Using the module
Prerequisites
It is strongly recommended that this module is deployed into a dedicated AWS Backup account within your AWS Organization.
The module is designed to be deployed into a delegated administrator account within an AWS Organization, it assumes that these requirements are met when deploying:
- All features are enabled for your AWS Organization.
- Trusted access with AWS Backup is enabled on your Organization.
- Backup Policies within your Organization.
- Enable cross-account backup is turned on within your Organization.
- AWS Backup cross-account monitoring is enabled within your Organization.
- Resource Access Manager (RAM) sharing with AWS Organizations enabled in management account at Resource Access Manager, Settings
- The account you are deploying to has been delegated to manage AWS Backup.
- The account you are deploying to has been delegated to manage CloudFormation StackSets.
- The account you are deploying to has permission to manage Backup Policies as detailed in our example delegation policy.
Deployment & Configuration
The module is to be deployed only once per Organization, within the configuration for the module you can define multiple deployments with unique settings.
Deployments
A deployment is an instance of the backup solution. Within the deployment account it creates a single set of resources (Backup Vaults, KMS Key, CloudFormation StackSet, etc.) that can then be used by multiple workload accounts. Deployments create a security boundary for your backups. The key value for each deployment is used to generate unique resource names within the deployment account and workload accounts.
Variables
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_role_names | A list of role names that will have administrator abilities in member accounts. For example, administering the Backup Vaults. | list(string) |
[] |
no |
| allow_backup_targets_to_restore | Allow restores within the backup_targets workload accounts. This will share the LAG Vault back to workload accounts through AWS RAM. |
bool |
false |
no |
| backup_tag_key | The tag key to query when require_plan_name_resource_tag is enabled within a plan. |
string |
null |
no |
| backup_targets | A list of Organizational Unit IDs to deploy the backup solution to. The module will deploy to all accounts within these OUs. | list(string) |
yes | |
| max_retention_days | The maximum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | number |
null |
no |
| min_retention_days | The minimum retention to configure on the Backup Vaults. Required when a plan is using a LAG Vault. | number |
null |
no |
| plans | A map of backup plans to implement, see Plans. | map(object) |
yes | |
| retained_vaults | A list of previously deployed Backup Vault configurations. This is used to retain Vaults that were previously configured and are now locked, preventing deletion. This is useful when changing the configuration of a deployment, such as changing the minimum or maximum retention days. | list(object({ min_retention_days = number, max_retention_days = number, use_logically_air_gapped_vault = optional(bool, false) })) |
[] |
no |
Plans
A plan defines a selection of resources and a list of rules (when your backups should be taken) for AWS Backup to orchestrate. This module generates AWS Backup Plans based upon the configuration made here; the module implements additional functionality to simplify the configuration of AWS Backup and implement AWS guidance. The key value for each plan is used to identify the plan and filter by resource tag when require_plan_name_resource_tag is enabled.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| complete_backup_window_minutes | Number of minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. | number |
null |
no |
| continuous_backup_schedule_expression | A cron expression for when to create Continuous Backups of supported and enabled resources. It is recommended to set this outside of the backup windows defined in your rules and to run it regularly. | string |
"cron(0 0 ? * * *)" |
no |
| create_continuous_backups | Create continuous backups for resources that support it to enable point in time recovery within the same account. These backups are not copied to the immutable backup vaults. Supported resource types: RDS database instances, SAP HANA. |
bool |
false |
no |
| intermediate_retention_days | The number of days to retain backups in the Intermediate Vault once copied to the Immutable Vault. Persisting backups in this vault can reduce copy latency through incremental backups. If not set will use the rule's delete_after_days configuration or 7 days if null. Can be overridden by setting on the rule. |
number |
Rule's delete_after_days or 7 |
no |
| local_retention_days | The number of days to retain backups in the workload account vaults once copied to the Intermediate or LAG vaults. Persisting backups in this vault can reduce backup latency through incremental backups. If not set will use the rule's delete_after_days configuration. Can be overridden by setting on the rule. This does not affect Continuous Backups. |
number |
Rule's delete_after_days |
no |
| require_plan_name_resource_tag | Only backup resources that have a resource tag with key backup_tag_key and value matching the plan name. |
bool |
true |
no |
| snapshot_from_continuous_backups | Create continuous backups for resources that support it and then generate snapshot backups from these. Recommended by AWS to reduce cost. Supported resource types: S3. |
bool |
true |
no |
| start_backup_window_minutes | Number of minutes to wait for a backup job to start before cancelling it. If this value is included, it must be at least 60 minutes to avoid errors. | number |
null |
no |
| use_logically_air_gapped_vault | Copy backups to a Logically Air Gapped Vault for supported resource types. Logically Air Gapped Vaults enable faster recovery as backups can be restored cross-account. | bool |
false |
no |
| rules | A list of backup rules to implement, defining when backups should be taken. Where rules have overlapping start windows, the rule with the greatest delete_after_days value will run. See Rules. |
list |
yes |
Rules
A rule defines when backups should be taken and how long they should be kept for. Where rules within a plan have overlapping start windows, the rule with the greatest delete_after_days value will run.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| complete_backup_window_minutes | Number of minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Overrides the value set on the plan. | number |
null |
no |
| delete_after_days | The number of days a backup should be retained for. Required when the plan is using a LAG Vault. | number |
null |
no |
| intermediate_retention_days | The number of days to retain backups in the Intermediate Vault once copied to the Immutable Vault. Overrides the value set on the plan. | number |
null |
no |
| local_retention_days | The number of days to retain backups in the workload account vaults once copied to the Intermediate or LAG vaults. Overrides the value set on the plan. | number |
null |
no |
| name | A friendly name for the rule. | string |
Rule's index number | no |
| schedule_expression | A cron expression for when to start the backup window. | string |
yes | |
| start_backup_window_minutes | Number of minutes to wait for a backup job to start before cancelling it. If this value is included, it must be at least 60 minutes to avoid errors. Overrides the value set on the plan. | number |
null |
no |