What is an AWS Backup? And how to automate it

Matan Amiel
Published in Israeli Tech Radar
5 min read · Dec 13, 2023

Backups are not always a straightforward task. In this article, you will learn what AWS Backup is and how to automate it using Terraform.

Introduction

First, allow me to introduce myself: I’m a DevOps Engineer at Tikal.
I was looking for a tool or service that would make my work easier, something that would do the job automatically. A tool that lets me forget about manual, ineffective work: beyond a one-time configuration, it’s done.

Prerequisites:

  • AWS account
  • Terraform version 1.5.0+

Goals & Objectives:

Learning something new and implementing a fully automated backup plan not only expands your skill set but also significantly streamlines daily tasks.

Meet AWS Backup

“AWS Backup is a fully-managed service that makes it easy to centralize and automate data protection across AWS services, in the cloud, and on-premises. Using this service, you can configure backup policies and monitor activity for your AWS resources in one place.”

The most popular supported AWS resources:

  • Amazon Elastic Compute Cloud (Amazon EC2)
  • Amazon Simple Storage Service (Amazon S3)
  • Amazon Relational Database Service (Amazon RDS)
  • Amazon Elastic File System (Amazon EFS)
  • Amazon Elastic Block Store (Amazon EBS)
  • Amazon DynamoDB

Ingredients for this magic potion

AWS Backup Vault:

  • Container that stores and organizes your backups

Recovery point:

  • A single backup of a resource; from it you can view the snapshot and the other details of the backed-up resource.

AWS Backup plan:

  • Policy expression that defines when and how you want to back up AWS resources

AWS Backup selection:
Resources are selected for backup as follows:

  • Conditions: the criteria or rules that define when a backup job should run; these can include factors such as time, frequency, or specific events.
  • ListOfTags: tagging lets you attach metadata to resources such as backup plans or recovery points; a list of tags helps organize and categorize resources, making them easier to manage and track.
  • NotResources: excludes specific resources from the backup selection so they are not backed up.
  • Resources: the entities you want to back up, such as Amazon EBS volumes, Amazon RDS databases, Amazon EC2 instances, and other supported AWS services.
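The four selection fields above map directly onto arguments of the Terraform aws_backup_selection resource. The following is an added example, not code from the article, showing all of them in one selection; it assumes the plan (aws_backup_plan.aws_backup, keyed by "ec2") and the role (aws_iam_role.aws_backup_plan) that the article provisions later, and the excluded volume ARN is a constructed placeholder.

```hcl
# Added example: one selection that uses Resources, NotResources and Conditions.
# Assumes aws_backup_plan.aws_backup["ec2"] and aws_iam_role.aws_backup_plan
# exist (both are defined later in the article).
resource "aws_backup_selection" "tagged_prod_only" {
  iam_role_arn = aws_iam_role.aws_backup_plan.arn
  name         = "ec2_tagged_prod_selection"
  plan_id      = aws_backup_plan.aws_backup["ec2"].id

  # Resources: start from everything the role can see...
  resources = ["*"]

  # NotResources: ...but never back up this volume, e.g. a scratch volume that
  # is rebuilt on every deploy. The ARN is a constructed placeholder.
  not_resources = [
    "arn:aws:ec2:us-east-1:111122223333:volume/vol-0123456789abcdef0",
  ]

  # Conditions: every block below must match (logical AND), unlike the
  # article's selection_tag (ListOfTags) entries, which are OR'd together.
  # Keys are tag keys prefixed with aws:ResourceTag/; the *_like forms
  # accept * wildcards.
  condition {
    string_equals {
      key   = "aws:ResourceTag/Backup"
      value = "true"
    }
    string_like {
      key   = "aws:ResourceTag/Environment"
      value = "prod*"
    }
    string_not_equals {
      key   = "aws:ResourceTag/Ephemeral"
      value = "true"
    }
  }
}
```

A resource is backed up only if it carries Backup=true, an Environment tag starting with prod, and no Ephemeral=true tag, and is not the excluded volume.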

How does it work? My use case

AWS Backup is a comprehensive backup service designed for centralized and automated data backup across various AWS services.
Users can create customized backup plans, specifying parameters like backup frequency and retention duration.

The service simplifies backups: you apply a plan to AWS resources by tagging them, and the backups then run automatically according to that plan.

I use Terraform to provision AWS Backup, including all the ingredients above:

  • Create an AWS IAM role for AWS Backup with a default policy:
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["backup.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "aws_backup_plan" {
  name               = "aws_backup_plan"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

resource "aws_iam_role_policy_attachment" "aws_backup_plan_policy_attachment" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
  role       = aws_iam_role.aws_backup_plan.name
}
  • Create an AWS Backup Vault:

You can choose to manage the snapshots of resources in a single vault or with many.

data "aws_kms_key" "by_alias_arn" {
  key_id = var.backup_kms_key
}

resource "aws_backup_vault" "aws_backup_vault" {
  for_each = toset(var.resource_name)
  name     = "${each.key}_backup_vault"
  # Encrypt every vault with the key looked up above (the original referenced
  # an undeclared aws_kms_key.kms_key resource)
  kms_key_arn = data.aws_kms_key.by_alias_arn.arn

  tags = {
    Name = "aws_backup_vault"
  }
}

Note:
You can use the managed default KMS key for AWS Backup or create one of your own.

  • Create an AWS Backup plan:

In this case, I use for_each to provision one plan per entry in var.resource_name.

Schedule: defines when the backup runs.
Lifecycle: defines when the backup is deleted.

resource "aws_backup_plan" "aws_backup" {
  for_each = toset(var.resource_name)
  name     = "${each.key}_backup_plan"

  rule {
    rule_name = "${each.key}_backup_plan"
    # The vault is created with for_each, so it must be indexed by the same key
    target_vault_name = aws_backup_vault.aws_backup_vault[each.key].name
    schedule          = var.schedule
    lifecycle {
      delete_after = var.lifecycle_time
    }
  }

  tags = {
    Name = "aws_backup_plan"
  }
}
  • Create an AWS Backup selection that assigns resources to the plan by tag:
resource "aws_backup_selection" "aws_backup_selection" {
  for_each     = toset(var.resource_name)
  iam_role_arn = aws_iam_role.aws_backup_plan.arn
  name         = "${each.key}_backup_selection"
  plan_id      = aws_backup_plan.aws_backup[each.key].id

  selection_tag {
    type  = "STRINGEQUALS"
    key   = var.backup_tag_key
    value = var.backup_tag_value
  }
}
  • Variables for fun:
variable "resource_name" {
  type        = list(string)
  description = "Names of the resource groups to back up (one vault and one plan per entry)"
  default     = ["ec2", "rds"]
}

variable "lifecycle_time" {
  type        = number
  description = "Days after which a recovery point is deleted"
  default     = 14
}

variable "schedule" {
  type        = string
  description = "Cron schedule of the backup plan (UTC)"
  default     = "cron(0 9 ? * 1 *)" # Every Sunday at 09:00 UTC
}

# The key/value defaults were swapped in the original (key "true", value "Backup");
# the selection matches resources tagged Backup=true.
variable "backup_tag_key" {
  type        = string
  description = "Tag key that marks a resource for backup"
  default     = "Backup"
}

variable "backup_tag_value" {
  type        = string
  description = "Tag value that marks a resource for backup"
  default     = "true"
}

variable "backup_kms_key" {
  type        = string
  description = "KMS key ID, ARN or alias used to encrypt the backup vault"
  # Alias of the AWS managed key for AWS Backup; replace it with your own key if you create one
  default     = "alias/aws/backup"
}
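Once the plan, vault and selection above are in place, the remaining risk is that any principal with delete rights (a leaked key, a compromised admin session) can destroy the recovery points you rely on. The following is an added example, not code from the article, that hardens the article's vaults in two layers: AWS Backup Vault Lock in compliance mode, and a vault access policy that denies destructive actions to everyone except a break-glass role. It assumes the article's aws_backup_vault.aws_backup_vault and var.resource_name; the break-glass role ARN is a placeholder.

```hcl
# Vault Lock in compliance mode: after changeable_for_days, recovery points in
# the vault cannot be deleted or have their retention shortened below
# min_retention_days, even by the account root user. Keys mirror the article's for_each.
resource "aws_backup_vault_lock_configuration" "immutable" {
  for_each            = toset(var.resource_name)
  backup_vault_name   = aws_backup_vault.aws_backup_vault[each.key].name
  changeable_for_days = 3   # grace period to validate before the lock becomes permanent
  min_retention_days  = 14  # the plan's delete_after must be at least this (14 in the article)
  max_retention_days  = 365
}

# Vault access policy: deny destructive actions to every principal except a
# break-glass role. The role ARN below is a placeholder for this example.
data "aws_iam_policy_document" "vault_deny_delete" {
  for_each = toset(var.resource_name)

  statement {
    sid    = "DenyDeleteExceptBreakGlass"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "backup:DeleteRecoveryPoint",
      "backup:UpdateRecoveryPointLifecycle",
      "backup:DeleteBackupVault",
    ]
    resources = ["*"]

    condition {
      test     = "ArnNotEquals"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::111122223333:role/BackupBreakGlass"] # placeholder
    }
  }
}

resource "aws_backup_vault_policy" "deny_delete" {
  for_each          = toset(var.resource_name)
  backup_vault_name = aws_backup_vault.aws_backup_vault[each.key].name
  policy            = data.aws_iam_policy_document.vault_deny_delete[each.key].json
}
```

Once changeable_for_days has elapsed the lock is permanent: neither the vault nor its recovery points can be removed until their retention expires, and terraform destroy will fail, so validate the retention values in a non-production account first.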

Benefits

AWS Backup comes with built-in features such as:

  • Automated backup plans.
  • Cross-Region backup and restore of resources.
  • Easy definition of a backup strategy.

Final thoughts

After experimenting with the AWS Backup tool, I found the configuration very convenient and easy to understand.

Thank you for Reading. 🤟
