nationalarchives · kurtismash · Jul 22, 2025 · Jul 15, 2025 · Jul 15, 2025 · Jul 22, 2025
diff --git a/README.md b/README.md
@@ -31,10 +31,9 @@ module "immutable_aws_backup" {
 
   deployments = {
     "website-service" = {
-      targets            = ["ou-abcd-defghijk"]
+      backup_targets     = ["ou-abcd-defghijk"]
       min_retention_days = 7
       max_retention_days = 90
-      restores_enabled   = false
       backup_tag_key     = "BackupPlan"
       plans = {
         "GFS-7-28-90" : {

diff --git a/docs/index.md b/docs/index.md
@@ -31,10 +31,9 @@ module "immutable_aws_backup" {
 
   deployments = {
     "website-service" = {
-      targets            = ["ou-abcd-defghijk"]
+      backup_targets     = ["ou-abcd-defghijk"]
       min_retention_days = 7
       max_retention_days = 90
-      restores_enabled   = false
       backup_tag_key     = "BackupPlan"
       plans = {
         "GFS-7-28-90" : {

diff --git a/docs/usage.md b/docs/usage.md
@@ -30,13 +30,13 @@ A deployment is an instance of the backup solution. Within the deployment accoun
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|----------|
 | <a name="deployments_admin_role_names"></a> [admin\_role\_names](#deployments\_admin\_role\_names) | A list of role names that will have administrator abilities in member accounts. For example, administering the Backup Vaults. | `list(string)` | `[]` | no |
+| <a name="deployments_allow_backup_targets_to_restore"></a> [allow\_backup\_targets\_to\_restore](#deployments\_allow\_backup\_targets\_to\_restore) | Allow restores within the `backup_targets` workload accounts. This will share the LAG Vault back to workload accounts through AWS RAM. | `bool` | `false` | no |
 | <a name="deployments_backup_tag_key"></a> [backup\_tag\_key](#deployments\_backup\_tag\_key) | The tag key to query when `require_plan_name_resource_tag` is enabled within a plan. | `string` | `null` | no |
+| <a name="deployments_backup_targets"></a> [backup\_targets](#deployments\_backup\_targets) | A list of Organizational Unit IDs to deploy the backup solution to. The module will deploy to all accounts within these OUs. | `list(string)` |  | yes |
 | <a name="deployments_max_retention_days"></a> [max\_retention\_days](#deployments\_max\_retention\_days) | The maximum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | `number` | `null` | no |
 | <a name="deployments_min_retention_days"></a> [min\_retention\_days](#deployments\_min\_retention\_days) | The minimum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | `number` | `null` | no |
 | <a name="deployments_plans"></a> [plans](#deployments\_plans) | A map of backup plans to implement, see [Plans](#plans). | `map(object)` |  | yes |
-| <a name="deployments_restores_enabled"></a> [restores\_enabled](#deployments\_restores\_enabled) | Allow restores within workload accounts. This will share the LAG Vault back to workload accounts through AWS RAM. | `bool` | `false` | no |
 | <a name="deployments_retained_vaults"></a> [retained_vaults](#deployments\_retained\_vaults) | A list of previously deployed Backup Vault configurations. This is used to retain Vaults that were previously configured and are now locked, preventing deletion. This is useful when changing the configuration of a deployment, such as changing the minimum or maximum retention days. | `list(object({ min_retention_days = number, max_retention_days = number, use_logically_air_gapped_vault = optional(bool, false) }))` | `[]` | no |
-| <a name="deployments_targets"></a> [targets](#deployments\_targets) | A list of Organizational Unit IDs to deploy the backup solution to. The module will deploy to all accounts within these OUs. | `list(string)` |  | yes |
 <!-- prettier-ignore-end -->
 
 ### Plans

diff --git a/examples/tags/main.tf b/examples/tags/main.tf
@@ -8,12 +8,12 @@ module "aws_backup" {
   terraform_state_bucket_name          = var.terraform_state_bucket
   deployments = {
     "ca-prod" = {
-      targets            = [module.ou_data_lookup.by_name_path["Workloads / Serverless / CA / RSA CA"].id]
-      min_retention_days = 7
-      max_retention_days = 12
-      restores_enabled   = true
-      backup_tag_key     = "BackupPolicy"
-      plans              = local.ca_default_plans
+      backup_targets                  = [module.ou_data_lookup.by_name_path["Workloads / Serverless / CA / RSA CA"].id]
+      min_retention_days              = 7
+      max_retention_days              = 12
+      allow_backup_targets_to_restore = true
+      backup_tag_key                  = "BackupPolicy"
+      plans                           = local.ca_default_plans
     }
   }
 }
diff --git a/main.tf b/main.tf
@@ -31,11 +31,11 @@ module "deployment" {
   service_name       = each.key
   admin_role_names   = each.value.admin_role_names
   backup_tag_key     = each.value.backup_tag_key
-  deployment_targets = each.value.targets
+  deployment_targets = each.value.backup_targets
   max_retention_days = each.value.max_retention_days
   min_retention_days = each.value.min_retention_days
   plans              = each.value.plans
-  restores_enabled   = each.value.restores_enabled
+  restores_enabled   = each.value.allow_backup_targets_to_restore
   retained_vaults    = each.value.retained_vaults
 
   current = {

diff --git a/variables.tf b/variables.tf
@@ -5,18 +5,20 @@ variable "central_account_resource_name_prefix" {
 
 variable "deployments" {
   type = map(object({
-    admin_role_names   = optional(list(string), []) # Names of IAM roles that have admin access to the deployment. E.g. can manage the backup vaults in member accounts.
-    backup_tag_key     = optional(string)
-    max_retention_days = optional(number)
-    min_retention_days = optional(number)
+    admin_role_names                = optional(list(string), []) # Names of IAM roles that have admin access to the deployment. E.g. can manage the backup vaults in member accounts.
+    allow_backup_targets_to_restore = optional(bool, false)
+    backup_tag_key                  = optional(string)
+    backup_targets                  = list(string)
+    max_retention_days              = optional(number)
+    min_retention_days              = optional(number)
     plans = map(object({
       complete_backup_window_minutes        = optional(number)
       continuous_backup_schedule_expression = optional(string, "cron(0 0 ? * * *)") # Schedule for creating continuous backups, if enabled.
       create_continuous_backups             = optional(bool, false)                 # Create continuous backups for resources that support it to enable local PITR, there is no copy action for these backups.
-      intermediate_retention_days           = optional(number),                     # Number of days to retain backups in the intermediate vault.
-      local_retention_days                  = optional(number),                     # Number of days to retain backups in the member account vault. If not specified, defaults to delete_after_days.
+      intermediate_retention_days           = optional(number)                      # Number of days to retain backups in the intermediate vault.
+      local_retention_days                  = optional(number)                      # Number of days to retain backups in the member account vault. If not specified, defaults to delete_after_days.
       require_plan_name_resource_tag        = optional(bool, true)
-      snapshot_from_continuous_backups      = optional(bool, true), # Generate continuous backups for resources that support it and then snapshot from them. These backups do not copy but act as a source for the backup jobs created by the rules. Currently only S3 is supported.
+      snapshot_from_continuous_backups      = optional(bool, true) # Generate continuous backups for resources that support it and then snapshot from them. These backups do not copy but act as a source for the backup jobs created by the rules. Currently only S3 is supported.
       start_backup_window_minutes           = optional(number)
       use_logically_air_gapped_vault        = optional(bool, false)
       rules = list(object({
@@ -25,17 +27,15 @@ variable "deployments" {
         intermediate_retention_days    = optional(number) # Number of days to retain backups in the intermediate vault, overrides the plan's intermediate_retention_days.
         local_retention_days           = optional(number) # Number of days to retain backups in the member account vault. If not specified, defaults to delete_after_days.
         name                           = optional(string)
-        schedule_expression            = string,
+        schedule_expression            = string
         start_backup_window_minutes    = optional(number)
       }))
     }))
-    restores_enabled = bool,
     retained_vaults = optional(list(object({
-      min_retention_days             = number,
-      max_retention_days             = number,
+      min_retention_days             = number
+      max_retention_days             = number
       use_logically_air_gapped_vault = optional(bool, false)
     })), [])
-    targets = list(string)
   }))
 }