CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/npm-pulumi--aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.

Pending

Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Overview
Eval results
Files

backup.mddocs/storage/

Backup - Centralized Backup Management

AWS Backup provides centralized backup management across AWS services.

Common Tasks

Create a daily backup plan

import * as aws from "@pulumi/aws";

const plan = new aws.backup.Plan("daily-backups", {
    name: "daily-backup-plan",
    rule: {
        ruleName: "daily-rule",
        targetVaultName: vault.name,
        schedule: "cron(0 2 * * ? *)", // 2 AM daily
        lifecycle: {
            deleteAfter: 30, // days
        },
    },
});

Create backup vault with encryption

import * as aws from "@pulumi/aws";

const vault = new aws.backup.Vault("backup-vault", {
    name: "production-backups",
    kmsKeyArn: kmsKey.arn,
    tags: { Environment: "production" },
});

Select resources for backup by tags

import * as aws from "@pulumi/aws";

const selection = new aws.backup.Selection("tagged-resources", {
    name: "backup-tagged-resources",
    planId: plan.id,
    iamRoleArn: backupRole.arn,
    selectionTag: {
        type: "STRINGEQUALS",
        key: "Backup",
        value: "true",
    },
});

Core Resources

Plan, Vault, Selection

AWS Backup manages backup plans, vaults, and resource selections for automated backup across RDS, DynamoDB, EFS, EBS, and more.

Plan

Defines backup schedule, retention, and lifecycle policies.

class Plan extends pulumi.CustomResource {
    constructor(name: string, args: PlanArgs, opts?: pulumi.CustomResourceOptions);

    readonly arn: pulumi.Output<string>;
    readonly id: pulumi.Output<string>;
}

interface PlanArgs {
    name: pulumi.Input<string>;
    rule: pulumi.Input<PlanRule | PlanRule[]>;
    advancedBackupSetting?: pulumi.Input<AdvancedBackupSetting[]>;
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

interface PlanRule {
    ruleName: pulumi.Input<string>;
    targetVaultName: pulumi.Input<string>;
    schedule?: pulumi.Input<string>; // cron expression
    startWindow?: pulumi.Input<number>; // minutes
    completionWindow?: pulumi.Input<number>; // minutes
    lifecycle?: pulumi.Input<Lifecycle>;
    recoveryPointTags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
    copyAction?: pulumi.Input<CopyAction[]>;
}

interface Lifecycle {
    deleteAfter?: pulumi.Input<number>; // days
    moveToColdStorageAfter?: pulumi.Input<number>; // days
}

Example: Comprehensive backup plan with multiple rules

const plan = new aws.backup.Plan("comprehensive-backup", {
    name: "production-backup-plan",
    rule: [
        {
            ruleName: "hourly-snapshots",
            targetVaultName: vault.name,
            schedule: "cron(0 * * * ? *)", // Every hour
            startWindow: 60,
            completionWindow: 120,
            lifecycle: {
                deleteAfter: 1, // Keep hourly for 1 day
            },
            recoveryPointTags: {
                Frequency: "hourly",
            },
        },
        {
            ruleName: "daily-backups",
            targetVaultName: vault.name,
            schedule: "cron(0 2 * * ? *)", // 2 AM daily
            lifecycle: {
                deleteAfter: 30, // Keep daily for 30 days
            },
            recoveryPointTags: {
                Frequency: "daily",
            },
        },
        {
            ruleName: "monthly-archives",
            targetVaultName: vault.name,
            schedule: "cron(0 3 1 * ? *)", // 3 AM on 1st of month
            lifecycle: {
                moveToColdStorageAfter: 30,
                deleteAfter: 365, // Keep for 1 year
            },
            recoveryPointTags: {
                Frequency: "monthly",
            },
        },
    ],
    tags: {
        Environment: "production",
        ManagedBy: "aws-backup",
    },
});

Example: Cross-region backup replication

const drVault = new aws.backup.Vault("dr-vault", {
    name: "disaster-recovery-vault",
}, { provider: drRegionProvider });

const plan = new aws.backup.Plan("replicated-backup", {
    name: "cross-region-backup",
    rule: {
        ruleName: "daily-with-replication",
        targetVaultName: primaryVault.name,
        schedule: "cron(0 2 * * ? *)",
        lifecycle: {
            deleteAfter: 30,
        },
        copyAction: [{
            destinationVaultArn: drVault.arn,
            lifecycle: {
                deleteAfter: 30,
            },
        }],
    },
});

Vault

Secure storage location for backups.

class Vault extends pulumi.CustomResource {
    constructor(name: string, args?: VaultArgs, opts?: pulumi.CustomResourceOptions);

    readonly arn: pulumi.Output<string>;
    readonly id: pulumi.Output<string>;
}

interface VaultArgs {
    name?: pulumi.Input<string>;
    kmsKeyArn?: pulumi.Input<string>;
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

Example: Encrypted backup vault

const vault = new aws.backup.Vault("encrypted-vault", {
    name: "production-backups",
    kmsKeyArn: kmsKey.arn,
    tags: {
        Environment: "production",
        Encrypted: "true",
    },
});

Example: Vault with access policy

const vault = new aws.backup.Vault("restricted-vault", {
    name: "compliance-backups",
    kmsKeyArn: kmsKey.arn,
});

new aws.backup.VaultPolicy("vault-policy", {
    backupVaultName: vault.name,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Deny",
            Principal: "*",
            Action: "backup:DeleteRecoveryPoint",
            Resource: "*",
            Condition: {
                NumericLessThan: {
                    "backup:CopyJobId": "365"
                }
            }
        }]
    }),
});

Selection

Assigns resources to backup plans.

class Selection extends pulumi.CustomResource {
    constructor(name: string, args: SelectionArgs, opts?: pulumi.CustomResourceOptions);

    readonly id: pulumi.Output<string>;
}

interface SelectionArgs {
    name: pulumi.Input<string>;
    planId: pulumi.Input<string>;
    iamRoleArn: pulumi.Input<string>;
    resources?: pulumi.Input<pulumi.Input<string>[]>; // ARNs
    selectionTag?: pulumi.Input<SelectionTag | SelectionTag[]>;
    condition?: pulumi.Input<SelectionCondition>;
}

interface SelectionTag {
    type: pulumi.Input<"STRINGEQUALS">;
    key: pulumi.Input<string>;
    value: pulumi.Input<string>;
}

Example: Select resources by tag

const selection = new aws.backup.Selection("tagged-resources", {
    name: "backup-tagged-resources",
    planId: plan.id,
    iamRoleArn: backupRole.arn,
    selectionTag: {
        type: "STRINGEQUALS",
        key: "Backup",
        value: "true",
    },
});

Example: Select specific resources by ARN

const selection = new aws.backup.Selection("critical-resources", {
    name: "critical-databases",
    planId: plan.id,
    iamRoleArn: backupRole.arn,
    resources: [
        db1.arn,
        db2.arn,
        efsFileSystem.arn,
    ],
});

Example: Select with multiple conditions

const selection = new aws.backup.Selection("multi-condition", {
    name: "production-tagged-resources",
    planId: plan.id,
    iamRoleArn: backupRole.arn,
    selectionTag: [
        {
            type: "STRINGEQUALS",
            key: "Environment",
            value: "production",
        },
        {
            type: "STRINGEQUALS",
            key: "Backup",
            value: "true",
        },
    ],
});

IAM Role Setup

AWS Backup requires an IAM role with appropriate permissions:

const backupRole = new aws.iam.Role("backup-role", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                Service: "backup.amazonaws.com"
            },
            Action: "sts:AssumeRole"
        }]
    }),
});

new aws.iam.RolePolicyAttachment("backup-policy", {
    role: backupRole.name,
    policyArn: "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
});

new aws.iam.RolePolicyAttachment("restore-policy", {
    role: backupRole.name,
    policyArn: "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores",
});

Supported Services

AWS Backup supports centralized backup for:

  • RDS - Database snapshots
  • DynamoDB - Table backups
  • EFS - File system backups
  • EBS - Volume snapshots
  • EC2 - Instance snapshots
  • Aurora - Cluster snapshots
  • DocumentDB - Database backups
  • Neptune - Graph database backups
  • FSx - File system backups
  • Storage Gateway - Volume backups

Best Practices

  • Enable encryption for backup vaults using KMS
  • Use tag-based selection for automatic backup inclusion
  • Implement multiple retention tiers (hourly, daily, monthly)
  • Set up cross-region backup replication for disaster recovery
  • Use vault locks for compliance requirements
  • Monitor backup job success/failure with CloudWatch
  • Test restore procedures regularly
  • Use lifecycle policies to move old backups to cold storage
  • Tag recovery points for organization and compliance

Cron Expression Examples

  • cron(0 2 * * ? *) - Daily at 2 AM UTC
  • cron(0 */6 * * ? *) - Every 6 hours
  • cron(0 3 ? * MON *) - Weekly on Monday at 3 AM
  • cron(0 4 1 * ? *) - Monthly on 1st at 4 AM
  • cron(0 5 1 */3 ? *) - Quarterly on 1st at 5 AM

For complete Backup API with 13 resources and 5 data sources, see All Services.

Related Services

  • S3 - Backup destination for certain services
  • Glacier - Long-term backup archival
  • KMS - Encryption for backup vaults
  • SNS - Notifications for backup job status
  • CloudWatch - Monitoring and alerting
  • IAM - Access control for backup operations
  • RDS/EBS/EFS - Resources being backed up
  • EventBridge - Automate backup workflows

Install with Tessl CLI

npx tessl i tessl/npm-pulumi--aws@7.16.0

docs

storage

backup.md

ebs.md

efs.md

fsx.md

glacier.md

overview.md

s3.md

index.md

quickstart.md

README.md

tile.json