Using the module

Prerequisites

It is strongly recommended that this module be deployed into a dedicated AWS Backup account within your AWS Organization.

The module is designed to be deployed into a delegated administrator account within an AWS Organization; it assumes that the following requirements are met when deploying:

Deployment & Configuration

The module is to be deployed only once per Organization. Within the module configuration you can define multiple deployments, each with its own settings.

Variables

Deployments

A deployment is an instance of the backup solution. Within the deployment account it creates a single set of resources (Backup Vaults, KMS Key, CloudFormation StackSet, etc.) that can then be used by multiple workload accounts. Deployments create a security boundary for your backups. The key value for each deployment is used to generate unique resource names within the deployment account and workload accounts.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| backup_tag_key | The tag key to query when require_plan_name_resource_tag is enabled within a plan. | string | null | no |
| max_retention_days | The maximum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | number | null | no |
| min_retention_days | The minimum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | number | null | no |
| plans | A map of backup plans to implement; see Plans. | map(object) | | yes |
| restores_enabled | Allow restores within workload accounts. This shares the LAG Vault back to workload accounts through AWS RAM. | bool | false | no |
| retained_vaults | A list of previously deployed Backup Vault configurations. Use it to retain Vaults that were previously configured and are now locked, which prevents their deletion. This is useful when changing the configuration of a deployment, such as the minimum or maximum retention days. | list(object({ min_retention_days = number, max_retention_days = number, use_logically_air_gapped_vault = optional(bool, false) })) | [] | no |
| targets | A list of Organizational Unit IDs to deploy the backup solution to. The module deploys to all accounts within these OUs. | list(string) | | yes |

Plans

A plan defines a selection of resources and a list of rules (when your backups should be taken) for AWS Backup to orchestrate. This module generates AWS Backup Plans based upon the configuration made here; the module implements additional functionality to simplify the configuration of AWS Backup and implement AWS guidance. The key value for each plan is used to identify the plan and filter by resource tag when require_plan_name_resource_tag is enabled.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| complete_backup_window_minutes | Number of minutes after a backup job is successfully started before it must be completed, or it will be cancelled by AWS Backup. | number | null | no |
| continuous_backup_schedule_expression | A cron expression for when to create Continuous Backups of supported and enabled resources. It is recommended to schedule this outside the backup windows defined in your rules and to run it regularly. | string | `"cron(0 0 ? * * *)"` | no |
| create_continuous_backups | Create continuous backups for resources that support it, enabling point-in-time recovery within the same account. These backups are not copied to the immutable backup vaults. Supported resource types: RDS database instances, SAP HANA. | bool | false | no |
| intermediate_retention_days | The number of days to retain backups in the Intermediate Vault once copied to the Immutable Vault. Persisting backups in this vault can reduce copy latency through incremental backups. If not set, the rule's delete_after_days value is used, or 7 days if that is null. Can be overridden by setting it on the rule. | number | Rule's delete_after_days, or 7 | no |
| local_retention_days | The number of days to retain backups in the workload account vaults once copied to the Intermediate or LAG Vaults. Persisting backups in this vault can reduce backup latency through incremental backups. If not set, the rule's delete_after_days value is used. Can be overridden by setting it on the rule. This does not affect Continuous Backups. | number | Rule's delete_after_days | no |
| require_plan_name_resource_tag | Only back up resources that have a resource tag with key backup_tag_key and a value matching the plan name. | bool | true | no |
| snapshot_from_continuous_backups | Create continuous backups for resources that support it and then generate snapshot backups from these. Recommended by AWS to reduce cost. Supported resource types: S3. | bool | true | no |
| start_backup_window_minutes | Number of minutes to wait for a backup job to start before cancelling it. If this value is set, it must be at least 60 minutes to avoid errors. | number | null | no |
| use_logically_air_gapped_vault | Copy backups to a Logically Air Gapped Vault for supported resource types. Logically Air Gapped Vaults enable faster recovery, as backups can be restored cross-account. | bool | false | no |
| rules | A list of backup rules to implement, defining when backups should be taken. Where rules have overlapping start windows, the rule with the greatest delete_after_days value runs. See Rules. | list | | yes |

Rules

A rule defines when backups should be taken and how long they should be kept for. Where rules within a plan have overlapping start windows, the rule with the greatest delete_after_days value will run.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| complete_backup_window_minutes | Number of minutes after a backup job is successfully started before it must be completed, or it will be cancelled by AWS Backup. Overrides the value set on the plan. | number | null | no |
| delete_after_days | The number of days a backup should be retained for. Required when the plan is using a LAG Vault. | number | null | no |
| intermediate_retention_days | The number of days to retain backups in the Intermediate Vault once copied to the Immutable Vault. Overrides the value set on the plan. | number | null | no |
| local_retention_days | The number of days to retain backups in the workload account vaults once copied to the Intermediate or LAG Vaults. Overrides the value set on the plan. | number | null | no |
| name | A friendly name for the rule. | string | Rule's index number | no |
| schedule_expression | A cron expression for when to start the backup window. | string | | yes |
| start_backup_window_minutes | Number of minutes to wait for a backup job to start before cancelling it. If this value is set, it must be at least 60 minutes to avoid errors. Overrides the value set on the plan. | number | null | no |
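The following is an added example of a module configuration that exercises the deployment, plan and rule variables described in the three tables above. It is not an example shipped with the module. The module `source` and the top-level `deployments` variable name are assumptions (placeholders to replace with the real ones); the OU ID is constructed; every field name inside the deployment, plan and rule objects is taken from the tables on this page.

```hcl
# Added example, not the project's own. Assumed: the module source and the
# top-level "deployments" map variable name. Field names come from the docs.
module "org_backup" {
  source = "PLACEHOLDER/aws-backup-module" # assumed: replace with the real module source

  # Assumed variable name. Each key is a deployment name; the module uses it to
  # generate unique resource names in the deployment and workload accounts.
  deployments = {
    prod = {
      targets        = ["ou-xxxx-11111111"] # constructed OU ID; all accounts beneath it are targeted
      backup_tag_key = "BackupPlan"         # queried because require_plan_name_resource_tag defaults to true

      # A plan below uses a LAG Vault, so the vault retention bounds are required,
      # and every rule in that plan must set delete_after_days within them.
      min_retention_days = 7
      max_retention_days = 365
      restores_enabled   = true # shares the LAG Vault back to workload accounts via AWS RAM

      plans = {
        # Selects resources tagged BackupPlan=critical (the plan key is the tag value).
        critical = {
          use_logically_air_gapped_vault = true
          start_backup_window_minutes    = 60  # when set, must be at least 60
          complete_backup_window_minutes = 720
          local_retention_days           = 3   # short workload-account copy keeps incremental backups cheap
          intermediate_retention_days    = 14
          create_continuous_backups      = true # RDS / SAP HANA point-in-time recovery, same account only
          # continuous_backup_schedule_expression is left at its default of
          # cron(0 0 ? * * *), which is outside the 02:00 backup window below.

          rules = [
            {
              name                = "daily"
              schedule_expression = "cron(0 2 ? * * *)" # 02:00 UTC every day
              delete_after_days   = 35
            },
            {
              # Shares the 02:00 start window with "daily" on Sundays. Because it
              # has the greater delete_after_days, this is the rule that runs then.
              name                 = "weekly"
              schedule_expression  = "cron(0 2 ? * SUN *)"
              delete_after_days    = 365
              local_retention_days = 7 # rule-level override of the plan's value
            },
          ]
        }
      }

      # The vault configuration from an earlier revision of this deployment.
      # Listing it retains the old, now-locked Vaults instead of trying to delete them.
      retained_vaults = [
        {
          min_retention_days             = 7
          max_retention_days             = 180
          use_logically_air_gapped_vault = true
        },
      ]
    }
  }
}
```

Two points worth checking before applying a configuration like this: every rule in a plan that sets use_logically_air_gapped_vault must have a delete_after_days between the deployment's min_retention_days and max_retention_days, since those bounds are enforced by the Vault; and when you later change those bounds, move the previous values into retained_vaults rather than removing them, because a locked Vault cannot be deleted.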