Terraform Aws Backup Module

Terraform module to setup AWS Backup

Example

module "backup" {
  source             = "blackbird-cloud/backup/aws"
  version            = "~> 1.2.0"
  name               = "centralized-backup"
  kms_key_arn        = "arn:aws:kms:us-west-2:xxxxx:key/xxxxxxxxxxxxx"
  create_backup_plan = true
  resource_type_opt_in_preference = {
    "Aurora" : true,
    "EBS" : true,
    "EC2" : true,
    "RDS" : true,
    "S3" : true,
  }

  selection = {
    create_default_role = true
    condition = {
      string_equals = [{
        key   = "aws:ResourceTag/Backup"
        value = "true"
      }]
    }
    resources = ["*"]
  }

  rules = [
    {
      schedule          = "cron(0 3 * * ? *)" # Every day at 03:00 UTC
      start_window      = 60
      completion_window = 120
      lifecycle = {
        delete_after = 30
      }
    }
  ]

  vault_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
      {
        "Sid": "Allow access to backup vault",
        "Effect": "Allow",
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*",
        "Principal": "*",
        "Condition": {
          "StringEquals": {
            "aws:AccountId": "123456789012"
          }
        }
      }
  ]
}
EOF
}

Requirements

Name	Version
terraform	>= 1.9.0
aws	~> 6.0

Providers

Name	Version
aws	~> 6.0

Resources

Name	Type
aws_backup_plan.plan	resource
aws_backup_region_settings.settings	resource
aws_backup_selection.selection	resource
aws_backup_vault.vault	resource
aws_backup_vault_policy.policy	resource
aws_iam_role.backup_selection	resource
aws_iam_role_policy_attachment.backup_selection	resource
aws_iam_policy_document.assume_role	data source

Inputs

Name	Description	Type	Default	Required
create_backup_plan	(Optional) Create an AWS Backup plan, requires the rules variable to be configured as well.	bool	true	no
create_backup_region_settings	(Optional) Create an AWS Backup Region Settings resource.	bool	true	no
iam_role_arn	(Optional) IAM role arn to use when making backups.	string	""	no
kms_key_arn	(Required) The server-side encryption key that is used to protect your backups.	string	n/a	yes
name	(Required) Name of backup resource	string	n/a	yes
resource_type_management_preference	(Optional) A map of services along with the management preferences for the Region.	any	{ "DynamoDB": true, "EFS": true }	no
resource_type_opt_in_preference	(Optional) A map of services along with the opt-in preferences for the Region.	any	{ "Aurora": true, "CloudFormation": true, "DocumentDB": true, "DynamoDB": true, "EBS": true, "EC2": true, "EFS": true, "FSx": true, "Neptune": true, "RDS": true, "Redshift": true, "S3": true, "Storage Gateway": true, "Timestream": true, "VirtualMachine": true }	no
rules	(Optional) An list of rules to create for the backup plan.	list(any)	[]	no
selection	(Optional) Manages selection conditions for AWS Backup plan resources.	object({ create_default_role : bool, resources : optional(list(string)), not_resources : optional(list(string)), condition : any })	{ "condition": {}, "create_default_role": false }	no
tags	(Optional) Metadata that you can assign to help organize the resources that you create. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.	map(string)	{}	no
vault_policy	(Optional) The backup vault access policy document in JSON format.	string	null	no

Outputs

Name	Description
vault	AWS Backup Vault

About

We are Blackbird Cloud, Amsterdam based cloud consultancy, and cloud management service provider. We help companies build secure, cost efficient, and scale-able solutions.

Checkout our other 👉 terraform modules

Copyright

Copyright © 2017-2025 Blackbird Cloud