terraform-aws-backup

Terraform module to create AWS Backup plans. AWS Backup is a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services (EBS volumes, RDS databases, DynamoDB tables, EFS file systems, and Storage Gateway volumes).

Features

• Flexible backup plan customization
• Comprehensive backup management:
  • Rules and selections
  • Copy actions and lifecycle policies
  • Retention periods and windows
  • Resource tagging
• Advanced capabilities:
  • IAM role management
  • Multi-region support
  • Vault management
  • Framework integration
  • Organization policies
• Enterprise features:
  • Notifications system
  • Audit Manager integration
  • Cross-account backups
  • Compliance controls

Usage

You can use this module to create a simple plan using the module's rule_* variables. You can also use the rules and selections list of maps variables to build a more complete plan by defining several rules and selections at once. For multiple backup plans, you can use the plans variable to create several plans with their own rules and selections.

Check the examples folder where you can see how to configure backup plans with different selection criteria.

Simple plan

See examples/simple_plan/main.tf for a basic backup plan configuration.

Simple plan using variables

See examples/simple_plan_using_variables/main.tf for a backup plan using variables.

Complete plan

See examples/complete_plan/main.tf for a comprehensive backup plan setup.

Multiple backup plans

See examples/multiple_plans/main.tf for managing multiple backup plans.

Simple plan using AWS Organizations backup policies

See examples/organization_backup_policy/main.tf for organization-wide backup policies.

AWS Backup Audit Manager Framework

See examples/simple_audit_framework/main.tf for audit framework configuration.

Requirements

Name	Version
terraform	>= 1.3.0
aws	>= 5.0.0

Providers

Name	Version
aws	6.3.0

Modules

No modules.

Resources

Name	Type
aws_backup_framework.ab_framework	resource
aws_backup_plan.ab_plan	resource
aws_backup_plan.ab_plans	resource
aws_backup_report_plan.ab_report	resource
aws_backup_selection.ab_selection	resource
aws_backup_selection.ab_selections	resource
aws_backup_selection.plan_selections	resource
aws_backup_vault.ab_vault	resource
aws_backup_vault_lock_configuration.ab_vault_lock_configuration	resource
aws_backup_vault_notifications.backup_events	resource
aws_iam_policy.ab_tag_policy	resource
aws_iam_role.ab_role	resource
aws_iam_role_policy_attachment.ab_managed_policies	resource
aws_iam_role_policy_attachment.ab_tag_policy_attach	resource
aws_organizations_policy.backup_policy	resource
aws_organizations_policy_attachment.backup_policy	resource
aws_sns_topic_policy.backup_events	resource
aws_iam_policy_document.ab_role_assume_role_policy	data source
aws_iam_policy_document.ab_tag_policy_document	data source
aws_iam_policy_document.backup_events	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
advanced_backup_settings	Advanced backup settings by resource type	map(map(string))	{}	no
audit_framework	Configuration for AWS Backup Audit Manager framework	object({ create = bool name = string description = optional(string) controls = list(object({ name = string parameter_name = optional(string) parameter_value = optional(string) })) })	{ "controls": [], "create": false, "description": null, "name": null }	no
backup_policies	Map of backup policies to create	map(object({ target_vault_name = string schedule = string start_window = number completion_window = number lifecycle = object({ delete_after = number cold_storage_after = optional(number) }) recovery_point_tags = optional(map(string)) copy_actions = optional(list(map(string))) enable_continuous_backup = optional(bool) }))	{}	no
backup_regions	List of regions where backups should be created	list(string)	[]	no
backup_selections	Map of backup selections	map(object({ resources = optional(list(string)) not_resources = optional(list(string)) conditions = optional(object({ string_equals = optional(map(string)) string_not_equals = optional(map(string)) string_like = optional(map(string)) string_not_like = optional(map(string)) })) tags = optional(map(string)) }))	{}	no
changeable_for_days	The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode	number	null	no
default_lifecycle_cold_storage_after_days	Default number of days after creation that a recovery point is moved to cold storage. Used when cold_storage_after is not specified in lifecycle configuration.	number	0	no
default_lifecycle_delete_after_days	Default number of days after creation that a recovery point is deleted. Used when delete_after is not specified in lifecycle configuration.	number	90	no
enable_org_policy	Enable AWS Organizations backup policy	bool	false	no
enabled	Change to false to avoid deploying any AWS Backup resources	bool	true	no
iam_role_arn	If configured, the module will attach this role to selections, instead of creating IAM resources by itself	string	null	no
iam_role_name	Allow to set IAM role name, otherwise use predefined default	string	""	no
locked	Change to true to add a lock configuration for the backup vault	bool	false	no
max_retention_days	The maximum retention period that the vault retains its recovery points	number	null	no
min_retention_days	The minimum retention period that the vault retains its recovery points	number	null	no
notifications	Notification block which defines backup vault events and the SNS Topic ARN to send AWS Backup notifications to. Leave it empty to disable notifications	any	{}	no
notifications_disable_sns_policy	Disable the creation of the SNS policy. Enable if you need to manage the policy elsewhere.	bool	false	no
org_policy_description	Description of the AWS Organizations backup policy	string	"AWS Organizations backup policy"	no
org_policy_name	Name of the AWS Organizations backup policy	string	"backup-policy"	no
org_policy_target_id	Target ID (Root/OU/Account) for the backup policy	string	null	no
plan_name	The display name of a backup plan	string	null	no
plans	A map of backup plans to create. Each key is the plan name and each value is a map of plan configuration.	map(object({ name = optional(string) rules = list(object({ name = string target_vault_name = optional(string) schedule = optional(string) start_window = optional(number) completion_window = optional(number) enable_continuous_backup = optional(bool) lifecycle = optional(object({ cold_storage_after = optional(number) delete_after = number })) recovery_point_tags = optional(map(string)) copy_actions = optional(list(object({ destination_vault_arn = string lifecycle = optional(object({ cold_storage_after = optional(number) delete_after = number })) })), []) })) selections = optional(map(object({ resources = optional(list(string)) not_resources = optional(list(string)) conditions = optional(object({ string_equals = optional(map(string)) string_not_equals = optional(map(string)) string_like = optional(map(string)) string_not_like = optional(map(string)) })) selection_tags = optional(list(object({ type = string key = string value = string }))) })), {}) }))	{}	no
reports	The default cache behavior for this distribution.	list(object({ name = string description = optional(string, null) formats = optional(list(string), null) s3_bucket_name = string s3_key_prefix = optional(string, null) report_template = string accounts = optional(list(string), null) organization_units = optional(list(string), null) regions = optional(list(string), null) framework_arns = optional(list(string), []) }))	[]	no
rule_completion_window	The amount of time AWS Backup attempts a backup before canceling the job and returning an error	number	null	no
rule_enable_continuous_backup	Enable continuous backups for supported resources.	bool	false	no
rule_lifecycle_cold_storage_after	Specifies the number of days after creation that a recovery point is moved to cold storage	number	null	no
rule_lifecycle_delete_after	Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than cold_storage_after	number	null	no
rule_name	An display name for a backup rule	string	null	no
rule_recovery_point_tags	Metadata that you can assign to help organize the resources that you create	map(string)	{}	no
rule_schedule	A CRON expression specifying when AWS Backup initiates a backup job	string	null	no
rule_start_window	The amount of time in minutes before beginning a backup	number	null	no
rules	A list of rule maps	list(object({ name = string target_vault_name = optional(string) schedule = optional(string) start_window = optional(number) completion_window = optional(number) enable_continuous_backup = optional(bool) lifecycle = optional(object({ cold_storage_after = optional(number) delete_after = number })) recovery_point_tags = optional(map(string)) copy_actions = optional(list(object({ destination_vault_arn = string lifecycle = optional(object({ cold_storage_after = optional(number) delete_after = number })) })), []) }))	[]	no
selection_conditions	A map of conditions that you define to assign resources to your backup plans using tags.	object({ string_equals = optional(map(string)) string_not_equals = optional(map(string)) string_like = optional(map(string)) string_not_like = optional(map(string)) })	{}	no
selection_name	The display name of a resource selection document	string	null	no
selection_not_resources	An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan.	list(any)	[]	no
selection_resources	An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan	list(any)	[]	no
selection_tags	List of tags for selection_name var, when using variable definition.	list(any)	[]	no
selections	A list or map of backup selections. If passing a list, each selection must have a name attribute.	any	[]	no
tags	A mapping of tags to assign to the resource	map(string)	{}	no
vault_force_destroy	A boolean that indicates that all recovery points stored in the vault are deleted so that the vault can be destroyed without error	bool	false	no
vault_kms_key_arn	The server-side encryption key that is used to protect your backups	string	null	no
vault_name	Name of the backup vault to create. If not given, AWS use default	string	null	no
windows_vss_backup	Enable Windows VSS backup option and create a VSS Windows backup	bool	false	no

Outputs

Name	Description
framework_arn	The ARN of the backup framework
framework_creation_time	The date and time that the backup framework was created
framework_id	The unique identifier of the backup framework
framework_status	The deployment status of the backup framework
plan_arn	The ARN of the backup plan
plan_id	The id of the backup plan
plan_role	The service role of the backup plan
plan_version	Unique, randomly generated, Unicode, UTF-8 encoded string that serves as the version ID of the backup plan
plans	Map of plans created and their attributes
vault_arn	The ARN of the vault
vault_id	The name of the vault

Known Issues

During the development of the module, the following issues were found:

Error creating Backup Vault

In case you get an error message similar to this one:

error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,

Add the required IAM permissions mentioned in the CreateBackupVault row to the role or user creating the Vault (the one running Terraform CLI). In particular make sure kms and backup-storage permissions are added.

Known Issues

During the development of the module, the following issues were found:

Error creating Backup Vault

In case you get an error message similar to this one:

error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,

Add the required IAM permissions mentioned in the CreateBackupVault row to the role or user creating the Vault (the one running Terraform CLI). In particular make sure kms and backup-storage permissions are added.

Known Issues

During the development of the module, the following issues were found:

Error creating Backup Vault

In case you get an error message similar to this one:

error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,

Add the required IAM permissions mentioned in the CreateBackupVault row to the role or user creating the Vault (the one running Terraform CLI). In particular make sure kms and backup-storage permissions are added.

Known Issues

During the development of the module, the following issues were found:

Error creating Backup Vault

In case you get an error message similar to this one:

error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,

Add the required IAM permissions mentioned in the CreateBackupVault row to the role or user creating the Vault (the one running Terraform CLI). In particular make sure kms and backup-storage permissions are added.

Testing

This module includes comprehensive testing to ensure reliability and prevent regressions.

Test Structure

• Validation Tests: Terraform format, syntax, and basic validation across multiple Terraform and AWS provider versions
• Security Scanning: Static analysis using checkov and tfsec to identify security issues
• Example Tests: Automated validation of all example configurations
• Integration Tests: Real AWS resource creation/destruction testing using Terratest

Running Tests Locally

Prerequisites

1. Install Go 1.21+
2. Install Terraform 1.0+
3. Configure AWS credentials

Example Validation Tests

cd test
go test -v -timeout 10m -run TestExamples

Integration Tests (requires AWS credentials)

cd test
go test -v -timeout 30m -run TestBasicBackupPlan
go test -v -timeout 30m -run TestIAMRoleCreation

Security Scanning

# Install tools
pip install checkov
curl -L https://github.com/aquasecurity/tfsec/releases/latest/download/tfsec-linux-amd64 -o tfsec
chmod +x tfsec && sudo mv tfsec /usr/local/bin/

# Run scans
checkov -d . --framework terraform
tfsec .

CI/CD Workflows

The module includes automated testing through GitHub Actions:

• Validate Workflow: Runs on every push/PR - Terraform validation and format checking
• Security Workflow: Runs on every push/PR and weekly - Security scanning with checkov/tfsec
• Test Workflow: Manual trigger and weekly schedule - Comprehensive integration testing

Test Coverage

The test suite covers:

• ✅ Basic backup plan creation
• ✅ Multiple backup plans
• ✅ Cross-region backup scenarios
• ✅ IAM role and policy validation
• ✅ Backup vault configuration
• ✅ Notification integration
• ✅ All example configurations
• ✅ Security best practices
• ✅ Multi-version compatibility (Terraform 1.0+, AWS Provider 4.0+)

Contributing

When contributing to this module:

1. Ensure all tests pass: cd test && go test -v ./...
2. Run security scans: checkov -d . && tfsec .
3. Update examples if adding new features
4. Add integration tests for new functionality

Troubleshooting

Common Issues

If you encounter issues with the module, check these common problems:

1. AccessDeniedException: Ensure your IAM user/role has the necessary permissions for AWS Backup operations
2. InvalidParameterValueException: Check that schedule expressions, lifecycle values, and ARNs are properly formatted
3. Backup Job Failures: Verify resource permissions and backup windows are sufficient
4. Cross-Region Issues: Ensure both regions support cross-region backups and KMS key permissions are configured

Getting Help

For detailed troubleshooting steps:

• TROUBLESHOOTING.md - Comprehensive troubleshooting guide with step-by-step solutions
• KNOWN_ISSUES.md - Known issues and workarounds
• BEST_PRACTICES.md - Best practices and optimization tips
• PERFORMANCE.md - Performance tuning guide

Quick Debug Steps

1. Enable Debug Logging:

   export TF_LOG=DEBUG
   export TF_LOG_PATH=terraform.log
   terraform plan

2. Check AWS Service Health: Verify AWS Backup is available in your region

3. Validate Configuration:

   terraform validate
   terraform plan

4. Check Resource State:

   aws backup list-backup-vaults
   aws backup list-backup-plans

Known Issues

During the development of the module, the following issues were found:

Error creating Backup Vault

In case you get an error message similar to this one:

error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,

Add the required IAM permissions mentioned in the CreateBackupVault row to the role or user creating the Vault (the one running Terraform CLI). In particular make sure kms and backup-storage permissions are added.