

AWS Backup Module

The AWS Backup Module helps automate the setup of AWS Backup resources in a source account. It streamlines creating, managing, and standardising backup configurations (vaults, plans, selections, compliance frameworks, restore testing, and notifications), and can optionally copy recovery points to a cross-account vault and to a Logically Air-gapped Vault.

Example

module "test_aws_backup" {
  # Local path to the module; pin to a tagged release when consuming from a registry.
  source = "./modules/aws-backup"

  # Required inputs (see the Inputs table for the optional ones).
  project_name     = "testproject"
  environment_name = "environment_name"

  # KMS key that encrypts the SNS notification topic at rest.
  # `kms_key[0]` is presumably a key resource created elsewhere in the root module — confirm the reference.
  bootstrap_kms_key_arn = kms_key[0].arn

  # S3 bucket that receives the AWS Backup compliance reports.
  reports_bucket = "compliance-reports"

  # Role Terraform deploys with; referenced by the module's policy documents.
  terraform_role_arn = data.aws_iam_role.terraform_role.arn
}

Requirements

Name Version
terraform >= 1.9.5
archive ~> 2
aws ~> 5
awscc ~> 1

Providers

Name Version
aws ~> 5
awscc ~> 1

Modules

No modules.

Resources

Name Type
aws_backup_framework.dynamodb resource
aws_backup_framework.main resource
aws_backup_plan.default resource
aws_backup_plan.dynamodb resource
aws_backup_selection.default resource
aws_backup_selection.dynamodb resource
aws_backup_vault.main resource
aws_backup_logically_air_gapped_vault.main resource
aws_backup_vault_notifications.backup_notification resource
aws_backup_vault_notifications.backup_notification_lag resource
aws_backup_vault_policy.vault_policy resource
aws_iam_role.backup resource
aws_iam_role_policy_attachment.backup resource
aws_iam_role_policy_attachment.restore resource
aws_iam_role_policy_attachment.s3_backup resource
aws_iam_role_policy_attachment.s3_restore resource
aws_kms_alias.backup_key resource
aws_kms_key.aws_backup_key resource
aws_sns_topic.backup resource
aws_sns_topic_subscription.aws_backup_notifications_email_target resource
awscc_backup_restore_testing_plan.backup_restore_testing_plan resource
awscc_backup_restore_testing_selection.backup_restore_testing_selection_dynamodb resource
aws_caller_identity.current data source
aws_iam_policy_document.allow_backup_to_sns data source
aws_iam_policy_document.assume_role data source
aws_iam_policy_document.backup_key_policy data source
aws_iam_policy_document.vault_policy data source
aws_iam_roles.roles data source
aws_region.current data source

Inputs

Name Description Type Default Required
backup_copy_vault_account_id The AWS account ID that owns the destination backup vault; used to allow restores from that account back into the source account. string "" no
backup_copy_vault_arn The ARN of the destination backup vault that receives cross-account copies (the `copy_action` in each rule targets this vault). string "" no
backup_plan_config Configuration for the default backup plan: which tagged resources are selected, which resource types the compliance framework covers, and the schedule/lifecycle/copy rules. Note that `delete_after` for a rule with `enable_continuous_backup` cannot exceed the 35-day continuous-backup limit.
object({
selection_tag = string
selection_tag_value = optional(string)
selection_tags = optional(list(object({
key = optional(string)
value = optional(string)
})))
compliance_resource_types = list(string)
rules = list(object({
name = string
schedule = string
enable_continuous_backup = optional(bool)
lifecycle = object({
delete_after = optional(number)
cold_storage_after = optional(number)
})
copy_action = optional(object({
delete_after = optional(number)
}))
}))
})
{
"compliance_resource_types": [
"S3"
],
"rules": [
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 35
},
"name": "daily_kept_5_weeks",
"schedule": "cron(0 0 * * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 90
},
"name": "weekly_kept_3_months",
"schedule": "cron(0 1 ? * SUN *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"cold_storage_after": 30,
"delete_after": 2555
},
"name": "monthly_kept_7_years",
"schedule": "cron(0 2 1 * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"enable_continuous_backup": true,
"lifecycle": {
"delete_after": 35
},
"name": "point_in_time_recovery",
"schedule": "cron(0 5 * * ? *)"
}
],
"selection_tag": "BackupLocal",
"selection_tag_value": "True",
"selection_tags": []
}
no
backup_plan_config_dynamodb Configuration for the DynamoDB backup plan (set `enable = false` to skip creating it); same structure as `backup_plan_config`.
object({
enable = bool
selection_tag = string
selection_tag_value = optional(string)
selection_tags = optional(list(object({
key = optional(string)
value = optional(string)
})))
compliance_resource_types = list(string)
rules = optional(list(object({
name = string
schedule = string
enable_continuous_backup = optional(bool)
lifecycle = object({
delete_after = number
cold_storage_after = optional(number)
})
copy_action = optional(object({
delete_after = optional(number)
}))
})))
})
{
"compliance_resource_types": [
"DynamoDB"
],
"enable": true,
"rules": [
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 35
},
"name": "dynamodb_daily_kept_5_weeks",
"schedule": "cron(0 0 * * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 90
},
"name": "dynamodb_weekly_kept_3_months",
"schedule": "cron(0 1 ? * SUN *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"cold_storage_after": 30,
"delete_after": 2555
},
"name": "dynamodb_monthly_kept_7_years",
"schedule": "cron(0 2 1 * ? *)"
}
],
"selection_tag": "BackupDynamoDB",
"selection_tag_value": "True",
"selection_tags": []
}
no
backup_plan_config_aurora Configuration for the Aurora backup plan (set `enable = false` to skip creating it). `restore_testing_overrides` is a JSON-encoded string of restore metadata overrides (for example the DB subnet group) applied by the restore testing selection.
object({
enable = bool
selection_tag = string
compliance_resource_types = list(string)
restore_testing_overrides = optional(string)
rules = optional(list(object({
name = string
schedule = string
enable_continuous_backup = optional(bool)
lifecycle = object({
delete_after = number
cold_storage_after = optional(number)
})
copy_action = optional(object({
delete_after = optional(number)
}))
})))
})
{
"compliance_resource_types": [
"Aurora"
],
"enable": true,
"restore_testing_overrides": "{\"dbsubnetgroupname\": \"test-subnet\"}",
"rules": [
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 35
},
"name": "aurora_daily_kept_5_weeks",
"schedule": "cron(0 0 * * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 90
},
"name": "aurora_weekly_kept_3_months",
"schedule": "cron(0 1 ? * SUN *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"cold_storage_after": 30,
"delete_after": 2555
},
"name": "aurora_monthly_kept_7_years",
"schedule": "cron(0 2 1 * ? *)"
}
],
"selection_tag": "BackupAurora"
}
no
parameter_store_backup_config Configuration for the scheduled Lambda function that backs up tagged Parameter Store parameters to S3, plus the backup rules applied to that bucket. Note: the Resources table on this page lists no Lambda function or S3 bucket, so confirm that the module version you are deploying actually provisions them before relying on this feature.
object({
enable = bool
selection_tag = string
selection_tag_value = optional(string)
selection_tags = optional(list(object({
key = optional(string)
value = optional(string)
})))
lambda_backup_cron = optional(string)
lambda_timeout_seconds = optional(number)
air_gapped_kms_key_arn = optional(string)
s3_bucket_name = optional(string)
rules = optional(list(object({
name = string
schedule = string
completion_window = optional(number)
enable_continuous_backup = optional(bool)
lifecycle = object({
delete_after = number
cold_storage_after = optional(number)
})
copy_action = optional(object({
delete_after = optional(number)
}))
})))
})
{
"air_gapped_kms_key_arn": "",
"enable": true,
"lambda_backup_cron": "cron(0 6 * * ? *)",
"lambda_timeout_seconds": 300,
"rules": [
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 35
},
"name": "daily_kept_5_weeks",
"schedule": "cron(0 0 * * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 90
},
"name": "weekly_kept_3_months",
"schedule": "cron(0 1 ? * SUN *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"cold_storage_after": 30,
"delete_after": 2555
},
"name": "monthly_kept_7_years",
"schedule": "cron(0 2 1 * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"enable_continuous_backup": true,
"lifecycle": {
"delete_after": 35
},
"name": "point_in_time_recovery",
"schedule": "cron(0 5 * * ? *)"
}
],
"s3_bucket_name": "",
"selection_tag": "BackupParameterStore",
"selection_tag_value": "True",
"selection_tags": []
}
no
bootstrap_kms_key_arn The ARN of the bootstrap KMS key used to encrypt the SNS notification topic at rest. The key policy must allow the AWS Backup service to use it, otherwise vault notifications will fail to publish. string n/a yes
environment_name The name of the environment where AWS Backup is configured. string n/a yes
name_prefix Optional name prefix for vault resources string null no
notifications_target_email_address The email address that receives backup notifications via the SNS topic; the subscription must be confirmed from the mailbox before notifications are delivered. string "" no
project_name The name of the project this relates to. string n/a yes
reports_bucket Name of the S3 bucket that AWS Backup compliance reports are delivered to. string n/a yes
restore_testing_plan_algorithm Algorithm used to choose which recovery point is restored during each restore test (e.g. the latest within the selection window). string "LATEST_WITHIN_WINDOW" no
restore_testing_plan_recovery_point_types Recovery point types eligible for restore testing. list(string)
[
"SNAPSHOT"
]
no
restore_testing_plan_scheduled_expression Cron expression that schedules the restore testing plan. string "cron(0 1 ? * SUN *)" no
restore_testing_plan_selection_window_days Number of days before the scheduled run from which recovery points may be selected for testing. number 7 no
restore_testing_plan_start_window Window, in hours, after the scheduled time during which the restore test must start. number 1 no
terraform_role_arn ARN of the Terraform role used to deploy to the account. string n/a yes
enable_logically_air_gapped_vault Enable copying backups of supported resource types into a Logically Air-gapped Vault, which provides an isolated, vault-locked copy that cannot be deleted through the source account's credentials. bool false no
logically_air_gapped_vault_lock_min_retention_days The minimum retention period, in days, that the Logically Air-gapped Vault enforces for its recovery points; backups with a shorter retention are rejected by the vault. number 35 no
logically_air_gapped_vault_lock_max_retention_days The maximum retention period, in days, that the Logically Air-gapped Vault allows for its recovery points; backups with a longer retention are rejected by the vault. Choose these bounds carefully, as vault-lock retention settings are not freely changed after creation. number 365 no

Outputs

Name Description
backup_role_arn ARN of the IAM role that AWS Backup assumes for backup and restore jobs
backup_vault_arn ARN of the Backup Vault
backup_vault_name Name of the Backup Vault
logically_air_gapped_vault_arn ARN of the Logically Air-gapped Vault
logically_air_gapped_vault_name Name of the Logically Air-gapped Vault