Module Architecture
The module is designed to be deployed in a dedicated account within an AWS Organization. That account must be delegated certain abilities for the module to function.
Deployment to member accounts
Deployment to member accounts is orchestrated through CloudFormation StackSets. The module uses CloudFormation because it enables deployment to many AWS accounts without configuring and managing a Terraform provider for each account. StackSets work natively within AWS, reacting when accounts are moved between Organizations and Organizational Units to provision and destroy resources depending on their location within an Organization.
However, as CloudFormation is a declarative syntax for provisioning resources (even more strictly so than Terraform), some of the member account deployment functionality has been implemented through custom resources - AWS Lambda functions calling the AWS API or running Terraform itself. For example, creating the AWS Backup Service-linked IAM Role only succeeds if the role does not already exist; by using a custom Lambda function, this error can be caught and ignored. Terraform is used to deploy the Backup Vaults within member accounts because it includes a force_destroy option that empties a Vault before deleting it, whereas CloudFormation fails to delete a Vault that still has contents.
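As an added illustration of the custom-resource pattern described above (example code, not the module's own), a Lambda handler that creates the AWS Backup service-linked role and treats IAM's "has been taken" response as success rather than failing the stack instance. It assumes the IAM client is injected so the logic can be exercised without the AWS SDK; the choice to retain the role on stack Delete is an assumption.

```python
import json

SLR_SERVICE = "backup.amazonaws.com"
SLR_NAME = "AWSServiceRoleForBackup"  # name IAM gives the AWS Backup service-linked role

def _api_error(exc):
    # botocore ClientError exposes the API error as exc.response["Error"]; other exceptions yield ("", "")
    err = getattr(exc, "response", {}).get("Error", {})
    return err.get("Code", ""), err.get("Message", "")

def ensure_backup_service_linked_role(iam):
    """Create the service-linked role; return 'created', or 'exists' when IAM reports it is taken."""
    try:
        iam.create_service_linked_role(AWSServiceName=SLR_SERVICE)
        return "created"
    except Exception as exc:
        code, message = _api_error(exc)
        # IAM signals a pre-existing service-linked role with InvalidInputException / "has been taken"
        if code == "InvalidInputException" and "has been taken" in message:
            return "exists"
        raise  # any other failure must surface so the StackSet instance reports FAILED

def build_cfn_response(event, status, reason="", data=None):
    """Payload CloudFormation expects to be PUT to the pre-signed ResponseURL of the request."""
    return {
        "Status": status,
        "Reason": reason or "see CloudWatch log stream",
        "PhysicalResourceId": event.get("PhysicalResourceId") or SLR_NAME,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }

def handle_custom_resource(event, iam):
    """Core logic with the IAM client injected, so it can run without the AWS SDK."""
    if event["RequestType"] == "Delete":
        # Assumption: the role is shared by every workload in the account, so stack deletion leaves it in place
        return build_cfn_response(event, "SUCCESS", reason="service-linked role retained")
    try:
        return build_cfn_response(event, "SUCCESS", data={"Outcome": ensure_backup_service_linked_role(iam)})
    except Exception as exc:  # report the failure to CloudFormation instead of timing out the stack operation
        return build_cfn_response(event, "FAILED", reason=str(exc)[:255])

def lambda_handler(event, context):
    import boto3, urllib.request  # imported lazily so the module loads in environments without the SDK
    body = json.dumps(handle_custom_resource(event, boto3.client("iam"))).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req).close()
```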
Central account resources
- Deployment helper SNS topic
- Deployment helper Lambda function
- AWS Backup Service-linked IAM Role
Central account resources per deployment
- EventBridge Event Bus
- Backup Ingest Step Function
- Intermediate Backup Vault
- Standard Backup Vault
- LAG Backup Vault
- AWS Backup Service Role
- CloudFormation StackSet
Member account resources
- Backup Vault
- Restore Vault
- AWS Backup Service-linked IAM Role
- AWS Backup Service Role
- EventBridge Rule forwarding AWS Backup events