backup plan string null no
reports The default cache behavior for this distribution.
list(object({
name = string
description = optional(string, null)
formats = optional(list(string), null)
s3_bucket_name = string
s3_key_prefix = optional(string, null)
report_template = string
accounts = optional(list(string), null)
organization_units = optional(list(string), null)
regions = optional(list(string), null)
framework_arns = optional(list(string), [])
}))
[] no
rule_completion_window The amount of time AWS Backup attempts a backup before canceling the job and returning an error number null no
rule_copy_action_destination_vault_arn An Amazon Resource Name (ARN) that uniquely identifies the destination backup vault for the copied backup. string null no
rule_copy_action_lifecycle The lifecycle defines when a protected resource is copied over to a backup vault and when it expires. map(any) {} no
rule_enable_continuous_backup Enable continuous backups for supported resources. bool false no
rule_lifecycle_cold_storage_after Specifies the number of days after creation that a recovery point is moved to cold storage number null no
rule_lifecycle_delete_after Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than cold_storage_after number null no
rule_name An display name for a backup rule string null no
rule_recovery_point_tags Metadata that you can assign to help organize the resources that you create map(string) {} no
rule_schedule A CRON expression specifying when AWS Backup initiates a backup job string null no
rule_start_window The amount of time in minutes before beginning a backup number null no
rules A list of rule maps any [] no
selection_conditions A map of conditions that you define to assign resources to your backup plans using tags. map(any) {} no
selection_name The display name of a resource selection document string null no
selection_not_resources An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan. list(any) [] no
selection_resources An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan list(any) [] no
selection_tags List of tags for selection_name var, when using variable definition. list(any) [] no
selections A list of selction maps any [] no
tags A mapping of tags to assign to the resource map(string) {} no
vault_force_destroy A boolean that indicates that all recovery points stored in the vault are deleted so that the vault can be destroyed without error. bool false no
vault_kms_key_arn The server-side encryption key that is used to protect your backups string null no
vault_name Name of the backup vault to create. If not given, AWS use default string null no
windows_vss_backup Enable Windows VSS backup option and create a VSS Windows backup bool false no

Outputs

Name Description
plan_arn The ARN of the backup plan
plan_id The id of the backup plan
plan_role The service role of the backup plan
plan_version Unique, randomly generated, Unicode, UTF-8 encoded string that serves as the version ID of the backup plan
vault_arn The ARN of the vault
vault_id The name of the vault

Know Issue:

error creating Backup Vault

In case you get an error message similar to this one:

error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,

Add the required IAM permissions mentioned in the CreateBackupVault row to the role or user creating the Vault (the one running Terraform CLI). In particular make sure kms and backup-storage permissions are added.