tessl/npm-pulumi--aws
A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
multi-region.mddocs/guides/
Multi-Region Patterns Guide
This guide covers patterns for deploying AWS infrastructure across multiple regions, including multi-region providers, cross-region replication, global resources, and disaster recovery patterns.
Table of Contents
- Multi-Region Providers
- Cross-Region Replication
- Global Resources
- Regional Endpoints
- Disaster Recovery Patterns
Multi-Region Providers
Basic Multi-Region Setup
Create providers for multiple regions:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Primary region provider
const usEast1 = new aws.Provider("us-east-1", {
region: "us-east-1",
});
// Secondary region provider
const usWest2 = new aws.Provider("us-west-2", {
region: "us-west-2",
});
// Europe region provider
const euWest1 = new aws.Provider("eu-west-1", {
region: "eu-west-1",
});
// Deploy resources in each region
const usEastBucket = new aws.s3.Bucket("us-east-bucket", {
acl: "private",
tags: { Region: "us-east-1" },
}, { provider: usEast1 });
const usWestBucket = new aws.s3.Bucket("us-west-bucket", {
acl: "private",
tags: { Region: "us-west-2" },
}, { provider: usWest2 });
const euBucket = new aws.s3.Bucket("eu-bucket", {
acl: "private",
tags: { Region: "eu-west-1" },
}, { provider: euWest1 });
export const buckets = {
usEast: usEastBucket.bucket,
usWest: usWestBucket.bucket,
eu: euBucket.bucket,
};Dynamic Multi-Region Deployment
Deploy to regions based on configuration:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
interface RegionConfig {
name: string;
region: string;
isPrimary: boolean;
}
const regions: RegionConfig[] = [
{ name: "primary", region: "us-east-1", isPrimary: true },
{ name: "secondary", region: "us-west-2", isPrimary: false },
{ name: "tertiary", region: "eu-west-1", isPrimary: false },
];
// Create provider for each region
const providers = regions.map(r => ({
config: r,
provider: new aws.Provider(r.name, { region: r.region }),
}));
// Deploy infrastructure to each region
const regionalResources = providers.map(({ config, provider }) => {
const vpc = new aws.ec2.Vpc(`${config.name}-vpc`, {
cidrBlock: "10.0.0.0/16",
tags: {
Name: `${config.name}-vpc`,
Region: config.region,
Primary: config.isPrimary.toString(),
},
}, { provider });
const bucket = new aws.s3.Bucket(`${config.name}-bucket`, {
acl: "private",
tags: {
Region: config.region,
Primary: config.isPrimary.toString(),
},
}, { provider });
return {
region: config.region,
vpcId: vpc.id,
bucketName: bucket.bucket,
};
});
export const regions_deployed = regionalResources;Region-Specific Configuration
Apply different configurations per region:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
interface RegionSettings {
region: string;
instanceType: string;
instanceCount: number;
dbInstanceClass: string;
}
const config = new pulumi.Config();
const regionSettings: RegionSettings[] = config.requireObject("regions");
// Example config:
// {
// "regions": [
// { "region": "us-east-1", "instanceType": "t3.large", "instanceCount": 3, "dbInstanceClass": "db.t3.large" },
// { "region": "us-west-2", "instanceType": "t3.medium", "instanceCount": 2, "dbInstanceClass": "db.t3.medium" }
// ]
// }
const regionalDeployments = regionSettings.map(settings => {
const provider = new aws.Provider(settings.region, {
region: settings.region,
});
// Deploy instances based on region settings
const instances = Array.from({ length: settings.instanceCount }, (_, i) => {
return new aws.ec2.Instance(`${settings.region}-instance-${i}`, {
instanceType: settings.instanceType,
ami: "ami-0c55b159cbfafe1f0", // Should be region-specific
tags: {
Region: settings.region,
Index: i.toString(),
},
}, { provider });
});
// Deploy database with region-specific size
const db = new aws.rds.Instance(`${settings.region}-db`, {
engine: "postgres",
instanceClass: settings.dbInstanceClass,
allocatedStorage: 100,
username: "admin",
password: pulumi.secret("db-password"),
}, { provider });
return {
region: settings.region,
instanceIds: instances.map(i => i.id),
dbEndpoint: db.endpoint,
};
});
export const deployments = regionalDeployments;Cross-Region Replication
S3 Cross-Region Replication
Set up S3 replication between regions:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Create providers
const usEast1 = new aws.Provider("us-east-1", { region: "us-east-1" });
const usWest2 = new aws.Provider("us-west-2", { region: "us-west-2" });
// Source bucket in us-east-1
const sourceBucket = new aws.s3.Bucket("source-bucket", {
acl: "private",
versioning: {
enabled: true, // Required for replication
},
}, { provider: usEast1 });
// Destination bucket in us-west-2
const destBucket = new aws.s3.Bucket("dest-bucket", {
acl: "private",
versioning: {
enabled: true, // Required for replication
},
}, { provider: usWest2 });
// IAM role for replication
const replicationRole = new aws.iam.Role("replication-role", {
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Principal: { Service: "s3.amazonaws.com" },
Action: "sts:AssumeRole",
}],
}),
});
// IAM policy for replication
const replicationPolicy = new aws.iam.RolePolicy("replication-policy", {
role: replicationRole.id,
policy: pulumi.all([sourceBucket.arn, destBucket.arn]).apply(([sourceArn, destArn]) =>
JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Action: [
"s3:GetReplicationConfiguration",
"s3:ListBucket",
],
Resource: sourceArn,
},
{
Effect: "Allow",
Action: [
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionAcl",
],
Resource: `${sourceArn}/*`,
},
{
Effect: "Allow",
Action: [
"s3:ReplicateObject",
"s3:ReplicateDelete",
],
Resource: `${destArn}/*`,
},
],
})
),
});
// Configure replication
const replicationConfig = new aws.s3.BucketReplicationConfiguration("replication", {
bucket: sourceBucket.id,
role: replicationRole.arn,
rules: [{
id: "replicate-all",
status: "Enabled",
priority: 1,
filter: {},
destination: {
bucket: destBucket.arn,
storageClass: "STANDARD",
replicationTime: {
status: "Enabled",
time: {
minutes: 15,
},
},
metrics: {
status: "Enabled",
eventThreshold: {
minutes: 15,
},
},
},
}],
}, {
provider: usEast1,
dependsOn: [replicationPolicy],
});
export const sourceBucketName = sourceBucket.bucket;
export const destBucketName = destBucket.bucket;DynamoDB Global Tables
Create globally replicated DynamoDB tables:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Create providers for regions
const usEast1 = new aws.Provider("us-east-1", { region: "us-east-1" });
const usWest2 = new aws.Provider("us-west-2", { region: "us-west-2" });
const euWest1 = new aws.Provider("eu-west-1", { region: "eu-west-1" });
// Create global table
const globalTable = new aws.dynamodb.GlobalTable("global-table", {
name: "users-global",
replicas: [
{ regionName: "us-east-1" },
{ regionName: "us-west-2" },
{ regionName: "eu-west-1" },
],
});
// Create table in each region
const usEastTable = new aws.dynamodb.Table("us-east-table", {
name: "users-global",
attributes: [
{ name: "userId", type: "S" },
{ name: "email", type: "S" },
],
hashKey: "userId",
globalSecondaryIndexes: [{
name: "email-index",
hashKey: "email",
projectionType: "ALL",
}],
billingMode: "PAY_PER_REQUEST",
streamEnabled: true,
streamViewType: "NEW_AND_OLD_IMAGES",
tags: { Region: "us-east-1" },
}, { provider: usEast1 });
const usWestTable = new aws.dynamodb.Table("us-west-table", {
name: "users-global",
attributes: [
{ name: "userId", type: "S" },
{ name: "email", type: "S" },
],
hashKey: "userId",
globalSecondaryIndexes: [{
name: "email-index",
hashKey: "email",
projectionType: "ALL",
}],
billingMode: "PAY_PER_REQUEST",
streamEnabled: true,
streamViewType: "NEW_AND_OLD_IMAGES",
tags: { Region: "us-west-2" },
}, { provider: usWest2 });
const euTable = new aws.dynamodb.Table("eu-table", {
name: "users-global",
attributes: [
{ name: "userId", type: "S" },
{ name: "email", type: "S" },
],
hashKey: "userId",
globalSecondaryIndexes: [{
name: "email-index",
hashKey: "email",
projectionType: "ALL",
}],
billingMode: "PAY_PER_REQUEST",
streamEnabled: true,
streamViewType: "NEW_AND_OLD_IMAGES",
tags: { Region: "eu-west-1" },
}, { provider: euWest1 });
export const globalTableName = globalTable.name;RDS Cross-Region Read Replicas
Create read replicas across regions:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const usEast1 = new aws.Provider("us-east-1", { region: "us-east-1" });
const usWest2 = new aws.Provider("us-west-2", { region: "us-west-2" });
// Primary database in us-east-1
const primaryDb = new aws.rds.Instance("primary-db", {
identifier: "primary-db",
engine: "postgres",
engineVersion: "14.7",
instanceClass: "db.t3.medium",
allocatedStorage: 100,
storageEncrypted: true,
backupRetentionPeriod: 7,
username: "admin",
password: pulumi.secret("db-password"),
tags: {
Role: "primary",
Region: "us-east-1",
},
}, { provider: usEast1 });
// Read replica in us-west-2
const readReplica = new aws.rds.Instance("read-replica", {
identifier: "read-replica",
replicateSourceDb: primaryDb.identifier,
instanceClass: "db.t3.medium",
storageEncrypted: true,
publiclyAccessible: false,
tags: {
Role: "read-replica",
Region: "us-west-2",
},
}, {
provider: usWest2,
dependsOn: [primaryDb],
});
export const primaryEndpoint = primaryDb.endpoint;
export const replicaEndpoint = readReplica.endpoint;EBS Snapshot Copy
Copy EBS snapshots across regions:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const usEast1 = new aws.Provider("us-east-1", { region: "us-east-1" });
const usWest2 = new aws.Provider("us-west-2", { region: "us-west-2" });
// Create volume in us-east-1
const volume = new aws.ebs.Volume("data-volume", {
availabilityZone: "us-east-1a",
size: 100,
encrypted: true,
tags: { Name: "data-volume" },
}, { provider: usEast1 });
// Create snapshot
const snapshot = new aws.ebs.Snapshot("data-snapshot", {
volumeId: volume.id,
tags: { Name: "data-snapshot" },
}, { provider: usEast1 });
// Copy snapshot to us-west-2
const snapshotCopy = new aws.ebs.SnapshotCopy("snapshot-copy", {
sourceSnapshotId: snapshot.id,
sourceRegion: "us-east-1",
encrypted: true,
tags: { Name: "data-snapshot-copy" },
}, { provider: usWest2 });
export const originalSnapshotId = snapshot.id;
export const copiedSnapshotId = snapshotCopy.id;Global Resources
IAM Resources
IAM resources are global but created in any region:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// IAM resources are global - no provider needed
const role = new aws.iam.Role("global-role", {
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Principal: { Service: "ec2.amazonaws.com" },
Action: "sts:AssumeRole",
}],
}),
});
const policy = new aws.iam.Policy("global-policy", {
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: "s3:*",
Resource: "*",
}],
}),
});
const attachment = new aws.iam.RolePolicyAttachment("attachment", {
role: role.name,
policyArn: policy.arn,
});
// Use role in multiple regions
const usEast1 = new aws.Provider("us-east-1", { region: "us-east-1" });
const usWest2 = new aws.Provider("us-west-2", { region: "us-west-2" });
const instanceProfile = new aws.iam.InstanceProfile("instance-profile", {
role: role.name,
});
const usEastInstance = new aws.ec2.Instance("us-east-instance", {
instanceType: "t3.micro",
ami: "ami-0c55b159cbfafe1f0",
iamInstanceProfile: instanceProfile.name,
}, { provider: usEast1 });
const usWestInstance = new aws.ec2.Instance("us-west-instance", {
instanceType: "t3.micro",
ami: "ami-0abcdef123456789",
iamInstanceProfile: instanceProfile.name,
}, { provider: usWest2 });
export const roleArn = role.arn;Route 53 Hosted Zones
Route 53 is a global service:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Create hosted zone (global resource)
const zone = new aws.route53.Zone("domain-zone", {
name: "example.com",
});
// Create regional resources
const usEast1 = new aws.Provider("us-east-1", { region: "us-east-1" });
const usWest2 = new aws.Provider("us-west-2", { region: "us-west-2" });
const usEastLb = new aws.lb.LoadBalancer("us-east-lb", {
loadBalancerType: "application",
subnets: ["subnet-1", "subnet-2"],
}, { provider: usEast1 });
const usWestLb = new aws.lb.LoadBalancer("us-west-lb", {
loadBalancerType: "application",
subnets: ["subnet-3", "subnet-4"],
}, { provider: usWest2 });
// Create Route 53 records pointing to regional resources
const usEastRecord = new aws.route53.Record("us-east-record", {
zoneId: zone.zoneId,
name: "us-east.example.com",
type: "A",
aliases: [{
name: usEastLb.dnsName,
zoneId: usEastLb.zoneId,
evaluateTargetHealth: true,
}],
});
const usWestRecord = new aws.route53.Record("us-west-record", {
zoneId: zone.zoneId,
name: "us-west.example.com",
type: "A",
aliases: [{
name: usWestLb.dnsName,
zoneId: usWestLb.zoneId,
evaluateTargetHealth: true,
}],
});
// Geo-routing policy
const geoUsRecord = new aws.route53.Record("geo-us", {
zoneId: zone.zoneId,
name: "example.com",
type: "A",
setIdentifier: "us",
geolocationRoutingPolicies: [{
continent: "NA",
}],
aliases: [{
name: usEastLb.dnsName,
zoneId: usEastLb.zoneId,
evaluateTargetHealth: true,
}],
});
const geoEuRecord = new aws.route53.Record("geo-eu", {
zoneId: zone.zoneId,
name: "example.com",
type: "A",
setIdentifier: "eu",
geolocationRoutingPolicies: [{
continent: "EU",
}],
aliases: [{
name: usWestLb.dnsName,
zoneId: usWestLb.zoneId,
evaluateTargetHealth: true,
}],
});
export const nameServers = zone.nameServers;CloudFront Distributions
CloudFront is a global CDN service:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Regional S3 buckets
const usEast1 = new aws.Provider("us-east-1", { region: "us-east-1" });
const euWest1 = new aws.Provider("eu-west-1", { region: "eu-west-1" });
const usBucket = new aws.s3.Bucket("us-bucket", {
acl: "private",
}, { provider: usEast1 });
const euBucket = new aws.s3.Bucket("eu-bucket", {
acl: "private",
}, { provider: euWest1 });
// Global CloudFront distribution with regional origins
const distribution = new aws.cloudfront.Distribution("cdn", {
enabled: true,
origins: [
{
originId: "us-origin",
domainName: usBucket.bucketRegionalDomainName,
s3OriginConfig: {
originAccessIdentity: "origin-access-identity",
},
},
{
originId: "eu-origin",
domainName: euBucket.bucketRegionalDomainName,
s3OriginConfig: {
originAccessIdentity: "origin-access-identity",
},
},
],
defaultCacheBehavior: {
targetOriginId: "us-origin",
viewerProtocolPolicy: "redirect-to-https",
allowedMethods: ["GET", "HEAD"],
cachedMethods: ["GET", "HEAD"],
forwardedValues: {
queryString: false,
cookies: { forward: "none" },
},
},
orderedCacheBehaviors: [{
pathPattern: "/eu/*",
targetOriginId: "eu-origin",
viewerProtocolPolicy: "redirect-to-https",
allowedMethods: ["GET", "HEAD"],
cachedMethods: ["GET", "HEAD"],
forwardedValues: {
queryString: false,
cookies: { forward: "none" },
},
}],
restrictions: {
geoRestriction: {
restrictionType: "none",
},
},
viewerCertificate: {
cloudfrontDefaultCertificate: true,
},
});
export const distributionDomain = distribution.domainName;Regional Endpoints
Service Endpoints by Region
Configure service endpoints for each region:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
interface RegionalEndpoints {
region: string;
s3Endpoint: string;
dynamodbEndpoint: string;
ec2Endpoint: string;
}
function getRegionalEndpoints(region: string): RegionalEndpoints {
return {
region: region,
s3Endpoint: `https://s3.${region}.amazonaws.com`,
dynamodbEndpoint: `https://dynamodb.${region}.amazonaws.com`,
ec2Endpoint: `https://ec2.${region}.amazonaws.com`,
};
}
const regions = ["us-east-1", "us-west-2", "eu-west-1"];
const endpoints = regions.map(getRegionalEndpoints);
export const regionalEndpoints = endpoints;VPC Endpoints for Regional Services
Create VPC endpoints for regional services:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const usEast1 = new aws.Provider("us-east-1", { region: "us-east-1" });
const vpc = new aws.ec2.Vpc("vpc", {
cidrBlock: "10.0.0.0/16",
}, { provider: usEast1 });
// S3 Gateway endpoint
const s3Endpoint = new aws.ec2.VpcEndpoint("s3-endpoint", {
vpcId: vpc.id,
serviceName: "com.amazonaws.us-east-1.s3",
vpcEndpointType: "Gateway",
}, { provider: usEast1 });
// DynamoDB Gateway endpoint
const dynamodbEndpoint = new aws.ec2.VpcEndpoint("dynamodb-endpoint", {
vpcId: vpc.id,
serviceName: "com.amazonaws.us-east-1.dynamodb",
vpcEndpointType: "Gateway",
}, { provider: usEast1 });
// Interface endpoints for other services
const subnet = new aws.ec2.Subnet("private-subnet", {
vpcId: vpc.id,
cidrBlock: "10.0.1.0/24",
}, { provider: usEast1 });
const ec2Endpoint = new aws.ec2.VpcEndpoint("ec2-endpoint", {
vpcId: vpc.id,
serviceName: "com.amazonaws.us-east-1.ec2",
vpcEndpointType: "Interface",
subnetIds: [subnet.id],
privateDnsEnabled: true,
}, { provider: usEast1 });
export const endpoints_created = {
s3: s3Endpoint.id,
dynamodb: dynamodbEndpoint.id,
ec2: ec2Endpoint.id,
};Disaster Recovery Patterns
Active-Passive Failover
Implement active-passive DR pattern:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Primary region (active)
const primary = new aws.Provider("primary", { region: "us-east-1" });
// Secondary region (passive)
const secondary = new aws.Provider("secondary", { region: "us-west-2" });
// Primary infrastructure
const primaryVpc = new aws.ec2.Vpc("primary-vpc", {
cidrBlock: "10.0.0.0/16",
tags: { Role: "primary" },
}, { provider: primary });
const primaryDb = new aws.rds.Instance("primary-db", {
identifier: "primary-db",
engine: "postgres",
instanceClass: "db.t3.medium",
allocatedStorage: 100,
backupRetentionPeriod: 7,
username: "admin",
password: pulumi.secret("db-password"),
}, { provider: primary });
const primaryApp = new aws.ecs.Cluster("primary-cluster", {
tags: { Role: "primary" },
}, { provider: primary });
// Secondary infrastructure (standby)
const secondaryVpc = new aws.ec2.Vpc("secondary-vpc", {
cidrBlock: "10.1.0.0/16",
tags: { Role: "secondary" },
}, { provider: secondary });
const secondaryDb = new aws.rds.Instance("secondary-db", {
identifier: "secondary-db",
replicateSourceDb: primaryDb.identifier,
instanceClass: "db.t3.medium",
}, {
provider: secondary,
dependsOn: [primaryDb],
});
// Route 53 health check and failover
const zone = new aws.route53.Zone("domain", {
name: "example.com",
});
const primaryHealthCheck = new aws.route53.HealthCheck("primary-health", {
type: "HTTPS",
resourcePath: "/health",
fqdn: "primary.example.com",
port: 443,
failureThreshold: 3,
requestInterval: 30,
});
// Primary record (active)
const primaryRecord = new aws.route53.Record("primary-record", {
zoneId: zone.zoneId,
name: "app.example.com",
type: "A",
setIdentifier: "primary",
failoverRoutingPolicies: [{
type: "PRIMARY",
}],
healthCheckId: primaryHealthCheck.id,
ttl: 60,
records: ["1.2.3.4"], // Primary IP
});
// Secondary record (passive)
const secondaryRecord = new aws.route53.Record("secondary-record", {
zoneId: zone.zoneId,
name: "app.example.com",
type: "A",
setIdentifier: "secondary",
failoverRoutingPolicies: [{
type: "SECONDARY",
}],
ttl: 60,
records: ["5.6.7.8"], // Secondary IP
});
export const drConfig = {
primaryRegion: "us-east-1",
secondaryRegion: "us-west-2",
primaryEndpoint: primaryDb.endpoint,
secondaryEndpoint: secondaryDb.endpoint,
};Active-Active Multi-Region
Deploy active-active architecture:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const regions = [
{ name: "us-east", region: "us-east-1", weight: 60 },
{ name: "us-west", region: "us-west-2", weight: 40 },
];
// Deploy to all regions
const regionalDeployments = regions.map(r => {
const provider = new aws.Provider(r.name, { region: r.region });
const vpc = new aws.ec2.Vpc(`${r.name}-vpc`, {
cidrBlock: "10.0.0.0/16",
}, { provider });
const cluster = new aws.ecs.Cluster(`${r.name}-cluster`, {}, { provider });
const alb = new aws.lb.LoadBalancer(`${r.name}-alb`, {
loadBalancerType: "application",
subnets: ["subnet-1", "subnet-2"],
}, { provider });
return {
region: r.region,
weight: r.weight,
albDnsName: alb.dnsName,
albZoneId: alb.zoneId,
};
});
// Route 53 with weighted routing
const zone = new aws.route53.Zone("domain", {
name: "example.com",
});
regionalDeployments.forEach(deployment => {
new aws.route53.Record(`${deployment.region}-record`, {
zoneId: zone.zoneId,
name: "app.example.com",
type: "A",
setIdentifier: deployment.region,
weightedRoutingPolicies: [{
weight: deployment.weight,
}],
aliases: [{
name: deployment.albDnsName,
zoneId: deployment.albZoneId,
evaluateTargetHealth: true,
}],
});
});
// Global DynamoDB table
const globalTable = new aws.dynamodb.GlobalTable("global-table", {
name: "application-data",
replicas: regions.map(r => ({ regionName: r.region })),
});
export const deployments = regionalDeployments;Backup and Restore Strategy
Implement comprehensive backup strategy:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const primary = new aws.Provider("primary", { region: "us-east-1" });
const backup = new aws.Provider("backup", { region: "us-west-2" });
// AWS Backup vault in primary region
const primaryVault = new aws.backup.Vault("primary-vault", {
name: "primary-backup-vault",
}, { provider: primary });
// AWS Backup vault in backup region
const backupVault = new aws.backup.Vault("backup-vault", {
name: "backup-vault",
}, { provider: backup });
// Backup plan
const backupPlan = new aws.backup.Plan("backup-plan", {
name: "comprehensive-backup",
rules: [{
ruleName: "daily-backup",
targetVaultName: primaryVault.name,
schedule: "cron(0 2 * * ? *)", // 2 AM daily
lifecycle: {
deleteAfter: 30,
coldStorageAfter: 7,
},
copyActions: [{
destinationVaultArn: backupVault.arn,
lifecycle: {
deleteAfter: 90,
coldStorageAfter: 30,
},
}],
}],
}, { provider: primary });
// Backup selection
const backupSelection = new aws.backup.Selection("backup-selection", {
name: "resource-selection",
planId: backupPlan.id,
iamRoleArn: "arn:aws:iam::123456789012:role/BackupRole",
selectionTags: [{
type: "STRINGEQUALS",
key: "Backup",
value: "true",
}],
}, { provider: primary });
// Resources to backup
const database = new aws.rds.Instance("app-db", {
engine: "postgres",
instanceClass: "db.t3.medium",
allocatedStorage: 100,
backupRetentionPeriod: 7,
username: "admin",
password: pulumi.secret("db-password"),
tags: { Backup: "true" },
}, { provider: primary });
const volume = new aws.ebs.Volume("data-volume", {
availabilityZone: "us-east-1a",
size: 100,
tags: { Backup: "true" },
}, { provider: primary });
export const backupPlanId = backupPlan.id;
export const backupVaultArn = backupVault.arn;Install with Tessl CLI
npx tessl i tessl/npm-pulumi--aws@7.16.0