geekcell/terraform-aws-backup

Geek Cell GmbH

Terraform AWS Backup

This Terraform module provides a preconfigured solution for setting up AWS Backup in your AWS account. With this module, you can easily and efficiently create and manage backups for your AWS resources. Our team has extensive experience working with AWS Backup and has optimized this module to provide the best possible experience for users.

Using this Terraform module, you can save time and effort in setting up and managing your backup policies, as well as avoid common mistakes and pitfalls. The module encapsulates all necessary configurations, making it easy to use and integrate into your existing AWS environment. Whether you are looking to add backup protection for your critical resources or streamline your existing backup processes, this Terraform module is a great choice.

Inputs

Name: changeable_for_days
Description: The number of days before the lock date. If omitted, a vault lock in governance mode is created; otherwise a vault lock in compliance mode is created. When you apply this setting:
  • The vault will become immutable 3 days after applying. You have 3 days of grace time to manage or delete the vault lock before it becomes immutable. During this time, only those users with specific IAM permissions can make changes.
  • Once the vault is locked in compliance mode, it cannot be managed or deleted by anyone, even the root user or AWS. The only way to deactivate the lock is to terminate the account, which will delete all the backups.
  • Since you cannot delete the vault, it will be charged for backups until that date. Be careful!
Type: number
Default: null
Required: no

Name: create_backup_vault
Description: Whether to create a backup vault or use a pre-existing one.
Type: bool
Default: true
Required: no

Name: custom_rules
Description: Backup rules to add to the AWS Backup Vault. See examples for usage.
Type:
  list(object({
    name     = string
    schedule = optional(string)

    start_window      = optional(number)
    completion_window = optional(number)

    enable_continuous_backup = optional(bool)
    recovery_point_tags      = optional(map(string), {})

    lifecycle = optional(object({
      cold_storage_after = optional(number)
      delete_after       = optional(number)
    }))

    copy_action = optional(object({
      destination_vault_arn = optional(string)
      lifecycle = optional(object({
        cold_storage_after = optional(number)
        delete_after       = optional(number)
      }))
    }))
  }))
Default: []
Required: no

Name: enable_customer_managed_kms
Description: Whether to enable customer managed KMS encryption for the backup vault.
Type: bool
Default: false
Required: no

Name: enable_vault_lock
Description: Whether to enable Vault Lock for the backup vault.
Type: bool
Default: false
Required: no

Name: enable_windows_vss_backup
Description: Whether to enable Windows VSS backup for the backup plan.
Type: bool
Default: false
Required: no

Name: kms_key_id
Description: The ARN of the KMS key to use to encrypt your backups. If left empty, the AWS default KMS key will be used.
Type: string
Default: null
Required: no

Name: max_retention_days
Description: The maximum retention period (in days) for which the vault retains its recovery points.
Type: number
Default: 365
Required: no

Name: min_retention_days
Description: The minimum retention period (in days) for which the vault retains its recovery points.
Type: number
Default: 7
Required: no

Name: plan_name
Description: The display name of the backup plan.
Type: string
Default: n/a
Required: yes

Name: predefined_rules
Description: A list of predefined backup rules to add to the AWS Backup Plan. See examples for usage.
Type: list(string)
Default: []
Required: no

Name: role_arn
Description: The ARN of the IAM role that AWS Backup uses to authenticate when restoring or backing up the target resources. If left empty, a default role will be created.
Type: string
Default: null
Required: no

Name: selections
Description: A list of selections that either contain Amazon Resource Names (ARNs) or tag patterns matching the resources to assign to the backup plan.
Type:
  list(object({
    name     = string
    role_arn = optional(string)

    arns = optional(list(string))
    tag = optional(object({
      type  = string
      key   = string
      value = string
    }))
  }))
Default: []
Required: no

Name: tags
Description: Tags to add to the AWS Backup resources.
Type: map(any)
Default: {}
Required: no

Name: vault_force_destroy
Description: Whether to allow the backup vault to be destroyed even if it contains recovery points.
Type: string
Default: false
Required: no

Name: vault_name
Description: Name of the backup vault to create, or of an existing one to use.
Type: string
Default: n/a
Required: yes

Outputs

Name Description
backup_plan_arn The ARN of the backup plan.
backup_plan_id The ID of the backup plan.
backup_vault_arn The ARN of the backup vault.
backup_vault_id The ID of the backup vault.

Providers

Name Version
aws >= 4.36

Resources

  • resource.aws_backup_plan.main (main.tf#53)
  • resource.aws_backup_selection.main (main.tf#113)
  • resource.aws_backup_vault.main (main.tf#33)
  • resource.aws_backup_vault_lock_configuration.main (main.tf#43)
  • data source.aws_backup_vault.main (main.tf#27)

Examples

Basic Example

module "basic-example" {
  source = "../../"

  vault_name = "my-project"
  plan_name  = "customer-data"

  selections = [
    {
      name = "s3-buckets"
      arns = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-other-bucket"]
    },
    {
      name = "db-snaps"
      arns = ["arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance"]
    }
  ]
}

With Rules

module "with-rules" {
  source = "../../"

  vault_name = "my-project"
  plan_name  = "customer-data"

  predefined_rules = ["daily-snapshot", "monthly-snapshot"]
  custom_rules = [
    {
      name                     = "my-custom-rule"
      schedule                 = "cron(0 3 ? * 2,3,4,5,6,7,1 *)"
      start_window             = 60
      completion_window        = 240
      enable_continuous_backup = false

      lifecycle = {
        cold_storage_after = 1
        delete_after       = 180 # half a year
      }
    }
  ]

  selections = [
    {
      name = "s3-buckets"
      arns = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-other-bucket"]
    },
    {
      name = "db-snaps"
      arns = ["arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance"]
    }
  ]
}
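Locked Vault With Offsite Copy

An added configuration example, not part of the module's own README, combining the inputs documented above that the examples do not show: a customer managed KMS key, Vault Lock in compliance mode with retention bounds, a custom rule with a copy_action to a second vault, and a tag-based selection. The KMS key ARN and destination vault ARN are placeholders, and STRINGEQUALS is the AWS Backup tag condition type.

```hcl
module "locked-vault" {
  source = "../../"

  vault_name = "my-project-locked"
  plan_name  = "customer-data"

  # Encrypt recovery points with a customer managed key (placeholder ARN).
  enable_customer_managed_kms = true
  kms_key_id                  = "arn:aws:kms:us-east-2:123456789012:key/00000000-0000-0000-0000-000000000000"

  # Vault Lock in compliance mode: after the 3-day grace period nobody, not even the
  # root user, can shorten retention or delete recovery points. Omit changeable_for_days
  # to get governance mode instead, which can still be removed with IAM permissions.
  enable_vault_lock   = true
  changeable_for_days = 3
  min_retention_days  = 30  # every rule below must keep points at least this long
  max_retention_days  = 730
  vault_force_destroy = false

  predefined_rules = ["daily-snapshot"] # delete_after = 35, within the bounds above
  custom_rules = [
    {
      name              = "weekly-offsite-copy"
      schedule          = "cron(0 4 ? * SUN *)"
      start_window      = 60
      completion_window = 480
      lifecycle = {
        cold_storage_after = 30
        delete_after       = 365 # AWS requires at least 90 days after cold storage
      }
      # Copy each recovery point to a vault in another region (placeholder ARN).
      copy_action = {
        destination_vault_arn = "arn:aws:backup:eu-west-1:123456789012:backup-vault:my-project-dr"
        lifecycle = {
          delete_after = 365
        }
      }
    }
  ]

  # Tag-based selection: every supported resource tagged backup=true, instead of ARN lists.
  selections = [
    {
      name = "tagged-resources"
      tag = {
        type  = "STRINGEQUALS"
        key   = "backup"
        value = "true"
      }
    }
  ]
}
```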

Predefined Rules

locals {
  predefined_rules = [
    # At 03:00 AM UTC, daily
    {
      name                     = "daily-snapshot"
      schedule                 = "cron(0 3 ? * * *)"
      start_window             = 60
      completion_window        = 240
      enable_continuous_backup = true
      recovery_point_tags      = {}

      lifecycle = {
        cold_storage_after = null
        delete_after       = 35 # 5 weeks
      }

      copy_action = null
    },

    # At 03:00 AM UTC, every Sunday
    {
      name                     = "weekly-snapshot"
      schedule                 = "cron(0 3 ? * SUN *)"
      start_window             = 60
      completion_window        = 240
      enable_continuous_backup = true
      recovery_point_tags      = {}

      lifecycle = {
        cold_storage_after = null
        delete_after       = 183 # 6 months
      }

      copy_action = null
    },

    # At 03:00 AM UTC, on day 1 of the month
    {
      name                     = "monthly-snapshot"
      schedule                 = "cron(0 3 1 * ? *)"
      start_window             = 60
      completion_window        = 240
      enable_continuous_backup = false
      recovery_point_tags      = {}

      lifecycle = {
        cold_storage_after = 1   # day
        delete_after       = 365 # 1 year
      }

      copy_action = null
    },

    # At 03:00 AM UTC, on day 1 of the month, only in January, April, July, and October
    {
      name                     = "quarterly-snapshot"
      schedule                 = "cron(0 3 1 1,4,7,10 ? *)"
      start_window             = 60
      completion_window        = 240
      enable_continuous_backup = false
      recovery_point_tags      = {}

      lifecycle = {
        cold_storage_after = 1   # day
        delete_after       = 730 # 2 years
      }

      copy_action = null
    },

    # At 03:00 AM UTC, on day 1 of the month, only in January
    {
      name                     = "yearly-snapshot"
      schedule                 = "cron(0 3 1 1 ? *)"
      start_window             = 60
      completion_window        = 240
      enable_continuous_backup = false
      recovery_point_tags      = {}

      lifecycle = {
        cold_storage_after = 1    # day
        delete_after       = 3650 # 10 years
      }

      copy_action = null
    }
  ]
}