0

I'm using AWS Backup services to create backups of my DynamoDB, but I don't like that solution because it's very manual and not replicable.

Now, how can I build an AWS Backup (from CloudFormation Designer or a template)?

I'm searching about it but I can't do that.

Note: I don't want to make the backup using any scheduled event with Lambda. I need to use AWS Backup, but where can I have a CloudFormation template for easy creation / update?

2 Answers

2
Description: "Backup Plan template to back up all resources tagged with backup=daily daily at 5am UTC."
Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Encryption key for daily"

      EnableKeyRotation: True
      Enabled: True
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              "AWS": { "Fn::Sub": "arn:aws:iam::***********:root" }
#              "AWS": 'arn:aws:iam::***********:root'
            Action:
              - kms:*
            Resource: "*"

  BackupVaultWithDailyBackups:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: { "Fn::GetAtt": [ KMSKey, Arn ] } #${self:custom.keyArn}

  BackupPlanWithDailyBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithDailyBackups"
        BackupPlanRule:
          -
            RuleName: DailyBackups
            ScheduleExpression: cron(0 5 ? * * *)
            StartWindowMinutes: 480
            TargetBackupVault: {Ref: BackupVaultWithDailyBackups}
            Lifecycle:
              DeleteAfterDays: 35
          -
            RuleName: WeeklyBackups
            ScheduleExpression: cron(0 5 ? * 7 *)
            TargetBackupVault: {Ref: BackupVaultWithDailyBackups}
            StartWindowMinutes: 480
            Lifecycle:
              DeleteAfterDays: 90
          -
            RuleName: MonthlyBackups
            ScheduleExpression: cron(0 5 1 * ? *)
            TargetBackupVault: {Ref: BackupVaultWithDailyBackups}
            StartWindowMinutes: 480
            Lifecycle:
              MoveToColdStorageAfterDays: 90
              DeleteAfterDays: 1825

    DependsOn: BackupVaultWithDailyBackups


#  BackupRole:
#    Type: "AWS::IAM::Role"
#    Properties:
#      AssumeRolePolicyDocument:
#        Version: "2012-10-17"
#        Statement:
#          -
#            Effect: "Allow"
#            Principal:
#              Service:
#                - "backup.amazonaws.com"
#            Action:
#              - "sts:AssumeRole"
#      ManagedPolicyArns:
#        -
#          "arn:aws:iam::**********:role/service-role/AWSBackupDefaultServiceRole"

  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: "arn:aws:iam::***********:role/service-role/AWSBackupDefaultServiceRole"
        # ListOfTags uses OR logic: a resource is selected if it matches any one condition
        ListOfTags:
          -
            ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "dev-pci"
          -
            ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "uat-pci"
          -
            ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "prod-pci"
      BackupPlanId: {Ref: BackupPlanWithDailyBackups}
    DependsOn: BackupPlanWithDailyBackups

Note: Replace *********** with your AWS account ID.

You need to add the DynamoDB tag, like:

DDBTableWithDailyBackupTag:
        Type: "AWS::DynamoDB::Table"
        Properties:
          TableName: "TestTable"
          AttributeDefinitions:
            -
              AttributeName: "Album"
              AttributeType: "S"
          KeySchema:
            -
              AttributeName: "Album"
              KeyType: "HASH"
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
          Tags:
            -
              Key: "backup"
              Value: "daily"
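
A tag-based selection only picks up resources whose tag equals one of its ListOfTags conditions, so a table tagged backup=daily is simply not selected by a selection that lists dev-pci, uat-pci and prod-pci. The following added example, which is not part of either answer, checks a parsed template for that gap; TEMPLATE, the table() helper and OrdersTable are constructed for illustration.

```python
# Added example: offline coverage check for tag-based AWS Backup selections.
# TEMPLATE is constructed sample input (dict form of the resources above).
def table(name, tag_value):  # hypothetical helper for the sample input
    return {"Type": "AWS::DynamoDB::Table",
            "Properties": {"TableName": name,
                           "Tags": [{"Key": "backup", "Value": tag_value}]}}

TEMPLATE = {"Resources": {
    "TagBasedBackupSelection": {
        "Type": "AWS::Backup::BackupSelection",
        "Properties": {"BackupSelection": {
            "SelectionName": "TagBasedBackupSelection",
            "ListOfTags": [{"ConditionType": "STRINGEQUALS",
                            "ConditionKey": "backup", "ConditionValue": v}
                           for v in ("dev-pci", "uat-pci", "prod-pci")]}}},
    "DDBTableWithDailyBackupTag": table("TestTable", "daily"),
    "OrdersTable": table("Orders", "prod-pci"),  # constructed, not on the page
}}

def selection_conditions(template):
    """(key, value) pairs from every BackupSelection's ListOfTags."""
    pairs = set()
    for res in template["Resources"].values():
        if res.get("Type") != "AWS::Backup::BackupSelection":
            continue
        sel = res.get("Properties", {}).get("BackupSelection", {})
        for c in sel.get("ListOfTags", []):
            key, value = c.get("ConditionKey"), c.get("ConditionValue")
            if isinstance(key, str) and isinstance(value, str):
                pairs.add((key, value))  # literal values only; matching is exact
    return pairs

def backup_coverage(template):
    """Split resources that carry a selection tag key into covered/uncovered."""
    pairs = selection_conditions(template)
    keys = {k for k, _ in pairs}
    covered, uncovered = [], []
    for name, res in template["Resources"].items():
        tags = res.get("Properties", {}).get("Tags", [])
        tagset = {(t["Key"], t["Value"]) for t in tags if isinstance(t, dict)
                  and isinstance(t.get("Key"), str) and isinstance(t.get("Value"), str)}
        if not any(k in keys for k, _ in tagset):
            continue  # resource is not opted in to backup at all
        # ListOfTags is OR logic: one exact key/value match selects the resource
        (covered if tagset & pairs else uncovered).append(name)
    return sorted(covered), sorted(uncovered)

if __name__ == "__main__":
    print(backup_coverage(TEMPLATE))
```

Run it in CI against the rendered template and fail the build when the second list is non-empty.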
1
Description: "Backup Plan template to back up all resources tagged with backup=daily daily at 5am UTC."
Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Encryption key for daily"
      EnableKeyRotation: True
      Enabled: True
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Principal:
            "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" }
          Action:
          - kms:*
          Resource: "*"

  BackupVaultWithDailyBackups:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn

  BackupPlanWithDailyBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithDailyBackups"
        BackupPlanRule:
          -
            RuleName: "RuleForDailyBackups"
            TargetBackupVault: !Ref BackupVaultWithDailyBackups
            ScheduleExpression: "cron(0 5 ? * * *)"

    DependsOn: BackupVaultWithDailyBackups

  DDBTableWithDailyBackupTag:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: "TestTable"
      AttributeDefinitions:
        -
          AttributeName: "Album"
          AttributeType: "S"
      KeySchema:
        -
          AttributeName: "Album"
          KeyType: "HASH"
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      Tags:
        - 
          Key: "backup"
          Value: "daily"

  BackupRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "backup.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        # AWS managed policy that grants AWS Backup permission to create backups
        - "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"

  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: !GetAtt BackupRole.Arn
        ListOfTags:
          -
            ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "daily"
      BackupPlanId: !Ref BackupPlanWithDailyBackups
    DependsOn: BackupPlanWithDailyBackups 

Reference:
https://docs.aws.amazon.com/aws-backup/latest/devguide/integrate-cloudformation-with-aws-backup.html

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Backup.html

Azize