# terraform-aws-backup

Terraform module to create AWS Backup plans. AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services (EBS volumes, RDS databases, DynamoDB tables, EFS file systems, and Storage Gateway volumes).
## Usage

You can use this module to create a simple plan using the module's `rule_*` and `selection_*` variables. You can also use the `rules` and `selections` list-of-maps variables to build a more complete plan by defining several rules and selections at once.

Check the examples for the simple plan, complete plan, simple plan using variables and the selection by tags plan snippets.
### Example (complete plan)

This example creates a plan with two rules and three selections at once. It also creates a vault (`vault-3`) which is used by the first rule because no `target_vault_name` was given (`null`), whereas the second rule uses the `Default` vault.

The first selection has two assignments, the first defined by a resource ARN and the second one defined by a tag condition. The second selection has just one assignment defined by a resource ARN. The third selection combines a resource ARN with a `conditions` block.
```hcl
module "aws_backup_example" {
  source = "lgallard/backup/aws"

  # Vault
  vault_name = "vault-3"

  # Plan
  plan_name = "complete-plan"

  # Notifications (the SNS topic is defined elsewhere in the configuration)
  notifications = {
    sns_topic_arn       = aws_sns_topic.backup_vault_notifications.arn
    backup_vault_events = ["BACKUP_JOB_STARTED", "BACKUP_JOB_COMPLETED", "BACKUP_JOB_FAILED", "RESTORE_JOB_COMPLETED"]
  }

  # Multiple rules using a list of maps
  rules = [
    {
      name                     = "rule-1"
      schedule                 = "cron(0 12 * * ? *)"
      target_vault_name        = null # null => use the vault created above ("vault-3")
      start_window             = 120
      completion_window        = 360
      enable_continuous_backup = true
      lifecycle = {
        cold_storage_after = 0
        delete_after       = 30
      }
      copy_actions = [
        {
          lifecycle = {
            cold_storage_after = 0
            delete_after       = 90
          }
          destination_vault_arn = "arn:aws:backup:us-west-2:123456789101:backup-vault:Default"
        },
      ]
      recovery_point_tags = {
        Environment = "production"
      }
    },
    {
      name                = "rule-2"
      schedule            = "cron(0 7 * * ? *)"
      target_vault_name   = "Default"
      start_window        = 120
      completion_window   = 360
      lifecycle           = {}
      copy_actions        = [] # same key as in rule-1; a map here would be ignored
      recovery_point_tags = {}
    },
  ]

  # Multiple selections
  # - Selection-1: By resources and tag
  # - Selection-2: Only by resources
  # - Selection-3: By resources and conditions
  selections = [
    {
      name          = "selection-1"
      resources     = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table1"]
      not_resources = []
      selection_tags = [
        {
          type  = "STRINGEQUALS"
          key   = "Environment"
          value = "production"
        },
        {
          type  = "STRINGEQUALS"
          key   = "Owner"
          value = "production"
        }
      ]
    },
    {
      name      = "selection-2"
      resources = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table2"]
    },
    {
      name          = "selection-3"
      resources     = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table3"]
      not_resources = []
      conditions = {
        string_equals = [
          {
            key   = "aws:ResourceTag/Component"
            value = "rds"
          },
          {
            key   = "aws:ResourceTag/Project"
            value = "Project1"
          }
        ]
        string_like = [
          {
            key   = "aws:ResourceTag/Application"
            value = "app*"
          }
        ]
        string_not_equals = [
          {
            key   = "aws:ResourceTag/Backup"
            value = "false"
          }
        ]
        string_not_like = [
          {
            key   = "aws:ResourceTag/Environment"
            value = "test*"
          }
        ]
      }
    }
  ]

  tags = {
    Owner       = "backup team"
    Environment = "production"
    Terraform   = true
  }
}
```
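The following is an added example (not one of the module's own example snippets) of the simpler `rule_*` / `selection_*` variable style mentioned under Usage, combined with the vault lock and KMS inputs listed under Inputs. It assumes an `aws_kms_key.backup` and an `aws_sns_topic.backup_alerts` resource exist elsewhere in the configuration.

```hcl
# Added example: single-rule plan with a locked, CMK-encrypted vault.
# aws_kms_key.backup and aws_sns_topic.backup_alerts are assumed to exist.
module "aws_backup_locked" {
  source = "lgallard/backup/aws"

  # Vault encrypted with a customer-managed key instead of the AWS-managed default
  vault_name        = "vault-locked"
  vault_kms_key_arn = aws_kms_key.backup.arn

  # Vault lock. Setting changeable_for_days selects compliance mode: once the
  # 3-day cooling-off period has elapsed the lock can no longer be removed, and
  # recovery points cannot be deleted before min_retention_days, even by an
  # administrator whose credentials were compromised.
  locked              = true
  changeable_for_days = 3
  min_retention_days  = 7
  max_retention_days  = 120

  # One rule built from the rule_* variables
  plan_name                         = "simple-locked-plan"
  rule_name                         = "daily"
  rule_schedule                     = "cron(0 3 * * ? *)"
  rule_start_window                 = 60
  rule_completion_window            = 180
  rule_lifecycle_cold_storage_after = 30
  rule_lifecycle_delete_after       = 120 # >= cold_storage_after + 90 and <= max_retention_days

  # One selection built from the selection_* variables: every supported
  # resource carrying the tag Backup=true is included automatically.
  selection_name = "tagged-resources"
  selection_tags = [
    {
      type  = "STRINGEQUALS"
      key   = "Backup"
      value = "true"
    }
  ]

  # Only failure events are routed to the alerting topic
  notifications = {
    sns_topic_arn       = aws_sns_topic.backup_alerts.arn
    backup_vault_events = ["BACKUP_JOB_FAILED", "COPY_JOB_FAILED", "RESTORE_JOB_FAILED"]
  }

  tags = {
    Environment = "production"
  }
}
```

Run `terraform plan` before applying a compliance-mode lock: the retention values of every rule targeting the vault must fall inside `min_retention_days` and `max_retention_days`, and the lock cannot be undone once the cooling-off period ends.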
## Requirements

Name | Version |
---|---|
terraform | >= 0.12.31 |
aws | >= 4.26 |
## Providers

Name | Version |
---|---|
aws | 4.61.0 |
## Modules

No modules.

## Resources

Name | Type |
---|---|
aws_backup_plan.ab_plan | resource |
aws_backup_selection.ab_selection | resource |
aws_backup_vault.ab_vault | resource |
aws_backup_vault_lock_configuration.ab_vault_lock_configuration | resource |
aws_backup_vault_notifications.backup_events | resource |
aws_iam_policy.ab_tag_policy | resource |
aws_iam_role.ab_role | resource |
aws_iam_role_policy_attachment.ab_backup_s3_policy_attach | resource |
aws_iam_role_policy_attachment.ab_policy_attach | resource |
aws_iam_role_policy_attachment.ab_restores_policy_attach | resource |
aws_iam_role_policy_attachment.ab_restores_s3_policy_attach | resource |
aws_iam_role_policy_attachment.ab_tag_policy_attach | resource |
aws_sns_topic_policy.backup_events | resource |
aws_iam_policy_document.ab_role_assume_role_policy | data source |
aws_iam_policy_document.ab_tag_policy_document | data source |
aws_iam_policy_document.backup_events | data source |
aws_partition.current | data source |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
changeable_for_days | The number of days before the lock date. If omitted, a vault lock in governance mode is created; otherwise a vault lock in compliance mode is created | number | null | no |
enabled | Change to false to avoid deploying any AWS Backup resources | bool | true | no |
iam_role_arn | If configured, the module will attach this role to selections instead of creating IAM resources by itself | string | null | no |
iam_role_name | Allows setting the IAM role name; otherwise the predefined default is used | string | "" | no |
locked | Change to true to add a lock configuration for the backup vault | bool | false | no |
max_retention_days | The maximum retention period that the vault retains its recovery points | number | null | no |
min_retention_days | The minimum retention period that the vault retains its recovery points | number | null | no |
notifications | Notification block which defines backup vault events and the SNS Topic ARN to send AWS Backup notifications to. Leave it empty to disable notifications | any | {} | no |
plan_name | The display name of a backup plan | string | n/a | yes |
rule_completion_window | The amount of time AWS Backup attempts a backup before canceling the job and returning an error | number | null | no |
rule_copy_action_destination_vault_arn | An Amazon Resource Name (ARN) that uniquely identifies the destination backup vault for the copied backup | string | null | no |
rule_copy_action_lifecycle | The lifecycle defines when a protected resource is copied over to a backup vault and when it expires | map(any) | {} | no |
rule_enable_continuous_backup | Enable continuous backups for supported resources | bool | false | no |
rule_lifecycle_cold_storage_after | Specifies the number of days after creation that a recovery point is moved to cold storage | number | null | no |
rule_lifecycle_delete_after | Specifies the number of days after creation that a recovery point is deleted. Must be at least 90 days greater than cold_storage_after | number | null | no |
rule_name | A display name for a backup rule | string | null | no |
rule_recovery_point_tags | Metadata that you can assign to help organize the resources that you create | map(string) | {} | no |
rule_schedule | A CRON expression specifying when AWS Backup initiates a backup job | string | null | no |
rule_start_window | The amount of time in minutes before beginning a backup | number | null | no |
rules | A list of rule maps | any | [] | no |
selection_conditions | A map of conditions that you define to assign resources to your backup plans using tags | map(any) | {} | no |
selection_name | The display name of a resource selection document | string | null | no |
selection_not_resources | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan | list(any) | [] | no |
selection_resources | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan | list(any) | [] | no |
selection_tags | List of tags for the selection_name var, when using the variable definition | list(any) | [] | no |
selections | A list of selection maps | any | [] | no |
tags | A mapping of tags to assign to the resource | map(string) | {} | no |
vault_force_destroy | A boolean that indicates that all recovery points stored in the vault are deleted so that the vault can be destroyed without error | bool | false | no |
vault_kms_key_arn | The server-side encryption key that is used to protect your backups | string | null | no |
vault_name | Name of the backup vault to create. If not given, AWS uses the default vault | string | null | no |
windows_vss_backup | Enable Windows VSS backup option and create a VSS Windows backup | bool | false | no |

## Outputs

Name | Description |
---|---|
plan_arn | The ARN of the backup plan |
plan_id | The id of the backup plan |
plan_role | The service role of the backup plan |
plan_version | Unique, randomly generated, Unicode, UTF-8 encoded string that serves as the version ID of the backup plan |
vault_arn | The ARN of the vault |
vault_id | The name of the vault |
## Known issue

### error creating Backup Vault

In case you get an error message similar to this one:

```
error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
```

Add the required IAM permissions mentioned in the CreateBackupVault row of the AWS Backup IAM actions table to the role or user creating the vault (the one running the Terraform CLI). In particular, make sure the `kms` and `backup-storage` permissions are added.