Skip to content

Terraform module to create AWS Backup plans. AWS Backup is a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services (EBS volumes, RDS databases, DynamoDB tables, EFS file systems, and Storage Gateway volumes).

License

Notifications You must be signed in to change notification settings

matthieudolci/terraform-aws-backup

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

45 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Terraform

terraform-aws-backup

Terraform module to create AWS Backup plans. AWS Backup is a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services (EBS volumes, RDS databases, DynamoDB tables, EFS file systems, and Storage Gateway volumes).

Usage

You can use this module to create a simple plan using the module's rule_* variables. You can also use the rules and selections list of maps variables to build a more complete plan by defining several rules and selections at once.

Check the examples for the simple plan, complete plan, simple plan using variables and the selection by tags plan snippets.

Example (complete plan)

This example creates a plan with two rules and two selections at once. It also defines a vault key which is used by the first rule because no target_vault_name was given (null). Whereas the second rule is using the "Default" vault key.

The first selection has two assignments, the first defined by a resource ARN and the second one defined by a tag condition. The second selection has just one assignment defined by a resource ARN.

module "aws_backup_example" {

  source = "lgallard/aws/backup"

  # Vault
  vault_name = "vault-3"

  # Plan
  plan_name = "complete-plan"

  # Multiple rules using a list of maps
  rules = [
    {
      name              = "rule-1"
      schedule          = "cron(0 12 * * ? *)"
      target_vault_name = null
      start_window      = 120
      completion_window = 360
      lifecycle = {
        cold_storage_after = 0
        delete_after       = 90
      },
      copy_action = {
        lifecycle = {
          cold_storage_after = 0
          delete_after       = 90
        },
        destination_vault_arn = "arn:aws:backup:us-west-2:123456789101:backup-vault:Default"
      }
      recovery_point_tags = {
        Environment = "production"
      }
    },
    {
      name                = "rule-2"
      target_vault_name   = "Default"
      schedule            = null
      start_window        = 120
      completion_window   = 360
      lifecycle           = {}
      copy_action         = {}
      recovery_point_tags = {}
    },
  ]

  # Multiple selections
  #  - Selection-1: By resources and tag
  #  - Selection-2: Only by resources
  selections = [
    {
      name      = "selection-1"
      resources = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table1"]
      selection_tag = {
        type  = "STRINGEQUALS"
        key   = "Environment"
        value = "production"
      }
    },
    {
      name          = "selection-2"
      resources     = ["arn:aws:dynamodb:us-east-1:123456789101:table/mydynamodb-table2"]
      selection_tag = {}
    },
  ]

  tags = {
    Owner       = "backup team"
    Environment = "production"
    Terraform   = true
  }
}

Providers

Name Version
aws >= 2.58.0

Inputs

Name Description Type Default Required
enabled Change to false to avoid deploying any AWS Backup resources bool true no
plan_name The display name of a backup plan string n/a yes
rule_completion_window The amount of time AWS Backup attempts a backup before canceling the job and returning an error number n/a yes
rule_copy_action_destination_vault_arn An Amazon Resource Name (ARN) that uniquely identifies the destination backup vault for the copied backup. string n/a yes
rule_copy_action_lifecycle The lifecycle defines when a protected resource is copied over to a backup vault and when it expires. map {} no
rule_lifecycle_cold_storage_after Specifies the number of days after creation that a recovery point is moved to cold storage number n/a yes
rule_lifecycle_delete_after Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than cold_storage_after number n/a yes
rule_name An display name for a backup rule string n/a yes
rule_recovery_point_tags Metadata that you can assign to help organize the resources that you create map(string) {} no
rule_schedule A CRON expression specifying when AWS Backup initiates a backup job string n/a yes
rule_start_window The amount of time in minutes before beginning a backup number n/a yes
rules A list of rule maps any [] no
selection_name The display name of a resource selection document string n/a yes
selection_resources An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan list [] no
selection_tag_key The key in a key-value pair string n/a yes
selection_tag_type An operation, such as StringEquals, that is applied to a key-value pair used to filter resources in a selection string n/a yes
selection_tag_value The value in a key-value pair string n/a yes
selections A list of selction maps list [] no
tags A mapping of tags to assign to the resource map(string) {} no
vault_kms_key_arn The server-side encryption key that is used to protect your backups string n/a yes
vault_name Name of the backup vault to create. If not given, AWS use default string n/a yes

Outputs

Name Description
plan_arn The ARN of the backup plan
plan_id The id of the backup plan
plan_version Unique, randomly generated, Unicode, UTF-8 encoded string that serves as the version ID of the backup plan
vault_arn The ARN of the vault
vault_id The name of the vault

Known issues

During the developing of the module I found some issues reported to the The AWS provider:

Related backup plan selections must be deleted prior to backup plan deletion

$ terraform destroy
...
module.aws_backup_example.aws_iam_policy.ab_tag_policy: Destruction complete after 2s
module.aws_backup_example.aws_iam_role.ab_role: Destruction complete after 1s

Error: error deleting Backup Plan: InvalidRequestException: Related backup plan selections must be deleted prior to backup plan deletion
	status code: 400, request id: 4a6637c8-2d46-4714-9929-4df3f694979b

When trying to destroy a plan, terraform complains about deleting the selections first, even though terraform tries to delete them in the right order:

This issue was reported as Backup Plan deletion fails randomly for the AWS Provider.

This happens because thee AWS provider tries to delete the plan without waiting for the selections destroyal confirmation.

Workaround:

I included and script in the examples that destroys the selections first and then destroys the plan:

 cat terraform_destroy_aws_backup.sh

 #!/bin/sh
targets=""
for i in `terraform state list | grep "selection"`; do targets="${targets} --target=${i}"; done

# Destroy selections
terraform destroy ${targets}

# Destroy all
terraform destroy

Error creating Backup Selection: IAM Role is not authorized to call tag:GetResources

Error: error creating Backup Selection: InvalidParameterValueException: IAM Role arn:aws:iam::111111111111:role/aws-backup-plan-complete-plan-role is not authorized to call tag:GetResources
	status code: 400, request id: 07ab775d-8885-4240-bb99-41305df969e0

  on .terraform/modules/aws_backup_example/selection.tf line 1, in resource "aws_backup_selection" "ab_selection":
   1: resource "aws_backup_selection" "ab_selection" {

This issue was reported as aws_backup_selection.selection: error creating Backup Selection: InvalidParameterValueException for the AWS Provider.

I faced this when applying and destroying the same plan several times, for instance when I ws developing the module.

Workaround:

I couldn't find any workaround for this. Just destroy all wait some time and apply again.

About

Terraform module to create AWS Backup plans. AWS Backup is a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services (EBS volumes, RDS databases, DynamoDB tables, EFS file systems, and Storage Gateway volumes).

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • HCL 100.0%