Terraform module to manage AWS Backup
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_framework https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_global_settings https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_region_settings https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_lock_configuration https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_notifications https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
The following are the minimum required parameters for the backup module to create the default backup plan, which backs up RDS-based resources (RDS, DocumentDB) on a daily, weekly, and monthly basis:
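# Minimal invocation: only the required inputs are set, so the module's
# default backup_plan is used.
module "backup" {
  # Terraform requires every module block to declare a source.
  # Placeholder - replace with the path or registry address of this module.
  source = "<MODULE_SOURCE>"

  name                = "example-name"
  backup_service_name = "example-service-name"
  environment         = "dev"
  critical            = "critical"
  bu_prefix           = ""

  # NOTE(review): presumably the KMS key that encrypts the backup vault;
  # confirm against the module's variable definitions. Use a key whose
  # policy is restricted to the backup role and the intended administrators.
  kms_key_id = "example-kms-key-id"
}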
An example that overrides the default backup plan as follows:
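# Overrides the module's default backup_plan with a daily and a weekly rule,
# each copying its recovery points to a second vault.
module "backup" {
  # Terraform requires every module block to declare a source.
  # Placeholder - replace with the path or registry address of this module.
  source = "<MODULE_SOURCE>"

  name                = "example-name"
  backup_service_name = "example-service-name"
  environment         = "dev"
  critical            = "critical"
  bu_prefix           = ""

  # NOTE(review): presumably the KMS key that encrypts the backup vault;
  # confirm against the module's variable definitions.
  kms_key_id = "example-kms-key-id"

  backup_plan = [
    {
      name      = "daily-backup-plan"
      rule_name = "daily-backup-plan-rule"

      # AWS cron fields: minute hour day-of-month month day-of-week year.
      # Runs every day at 09:00 UTC.
      schedule = "cron(0 9 * * ? *)"

      # NOTE(review): AWS Backup limits continuous (point-in-time) backups to
      # 35 days of retention and does not move them to cold storage. Verify
      # that this rule is accepted together with the lifecycle below, or set
      # enable_continuous_backup = false for long-retention rules.
      enable_continuous_backup = true
      completion_window        = 90

      # delete_after must be at least 90 days greater than cold_store_after.
      lifecycle = [{
        cold_store_after = 30
        delete_after     = 120
      }]

      # ARNs start with "arn:aws:", not "aws:arn:". A copy held in another
      # account or Region keeps a recovery point available if the source
      # vault or account is compromised.
      copy_action = [{
        destination_arn = "arn:aws:backup:<region>:<account-id>:backup-vault:<destination-vault-name>"
      }]

      backup_selection_name = "backup-daily-selection"
      # Placeholder - replace with the full ARN of the resource to back up.
      backup_resource_arn = "arn:aws:<service>:<region>:<account-id>:<resource-to-backup>"
    },
    {
      name      = "weekly-backup-plan"
      rule_name = "weekly-backup-plan-rule"

      # Weekly at 09:00 UTC on day-of-week 7 (Saturday; AWS counts 1 = Sunday).
      # The day goes in the fifth field with "?" in day-of-month; a 7 in the
      # third field would run only once a month, on the 7th.
      schedule = "cron(0 9 ? * 7 *)"

      # NOTE(review): same continuous-backup retention limit as the daily
      # rule above; verify against delete_after = 180.
      enable_continuous_backup = true
      completion_window        = 90

      lifecycle = [{
        cold_store_after = 60
        delete_after     = 180
      }]

      copy_action = [{
        destination_arn = "arn:aws:backup:<region>:<account-id>:backup-vault:<destination-vault-name>"
      }]

      backup_selection_name = "backup-weekly-selection"
      # Placeholder - replace with the full ARN of the resource to back up.
      backup_resource_arn = "arn:aws:<service>:<region>:<account-id>:<resource-to-backup>"
    }
  ]
}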
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.6.20 |
Name | Version |
---|---|
aws | >= 4.6.20 |
No modules.
Name | Type |
---|---|
aws_backup_plan. | resource |
aws_backup_framework. | resource |
aws_backup_global_settings. | resource |
aws_backup_region_settings. | resource |
aws_backup_report_plan. | resource |
aws_backup_selection. | resource |
aws_backup_vault. | resource |
aws_backup_vault_lock_configuration. | resource |
aws_backup_vault_notifications. | resource |
aws_backup_vault_policy. | resource |
aws_sns_topic. | resource |
aws_sns_topic_policy. | resource |
aws_iam_role. | resource |
aws_iam_role_policy_attachment. | resource |
aws_iam_policy_document. | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
name | n/a | string |
`` | yes |
backup_service_name | n/a | string |
`` | yes |
backup_service_name | n/a | string |
`` | yes |
backup_service_name | n/a | string |
`` | yes |
environment | n/a | string |
`` | yes |
backup_service_name | n/a | string |
`` | yes |
critical | n/a | string |
`` | yes |
bu_prefix | n/a | string |
`` | yes |
kms_key_id | n/a | string |
`` | yes |
enable_backup_global_settings | n/a | bool |
false |
no |
backup_global_settings | n/a | map(string) |
{ "isCrossAccountBackupEnabled" = "true" } |
no |
enable_backup_region_settings | n/a | bool |
true |
no |
enable_vault_lock | n/a | bool |
true |
no |
vault_lock_date | Number of days before the vault lock takes effect. Use null for governance mode; specify a number of days for compliance mode, after which the lock can no longer be changed or removed | number |
3 |
no |
vault_max_retain | n/a | number |
1200 |
no |
vault_min_retain | n/a | number |
7 |
no |
enable_backup_vault_notifications | n/a | bool |
true |
no |
backup_vault_events_to_notify | n/a | list(string) |
[ "BACKUP_JOB_STARTED", "BACKUP_JOB_COMPLETED", "COPY_JOB_STARTED", "COPY_JOB_SUCCESSFUL", "COPY_JOB_FAILED", "RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED", "RECOVERY_POINT_MODIFIED" ] |
no |
backup_plan | n/a | set(object) |
[{ name = "daily-backup-plan" rule_name = "daily-backup-plan-rule" schedule = "cron(0 6 * * ? *)" lifecycle = [{ delete_after = 7 }] backup_selection_name = "daily-backup-selection" backup_condition = [{ string_equals = [{ key = "aws:ResourceTag/Component" value = "rds" }] }] }, { name = "weekly-backup-plan" rule_name = "weekly-backup-plan-rule" schedule = "cron(0 6 7 * ? *)" lifecycle = [{ delete_after = 28 }] backup_selection_name = "weekly-backup-selection" backup_condition = [{ string_equals = [{ key = "aws:ResourceTag/Component" value = "rds" }] }] }, { name = "monthly-backup-plan" rule_name = "monthly-backup-plan-rule" schedule = "cron(0 6 30 * ? *)" lifecycle = [{ cold_store_after = 0 }] copy_action = [{ destination_arn = "" }] backup_selection_name = "monthly-backup-selection" backup_condition = [{ string_equals = [{ key = "aws:ResourceTag/Component" value = "rds" }] }] }] |
no |
enable_region_services | n/a | map(any) |
{ "Aurora" = true "DocumentDB" = true "DynamoDB" = true "EBS" = true "EC2" = true "EFS" = true "FSx" = true "Neptune" = true "RDS" = true "Storage Gateway" = true "VirtualMachine" = true } |
no |
enable_service_backup_management | n/a | map(any) |
{ "Aurora" = true "DocumentDB" = true "DynamoDB" = true "EFS" = true "RDS" = true } |
no |
backup_policy_arn | n/a | string |
arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup |
no |
enable_backup_framework | n/a | bool |
false |
no |
framework_control | n/a | set(object) |
[{ name = "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK" input_param = [{ name = "requiredRetentionDays" value = "35" }] }, { name = "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK" input_param = [{ name = "requiredFrequencyUnit" value = "hours" }, { name = "requiredRetentionDays" value = "35" }, { name = "requiredFrequencyValue" value = "1" }] }, { name = "BACKUP_RECOVERY_POINT_ENCRYPTED" }, { name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN" scope = [{ resource_types = [ "RDS", ] }] }, { name = "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED" }, { name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_VAULT_LOCK" input_param = [{ name = "maxRetentionDays" value = "100" }, { name = "minRetentionDays" value = "1" }] scope = [{ resource_types = [ "RDS", ] }] }, { name = "BACKUP_LAST_RECOVERY_POINT_CREATED" input_param = [{ name = "recoveryPointAgeUnit" value = "days" }, { name = "recoveryPointAgeValue" value = "1" }] scope = [{ resource_types = [ "RDS", ] }] }] |
no |
enable_backup_report | n/a | bool |
false |
no |
backup_report_format | n/a | list(string) |
[ "CSV", "JSON" ] |
no |
backup_report_s3_bucket | n/a | string |
"" |
no |
backup_report_template | n/a | string |
BACKUP_JOB_REPORT |
no |
Name | Version |
---|---|
terraform | >= 1.4 |
aws | >= 4.62.0 |
Name | Version |
---|---|
aws | 5.7.0 |
aws.west | 5.7.0 |
The `aws.west` provider alias should be defined in the root module if `var.enable_cross_region_vault` is true.
No modules.
Name | Description | Type | Default | Required |
---|---|---|---|---|
backup_global_settings | n/a | map(string) |
{ |
no |
backup_plan | n/a | list(object({ |
[ |
no |
backup_policy_arn | n/a | string |
"arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup" |
no |
backup_report_format | n/a | list(string) |
[ |
no |
backup_report_s3_bucket | n/a | string |
"" |
no |
backup_report_template | n/a | string |
"BACKUP_JOB_REPORT" |
no |
backup_service_name | n/a | string |
n/a | yes |
backup_vault_events_to_notify | n/a | list(string) |
[ |
no |
bu_prefix | n/a | string |
n/a | yes |
critical | n/a | string |
n/a | yes |
cross_region_kms_key_id | n/a | string |
"" |
no |
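cross_region_vault_lock_date | Number of days before the cross-region vault lock takes effect. Use null for governance mode; specify a number of days for compliance mode, after which the lock can no longer be changed or removed | number |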
null |
no |
cross_region_vault_max_retain | n/a | number |
null |
no |
cross_region_vault_min_retain | n/a | number |
null |
no |
enable_backup_framework | n/a | bool |
false |
no |
enable_backup_global_settings | n/a | bool |
false |
no |
enable_backup_region_settings | n/a | bool |
false |
no |
enable_backup_report | n/a | bool |
false |
no |
enable_backup_vault_notifications | n/a | bool |
true |
no |
enable_backup_vault_sns_subscription | n/a | bool |
false |
no |
enable_cross_region_vault | n/a | bool |
true |
no |
enable_cross_region_vault_lock | n/a | bool |
true |
no |
enable_region_services | n/a | map(any) |
{ |
no |
enable_service_backup_management | n/a | map(any) |
{ |
no |
enable_vault_lock | n/a | bool |
true |
no |
environment | n/a | string |
n/a | yes |
framework_control | n/a | list(object({ |
[ |
no |
kms_key_id | n/a | string |
n/a | yes |
name | n/a | string |
n/a | yes |
sns_subscription_confirm_timeout | n/a | number |
1 |
no |
sns_subscription_delivery_policy | n/a | string |
"" |
no |
sns_subscription_endpoint | n/a | string |
null |
no |
sns_subscription_endpoint_auto_confirm | n/a | bool |
false |
no |
sns_subscription_filter_policy | n/a | string |
"" |
no |
sns_subscription_filter_policy_scope | n/a | string |
"" |
no |
sns_subscription_protocol | n/a | string |
null |
no |
sns_subscription_raw_message_delivery | n/a | bool |
false |
no |
sns_subscription_redrive_policy | n/a | string |
"" |
no |
sns_subscription_role_arn | n/a | string |
null |
no |
vault_lock_date | Number of days before the vault lock takes effect. Use null for governance mode; specify a number of days for compliance mode, after which the lock can no longer be changed or removed | number |
3 |
no |
vault_max_retain | n/a | number |
1200 |
no |
vault_min_retain | n/a | number |
7 |
no |
Name | Description |
---|---|
backup_framework_arn | n/a |
backup_plan_arns | n/a |
backup_report_plan_arn | n/a |
backup_sns_arn | n/a |
backup_vault_arn | n/a |