Terraform module for creating AWS Organization Backup Policies

appvia/terraform-aws-backup

Terraform AWS Organizations Backup

Description

This module creates an AWS Organization Backup Policy consisting of one or more backup plans to be deployed to accounts within the specified Organizational Unit.

Usage

The following example creates a generalised backup policy targeting all compatible AWS Backup resources. Resources are matched if they have a tag with the key BackupPolicy and a value matching the plan name - in this case daily. This policy is applied to all accounts within the specified organizational unit and is run on a daily schedule starting at 3am.

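module "basic" {
  source  = "appvia/backup/aws"
  version = "1.0.0"

  name = "general-backup"
  # Note: the Inputs table below lists deployment_targets, not organizational_unit.
  organizational_unit = "ou-1tbg-wpzfzxb7"

  plans = [{
    name                    = "daily"             # matched against the BackupPolicy tag value
    schedule                = "cron(0 3 ? * * *)" # every day at 03:00
    start_window_minutes    = 60
    complete_window_minutes = 300
  }]
}

resource "aws_s3_bucket" "data_pending_processing" {
  bucket = "io-appvia-data-pending-processing"

  # This tag opts the bucket into the "daily" plan defined above.
  tags = {
    BackupPolicy = "daily"
  }
}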

Update Documentation

The terraform-docs utility is used to generate this README. Follow the steps below to update it:

  1. Make changes to the .terraform-docs.yml file
  2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/)
  3. Run terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.7 |
| aws | >= 5 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudformation_stack_set.role | resource |
| aws_cloudformation_stack_set.vault | resource |
| aws_cloudformation_stack_set_instance.role | resource |
| aws_cloudformation_stack_set_instance.vault | resource |
| aws_organizations_policy.backup | resource |
| aws_organizations_policy_attachment.backup | resource |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | Name of the backup policy | string | n/a | yes |
| plans | List of plan definitions. Each definition defines a backup plan governing the frequency, destinations and retention settings. | list(object), full type below | n/a | yes |
| deployment_targets | The accounts or organizational unit to attach the backup policy to. | list(string) | [] | no |
| regions | List of regions where resources to be backed up are located | list(string) | [] | no |
| tags | Map of tags to apply to resources created by this module. These are also passed down to individual backups. | map(string) | {} | no |
| vaults | List of Backup Vaults to be created along with their lock configuration | list(object), full type below | [] | no |

Type of plans:

    list(object({
      name                    = string
      schedule                = string
      start_window_minutes    = optional(number, 60)
      complete_window_minutes = optional(number, 360)
      backup_tag_name         = optional(string, "BackupPolicy")
      backup_role_name        = optional(string, "lza-backup-service-linked-role")
      vault_name              = optional(string, "Default")

      copy_backups = optional(list(object({
        target_vault = string

        lifecycle = optional(object({
          cold_storage_after_days = optional(number)
          delete_after_days       = optional(number)
        }))
      })), [])

      lifecycle = optional(object({
        cold_storage_after_days = optional(number)
        delete_after_days       = optional(number)
      }))
    }))

Type of vaults:

    list(object({
      name               = string
      change_grace_days  = optional(number)
      min_retention_days = optional(number)
      max_retention_days = optional(number)
    }))
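
A fuller invocation that combines the vaults and plans inputs, as an added example rather than configuration from the module's own README. The vault name, region, retention values and tag are constructed, and it assumes that vault_name refers to an entry in vaults and that the lock fields map to AWS Backup Vault Lock's ChangeableForDays, MinRetentionDays and MaxRetentionDays.

```hcl
module "locked_backup" {
  source = "appvia/backup/aws"
  # Pin `version` to a release that exposes the inputs listed in the Inputs table.

  name               = "locked-backup"
  deployment_targets = ["ou-1tbg-wpzfzxb7"] # OU id reused from the Usage example
  regions            = ["eu-west-2"]        # constructed sample region

  # Assumption: these map to Vault Lock's ChangeableForDays,
  # MinRetentionDays and MaxRetentionDays.
  vaults = [{
    name               = "locked" # constructed name
    change_grace_days  = 7        # lock can still be changed or removed in this window
    min_retention_days = 30
    max_retention_days = 365
  }]

  plans = [
    {
      name       = "daily" # resources tagged BackupPolicy = "daily"
      schedule   = "cron(0 3 ? * * *)"
      vault_name = "locked" # assumption: refers to an entry in `vaults`

      # Retention must fall inside the vault's 30-365 day window,
      # otherwise Vault Lock fails the backup job.
      lifecycle = {
        delete_after_days = 35
      }
    },
    {
      name       = "weekly" # resources tagged BackupPolicy = "weekly"
      schedule   = "cron(0 4 ? * SUN *)"
      vault_name = "locked"

      # AWS Backup requires deletion at least 90 days after the
      # transition to cold storage.
      lifecycle = {
        cold_storage_after_days = 30
        delete_after_days       = 365
      }
    }
  ]

  tags = {
    Owner = "platform-security" # constructed sample tag
  }
}
```

Once the grace period on a locked vault has passed, the lock can no longer be removed and recovery points cannot be deleted before their retention expires, so validate the retention values in a non-production account first.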

Outputs

No outputs.