Terraform module to create AWS Backup plans. AWS Backup is a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services (EBS volumes, RDS databases, DynamoDB tables, EFS file systems, and Storage Gateway volumes).
- Flexible backup plan customization
- Comprehensive backup management:
  - Rules and selections
  - Copy actions and lifecycle policies
  - Retention periods and windows
  - Resource tagging
- Advanced capabilities:
  - IAM role management
  - Multi-region support
  - Vault management
  - Framework integration
  - Organization policies
- Enterprise features:
  - Notifications system
  - Audit Manager integration
  - Cross-account backups
  - Compliance controls
You can use this module to create a simple plan using the module's `rule_*` variables. You can also use the `rules` and `selections` list-of-maps variables to build a more complete plan by defining several rules and selections at once. For multiple backup plans, use the `plans` variable to create several plans, each with its own rules and selections.
Check the examples folder to see how to configure backup plans with different selection criteria:

- `examples/simple_plan/main.tf`: a basic backup plan configuration
- `examples/simple_plan_using_variables/main.tf`: a backup plan using variables
- `examples/complete_plan/main.tf`: a comprehensive backup plan setup
- `examples/multiple_plans/main.tf`: managing multiple backup plans
- `examples/organization_backup_policy/main.tf`: organization-wide backup policies
- `examples/simple_audit_framework/main.tf`: audit framework configuration
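A complete module call that combines the `rules`, `selections`, vault lock and notification inputs described above, as an added example that is not taken from the module's examples folder. The module path and all ARNs are placeholders, and the nested attribute names inside `rules`, `selections` and `notifications` are assumed to follow the module's `rule_*` / `selection_*` variable naming.

```hcl
# Added example (not from the module's own examples folder): one plan with a
# daily rule, a tag-based selection and a locked, CMK-encrypted vault. Assumed:
# the module path, every ARN (placeholders) and the nested attribute names in
# `rules`, `selections` and `notifications` (they follow the rule_*/selection_* naming).
module "backup" {
  source = "./terraform-aws-backup" # placeholder: path or registry address of this module

  # Vault with a customer-managed KMS key and a lock. changeable_for_days = null
  # would give a governance-mode lock; a number makes it compliance mode after that many days.
  vault_name          = "prod-vault"
  vault_kms_key_arn   = "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID"
  locked              = true
  min_retention_days  = 30
  max_retention_days  = 365
  changeable_for_days = 3

  plan_name = "prod-daily"
  rules = [
    {
      name              = "daily-0300-utc"
      schedule          = "cron(0 3 * * ? *)"
      start_window      = 60  # minutes before AWS Backup begins the job
      completion_window = 360 # minutes before an unfinished job is cancelled
      lifecycle = {
        cold_storage_after = 30
        delete_after       = 120 # must be at least cold_storage_after + 90
      }
      recovery_point_tags = { Environment = "production" }
    }
  ]

  # Back up everything tagged Backup=true, except one scratch EBS volume
  selections = [
    {
      name           = "tagged-resources"
      resources      = ["*"]
      not_resources  = ["arn:aws:ec2:eu-west-1:111122223333:volume/vol-PLACEHOLDER"]
      selection_tags = [{ type = "STRINGEQUALS", key = "Backup", value = "true" }]
    }
  ]

  # Notify on failures only, so the topic is not drowned in routine events
  notifications = {
    sns_topic_arn       = "arn:aws:sns:eu-west-1:111122223333:backup-alerts"
    backup_vault_events = ["BACKUP_JOB_FAILED", "COPY_JOB_FAILED", "RESTORE_JOB_FAILED"]
  }

  tags = { Environment = "production", ManagedBy = "terraform" }
}
```

With a compliance-mode lock every rule's `delete_after` has to fall between `min_retention_days` and `max_retention_days`, otherwise AWS Backup rejects the plan.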
| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 5.0.0 |

| Name | Version |
|------|---------|
| aws | 6.3.0 |

No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| advanced_backup_settings | Advanced backup settings by resource type | `map(map(string))` | `{}` | no |
| audit_framework | Configuration for AWS Backup Audit Manager framework | `object({` | `{` | no |
| backup_policies | Map of backup policies to create | `map(object({` | `{}` | no |
| backup_regions | List of regions where backups should be created | `list(string)` | `[]` | no |
| backup_selections | Map of backup selections | `map(object({` | `{}` | no |
| changeable_for_days | The number of days before the lock date. If omitted, creates a vault lock in governance mode; otherwise creates a vault lock in compliance mode | `number` | `null` | no |
| default_lifecycle_cold_storage_after_days | Default number of days after creation that a recovery point is moved to cold storage. Used when cold_storage_after is not specified in lifecycle configuration. | `number` | `0` | no |
| default_lifecycle_delete_after_days | Default number of days after creation that a recovery point is deleted. Used when delete_after is not specified in lifecycle configuration. | `number` | `90` | no |
| enable_org_policy | Enable AWS Organizations backup policy | `bool` | `false` | no |
| enabled | Change to false to avoid deploying any AWS Backup resources | `bool` | `true` | no |
| iam_role_arn | If configured, the module attaches this role to selections instead of creating IAM resources itself | `string` | `null` | no |
| iam_role_name | Allows setting the IAM role name; otherwise the predefined default is used | `string` | `""` | no |
| locked | Change to true to add a lock configuration for the backup vault | `bool` | `false` | no |
| max_retention_days | The maximum retention period that the vault retains its recovery points | `number` | `null` | no |
| min_retention_days | The minimum retention period that the vault retains its recovery points | `number` | `null` | no |
| notifications | Notification block which defines backup vault events and the SNS topic ARN to send AWS Backup notifications to. Leave it empty to disable notifications | `any` | `{}` | no |
| notifications_disable_sns_policy | Disable the creation of the SNS policy. Enable if you need to manage the policy elsewhere. | `bool` | `false` | no |
| org_policy_description | Description of the AWS Organizations backup policy | `string` | `"AWS Organizations backup policy"` | no |
| org_policy_name | Name of the AWS Organizations backup policy | `string` | `"backup-policy"` | no |
| org_policy_target_id | Target ID (Root/OU/Account) for the backup policy | `string` | `null` | no |
| plan_name | The display name of a backup plan | `string` | `null` | no |
| plans | A map of backup plans to create. Each key is the plan name and each value is a map of plan configuration. | `map(object({` | `{}` | no |
| reports | The default cache behavior for this distribution. | `list(object({` | `[]` | no |
| rule_completion_window | The amount of time AWS Backup attempts a backup before canceling the job and returning an error | `number` | `null` | no |
| rule_enable_continuous_backup | Enable continuous backups for supported resources. | `bool` | `false` | no |
| rule_lifecycle_cold_storage_after | Specifies the number of days after creation that a recovery point is moved to cold storage | `number` | `null` | no |
| rule_lifecycle_delete_after | Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than cold_storage_after | `number` | `null` | no |
| rule_name | A display name for a backup rule | `string` | `null` | no |
| rule_recovery_point_tags | Metadata that you can assign to help organize the resources that you create | `map(string)` | `{}` | no |
| rule_schedule | A CRON expression specifying when AWS Backup initiates a backup job | `string` | `null` | no |
| rule_start_window | The amount of time in minutes before beginning a backup | `number` | `null` | no |
| rules | A list of rule maps | `list(object({` | `[]` | no |
| selection_conditions | A map of conditions that you define to assign resources to your backup plans using tags. | `object({` | `{}` | no |
| selection_name | The display name of a resource selection document | `string` | `null` | no |
| selection_not_resources | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan. | `list(any)` | `[]` | no |
| selection_resources | An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan | `list(any)` | `[]` | no |
| selection_tags | List of tags for the selection_name variable, when using variable definition. | `list(any)` | `[]` | no |
| selections | A list or map of backup selections. If passing a list, each selection must have a name attribute. | `any` | `[]` | no |
| tags | A mapping of tags to assign to the resource | `map(string)` | `{}` | no |
| vault_force_destroy | A boolean that indicates that all recovery points stored in the vault are deleted so that the vault can be destroyed without error | `bool` | `false` | no |
| vault_kms_key_arn | The server-side encryption key that is used to protect your backups | `string` | `null` | no |
| vault_name | Name of the backup vault to create. If not given, AWS uses the default | `string` | `null` | no |
| windows_vss_backup | Enable Windows VSS backup option and create a VSS Windows backup | `bool` | `false` | no |
| Name | Description |
|------|-------------|
| framework_arn | The ARN of the backup framework |
| framework_creation_time | The date and time that the backup framework was created |
| framework_id | The unique identifier of the backup framework |
| framework_status | The deployment status of the backup framework |
| plan_arn | The ARN of the backup plan |
| plan_id | The id of the backup plan |
| plan_role | The service role of the backup plan |
| plan_version | Unique, randomly generated, Unicode, UTF-8 encoded string that serves as the version ID of the backup plan |
| plans | Map of plans created and their attributes |
| vault_arn | The ARN of the vault |
| vault_id | The name of the vault |
During the development of the module, the following issues were found:

In case you get an error message similar to this one:

```
error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
```

Add the required IAM permissions mentioned in the CreateBackupVault row of the AWS Backup IAM permissions reference to the role or user creating the vault (the one running the Terraform CLI). In particular, make sure `kms` and `backup-storage` permissions are added.
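One way to grant the Terraform principal just what vault creation needs, as an added example that is not part of the module. The action list is recalled from the CreateBackupVault row of the AWS Backup permissions reference and should be checked against the current row; region, account id and key id are placeholders.

```hcl
# Added example (not part of the module): a least-privilege policy for the
# principal that runs `terraform apply`, covering the CreateBackupVault error
# above. The action list follows the CreateBackupVault row of the AWS Backup
# IAM permissions reference as I recall it; confirm it against the current
# row before use. Region, account id and key id are placeholders.
data "aws_iam_policy_document" "terraform_backup_vault" {
  statement {
    sid    = "CreateAndConfigureVault"
    effect = "Allow"
    actions = [
      "backup:CreateBackupVault",
      "backup:DescribeBackupVault",
      "backup:DeleteBackupVault",
      "backup:PutBackupVaultLockConfiguration",
      "backup:PutBackupVaultNotifications",
      "backup:TagResource",
    ]
    resources = ["arn:aws:backup:eu-west-1:111122223333:backup-vault:*"]
  }

  # backup-storage is the service that mounts the vault's storage; without
  # this action CreateBackupVault fails with a bare AccessDeniedException.
  statement {
    sid       = "MountVaultStorage"
    effect    = "Allow"
    actions   = ["backup-storage:MountCapsule"]
    resources = ["*"]
  }

  # KMS access scoped to the one key used as vault_kms_key_arn, not every key
  statement {
    sid    = "UseVaultKey"
    effect = "Allow"
    actions = [
      "kms:CreateGrant",
      "kms:RetireGrant",
      "kms:DescribeKey",
      "kms:GenerateDataKey",
      "kms:Decrypt",
    ]
    resources = ["arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID"]
  }
}

resource "aws_iam_policy" "terraform_backup_vault" {
  name   = "terraform-backup-vault"
  policy = data.aws_iam_policy_document.terraform_backup_vault.json
}
```

If the vault key's own key policy does not grant the same KMS actions to this principal, the identity policy above is not enough on its own.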
This module includes comprehensive testing to ensure reliability and prevent regressions.

- Validation Tests: Terraform format, syntax, and basic validation across multiple Terraform and AWS provider versions
- Security Scanning: Static analysis using `checkov` and `tfsec` to identify security issues
- Example Tests: Automated validation of all example configurations
- Integration Tests: Real AWS resource creation/destruction testing using Terratest
- Install Go 1.21+
- Install Terraform 1.0+
- Configure AWS credentials

Run the example tests:

```bash
cd test
go test -v -timeout 10m -run TestExamples
```

Run the integration tests (these create and destroy real AWS resources):

```bash
cd test
go test -v -timeout 30m -run TestBasicBackupPlan
go test -v -timeout 30m -run TestIAMRoleCreation
```
```bash
# Install tools
pip install checkov
curl -L https://github.com/aquasecurity/tfsec/releases/latest/download/tfsec-linux-amd64 -o tfsec
chmod +x tfsec && sudo mv tfsec /usr/local/bin/

# Run scans
checkov -d . --framework terraform
tfsec .
```
The module includes automated testing through GitHub Actions:
- Validate Workflow: Runs on every push/PR - Terraform validation and format checking
- Security Workflow: Runs on every push/PR and weekly - Security scanning with checkov/tfsec
- Test Workflow: Manual trigger and weekly schedule - Comprehensive integration testing
The test suite covers:
- ✅ Basic backup plan creation
- ✅ Multiple backup plans
- ✅ Cross-region backup scenarios
- ✅ IAM role and policy validation
- ✅ Backup vault configuration
- ✅ Notification integration
- ✅ All example configurations
- ✅ Security best practices
- ✅ Multi-version compatibility (Terraform 1.0+, AWS Provider 4.0+)
When contributing to this module:

- Ensure all tests pass: `cd test && go test -v ./...`
- Run security scans: `checkov -d . && tfsec .`
- Update examples if adding new features
- Add integration tests for new functionality
If you encounter issues with the module, check these common problems:
- AccessDeniedException: Ensure your IAM user/role has the necessary permissions for AWS Backup operations
- InvalidParameterValueException: Check that schedule expressions, lifecycle values, and ARNs are properly formatted
- Backup Job Failures: Verify resource permissions and backup windows are sufficient
- Cross-Region Issues: Ensure both regions support cross-region backups and KMS key permissions are configured
For detailed troubleshooting steps:
- TROUBLESHOOTING.md - Comprehensive troubleshooting guide with step-by-step solutions
- KNOWN_ISSUES.md - Known issues and workarounds
- BEST_PRACTICES.md - Best practices and optimization tips
- PERFORMANCE.md - Performance tuning guide
- Enable Debug Logging:

  ```bash
  export TF_LOG=DEBUG
  export TF_LOG_PATH=terraform.log
  terraform plan
  ```

- Check AWS Service Health: Verify AWS Backup is available in your region
- Validate Configuration:

  ```bash
  terraform validate
  terraform plan
  ```

- Check Resource State:

  ```bash
  aws backup list-backup-vaults
  aws backup list-backup-plans
  ```