
AWS Backup Module

The AWS Backup Module helps automate the setup of AWS Backup resources in a source account. It streamlines the process of creating, managing, and standardising backup configurations.

Example

# Example: calling the module from a root configuration with only the
# required inputs; every other input keeps the default listed under "Inputs".
module "test_aws_backup" {
  source = "./modules/aws-backup"

  # Naming inputs (both required).
  project_name     = "testproject"
  environment_name = "environment_name"

  # KMS key used for encryption at rest of the backup SNS topic.
  # NOTE(review): `kms_key[0].arn` is not a complete Terraform resource
  # address as written; substitute the full address of the KMS key in your
  # own configuration.
  bootstrap_kms_key_arn = kms_key[0].arn

  # Role Terraform uses to deploy into the account.
  # NOTE(review): presumably referenced by the vault and key policies the
  # module builds. Confirm in the module source before widening this role.
  terraform_role_arn = data.aws_iam_role.terraform_role.arn

  # Bucket that backup reports are dropped into.
  reports_bucket = "compliance-reports"

  # NOTE(review): backup_copy_vault_arn and backup_copy_vault_account_id are
  # left at their "" defaults here, so presumably no cross-account copy is
  # configured by this example. Confirm against the module source.
}

Requirements

Name Version
terraform >= 1.9.5
archive ~> 2
aws ~> 5
awscc ~> 1

Providers

Name Version
aws ~> 5
awscc ~> 1

Modules

No modules.

Resources

Name Type
aws_backup_framework.dynamodb resource
aws_backup_framework.main resource
aws_backup_framework.rds resource
aws_backup_plan.default resource
aws_backup_plan.dynamodb resource
aws_backup_plan.rds resource
aws_backup_selection.default resource
aws_backup_selection.dynamodb resource
aws_backup_selection.rds resource
aws_backup_vault.main resource
aws_backup_vault_notifications.backup_notification resource
aws_backup_vault_policy.vault_policy resource
aws_iam_role.backup resource
aws_iam_role_policy_attachment.backup resource
aws_iam_role_policy_attachment.restore resource
aws_iam_role_policy_attachment.s3_backup resource
aws_iam_role_policy_attachment.s3_restore resource
aws_kms_alias.backup_key resource
aws_kms_key.aws_backup_key resource
aws_sns_topic.backup resource
aws_sns_topic_subscription.aws_backup_notifications_email_target resource
awscc_backup_restore_testing_plan.backup_restore_testing_plan resource
awscc_backup_restore_testing_selection.backup_restore_testing_selection_dynamodb resource
awscc_backup_restore_testing_selection.backup_restore_testing_selection_rds resource
aws_caller_identity.current data source
aws_iam_policy_document.allow_backup_to_sns data source
aws_iam_policy_document.assume_role data source
aws_iam_policy_document.backup_key_policy data source
aws_iam_policy_document.vault_policy data source
aws_iam_roles.roles data source
aws_region.current data source

Inputs

Name Description Type Default Required
backup_copy_vault_account_id The account id of the destination backup vault for allowing restores back into the source account. string "" no
backup_copy_vault_arn The ARN of the destination backup vault for cross-account backup copies. string "" no
backup_plan_config Configuration for backup plans
object({
selection_tag = string
selection_tag_value = optional(string)
selection_tags = optional(list(object({
key = optional(string)
value = optional(string)
})))
compliance_resource_types = list(string)
rules = list(object({
name = string
schedule = string
enable_continuous_backup = optional(bool)
lifecycle = object({
delete_after = optional(number)
cold_storage_after = optional(number)
})
copy_action = optional(object({
delete_after = optional(number)
}))
}))
})
{
"compliance_resource_types": [
"S3"
],
"rules": [
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 35
},
"name": "daily_kept_5_weeks",
"schedule": "cron(0 0 * * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 90
},
"name": "weekly_kept_3_months",
"schedule": "cron(0 1 ? * SUN *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"cold_storage_after": 30,
"delete_after": 2555
},
"name": "monthly_kept_7_years",
"schedule": "cron(0 2 1 * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"enable_continuous_backup": true,
"lifecycle": {
"delete_after": 35
},
"name": "point_in_time_recovery",
"schedule": "cron(0 5 * * ? *)"
}
],
"selection_tag": "BackupLocal",
"selection_tag_value": "True",
"selection_tags": []
}
no
backup_plan_config_dynamodb Configuration for backup plans with dynamodb
object({
enable = bool
selection_tag = string
selection_tag_value = optional(string)
selection_tags = optional(list(object({
key = optional(string)
value = optional(string)
})))
compliance_resource_types = list(string)
rules = optional(list(object({
name = string
schedule = string
enable_continuous_backup = optional(bool)
lifecycle = object({
delete_after = number
cold_storage_after = optional(number)
})
copy_action = optional(object({
delete_after = optional(number)
}))
})))
})
{
"compliance_resource_types": [
"DynamoDB"
],
"enable": true,
"rules": [
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 35
},
"name": "dynamodb_daily_kept_5_weeks",
"schedule": "cron(0 0 * * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 90
},
"name": "dynamodb_weekly_kept_3_months",
"schedule": "cron(0 1 ? * SUN *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"cold_storage_after": 30,
"delete_after": 2555
},
"name": "dynamodb_monthly_kept_7_years",
"schedule": "cron(0 2 1 * ? *)"
}
],
"selection_tag": "BackupDynamoDB",
"selection_tag_value": "True",
"selection_tags": []
}
no

backup_plan_config_rds Configuration for backup plans with RDS

object({
enable = bool
selection_tag = string
selection_tag_value = optional(string)
selection_tags = optional(list(object({
key = optional(string)
value = optional(string)
})))
compliance_resource_types = list(string)
rules = optional(list(object({
name = string
schedule = string
completion_window = optional(number)
enable_continuous_backup = optional(bool)
lifecycle = object({
delete_after = number
cold_storage_after = optional(number)
})
copy_action = optional(object({
delete_after = optional(number)
}))
})))
})
{
"compliance_resource_types": [
"RDS"
],
"enable": true,
"rules": [
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 35
},
"completion_window": 24,
"name": "rds_daily_kept_5_weeks",
"schedule": "cron(0 0 * * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 90
},
"completion_window": 48,
"name": "rds_weekly_kept_3_months",
"schedule": "cron(0 1 ? * SUN *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"cold_storage_after": 30,
"delete_after": 2555
},
"completion_window": 72,
"name": "rds_monthly_kept_7_years",
"schedule": "cron(0 2 1 * ? *)"
}
],
"selection_tag": "BackupRDS",
"selection_tag_value": "True",
"selection_tags": []
}
no
backup_plan_config_aurora Configuration for backup plans with aurora
object({
enable = bool
selection_tag = string
compliance_resource_types = list(string)
restore_testing_overrides = optional(string)
rules = optional(list(object({
name = string
schedule = string
enable_continuous_backup = optional(bool)
lifecycle = object({
delete_after = number
cold_storage_after = optional(number)
})
copy_action = optional(object({
delete_after = optional(number)
}))
})))
})
{
"compliance_resource_types": [
"Aurora"
],
"enable": true,
"restore_testing_overrides" : "{\"dbsubnetgroupname\": \"test-subnet\"}",
"rules": [
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 35
},
"name": "aurora_daily_kept_5_weeks",
"schedule": "cron(0 0 * * ? *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"delete_after": 90
},
"name": "aurora_weekly_kept_3_months",
"schedule": "cron(0 1 ? * SUN *)"
},
{
"copy_action": {
"delete_after": 365
},
"lifecycle": {
"cold_storage_after": 30,
"delete_after": 2555
},
"name": "aurora_monthly_kept_7_years",
"schedule": "cron(0 2 1 * ? *)"
}
],
"selection_tag": "BackupAurora"
}
no
bootstrap_kms_key_arn The ARN of the bootstrap KMS key used for encryption at rest of the SNS topic. string n/a yes
environment_name The name of the environment where AWS Backup is configured. string n/a yes
name_prefix Optional name prefix for vault resources string null no
notifications_target_email_address The email address to which backup notifications will be sent via SNS. string "" no
project_name The name of the project this relates to. string n/a yes
reports_bucket Bucket to drop backup reports into string n/a yes
restore_testing_plan_algorithm Algorithm of the Recovery Selection Point string "LATEST_WITHIN_WINDOW" no
restore_testing_plan_recovery_point_types Recovery Point Types list(string)
[
"SNAPSHOT"
]
no
restore_testing_plan_scheduled_expression Scheduled Expression of Recovery Selection Point string "cron(0 1 ? * SUN *)" no
restore_testing_plan_selection_window_days Selection window days number 7 no
restore_testing_plan_start_window Start window from the scheduled time during which the test should start number 1 no
terraform_role_arn ARN of Terraform role used to deploy to account string n/a yes

Outputs

No outputs.