
An extensive Terraform child module for the AWS Backup service. Covers every setting currently available for the AWS Backup service.


kunno/terraform-aws-backup


terraform aws backup module

Terraform module to manage AWS Backup

Documentation Resources

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_framework
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_global_settings
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_region_settings
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_notifications
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document

Usage

The following are the minimum required parameters for the backup module to create the default backup plan, which backs up RDS-based resources (RDS, DocumentDB) on a daily, weekly, and monthly basis:

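module "backup" {
  # Assumed source: this repository's GitHub address (a module block requires a source).
  source              = "github.com/kunno/terraform-aws-backup"
  name                = "example-name"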
  backup_service_name = "example-service-name"
  environment         = "dev"
  critical            = "critical"
  bu_prefix           = ""
  kms_key_id          = "example-kms-key-id"
}

The following example overrides the default backup plan:

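module "backup" {
  # Assumed source: this repository's GitHub address (a module block requires a source).
  source              = "github.com/kunno/terraform-aws-backup"
  name                = "example-name"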
  backup_service_name = "example-service-name"
  environment         = "dev"
  critical            = "critical"
  bu_prefix           = ""
  kms_key_id          = "example-kms-key-id"
  backup_plan         = [{
    name                     = "daily-backup-plan"
    rule_name                = "daily-backup-plan-rule"
    schedule                 = "cron(0 9 * * ? *)"
    enable_continuous_backup = true
    completion_window        = 90
    lifecycle                = [{
      cold_store_after = 30
      delete_after     = 120
    }]
    copy_action              = [{
      destination_arn = "aws:arn:destination-vault-arn"
    }]
    backup_selection_name    = "backup-daily-selection"
    backup_resource_arn      = "aws:arn:resource-to-backup-arn"
  },
  {
    name                     = "weekly-backup-plan"
    rule_name                = "weekly-backup-plan-rule"
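    # AWS cron fields: minute hour day-of-month month day-of-week year.
    # This expression fires on the 7th of each month; a weekly run would be cron(0 9 ? * 7 *).
    schedule                 = "cron(0 9 7 * ? *)"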
    enable_continuous_backup = true
    completion_window        = 90
    lifecycle                = [{
      cold_store_after = 60
      delete_after     = 180
    }]
    copy_action              = [{
      destination_arn = "aws:arn:destination-vault-arn"
    }]
    backup_selection_name    = "backup-weekly-selection"
    backup_resource_arn      = "aws:arn:resource-to-backup-arn"
  }]
}

Requirements

Name Version
terraform >= 1.0
aws >= 4.6.20

Providers

Name Version
aws >= 4.6.20

Modules

No modules.

Resources

Name Type
aws_backup_plan. resource
aws_backup_framework. resource
aws_backup_global_settings. resource
aws_backup_region_settings. resource
aws_backup_report_plan. resource
aws_backup_selection. resource
aws_backup_vault. resource
aws_backup_vault_lock_configuration. resource
aws_backup_vault_notifications. resource
aws_backup_vault_policy. resource
aws_sns_topic. resource
aws_sns_topic_policy. resource
aws_iam_role. resource
aws_iam_role_policy_attachment. resource
aws_iam_policy_document. data source

Inputs

Name Description Type Default Required
name n/a string `` yes
backup_service_name n/a string `` yes
environment n/a string `` yes
critical n/a string `` yes
bu_prefix n/a string `` yes
kms_key_id n/a string `` yes
enable_backup_global_settings n/a bool false no
backup_global_settings n/a map(string) {
"isCrossAccountBackupEnabled" = "true"
}
no
enable_backup_region_settings n/a bool true no
enable_vault_lock n/a bool true no
vault_lock_date number of days before vault lock. null for governance mode, specify day for compliance mode number 3 no
vault_max_retain n/a number 1200 no
vault_min_retain n/a number 7 no
enable_backup_vault_notifications n/a bool true no
backup_vault_events_to_notify n/a list(string) [
"BACKUP_JOB_STARTED",
"BACKUP_JOB_COMPLETED",
"COPY_JOB_STARTED",
"COPY_JOB_SUCCESSFUL",
"COPY_JOB_FAILED",
"RESTORE_JOB_STARTED",
"RESTORE_JOB_COMPLETED",
"RECOVERY_POINT_MODIFIED"
]
no
backup_plan n/a set(object) [{
name = "daily-backup-plan"
rule_name = "daily-backup-plan-rule"
schedule = "cron(0 6 * * ? *)"
lifecycle = [{
delete_after = 7
}]
backup_selection_name = "daily-backup-selection"
backup_condition = [{
string_equals = [{
key = "aws:ResourceTag/Component"
value = "rds"
}]
}]
},
{
name = "weekly-backup-plan"
rule_name = "weekly-backup-plan-rule"
schedule = "cron(0 6 7 * ? *)"
lifecycle = [{
delete_after = 28
}]
backup_selection_name = "weekly-backup-selection"
backup_condition = [{
string_equals = [{
key = "aws:ResourceTag/Component"
value = "rds"
}]
}]
},
{
name = "monthly-backup-plan"
rule_name = "monthly-backup-plan-rule"
schedule = "cron(0 6 30 * ? *)"
lifecycle = [{
cold_store_after = 0
}]
copy_action = [{
destination_arn = ""
}]
backup_selection_name = "monthly-backup-selection"
backup_condition = [{
string_equals = [{
key = "aws:ResourceTag/Component"
value = "rds"
}]
}]
}]
no
enable_region_services n/a map(any) {
"Aurora" = true
"DocumentDB" = true
"DynamoDB" = true
"EBS" = true
"EC2" = true
"EFS" = true
"FSx" = true
"Neptune" = true
"RDS" = true
"Storage Gateway" = true
"VirtualMachine" = true
}
no
enable_service_backup_management n/a map(any) {
"Aurora" = true
"DocumentDB" = true
"DynamoDB" = true
"EFS" = true
"RDS" = true
}
no
backup_policy_arn n/a string arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup no
enable_backup_framework n/a bool false no
framework_control n/a set(object) [{
name = "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK"
input_param = [{
name = "requiredRetentionDays"
value = "35"
}]
},
{
name = "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK"
input_param = [{
name = "requiredFrequencyUnit"
value = "hours"
},
{
name = "requiredRetentionDays"
value = "35"
},
{
name = "requiredFrequencyValue"
value = "1"
}]
},
{
name = "BACKUP_RECOVERY_POINT_ENCRYPTED"
},
{
name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
scope = [{
resource_types = [
"RDS",
]
}]
},
{
name = "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED"
},
{
name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK"
input_param = [{
name = "maxRetentionDays"
value = "100"
},
{
name = "minRetentionDays"
value = "1"
}]
scope = [{
resource_types = [
"RDS",
]
}]
},
{
name = "BACKUP_LAST_RECOVERY_POINT_CREATED"
input_param = [{
name = "recoveryPointAgeUnit"
value = "days"
},
{
name = "recoveryPointAgeValue"
value = "1"
}]
scope = [{
resource_types = [
"RDS",
]
}]
}]
no
enable_backup_report n/a bool false no
backup_report_format n/a list(string) [
"CSV",
"JSON"
]
no
backup_report_s3_bucket n/a string "" no
backup_report_template n/a string BACKUP_JOB_REPORT no

Requirements

Name Version
terraform >= 1.4
aws >= 4.62.0

Providers

Name Version
aws 5.7.0
aws.west 5.7.0

Notes

The aws.west provider alias must be defined in the root module if var.enable_cross_region_vault is true.
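
A root-module sketch of the note above, added here as an illustration and not taken from the repository. The regions, the key ids and the `?ref=` pin are placeholders, and it assumes the module accepts `aws.west` through the standard `providers` meta-argument.

```hcl
# Added example: root module wiring for the cross-region vault.
provider "aws" {
  region = "us-east-1" # primary region (assumed)
}

provider "aws" {
  alias  = "west"
  region = "us-west-2" # region of the cross-region vault (assumed)
}

module "backup" {
  # This repository; pin to a reviewed commit with ?ref=<commit-sha>.
  source = "github.com/kunno/terraform-aws-backup"

  # Hand both provider configurations to the child module.
  providers = {
    aws      = aws
    aws.west = aws.west
  }

  name                = "example-name"
  backup_service_name = "example-service-name"
  environment         = "dev"
  critical            = "critical"
  bu_prefix           = ""
  kms_key_id          = "example-kms-key-id"

  # Cross-region vault, created through aws.west.
  enable_cross_region_vault      = true
  cross_region_kms_key_id        = "example-west-kms-key-id" # placeholder
  enable_cross_region_vault_lock = true
  cross_region_vault_min_retain  = 7    # mirrors the vault_min_retain default
  cross_region_vault_max_retain  = 1200 # mirrors the vault_max_retain default

  # null keeps a vault lock in governance mode. A number of days selects
  # compliance mode, which can no longer be changed or removed once that
  # period has passed. The module default for vault_lock_date is 3.
  vault_lock_date              = null
  cross_region_vault_lock_date = null
}
```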

Modules

No modules.

Resources

Name Type
aws_backup_framework.backup_framework resource
aws_backup_global_settings.backup_global_settings resource
aws_backup_plan.backup_plan resource
aws_backup_region_settings.backup_region_settings resource
aws_backup_report_plan.backup_report resource
aws_backup_selection.backup_selection resource
aws_backup_vault.backup_cross_region_vault resource
aws_backup_vault.backup_vault resource
aws_backup_vault_lock_configuration.backup_cross_region_vault_config resource
aws_backup_vault_lock_configuration.backup_vault_config resource
aws_backup_vault_notifications.backup_vault_notifications resource
aws_backup_vault_policy.backup_cross_region_vault_policy resource
aws_backup_vault_policy.backup_vault_policy resource
aws_iam_role.backup_role resource
aws_iam_role_policy_attachment.backup_policy_attachment resource
aws_s3_bucket.backup_report_bucket resource
aws_sns_topic.backup_vault_sns resource
aws_sns_topic_policy.backup_vault_sns_policy resource
aws_sns_topic_subscription.backup_vault_sns_subscription resource
aws_iam_policy_document.backup_plan_assume_role data source
aws_iam_policy_document.backup_vault_notification_policy data source
aws_iam_policy_document.backup_vault_policy data source
aws_kms_alias.backup_primary data source
aws_kms_alias.backup_secondary data source

Inputs

Name Description Type Default Required
backup_global_settings n/a map(string)
{
"isCrossAccountBackupEnabled": "true"
}
no
backup_plan n/a
list(object({
name = string
rule_name = string
schedule = optional(string)
enable_continuous_backup = optional(bool)
start_window = optional(number)
completion_window = optional(number)
recovery_point_tags = optional(map(string))
lifecycle = optional(set(object({
cold_store_after = optional(number)
delete_after = optional(number)
})))
copy_action = optional(set(object({
destination_arn = string
})))
backup_selection_name = string
backup_condition = optional(set(object({
string_equals = optional(set(object({
key = string
value = string
})))
string_like = optional(set(object({
key = string
value = string
})))
string_not_equals = optional(set(object({
key = string
value = string
})))
string_not_like = optional(set(object({
key = string
value = string
})))
})))
backup_resource_arn = optional(list(string))
not_backup_resource_arn = optional(list(string))
selection_tag = optional(set(object({
type = string
key = string
value = string
})))
}))
[
{
"backup_condition": [
{
"string_equals": [
{
"key": "aws:ResourceTag/Component",
"value": "rds"
}
]
}
],
"backup_resource_arn": [
"*"
],
"backup_selection_name": "daily-backup-selection",
"lifecycle": [
{
"delete_after": 7
}
],
"name": "daily-backup-plan",
"rule_name": "daily-backup-plan-rule",
"schedule": "cron(0 6 * * ? *)"
},
{
"backup_condition": [
{
"string_equals": [
{
"key": "aws:ResourceTag/Component",
"value": "rds"
}
]
}
],
"backup_resource_arn": [
"*"
],
"backup_selection_name": "weekly-backup-selection",
"lifecycle": [
{
"delete_after": 28
}
],
"name": "weekly-backup-plan",
"rule_name": "weekly-backup-plan-rule",
"schedule": "cron(0 6 7 * ? *)"
},
{
"backup_condition": [
{
"string_equals": [
{
"key": "aws:ResourceTag/Component",
"value": "rds"
}
]
}
],
"backup_resource_arn": [
"*"
],
"backup_selection_name": "monthly-backup-selection",
"lifecycle": [
{
"cold_store_after": 0
}
],
"name": "monthly-backup-plan",
"rule_name": "monthly-backup-plan-rule",
"schedule": "cron(0 6 30 * ? *)"
}
]
no
backup_policy_arn n/a string "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup" no
backup_report_format n/a list(string)
[
"CSV",
"JSON"
]
no
backup_report_s3_bucket n/a string "" no
backup_report_template n/a string "BACKUP_JOB_REPORT" no
backup_service_name n/a string n/a yes
backup_vault_events_to_notify n/a list(string)
[
"BACKUP_JOB_STARTED",
"BACKUP_JOB_COMPLETED",
"COPY_JOB_STARTED",
"COPY_JOB_SUCCESSFUL",
"COPY_JOB_FAILED",
"RESTORE_JOB_STARTED",
"RESTORE_JOB_COMPLETED",
"RECOVERY_POINT_MODIFIED"
]
no
bu_prefix n/a string n/a yes
critical n/a string n/a yes
cross_region_kms_key_id n/a string "" no
cross_region_vault_lock_date number of days before lock date. null for governance mode, specify for compliance mode number null no
cross_region_vault_max_retain n/a number null no
cross_region_vault_min_retain n/a number null no
enable_backup_framework n/a bool false no
enable_backup_global_settings n/a bool false no
enable_backup_region_settings n/a bool false no
enable_backup_report n/a bool false no
enable_backup_vault_notifications n/a bool true no
enable_backup_vault_sns_subscription n/a bool false no
enable_cross_region_vault n/a bool true no
enable_cross_region_vault_lock n/a bool true no
enable_region_services n/a map(any)
{
"Aurora": true,
"DocumentDB": true,
"DynamoDB": true,
"EBS": true,
"EC2": true,
"EFS": true,
"Neptune": true,
"RDS": true,
"Storage Gateway": true,
"VirtualMachine": true
}
no
enable_service_backup_management n/a map(any)
{
"Aurora": true,
"DocumentDB": true,
"DynamoDB": true,
"EFS": true,
"RDS": true
}
no
enable_vault_lock n/a bool true no
environment n/a string n/a yes
framework_control n/a
list(object({
name = string
input_param = optional(set(object({
name = string
value = string
})))
scope = optional(set(object({
resource_types = list(string)
})))
}))
[
{
"input_param": [
{
"name": "requiredRetentionDays",
"value": "35"
}
],
"name": "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK"
},
{
"input_param": [
{
"name": "requiredFrequencyUnit",
"value": "hours"
},
{
"name": "requiredRetentionDays",
"value": "35"
},
{
"name": "requiredFrequencyValue",
"value": "1"
}
],
"name": "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK"
},
{
"name": "BACKUP_RECOVERY_POINT_ENCRYPTED"
},
{
"name": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
"scope": [
{
"resource_types": [
"RDS"
]
}
]
},
{
"name": "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED"
},
{
"input_param": [
{
"name": "maxRetentionDays",
"value": "100"
},
{
"name": "minRetentionDays",
"value": "1"
}
],
"name": "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK",
"scope": [
{
"resource_types": [
"RDS"
]
}
]
},
{
"input_param": [
{
"name": "recoveryPointAgeUnit",
"value": "days"
},
{
"name": "recoveryPointAgeValue",
"value": "1"
}
],
"name": "BACKUP_LAST_RECOVERY_POINT_CREATED",
"scope": [
{
"resource_types": [
"RDS"
]
}
]
}
]
no
kms_key_id n/a string n/a yes
name n/a string n/a yes
sns_subscription_confirm_timeout n/a number 1 no
sns_subscription_delivery_policy n/a string "" no
sns_subscription_endpoint n/a string null no
sns_subscription_endpoint_auto_confirm n/a bool false no
sns_subscription_filter_policy n/a string "" no
sns_subscription_filter_policy_scope n/a string "" no
sns_subscription_protocol n/a string null no
sns_subscription_raw_message_delivery n/a bool false no
sns_subscription_redrive_policy n/a string "" no
sns_subscription_role_arn n/a string null no
vault_lock_date number of days before lock date. null for governance mode, specify for compliance mode number 3 no
vault_max_retain n/a number 1200 no
vault_min_retain n/a number 7 no

Outputs

Name Description
backup_framework_arn n/a
backup_plan_arns n/a
backup_report_plan_arn n/a
backup_sns_arn n/a
backup_vault_arn n/a
