From 801048654f7b77b6110933ec5cdc9f9705b027c4 Mon Sep 17 00:00:00 2001
From: Kurtis Mash <24705116+kurtismash@users.noreply.github.com>
Date: Tue, 15 Jul 2025 17:32:19 +0100
Subject: [PATCH 1/3] Rename `deployments.targets` to
`deployments.backup_targets` Allows for the addition of `restore_targets` in
future, which won't receive Backup Plans.
---
README.md | 2 +-
docs/index.md | 2 +-
docs/usage.md | 2 +-
examples/tags/main.tf | 2 +-
main.tf | 2 +-
variables.tf | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index d16898a..5544f35 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ module "immutable_aws_backup" {
deployments = {
"website-service" = {
- targets = ["ou-abcd-defghijk"]
+ backup_targets = ["ou-abcd-defghijk"]
min_retention_days = 7
max_retention_days = 90
restores_enabled = false
diff --git a/docs/index.md b/docs/index.md
index d16898a..5544f35 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -31,7 +31,7 @@ module "immutable_aws_backup" {
deployments = {
"website-service" = {
- targets = ["ou-abcd-defghijk"]
+ backup_targets = ["ou-abcd-defghijk"]
min_retention_days = 7
max_retention_days = 90
restores_enabled = false
diff --git a/docs/usage.md b/docs/usage.md
index 1120ad4..32350ab 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -31,12 +31,12 @@ A deployment is an instance of the backup solution. Within the deployment accoun
|------|-------------|------|---------|----------|
| [admin\_role\_names](#deployments\_admin\_role\_names) | A list of role names that will have administrator abilities in member accounts. For example, administering the Backup Vaults. | `list(string)` | `[]` | no |
| [backup\_tag\_key](#deployments\_backup\_tag\_key) | The tag key to query when `require_plan_name_resource_tag` is enabled within a plan. | `string` | `null` | no |
+| [backup\_targets](#deployments\_backup\_targets) | A list of Organizational Unit IDs to deploy the backup solution to. The module will deploy to all accounts within these OUs. | `list(string)` | | yes |
| [max\_retention\_days](#deployments\_max\_retention\_days) | The maximum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | `number` | `null` | no |
| [min\_retention\_days](#deployments\_min\_retention\_days) | The minimum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | `number` | `null` | no |
| [plans](#deployments\_plans) | A map of backup plans to implement, see [Plans](#plans). | `map(object)` | | yes |
| [restores\_enabled](#deployments\_restores\_enabled) | Allow restores within workload accounts. This will share the LAG Vault back to workload accounts through AWS RAM. | `bool` | `false` | no |
| [retained_vaults](#deployments\_retained\_vaults) | A list of previously deployed Backup Vault configurations. This is used to retain Vaults that were previously configured and are now locked, preventing deletion. This is useful when changing the configuration of a deployment, such as changing the minimum or maximum retention days. | `list(object({ min_retention_days = number, max_retention_days = number, use_logically_air_gapped_vault = optional(bool, false) }))` | `[]` | no |
-| [targets](#deployments\_targets) | A list of Organizational Unit IDs to deploy the backup solution to. The module will deploy to all accounts within these OUs. | `list(string)` | | yes |
### Plans
diff --git a/examples/tags/main.tf b/examples/tags/main.tf
index dd30e8b..004901b 100644
--- a/examples/tags/main.tf
+++ b/examples/tags/main.tf
@@ -8,7 +8,7 @@ module "aws_backup" {
terraform_state_bucket_name = var.terraform_state_bucket
deployments = {
"ca-prod" = {
- targets = [module.ou_data_lookup.by_name_path["Workloads / Serverless / CA / RSA CA"].id]
+ backup_targets = [module.ou_data_lookup.by_name_path["Workloads / Serverless / CA / RSA CA"].id]
min_retention_days = 7
max_retention_days = 12
restores_enabled = true
diff --git a/main.tf b/main.tf
index 334db71..d6042e6 100644
--- a/main.tf
+++ b/main.tf
@@ -31,7 +31,7 @@ module "deployment" {
service_name = each.key
admin_role_names = each.value.admin_role_names
backup_tag_key = each.value.backup_tag_key
- deployment_targets = each.value.targets
+ deployment_targets = each.value.backup_targets
max_retention_days = each.value.max_retention_days
min_retention_days = each.value.min_retention_days
plans = each.value.plans
diff --git a/variables.tf b/variables.tf
index b3580de..bd9087f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -7,6 +7,7 @@ variable "deployments" {
type = map(object({
admin_role_names = optional(list(string), []) # Names of IAM roles that have admin access to the deployment. E.g. can manage the backup vaults in member accounts.
backup_tag_key = optional(string)
+ backup_targets = list(string)
max_retention_days = optional(number)
min_retention_days = optional(number)
plans = map(object({
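Review bot: The new `backup_targets = list(string)` entry is required but nothing rejects an empty list, so a deployment whose OU list is `[]` passes the type constraint and the question of where the backup solution is deployed is decided silently downstream; if an empty list is not a meaningful configuration, a `validation` block on `var.deployments` would fail the plan early with a clear message. The closing of the `variable "deployments"` block, where such a validation would sit, lies outside this hunk (the patch's second hunk only removes the old `targets` entry). A short inline comment matching the one on `admin_role_names`, e.g. `backup_targets = list(string) # Organizational Unit IDs; the backup solution is deployed to every account within these OUs.`, would also keep the type block self-describing. Because the old `targets` key is simply dropped, callers still using it will presumably see a generic required-attribute error rather than one naming the rename, so the rename is worth a changelog line or a mention in the validation message.
```hcl
# … unchanged: variable "deployments" { type = map(object({ … })) …
validation {
  condition     = alltrue([for d in var.deployments : length(d.backup_targets) > 0])
  error_message = "Every deployment must list at least one Organizational Unit ID in backup_targets (formerly targets)."
}
```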
@@ -35,7 +36,6 @@ variable "deployments" {
max_retention_days = number,
use_logically_air_gapped_vault = optional(bool, false)
})), [])
- targets = list(string)
}))
}
From 0eb8730d118a99d4d029435a31401fad63d817f1 Mon Sep 17 00:00:00 2001
From: Kurtis Mash <24705116+kurtismash@users.noreply.github.com>
Date: Tue, 15 Jul 2025 20:54:07 +0100
Subject: [PATCH 2/3] Rename `deployments.restores_enabled` to
`deployments.allow_backup_targets_to_restore`
---
README.md | 1 -
docs/index.md | 1 -
docs/usage.md | 2 +-
examples/tags/main.tf | 12 ++++++------
main.tf | 2 +-
variables.tf | 12 ++++++------
6 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 5544f35..84f8ddb 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,6 @@ module "immutable_aws_backup" {
backup_targets = ["ou-abcd-defghijk"]
min_retention_days = 7
max_retention_days = 90
- restores_enabled = false
backup_tag_key = "BackupPlan"
plans = {
"GFS-7-28-90" : {
diff --git a/docs/index.md b/docs/index.md
index 5544f35..84f8ddb 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -34,7 +34,6 @@ module "immutable_aws_backup" {
backup_targets = ["ou-abcd-defghijk"]
min_retention_days = 7
max_retention_days = 90
- restores_enabled = false
backup_tag_key = "BackupPlan"
plans = {
"GFS-7-28-90" : {
diff --git a/docs/usage.md b/docs/usage.md
index 32350ab..8259428 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -30,12 +30,12 @@ A deployment is an instance of the backup solution. Within the deployment accoun
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| [admin\_role\_names](#deployments\_admin\_role\_names) | A list of role names that will have administrator abilities in member accounts. For example, administering the Backup Vaults. | `list(string)` | `[]` | no |
+| [allow\_backup\_targets\_to\_restore](#deployments\_allow\_backup\_targets\_to\_restore) | Allow restores within the `backup_targets` workload accounts. This will share the LAG Vault back to workload accounts through AWS RAM. | `bool` | `false` | no |
| [backup\_tag\_key](#deployments\_backup\_tag\_key) | The tag key to query when `require_plan_name_resource_tag` is enabled within a plan. | `string` | `null` | no |
| [backup\_targets](#deployments\_backup\_targets) | A list of Organizational Unit IDs to deploy the backup solution to. The module will deploy to all accounts within these OUs. | `list(string)` | | yes |
| [max\_retention\_days](#deployments\_max\_retention\_days) | The maximum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | `number` | `null` | no |
| [min\_retention\_days](#deployments\_min\_retention\_days) | The minimum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | `number` | `null` | no |
| [plans](#deployments\_plans) | A map of backup plans to implement, see [Plans](#plans). | `map(object)` | | yes |
-| [restores\_enabled](#deployments\_restores\_enabled) | Allow restores within workload accounts. This will share the LAG Vault back to workload accounts through AWS RAM. | `bool` | `false` | no |
| [retained_vaults](#deployments\_retained\_vaults) | A list of previously deployed Backup Vault configurations. This is used to retain Vaults that were previously configured and are now locked, preventing deletion. This is useful when changing the configuration of a deployment, such as changing the minimum or maximum retention days. | `list(object({ min_retention_days = number, max_retention_days = number, use_logically_air_gapped_vault = optional(bool, false) }))` | `[]` | no |
diff --git a/examples/tags/main.tf b/examples/tags/main.tf
index 004901b..fd1ad29 100644
--- a/examples/tags/main.tf
+++ b/examples/tags/main.tf
@@ -8,12 +8,12 @@ module "aws_backup" {
terraform_state_bucket_name = var.terraform_state_bucket
deployments = {
"ca-prod" = {
- backup_targets = [module.ou_data_lookup.by_name_path["Workloads / Serverless / CA / RSA CA"].id]
- min_retention_days = 7
- max_retention_days = 12
- restores_enabled = true
- backup_tag_key = "BackupPolicy"
- plans = local.ca_default_plans
+ backup_targets = [module.ou_data_lookup.by_name_path["Workloads / Serverless / CA / RSA CA"].id]
+ min_retention_days = 7
+ max_retention_days = 12
+ allow_backup_targets_to_restore = true
+ backup_tag_key = "BackupPolicy"
+ plans = local.ca_default_plans
}
}
}
diff --git a/main.tf b/main.tf
index d6042e6..8dfd39e 100644
--- a/main.tf
+++ b/main.tf
@@ -35,7 +35,7 @@ module "deployment" {
max_retention_days = each.value.max_retention_days
min_retention_days = each.value.min_retention_days
plans = each.value.plans
- restores_enabled = each.value.restores_enabled
+ restores_enabled = each.value.allow_backup_targets_to_restore
retained_vaults = each.value.retained_vaults
current = {
diff --git a/variables.tf b/variables.tf
index bd9087f..7735ace 100644
--- a/variables.tf
+++ b/variables.tf
@@ -5,11 +5,12 @@ variable "central_account_resource_name_prefix" {
variable "deployments" {
type = map(object({
- admin_role_names = optional(list(string), []) # Names of IAM roles that have admin access to the deployment. E.g. can manage the backup vaults in member accounts.
- backup_tag_key = optional(string)
- backup_targets = list(string)
- max_retention_days = optional(number)
- min_retention_days = optional(number)
+ admin_role_names = optional(list(string), []) # Names of IAM roles that have admin access to the deployment. E.g. can manage the backup vaults in member accounts.
+ allow_backup_targets_to_restore = bool,
+ backup_tag_key = optional(string)
+ backup_targets = list(string)
+ max_retention_days = optional(number)
+ min_retention_days = optional(number)
plans = map(object({
complete_backup_window_minutes = optional(number)
continuous_backup_schedule_expression = optional(string, "cron(0 0 ? * * *)") # Schedule for creating continuous backups, if enabled.
@@ -30,7 +31,6 @@ variable "deployments" {
start_backup_window_minutes = optional(number)
}))
}))
- restores_enabled = bool,
retained_vaults = optional(list(object({
min_retention_days = number,
max_retention_days = number,
From f5be9ddb7de762150485b7d8e4ee8c34af92a5a0 Mon Sep 17 00:00:00 2001
From: Kurtis Mash <24705116+kurtismash@users.noreply.github.com>
Date: Tue, 22 Jul 2025 09:46:00 +0100
Subject: [PATCH 3/3] Default `allow_backup_targets_to_restore` to `false`
---
variables.tf | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/variables.tf b/variables.tf
index 7735ace..b8e7cb1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -6,7 +6,7 @@ variable "central_account_resource_name_prefix" {
variable "deployments" {
type = map(object({
admin_role_names = optional(list(string), []) # Names of IAM roles that have admin access to the deployment. E.g. can manage the backup vaults in member accounts.
- allow_backup_targets_to_restore = bool,
+ allow_backup_targets_to_restore = optional(bool, false)
backup_tag_key = optional(string)
backup_targets = list(string)
max_retention_days = optional(number)
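Review bot: The new `allow_backup_targets_to_restore = optional(bool, false)` line carries no inline comment, although the neighbouring `admin_role_names` entry documents its effect and this flag controls whether the LAG Vault is shared back to the workload accounts through AWS RAM (docs/usage.md). A comment on the type entry would make the default visible where the type is declared, e.g. `allow_backup_targets_to_restore = optional(bool, false) # When true, share the LAG Vault back to the backup_targets accounts via AWS RAM so they can restore; off by default.`. Defaulting to `false` keeps restores opt-in and now agrees with the `false` default already stated in the docs/usage.md table, which the previous patch left as a required `bool`. The other two hunks of this patch only drop trailing commas and need no comment.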
@@ -15,10 +15,10 @@ variable "deployments" {
complete_backup_window_minutes = optional(number)
continuous_backup_schedule_expression = optional(string, "cron(0 0 ? * * *)") # Schedule for creating continuous backups, if enabled.
create_continuous_backups = optional(bool, false) # Create continuous backups for resources that support it to enable local PITR, there is no copy action for these backups.
- intermediate_retention_days = optional(number), # Number of days to retain backups in the intermediate vault.
- local_retention_days = optional(number), # Number of days to retain backups in the member account vault. If not specified, defaults to delete_after_days.
+ intermediate_retention_days = optional(number) # Number of days to retain backups in the intermediate vault.
+ local_retention_days = optional(number) # Number of days to retain backups in the member account vault. If not specified, defaults to delete_after_days.
require_plan_name_resource_tag = optional(bool, true)
- snapshot_from_continuous_backups = optional(bool, true), # Generate continuous backups for resources that support it and then snapshot from them. These backups do not copy but act as a source for the backup jobs created by the rules. Currently only S3 is supported.
+ snapshot_from_continuous_backups = optional(bool, true) # Generate continuous backups for resources that support it and then snapshot from them. These backups do not copy but act as a source for the backup jobs created by the rules. Currently only S3 is supported.
start_backup_window_minutes = optional(number)
use_logically_air_gapped_vault = optional(bool, false)
rules = list(object({
@@ -27,13 +27,13 @@ variable "deployments" {
intermediate_retention_days = optional(number) # Number of days to retain backups in the intermediate vault, overrides the plan's intermediate_retention_days.
local_retention_days = optional(number) # Number of days to retain backups in the member account vault. If not specified, defaults to delete_after_days.
name = optional(string)
- schedule_expression = string,
+ schedule_expression = string
start_backup_window_minutes = optional(number)
}))
}))
retained_vaults = optional(list(object({
- min_retention_days = number,
- max_retention_days = number,
+ min_retention_days = number
+ max_retention_days = number
use_logically_air_gapped_vault = optional(bool, false)
})), [])
}))