diff --git a/README.md b/README.md
index d16898a..84f8ddb 100644
--- a/README.md
+++ b/README.md
@@ -31,10 +31,9 @@ module "immutable_aws_backup" {
deployments = {
"website-service" = {
- targets = ["ou-abcd-defghijk"]
+ backup_targets = ["ou-abcd-defghijk"]
min_retention_days = 7
max_retention_days = 90
- restores_enabled = false
backup_tag_key = "BackupPlan"
plans = {
"GFS-7-28-90" : {
diff --git a/docs/index.md b/docs/index.md
index d16898a..84f8ddb 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -31,10 +31,9 @@ module "immutable_aws_backup" {
deployments = {
"website-service" = {
- targets = ["ou-abcd-defghijk"]
+ backup_targets = ["ou-abcd-defghijk"]
min_retention_days = 7
max_retention_days = 90
- restores_enabled = false
backup_tag_key = "BackupPlan"
plans = {
"GFS-7-28-90" : {
diff --git a/docs/usage.md b/docs/usage.md
index 1120ad4..8259428 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -30,13 +30,13 @@ A deployment is an instance of the backup solution. Within the deployment accoun
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| [admin\_role\_names](#deployments\_admin\_role\_names) | A list of role names that will have administrator abilities in member accounts. For example, administering the Backup Vaults. | `list(string)` | `[]` | no |
+| [allow\_backup\_targets\_to\_restore](#deployments\_allow\_backup\_targets\_to\_restore) | Allow restores within the `backup_targets` workload accounts. This will share the LAG Vault back to workload accounts through AWS RAM. | `bool` | `false` | no |
| [backup\_tag\_key](#deployments\_backup\_tag\_key) | The tag key to query when `require_plan_name_resource_tag` is enabled within a plan. | `string` | `null` | no |
+| [backup\_targets](#deployments\_backup\_targets) | A list of Organizational Unit IDs to deploy the backup solution to. The module will deploy to all accounts within these OUs. | `list(string)` | | yes |
| [max\_retention\_days](#deployments\_max\_retention\_days) | The maximum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | `number` | `null` | no |
| [min\_retention\_days](#deployments\_min\_retention\_days) | The minimum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | `number` | `null` | no |
| [plans](#deployments\_plans) | A map of backup plans to implement, see [Plans](#plans). | `map(object)` | | yes |
-| [restores\_enabled](#deployments\_restores\_enabled) | Allow restores within workload accounts. This will share the LAG Vault back to workload accounts through AWS RAM. | `bool` | `false` | no |
| [retained_vaults](#deployments\_retained\_vaults) | A list of previously deployed Backup Vault configurations. This is used to retain Vaults that were previously configured and are now locked, preventing deletion. This is useful when changing the configuration of a deployment, such as changing the minimum or maximum retention days. | `list(object({ min_retention_days = number, max_retention_days = number, use_logically_air_gapped_vault = optional(bool, false) }))` | `[]` | no |
-| [targets](#deployments\_targets) | A list of Organizational Unit IDs to deploy the backup solution to. The module will deploy to all accounts within these OUs. | `list(string)` | | yes |
### Plans
diff --git a/examples/tags/main.tf b/examples/tags/main.tf
index dd30e8b..fd1ad29 100644
--- a/examples/tags/main.tf
+++ b/examples/tags/main.tf
@@ -8,12 +8,12 @@ module "aws_backup" {
terraform_state_bucket_name = var.terraform_state_bucket
deployments = {
"ca-prod" = {
- targets = [module.ou_data_lookup.by_name_path["Workloads / Serverless / CA / RSA CA"].id]
- min_retention_days = 7
- max_retention_days = 12
- restores_enabled = true
- backup_tag_key = "BackupPolicy"
- plans = local.ca_default_plans
+ backup_targets = [module.ou_data_lookup.by_name_path["Workloads / Serverless / CA / RSA CA"].id]
+ min_retention_days = 7
+ max_retention_days = 12
+ allow_backup_targets_to_restore = true
+ backup_tag_key = "BackupPolicy"
+ plans = local.ca_default_plans
}
}
}
diff --git a/main.tf b/main.tf
index 334db71..8dfd39e 100644
--- a/main.tf
+++ b/main.tf
@@ -31,11 +31,11 @@ module "deployment" {
service_name = each.key
admin_role_names = each.value.admin_role_names
backup_tag_key = each.value.backup_tag_key
- deployment_targets = each.value.targets
+ deployment_targets = each.value.backup_targets
max_retention_days = each.value.max_retention_days
min_retention_days = each.value.min_retention_days
plans = each.value.plans
- restores_enabled = each.value.restores_enabled
+ restores_enabled = each.value.allow_backup_targets_to_restore
retained_vaults = each.value.retained_vaults
current = {
diff --git a/variables.tf b/variables.tf
index b3580de..b8e7cb1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -5,18 +5,20 @@ variable "central_account_resource_name_prefix" {
variable "deployments" {
type = map(object({
- admin_role_names = optional(list(string), []) # Names of IAM roles that have admin access to the deployment. E.g. can manage the backup vaults in member accounts.
- backup_tag_key = optional(string)
- max_retention_days = optional(number)
- min_retention_days = optional(number)
+ admin_role_names = optional(list(string), []) # Names of IAM roles that have admin access to the deployment. E.g. can manage the backup vaults in member accounts.
+ allow_backup_targets_to_restore = optional(bool, false)
+ backup_tag_key = optional(string)
+ backup_targets = list(string)
+ max_retention_days = optional(number)
+ min_retention_days = optional(number)
plans = map(object({
complete_backup_window_minutes = optional(number)
continuous_backup_schedule_expression = optional(string, "cron(0 0 ? * * *)") # Schedule for creating continuous backups, if enabled.
create_continuous_backups = optional(bool, false) # Create continuous backups for resources that support it to enable local PITR, there is no copy action for these backups.
- intermediate_retention_days = optional(number), # Number of days to retain backups in the intermediate vault.
- local_retention_days = optional(number), # Number of days to retain backups in the member account vault. If not specified, defaults to delete_after_days.
+ intermediate_retention_days = optional(number) # Number of days to retain backups in the intermediate vault.
+ local_retention_days = optional(number) # Number of days to retain backups in the member account vault. If not specified, defaults to delete_after_days.
require_plan_name_resource_tag = optional(bool, true)
- snapshot_from_continuous_backups = optional(bool, true), # Generate continuous backups for resources that support it and then snapshot from them. These backups do not copy but act as a source for the backup jobs created by the rules. Currently only S3 is supported.
+ snapshot_from_continuous_backups = optional(bool, true) # Generate continuous backups for resources that support it and then snapshot from them. These backups do not copy but act as a source for the backup jobs created by the rules. Currently only S3 is supported.
start_backup_window_minutes = optional(number)
use_logically_air_gapped_vault = optional(bool, false)
rules = list(object({
@@ -25,17 +27,15 @@ variable "deployments" {
intermediate_retention_days = optional(number) # Number of days to retain backups in the intermediate vault, overrides the plan's intermediate_retention_days.
local_retention_days = optional(number) # Number of days to retain backups in the member account vault. If not specified, defaults to delete_after_days.
name = optional(string)
- schedule_expression = string,
+ schedule_expression = string
start_backup_window_minutes = optional(number)
}))
}))
- restores_enabled = bool,
retained_vaults = optional(list(object({
- min_retention_days = number,
- max_retention_days = number,
+ min_retention_days = number
+ max_retention_days = number
use_logically_air_gapped_vault = optional(bool, false)
})), [])
- targets = list(string)
}))
}