This solution demonstrates how you can save time using Terraform to automate the deployment of your AWS Backup resources across accounts in your organization. Using this solution, you can centrally manage the deployment of AWS Backup resources, such as vaults, as well as backup policies, for all of your AWS Organizations accounts.
- AWS Organizations enabled and access to the Management account.
- AWS Backup features enabled for your organization.
- An AWS account that will be used as your Central Backup account. This account should be registered as a delegated administrator for AWS Organizations.
- Terraform v1.3.6 or later installed.
- To manage the Terraform state, Amazon S3 is used to store the `.tfstate` file and an Amazon DynamoDB table maintains the lock state of the environment. Create these resources and update the `backend.tf` file with the appropriate values. You can learn more about protecting sensitive data in the Terraform state file in the AWS Prescriptive Guidance.
- If you plan to use the `OrganizationAccountAccessRole` for cross-account operations, you do not need to create any additional roles for managing these resources. However, you will need to update its trust relationship with the `Principal` of the IAM role or user you will use to run the Terraform commands from the Management account. As a best practice, create roles specifically for Terraform to assume in each account, following least privilege. Update the `role_arn` within the `provider.tf` file with the roles you will use.
- Run the `terraform init` command to initialize the working directory and install the plugin for the AWS provider.
- Set up the Terraform variables required to deploy resources into the accounts. Create a `terraform.tfvars` file in the root module and populate it with the appropriate values. The `target_account_id` is the account number of the Member account which contains the resources that you wish to back up. The `backup_account_id` is the account number of the Central Backup account. The `org_id` is the Organization ID, which you can find in the AWS Organizations console in your Management account.

  ```hcl
  target_account_id = "012345678901"
  backup_account_id = "234567890123"
  org_id            = "o-a12b3cdefg"
  ```

- Run the `terraform apply` command to deploy resources within your Member and Central Backup accounts.
The Central Backup account should be registered as a delegated administrator from your organization's Management account as part of the prerequisites. This allows AWS Backup to assume cross-account roles and access the AWS Organizations API to manage backup policies.
The policy management process involves creating a `.zip` archive containing two JSON files, then uploading it to your designated S3 bucket, created during the deploy resources stage. These two files are a backup policy and a list of target OUs/accounts.
- The `modules/backup-account/PolicyExample/policy_definition.json` file is a backup policy formatted using the syntax described in the AWS Backup documentation. Review or adjust this file to your requirements.
- The `modules/backup-account/PolicyExample/target_list.json` file contains a list of targets, which can be a combination of OU IDs and account IDs. In this example it will contain the single Member account prepared earlier. Edit the file with the `target_account_id`.

  ```json
  {
    "targets": [
      "AccountID"
    ]
  }
  ```

- Archive these two files into a `.zip` and upload it to your S3 bucket within the Central Backup account. This triggers two Lambda functions to unzip, parse, validate and apply the policy and attach it to the specified targets.
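The upload step above hands the archive to Lambda functions that unzip, parse and validate it before a policy is attached organization-wide, so the validation step is where a malformed or unexpected archive should be stopped. The following is an added example, not code from this sample's Lambda functions: it performs the checks a defender would want at that step (only the two expected members, a per-member size cap, well-formed JSON, target IDs that look like 12-digit account IDs or `ou-` IDs, and a minimal structural check of the policy's `plans`/`rules`). The sample policy, account IDs, the size cap and the helper names are constructed for the example; the full policy schema is defined in the AWS Backup documentation and is not reproduced here.

```python
"""Parse and validate a backup-policy archive before it is applied.

Added example; not code from the sample repository or its Lambda functions.
It mirrors the "unzip, parse, validate" step on the uploaded .zip: exactly
the two expected files (which also rejects path tricks in member names), a
size cap per member, valid JSON, plausible target IDs and a minimal check of
the policy structure. Sample data and limits below are constructed.
"""
import io
import json
import re
import zipfile
from typing import Any, Dict, List, Optional, Tuple

POLICY_FILE = "policy_definition.json"
TARGET_FILE = "target_list.json"
MAX_MEMBER_BYTES = 512 * 1024  # constructed cap on each uncompressed member
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")

# Constructed sample policy following the AWS Backup policy syntax (one plan, one rule).
SAMPLE_POLICY: Dict[str, Any] = {
    "plans": {
        "DailyPlan": {
            "regions": {"@@assign": ["eu-west-2"]},
            "rules": {
                "Daily": {
                    "schedule_expression": {"@@assign": "cron(0 5 ? * * *)"},
                    "target_backup_vault_name": {"@@assign": "central-vault"},
                }
            },
        }
    }
}


def build_archive(policy: Dict[str, Any], targets: List[str],
                  extra: Optional[Dict[str, str]] = None) -> bytes:
    """Build an in-memory .zip like the one uploaded to S3; `extra` adds unexpected members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POLICY_FILE, json.dumps(policy))
        zf.writestr(TARGET_FILE, json.dumps({"targets": targets}))
        for name, content in (extra or {}).items():
            zf.writestr(name, content)
    return buf.getvalue()


def _read_member(zf: zipfile.ZipFile, name: str) -> Any:
    """Read one member as JSON, refusing oversized or non-JSON content."""
    info = zf.getinfo(name)
    if info.file_size > MAX_MEMBER_BYTES:
        raise ValueError(f"{name} is {info.file_size} bytes, over the {MAX_MEMBER_BYTES} byte cap")
    try:
        return json.loads(zf.read(name).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"{name} is not valid UTF-8 JSON: {exc}") from exc


def validate_targets(targets: Any) -> List[str]:
    """Accept only a non-empty, duplicate-free list of account IDs or OU IDs."""
    if not isinstance(targets, list) or not targets:
        raise ValueError("targets must be a non-empty list")
    bad = [t for t in targets
           if not isinstance(t, str) or not (ACCOUNT_ID_RE.match(t) or OU_ID_RE.match(t))]
    if bad:
        raise ValueError(f"targets that are neither 12-digit account IDs nor OU IDs: {bad}")
    if len(set(targets)) != len(targets):
        raise ValueError("duplicate targets")
    return targets


def validate_policy(policy: Any) -> Dict[str, Any]:
    """Minimal structural check: non-empty plans, each with rules naming a target vault."""
    plans = policy.get("plans") if isinstance(policy, dict) else None
    if not isinstance(plans, dict) or not plans:
        raise ValueError("policy must define a non-empty 'plans' object")
    for plan_name, plan in plans.items():
        rules = plan.get("rules") if isinstance(plan, dict) else None
        if not isinstance(rules, dict) or not rules:
            raise ValueError(f"plan {plan_name!r} has no rules")
        for rule_name, rule in rules.items():
            if not isinstance(rule, dict) or "target_backup_vault_name" not in rule:
                raise ValueError(f"rule {plan_name}/{rule_name} names no target backup vault")
    return policy


def validate_archive(data: bytes) -> Tuple[Dict[str, Any], List[str]]:
    """Validate the whole archive; returns (policy, targets) or raises ValueError."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Exact-name match also rejects nested paths and '../' style member names.
        if sorted(names) != sorted([POLICY_FILE, TARGET_FILE]):
            raise ValueError(f"archive must contain exactly {POLICY_FILE} and {TARGET_FILE}, got {names}")
        policy = validate_policy(_read_member(zf, POLICY_FILE))
        targets = validate_targets(_read_member(zf, TARGET_FILE).get("targets"))
    return policy, targets


def validation_error(data: bytes) -> str:
    """Return the validation error message, or an empty string when the archive is acceptable."""
    try:
        validate_archive(data)
        return ""
    except (ValueError, zipfile.BadZipFile) as exc:
        return str(exc)


if __name__ == "__main__":
    print(validation_error(build_archive(SAMPLE_POLICY, ["012345678901"])) or "archive accepted")
    print(validation_error(build_archive(SAMPLE_POLICY, ["12345"])))
```

Run stand-alone it accepts the constructed archive and reports the malformed target; in a Lambda the same `validate_archive` would sit between the S3 object read and the Organizations API call, so a bad upload fails closed before any policy is created.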
As mentioned in the Getting Started section, this sample uses the `OrganizationAccountAccessRole` role, which is created when an account is created in your organization. If you would like to follow along with the sample, you will need to update the trust relationship of the role with the `Principal` of the IAM role or user you will use to run the Terraform commands from the Management account. However, it is recommended to create a new role in each of your accounts that Terraform can assume. If you have done so, update the `role_arn` within the `provider.tf` file with the role ARN.
This sample uses customer-managed keys (CMKs) in AWS KMS; it is important that you configure these to your requirements. Key deletion windows and rotation can be set within the `variables.tf` file. It is also important to monitor AWS KMS to control and understand the availability, state and usage of the CMKs.
AWS Backup supports cross-account backup copying within your AWS Organization for centralized backup management. For cross-account copies of encrypted backups, some AWS services have their own encryption, which is not independent of AWS Backup encryption. For data sources without AWS Backup encryption, the source and destination backup vaults must be encrypted with a shared AWS KMS customer-managed key. For more information see the storage blog on How encryption works in AWS Backup.
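Both the Getting Started list and the note above ask you to edit the trust relationship of the role Terraform assumes so that only the intended Management-account principal can use it. The following is an added example, not code from this sample: it builds a least-privilege trust policy for that role and checks an existing trust policy document for anything broader than a single named principal (a wildcard, an entire account via `:root`, a non-IAM principal type, or an unexpected ARN). The account IDs, role names and external ID are constructed placeholders, and the broad policy is modelled on the shape of a default `OrganizationAccountAccessRole` trust policy, which trusts the management account's root.

```python
"""Check that the trust relationship of the role Terraform assumes is least privilege.

Added example; not code from the sample repository. It inspects an IAM trust
policy document (the JSON behind a role's trust relationships) and reports
anything broader than "only this one principal may assume the role".
All account IDs, role names and the external ID below are constructed.
"""
import json
from typing import Any, Dict, List, Optional

# Constructed: the Management-account principal that runs the Terraform commands.
TERRAFORM_PRINCIPAL = "arn:aws:iam::111111111111:role/TerraformDeployer"

# Constructed, modelled on a default OrganizationAccountAccessRole trust policy:
# trusting the account root lets any principal in that account with
# sts:AssumeRole permission assume the role, not just the Terraform one.
BROAD_TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(principal_arn: str, external_id: Optional[str] = None) -> Dict[str, Any]:
    """Trust policy allowing exactly `principal_arn` to assume the role, optionally gated by an external ID."""
    statement: Dict[str, Any] = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def check_trust_policy(doc: Dict[str, Any], expected_principal_arn: str) -> List[str]:
    """Return findings for every Allow statement granting AssumeRole more widely than expected."""
    findings: List[str] = []
    expected_seen = False
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # this statement does not grant role assumption
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"statement {idx}: wildcard principal may assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {idx}: unrecognised Principal {principal!r}")
            continue
        for ptype in principal:
            if ptype != "AWS":
                findings.append(f"statement {idx}: non-IAM principal type {ptype!r} may assume the role")
        for arn in _as_list(principal.get("AWS", [])):
            if arn == expected_principal_arn:
                expected_seen = True
            elif arn.endswith(":root") or arn.isdigit():
                findings.append(f"statement {idx}: {arn} trusts an entire account rather than one role")
            else:
                findings.append(f"statement {idx}: unexpected principal {arn}")
    if not expected_seen:
        findings.append(f"no statement lets {expected_principal_arn} assume the role")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(TERRAFORM_PRINCIPAL), indent=2))
    for finding in check_trust_policy(BROAD_TRUST_POLICY, TERRAFORM_PRINCIPAL):
        print("finding:", finding)
```

Against the broad policy the check reports that the whole Management account is trusted and that the Terraform role is never named explicitly; the tightened policy from `build_trust_policy` yields no findings. The role's permissions policy still needs its own least-privilege review; this only covers who may assume it.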
Describe or link templates on how to raise an issue, feature request or make a contribution to the codebase. Reference the other documentation files, like:
- Environment setup for contribution, i.e. `CONTRIBUTING.md`
- Coding standards, branching, linting, practices for development and testing
- Release process, versioning, changelog
- Backlog, board, roadmap, ways of working
- High-level requirements, guiding principles, decision records, etc.
Provide a way to contact the owners of this project. It can be a team, an individual or information on the means of getting in touch via active communication channels, e.g. opening a GitHub discussion, raising an issue, etc.
The `LICENCE.md` file will need to be updated with the correct year and owner.
Unless stated otherwise, the codebase is released under the MIT License. This covers both the codebase and any sample code in the documentation.
Any HTML or Markdown documentation is © Crown Copyright and available under the terms of the Open Government Licence v3.0.