Terraform AWS Backup

Terraform module to provision AWS Backup resources.

Terraform versions

Terraform 1.0+. Pin module version to ~> v1.5. Submit pull-requests to main branch. Prior versions on master branch will need ~> v1.3.

Usage

If referring directly to the code instead of a pinned version, take note that from release 1.4.0 all future changes will only be made to the main branch.

module "backup" {
  source = "umotif-public/backup/aws"
  version = "~> 1.5"

  vault_name        = "test-rds-aurora"
  vault_kms_key_arn = "arn:aws:kms:eu-west-1:1111111111:key/07a8a813-fcc9-4d7f-a982648d9c25"

  tags = {
    Environment = "test"
  }

  plan_name = "test-backup-plan"

  rules = [
    {
      name              = "test-backup-rule"
      schedule          = "cron(0 12 * * ? *)"
      start_window      = "65"
      completion_window = "180"
      recovery_point_tags = {
        Project = "test"
        Region  = "eu-west-1"
      }

      lifecycle = {
        cold_storage_after = 0
        delete_after       = 90
      }
    }
  ]

  selection_name = "test-backup-selection"
  selection_resources = ["arn:aws:rds:eu-west-1:1111111111:cluster:example-database-1"]

  selection_tags = [
    {
      type  = "STRINGEQUALS"
      key   = "Project"
      value = "Test"
    },
    {
      type  = "STRINGEQUALS"
      key   = "Environment"
      value = "test"
    }
  ]
}

Assumptions

Module is to be used with Terraform > 1.0.

Examples

Authors

Module managed by:

Module managed by uMotif.

Requirements

Name	Version
terraform	>= 1.5.0
aws	>= 4.26.0

Providers

Name	Version
aws	>= 4.26.0

Modules

No modules.

Resources

Name	Type
aws_backup_plan.main	resource
aws_backup_selection.main	resource
aws_backup_vault.main	resource
aws_backup_vault_notifications.main	resource
aws_iam_policy.main_custom_policy	resource
aws_iam_role.main	resource
aws_iam_role_policy_attachment.main_custom_policy_attach	resource
aws_iam_role_policy_attachment.main_role_backup_policy_attach	resource
aws_iam_role_policy_attachment.main_role_restore_policy_attach	resource
aws_iam_role_policy_attachment.main_role_s3_backup_policy_attach	resource
aws_iam_role_policy_attachment.main_role_s3_restore_policy_attach	resource
aws_sns_topic.main	resource
aws_sns_topic_policy.main	resource
aws_iam_policy_document.main	data source
aws_iam_policy_document.main_custom_policy	data source
aws_iam_policy_document.sns_policy	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
advanced_backup_settings	An object that specifies backup options for each resource type	`any`	`[]`	no
backup_vault_events	An array of events that indicate the status of jobs to back up resources to the backup vault.	`list(string)`	[ "BACKUP_JOB_STARTED", "BACKUP_JOB_COMPLETED", "BACKUP_JOB_SUCCESSFUL", "BACKUP_JOB_FAILED", "BACKUP_JOB_EXPIRED", "RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED", "RESTORE_JOB_SUCCESSFUL", "RESTORE_JOB_FAILED", "COPY_JOB_STARTED", "COPY_JOB_SUCCESSFUL", "COPY_JOB_FAILED", "RECOVERY_POINT_MODIFIED", "BACKUP_PLAN_CREATED", "BACKUP_PLAN_MODIFIED" ]	no
create_sns_topic	Create SNS Topic	`bool`	`true`	no
enable_sns_notifications	Enable Backup Vault Notifications	`bool`	`false`	no
iam_role_name	Name of IAM Role to associate to the Backup Plan	`string`	`null`	no
plan_name	The display name of a backup plan	`string`	n/a	yes
rules	A list of rules mapping rule configurations for a backup plan	`any`	`[]`	no
selection_name	The display name of a resource selection document	`string`	`null`	no
selection_not_resources	An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan.	`list(string)`	`[]`	no
selection_resources	A list of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan	`list(string)`	`[]`	no
selection_tags	A list of selection tags map	`list(any)`	`[]`	no
sns_topic_arn	The Amazon Resource Name (ARN) that specifies the topic for a backup vault’s events	`string`	`null`	no
tags	A mapping of tags to assign to the resource	`map(string)`	`{}`	no
vault_force_destroy	A boolean that indicates that all recovery points stored in the vault are deleted so that the vault can be destroyed without error.	`bool`	`false`	no
vault_kms_key_arn	The server-side encryption key that is used to protect your backups	`string`	`null`	no
vault_name	Name of the backup vault to create. If not given, AWS use default	`string`	`null`	no
vault_sns_kms_key_arn	The server-side encryption key that is used to protect SNS messages for backups	`string`	`null`	no

Outputs

Name	Description
backup_plan_arn	The Amazon Resource Name (ARN) that identifies the backup plan
backup_plan_id	The name of the backup plan
backup_plan_version	Unique, randomly generated, Unicode, UTF-8 encoded string that serves as the version ID of the backup plan.
backup_selection_id	The identifier of the backup selection
backup_sns_topic_arn	The Amazon Resource Name (ARN) that specifies the topic for a backup vault’s events
backup_vault_arn	The Amazon Resource Name (ARN) that identifies the AWS Backup Vault
backup_vault_events	An array of events that indicate the status of jobs to back up resources to the backup vault.
backup_vault_iam_role_arn	The ARN of the backup IAM role
backup_vault_iam_role_name	The name of the backup IAM role
backup_vault_id	The name of the AWS Backup Vault
backup_vault_recovery_points	The number of recovery points that are stored in a backup vault

License

See LICENSE for full details.

Pre-commit hooks & Golang for Terratest

Install dependencies

pre-commit
terraform-docs required for terraform_docs hooks.
TFLint required for terraform_tflint hook.
golang required for running tests.

Terratest

We are using Terratest to run tests on this module.

brew install go
# Change to test directory
cd test
# Get dependencies
go mod download
# Run tests
go test -v -timeout 30m

MacOS

brew install pre-commit terraform-docs tflint

brew tap git-chglog/git-chglog
brew install git-chglog

umotif-public/terraform-aws-backup