Skip to content

Latest commit

 

History

History
110 lines (72 loc) · 8.62 KB

File metadata and controls

110 lines (72 loc) · 8.62 KB

AWS Backup Vault Terraform module for cross-account backup

CI/CD Pull Request Quality Gate Status

This solution demonstrates how you can save time using Terraform to automate the deployment of your AWS Backup resources across accounts in your organization. Using this solution, you can centrally manage the deployment of AWS Backup resources, such as vaults, as well as backup policies, for all of your AWS Organizations accounts.

Table of Contents

Prerequisites

Getting started

Terraform init

  1. To manage the Terraform state, Amazon S3 is used to store our .tfstate file and a Amazon DynamoDB table to maintain the lock state of our environment. Create these resources and update the backend.tf file with the appropriate values. You can learn more about protecting sensitive data in the Terraform state file using the AWS Prescriptive Guidance.

  2. If you plan to use the OrganizationAccountAccessRole for cross-acount operations, then you do not need to create any additional roles for managing these resources. However, you will need to update the trust relationships with the Principal of the IAM role or user you will be using to run the Terraform commands from the Management account. As a best practice, you will want to create roles specifically for Terraform to assume in each account following least privilege. Update the role_arn within the provider.tf file with the roles you will use.

  3. Run the terraform init command to initialize the working directory and install the plugin for the AWS provider.

Deploy resources

  1. Setup the Terraform variables required to deploy resources into the accounts. Create a terraform.tfvars file in the root module and populate them with the appropriate values. The target_account_id is the account number of the Member account which containers resources that you wish to backup. The backup_account_id is the account number of the Central Backup account. The org_id is the Organization ID which you can find from the AWS Organizations console in you Management account.

    target_account_id = "012345678901"
    backup_account_id = "234567890123"
    org_id = "o-a12b3cdefg"
  2. Run the terraform apply command to deploy resources within your member and backup account.

Define backup policies

The Central Backup account should be registered as a delegated administrator from your organizations Management account as part of the prerequisites. This will allow AWS Backup to assume cross-account roles and access the AWS Organizations API to manage backup policies.

The policy management process involves creating a .zip archive containing two JSON files, then uploading it to your designated S3 bucket, created during the deploy resources stage. These two files are: a backup policy, and a list of target OUs/accounts.

  1. The modules/backup-account/PolicyExample/policy_definition.json is a backup policy that is formatted using the syntax described in the AWS Backup documentation. Review or adjust this file to your requirements.

  2. The modules/backup-account/PolicyExample/target_list.json file contains a list of targets, which can be a combination of OU IDs and account IDs. In this example it will contain the single Member account we have prepared earlier. Edit the file with the target_account_id.

    {
        "targets":
        [
            "AccountID"
        ]
    }
  3. Archive these two files to a .zip and upload to your S3 bucket within the _Central Backup account. This will trigger two Lambda functions to unzip, parse, validate and apply the policy and attach it to the specified targets.

Considerations

As mentioned in the Getting Started section, this sample uses the OrganizationAccountAccessRole role which is created when an account is created in your organization. If you would like to follow along with the sample you will need to update the trust relationships of the role with the Principal of the IAM role or user you will be using to run the Terraform commands from the Management account. However, it is recommended to create a new role that is present within your accounts that Terraform can assume. If you have done so update the role_arn within the provider.tf file with the role arn.

This sample uses customer-managed keys (CMK) in AWS KMS, it is important that you configure these to your requirements. Key deletion windows and rotation can be set within the variables.tf file. It is also important to monitor AWS KMS to control and understand the availability, state and usage of the CMKs.

AWS Backup supports cross-account backup copying within your AWS Organization for centralized backup management. For cross-account copies of encrypted backups, some AWS services have their own encryption and is not independent of AWS Backup encryption. For data sources without AWS Backup encryption, source and destination backup vault must be encrypted with a shared AWS KMS customer-managed key. For more information see the storage blog on How encryption works in AWS Backup.

Design

Diagrams

AWS Backup Vault infrastructure diagram

Contributing

Describe or link templates on how to raise an issue, feature request or make a contribution to the codebase. Reference the other documentation files, like

  • Environment setup for contribution, i.e. CONTRIBUTING.md
  • Coding standards, branching, linting, practices for development and testing
  • Release process, versioning, changelog
  • Backlog, board, roadmap, ways of working
  • High-level requirements, guiding principles, decision records, etc.

Contacts

Provide a way to contact the owners of this project. It can be a team, an individual or information on the means of getting in touch via active communication channels, e.g. opening a GitHub discussion, raising an issue, etc.

Licence

The LICENCE.md file will need to be updated with the correct year and owner

Unless stated otherwise, the codebase is released under the MIT License. This covers both the codebase and any sample code in the documentation.

Any HTML or Markdown documentation is © Crown Copyright and available under the terms of the Open Government Licence v3.0.