---
AWSTemplateFormatVersion: '2010-09-09'
# The AWS::LanguageExtensions transform is what makes Fn::ToJsonString
# (used under Resources) available in this template.
Transform:
  - 'AWS::LanguageExtensions'
Description: >-
  This template deploys AWS Organization Backup Policies to manage
  backups at an organization level. It should be deployed in the AWS
  Organizations management account or from an AWS Account with delegated
  Administrator permissions.
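Parameters:
  # -- Targeting: resolved from SSM Parameter Store at deploy time -----------
  pOrgBackupTargetOUs:
    Description: >-
      A comma separated list of the AWS Organizations OUs to attach
      backup policies.
    Type: AWS::SSM::Parameter::Value<CommaDelimitedList>
    Default: '/backup/target/organizational-units'
  pRegions:
    Description: Target regions for backup plans as a comma delimited list
    Type: AWS::SSM::Parameter::Value<CommaDelimitedList>
    Default: '/backup/target/regions'
  pCentralBackupVaultArn:
    Description: >-
      The ARN of a centralized AWS Backup Vault that will be the
      secondary store for all AWS Backups. The defined organization backup
      policy plans will "copy_to" this vault.
    Type: AWS::SSM::Parameter::Value<String>
    Default: '/backup/central-vault-arn'
  # -- Execution role and schedules -------------------------------------------
  pCrossAccountBackupRole:
    # NOTE(review): only the role *name* is taken here; the policies build
    # arn:aws:iam::<member-account>:role/<name>, so a role with this name is
    # presumably expected in every targeted account. Not created by this
    # template — confirm with the member-account baseline.
    Description: >-
      This is the IAM role name for the cross-account backup role that
      carries out the backup activities.
    Type: String
    Default: AWSBackupSolutionRole
  DailyBackupSchedule:
    Description: >-
      The CRON job to initiate backup jobs. For example,
      cron(0 5 ? * * *) for daily, every day at 05:00 UTC.
    Type: String
    Default: 'cron(0 5 ? * * *)'
  MonthlyBackupSchedule:
    # Description corrected: the default expression fires at 05:00 UTC, not
    # at midnight.
    Description: >-
      The CRON job to initiate backup jobs. For example,
      cron(0 5 1 * ? *) for monthly, first day of month at 05:00 UTC.
    Type: String
    Default: 'cron(0 5 1 * ? *)'
  pMemberAccountBackupVault:
    Description: >-
      The name of the Backup vault in each member account that the plans
      write to (name is case sensitive).
    AllowedPattern: '^[a-zA-Z0-9\-\_\.]{1,50}$'
    ConstraintDescription: The name of the member account Backup vaults. (Name is case sensitive).
    Type: String
    Default: AWSBackupSolutionVault
  # -- Resource selection tags ------------------------------------------------
  # Key1/Value1 select resources for the daily plan and Key2/Value2 for the
  # monthly plan. Both default to the same key with different values, so a
  # resource is picked up by whichever plan matches its tag value.
  pBackupTagKey1:
    Type: String
    Description: >-
      The backup tag key to automatically assign resources to a backup
      plan across the member accounts.
    Default: 'backup'
  pBackupTagValue1:
    Type: String
    Description: >-
      The backup tag value to automatically assign resources to a backup
      plan across the member accounts.
    Default: 'daily'
  pBackupTagKey2:
    Type: String
    Description: >-
      The backup tag key to automatically assign resources to a backup
      plan across the member accounts.
    Default: 'backup'
  pBackupTagValue2:
    Type: String
    Description: >-
      The backup tag value to automatically assign resources to a backup
      plan across the member accounts.
    Default: 'monthly'
  # Tag applied to the backup plans and recovery points created by the policies.
  pTagKey:
    Type: String
    Description: This is the tag key to assign to resources.
    Default: 'project'
  pTagValue:
    Type: String
    Description: This is the tag value to assign to resources.
    Default: 'aws-backup'
  # -- Parameters for tagging the policy resources themselves -----------------
  CommitId:
    Description: The commit id for the change
    Type: String
  BusinessUnit:
    Description: Business Unit Name
    Type: String
    MinLength: '1'
    MaxLength: '255'
    AllowedValues:
      - Marketing
      - Engineering
      - 'R&D'
    ConstraintDescription: Must be a valid business unit
    Default: Engineering
  CostCenter:
    Description: Cost Center for AWS Services
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: '00000'
  Environment:
    Description: Environment
    Type: String
    AllowedValues:
      - Development
      - QA
      - Production
    ConstraintDescription: Must be a valid environment.
    Default: Development
  ApplicationOwner:
    Description: Email address of application owner
    Type: String
    Default: selfserviceservicecatalog@example.com
  Application:
    Description: Application Name
    Type: String
    Default: Example Application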
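Resources:
  # Each policy carries one AWS Backup plan, rendered to JSON by
  # Fn::ToJsonString (requires the AWS::LanguageExtensions transform).
  # "@@assign" / "@@append" are backup-policy inheritance operators, so those
  # keys must stay quoted strings.
  rOrgDailyBackUpPolicy:
    Type: AWS::Organizations::Policy
    Properties:
      Name: org-daily-backup-policy
      Description: >-
        BackupPolicy for Daily Backup as per the resource selection criteria
      Type: BACKUP_POLICY
      TargetIds: !Ref pOrgBackupTargetOUs
      Content:
        Fn::ToJsonString:
          plans:
            OrgBackupPlanDaily:
              rules:
                OrgDailyBackupRule:
                  schedule_expression:
                    "@@assign": !Ref DailyBackupSchedule
                  # Windows are minutes; the policy syntax takes them as strings.
                  start_backup_window_minutes:
                    "@@assign": '60'
                  complete_backup_window_minutes:
                    "@@assign": '1200'
                  # Retention of the primary recovery point in the member vault.
                  lifecycle:
                    delete_after_days:
                      "@@assign": '35'
                  target_backup_vault_name:
                    "@@assign": !Ref pMemberAccountBackupVault
                  recovery_point_tags:
                    project:
                      tag_key:
                        "@@assign": !Ref pTagKey
                      tag_value:
                        "@@assign": !Ref pTagValue
                  copy_actions:
                    # Currently this must be hardcoded since [AWS Backup Policy syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html#backup-policy-syntax-reference) requires the name of this key to be the same as the target.
                    # NOTE(review): nothing in this template substitutes the key
                    # below. An unedited deploy emits a copy action keyed by the
                    # literal placeholder instead of the vault ARN, so replace it
                    # with the value behind pCentralBackupVaultArn before use.
                    # The central vault's access policy also has to permit copies
                    # from the member accounts; that is not configured here.
                    '<Replace with value from pCentralBackupVaultArn>':
                      target_backup_vault_arn:
                        "@@assign": !Ref pCentralBackupVaultArn
                      # Secondary copy keeps the same retention as the primary.
                      lifecycle:
                        delete_after_days:
                          "@@assign": '35'
              backup_plan_tags:
                project:
                  tag_key:
                    "@@assign": !Ref pTagKey
                  tag_value:
                    "@@assign": !Ref pTagValue
              regions:
                "@@append": !Ref pRegions
              selections:
                tags:
                  OrgDailyBackupSelection:
                    # Fn::Sub only substitutes ${...}, so "$account" is passed
                    # through untouched; it is the backup-policy variable that
                    # AWS Backup resolves to the member account ID.
                    iam_role_arn:
                      "@@assign": !Sub 'arn:aws:iam::$account:role/${pCrossAccountBackupRole}'
                    tag_key:
                      "@@assign": !Ref pBackupTagKey1
                    tag_value:
                      "@@assign":
                        - !Ref pBackupTagValue1
      Tags:
        - Key: Application
          Value: !Ref Application
        - Key: CommitId
          Value: !Ref CommitId
        - Key: BusinessUnit
          Value: !Ref BusinessUnit
        - Key: CostCenter
          Value: !Ref CostCenter
        - Key: Environment
          Value: !Ref Environment
        - Key: ApplicationOwner
          Value: !Ref ApplicationOwner
  rOrgMonthlyBackUpPolicy:
    Type: AWS::Organizations::Policy
    Properties:
      Name: org-monthly-backup-policy
      Description: >-
        BackupPolicy for Monthly Backup as per the resource selection criteria
      Type: BACKUP_POLICY
      TargetIds: !Ref pOrgBackupTargetOUs
      Content:
        Fn::ToJsonString:
          plans:
            OrgBackupPlanMonthly:
              rules:
                OrgMonthlyBackupRule:
                  schedule_expression:
                    "@@assign": !Ref MonthlyBackupSchedule
                  # Windows are minutes; the policy syntax takes them as strings.
                  start_backup_window_minutes:
                    "@@assign": '60'
                  complete_backup_window_minutes:
                    "@@assign": '1200'
                  # Retention of the primary recovery point in the member vault.
                  lifecycle:
                    delete_after_days:
                      "@@assign": '366'
                  target_backup_vault_name:
                    "@@assign": !Ref pMemberAccountBackupVault
                  recovery_point_tags:
                    project:
                      tag_key:
                        "@@assign": !Ref pTagKey
                      tag_value:
                        "@@assign": !Ref pTagValue
                  copy_actions:
                    # Currently this must be hardcoded since [AWS Backup Policy syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup_syntax.html#backup-policy-syntax-reference) requires the name of this key to be the same as the target.
                    # NOTE(review): same placeholder as the daily policy — it is
                    # not substituted by the template and must be replaced with
                    # the central vault ARN before deploying.
                    '<Replace with value from pCentralBackupVaultArn>':
                      target_backup_vault_arn:
                        "@@assign": !Ref pCentralBackupVaultArn
                      # Secondary copy keeps the same retention as the primary.
                      lifecycle:
                        delete_after_days:
                          "@@assign": '366'
              backup_plan_tags:
                project:
                  tag_key:
                    "@@assign": !Ref pTagKey
                  tag_value:
                    "@@assign": !Ref pTagValue
              regions:
                "@@append": !Ref pRegions
              selections:
                tags:
                  # Renamed from the copy-pasted "OrgDailyBackupSelection" so the
                  # selection in the monthly plan is labelled as monthly.
                  OrgMonthlyBackupSelection:
                    # See the daily policy: "$account" is resolved by AWS Backup,
                    # not by Fn::Sub.
                    iam_role_arn:
                      "@@assign": !Sub 'arn:aws:iam::$account:role/${pCrossAccountBackupRole}'
                    tag_key:
                      "@@assign": !Ref pBackupTagKey2
                    tag_value:
                      "@@assign":
                        - !Ref pBackupTagValue2
      Tags:
        - Key: Application
          Value: !Ref Application
        - Key: CommitId
          Value: !Ref CommitId
        - Key: BusinessUnit
          Value: !Ref BusinessUnit
        - Key: CostCenter
          Value: !Ref CostCenter
        - Key: Environment
          Value: !Ref Environment
        - Key: ApplicationOwner
          Value: !Ref ApplicationOwner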