paybilldev/terraform-aws-backup

AWS Backup Plan Terraform Module

This Terraform module automates the creation and management of AWS Backup Plans, Vaults, and associated IAM roles. It allows you to define scheduled backup rules, select resources based on tags, configure vault encryption, and enforce retention policies. AWS Backup automates the backup of data across AWS services such as Amazon RDS, EBS, DynamoDB, EFS, and more. It allows you to schedule automated backups and to manage and monitor backup activity from a single console, ensuring compliance and data protection. AWS Backup also supports cross-region and cross-account backup capabilities for enhanced data durability and disaster recovery.

Key features:

  • Create AWS Backup Plans with custom rules and schedules.
  • Manage Backup Vaults with optional KMS encryption.
  • Configure IAM roles and policies for backup and restore operations.
  • Support for resource selection via tags or ARNs.
  • Optional Vault Lock configuration to enforce retention in governance or compliance mode.

Requirements

Name Version
terraform >= 1.3.0
aws >= 5.0.0

Providers

Name Version
aws >= 5.0.0

Modules

Name Source Version
backup_vault ./backup-vault n/a

Resources

Name Type
aws_backup_plan.this resource
aws_backup_selection.this resource
aws_backup_vault_lock_configuration.this resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.aws_backup_policy_backup_attachment resource
aws_iam_role_policy_attachment.aws_backup_policy_restore_attachment resource
aws_iam_role.this data source

Inputs

backup_plan
  Description: Rules for the AWS Backup plan; null acts as a flag to enable or disable the backup plan.
  Type:
    object({
      name = string
      rules = list(object({
        name                     = string
        target_vault_name        = string
        schedule                 = string
        start_window             = optional(string, null)
        completion_window        = optional(string, null)
        recovery_point_tags      = optional(map(string), {})
        enable_continuous_backup = optional(bool, false)
        lifecycle = list(object({
          cold_storage_after = optional(number, 0)
          delete_after       = number
        }))

        copy_action = optional(list(object({
          destination_vault_arn = string
          lifecycle = optional(list(object({
            cold_storage_after = string
            delete_after       = string
          })), [])
        })), [])

      }))
    })
  Default: null
  Required: no

backup_selection_data
  Description: (optional) Backup selection criteria used to select resources.
  Type:
    object({
      name      = string
      plan_name = string
      resources = optional(list(string), [""]) // List of resources eg [ "arn:aws:ec2:::instance/" ] , * -> All supported resources
      selection_tags = optional(list(object({
        type  = string
        key   = string
        value = string
      })), [])
    })
  Default: null
  Required: no

backup_vault_data
  Description: Details used to create the backup vault; null acts as a flag to enable or disable it.
  Type:
    object({
      name                            = string
      backup_role_name                = string
      enable_encryption               = optional(bool, true)
      kms_key_deletion_window_in_days = optional(number, 7)
      kms_key_admin_arns              = optional(list(string), [])
    })
  Default: null
  Required: no

create_role
  Description: (optional) Role required for taking backups and restoring.
  Type: bool
  Default: true
  Required: no

role_name
  Description: IAM role name.
  Type: string
  Default: null
  Required: no

tags
  Description: Tags for the AWS Backup service.
  Type: map(string)
  Default: n/a
  Required: yes

vault_lock_configuration
  Description: (optional) Vault Lock configuration; if changeable_for_days > 0 it is governance mode, otherwise compliance mode.
  Type:
    object({
      vault_name          = string
      changeable_for_days = number
      max_retention_days  = number
      min_retention_days  = number
    })
  Default: null
  Required: no

Outputs

Name Description
backup_plan_id AWS Backup plan ID
backup_role_arn n/a
backup_role_name n/a
vault_arn ARN of Vault
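
A sample invocation that wires the inputs above into one encrypted, locked vault with a tag-selected daily plan. It is an added example, not taken from the module's repository: the git source address is inferred from the repository name, every name, account ID and tag is a constructed placeholder, and `role_name` is assumed to match `backup_role_name`.

```hcl
module "backup" {
  # Assumed git source; no releases are published, so pin with ?ref=<commit>.
  source = "github.com/paybilldev/terraform-aws-backup"

  create_role = true
  role_name   = "example-backup-role" # assumption: same role as backup_role_name

  backup_vault_data = {
    name               = "example-vault"
    backup_role_name   = "example-backup-role"
    enable_encryption  = true # module default; the vault stays KMS-encrypted
    kms_key_admin_arns = ["arn:aws:iam::111122223333:role/example-kms-admin"]
  }

  backup_plan = {
    name = "example-daily"
    rules = [{
      name              = "daily-0300-utc"
      target_vault_name = "example-vault"
      schedule          = "cron(0 3 * * ? *)"
      # Retention in days; keep it between the lock's min and max or jobs fail.
      lifecycle = [{ delete_after = 35 }]
    }]
  }

  backup_selection_data = {
    name      = "example-tagged"
    plan_name = "example-daily"
    resources = ["*"] # all supported resources, per the input's comment
    selection_tags = [{
      type  = "STRINGEQUALS"
      key   = "Backup"
      value = "true"
    }]
  }

  # A compliance-mode lock cannot be removed once its grace period ends;
  # check the input description for which mode this value selects.
  vault_lock_configuration = {
    vault_name          = "example-vault"
    changeable_for_days = 3
    min_retention_days  = 30
    max_retention_days  = 365
  }

  tags = { Environment = "example" }
}
```

Review the `terraform plan` output for the `aws_backup_vault_lock_configuration` resource before applying, since a lock that becomes immutable also fixes the retention bounds for every recovery point in the vault.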
