Terraform AWS Backup

Terraform module to provision AWS Backup resources.

Terraform versions

Terraform 0.13+. Pin module version to ~> v1.4. Submit pull-requests to main branch. Prior versions on master branch will need ~> v1.3.

Usage

If referring directly to the code instead of a pinned version, take note that from release 1.4.0 all future changes will only be made to the main branch.

module "backup" {
  source = "umotif-public/backup/aws"
  version = "~> 1.4"

  vault_name        = "test-rds-aurora"
  vault_kms_key_arn = "arn:aws:kms:eu-west-1:1111111111:key/07a8a813-fcc9-4d7f-a982648d9c25"

  tags = {
    Environment = "test"
  }

  plan_name = "test-backup-plan"

  rules = [
    {
      name              = "test-backup-rule"
      schedule          = "cron(0 12 * * ? *)"
      start_window      = "65"
      completion_window = "180"
      recovery_point_tags = {
        Project = "test"
        Region  = "eu-west-1"
      }

      lifecycle = {
        cold_storage_after = 0
        delete_after       = 90
      }
    }
  ]

  selection_name = "test-backup-selection"
  selection_resources = ["arn:aws:rds:eu-west-1:1111111111:cluster:example-database-1"]

  selection_tags = [
    {
      type  = "STRINGEQUALS"
      key   = "Project"
      value = "Test"
    },
    {
      type  = "STRINGEQUALS"
      key   = "Environment"
      value = "test"
    }
  ]
}

Assumptions

Module is to be used with Terraform > 0.13.

Examples

Authors

Module managed by:

Marcin Cuber (LinkedIn)
Abdul Wahid (LinkedIn)

Requirements

Name	Version
terraform	>= 0.13
aws	>= 3.11

Providers

Name	Version
aws	>= 3.11

Modules

No modules.

Resources

Name	Type
aws_backup_plan.main	resource
aws_backup_selection.main	resource
aws_backup_vault.main	resource
aws_backup_vault_notifications.main	resource
aws_iam_policy.main_custom_policy	resource
aws_iam_role.main	resource
aws_iam_role_policy_attachment.main_custom_policy_attach	resource
aws_iam_role_policy_attachment.main_role_policy_attach	resource
aws_sns_topic.main	resource
aws_sns_topic_policy.main	resource
aws_iam_policy_document.main	data source
aws_iam_policy_document.main_custom_policy	data source
aws_iam_policy_document.sns_policy	data source
aws_partition.current	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
advanced_backup_settings	An object that specifies backup options for each resource type	`any`	`[]`	no
backup_vault_events	An array of events that indicate the status of jobs to back up resources to the backup vault.	`list(string)`	[ "BACKUP_JOB_STARTED", "BACKUP_JOB_COMPLETED", "BACKUP_JOB_SUCCESSFUL", "BACKUP_JOB_FAILED", "BACKUP_JOB_EXPIRED", "RESTORE_JOB_STARTED", "RESTORE_JOB_COMPLETED", "RESTORE_JOB_SUCCESSFUL", "RESTORE_JOB_FAILED", "COPY_JOB_STARTED", "COPY_JOB_SUCCESSFUL", "COPY_JOB_FAILED", "RECOVERY_POINT_MODIFIED", "BACKUP_PLAN_CREATED", "BACKUP_PLAN_MODIFIED" ]	no
create_sns_topic	Create SNS Topic	`bool`	`true`	no
enable_sns_notifications	Enable Backup Vault Notifications	`bool`	`false`	no
iam_role_name	Name of IAM Role to associate to the Backup Plan	`string`	`null`	no
plan_name	The display name of a backup plan	`string`	n/a	yes
rule_completion_window	The amount of time AWS Backup attempts a backup before canceling the job and returning an error	`number`	`null`	no
rule_copy_action_destination_vault_arn	An Amazon Resource Name (ARN) that uniquely identifies the destination backup vault for the copied backup.	`string`	`null`	no
rule_copy_action_lifecycle	The lifecycle defines when a protected resource is copied over to a backup vault and when it expires.	`map(any)`	`{}`	no
rule_lifecycle_cold_storage_after	Specifies the number of days after creation that a recovery point is moved to cold storage	`number`	`null`	no
rule_lifecycle_delete_after	Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than `cold_storage_after`	`number`	`null`	no
rule_name	An display name for a backup rule	`string`	`null`	no
rule_recovery_point_tags	Metadata that you can assign to help organize the resources that you create	`map(string)`	`{}`	no
rule_schedule	A CRON expression specifying when AWS Backup initiates a backup job	`string`	`null`	no
rule_start_window	The amount of time in minutes before beginning a backup	`number`	`null`	no
rules	A list of rules mapping rule configurations for a backup plan	`any`	`[]`	no
selection_name	The display name of a resource selection document	`string`	`null`	no
selection_resources	A list of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan	`list(string)`	`[]`	no
selection_tag_key	The key in a key-value pair	`string`	`null`	no
selection_tag_type	An operation, such as StringEquals, that is applied to a key-value pair used to filter resources in a selection	`string`	`null`	no
selection_tag_value	The value in a key-value pair	`string`	`null`	no
selection_tags	A list of selection tags map	`list(any)`	`[]`	no
sns_topic_arn	The Amazon Resource Name (ARN) that specifies the topic for a backup vault’s events	`string`	`null`	no
tags	A mapping of tags to assign to the resource	`map(string)`	`{}`	no
vault_kms_key_arn	The server-side encryption key that is used to protect your backups	`string`	`null`	no
vault_name	Name of the backup vault to create. If not given, AWS use default	`string`	`null`	no
vault_sns_kms_key_arn	The server-side encryption key that is used to protect SNS messages for backups	`string`	`null`	no

Outputs

Name	Description
backup_plan_arn	The Amazon Resource Name (ARN) that identifies the backup plan
backup_plan_id	The name of the backup plan
backup_plan_version	Unique, randomly generated, Unicode, UTF-8 encoded string that serves as the version ID of the backup plan.
backup_selection_id	The identifier of the backup selection
backup_sns_topic_arn	The Amazon Resource Name (ARN) that specifies the topic for a backup vault’s events
backup_vault_arn	The Amazon Resource Name (ARN) that identifies the AWS Backup Vault
backup_vault_events	An array of events that indicate the status of jobs to back up resources to the backup vault.
backup_vault_id	The name of the AWS Backup Vault
backup_vault_recovery_points	The number of recovery points that are stored in a backup vault

License

See LICENSE for full details.

Pre-commit hooks & Golang for Terratest

Install dependencies

pre-commit
terraform-docs required for terraform_docs hooks.
TFLint required for terraform_tflint hook.
golang required for running tests.

Terratest

We are using Terratest to run tests on this module.

brew install go
# Change to test directory
cd test
# Get dependencies
go mod download
# Run tests
go test -v -timeout 30m

MacOS

brew install pre-commit terraform-docs tflint

brew tap git-chglog/git-chglog
brew install git-chglog

isabella232 / terraform-aws-backup Goto Github PK