CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/npm-pulumi--aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.

Pending

Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Overview
Eval results
Files

glacier.mddocs/storage/

Glacier - Archive Storage

Amazon S3 Glacier provides secure, durable, and low-cost storage for data archiving and long-term backup.

Common Tasks

Create a vault for archives

import * as aws from "@pulumi/aws";

const vault = new aws.glacier.Vault("archive-vault", {
    name: "long-term-archives",
    tags: { Purpose: "compliance" },
});

Create vault with notifications

import * as aws from "@pulumi/aws";

const vault = new aws.glacier.Vault("backup-vault", {
    name: "backup-archives",
    notification: {
        snsTopic: snsTopic.arn,
        events: ["ArchiveRetrievalCompleted", "InventoryRetrievalCompleted"],
    },
    tags: { Retention: "7-years" },
});

Lock vault with compliance policy

import * as aws from "@pulumi/aws";

const lock = new aws.glacier.VaultLock("compliance-lock", {
    vaultName: vault.name,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Deny",
            Principal: "*",
            Action: "glacier:DeleteArchive",
            Resource: vault.arn,
            Condition: {
                NumericLessThan: {
                    "glacier:ArchiveAgeInDays": "2555" // ~7 years
                }
            }
        }]
    }),
    completeLock: true,
});

Core Resources

Vault

class Vault extends pulumi.CustomResource {
    constructor(name: string, args?: VaultArgs, opts?: pulumi.CustomResourceOptions);

    readonly arn: pulumi.Output<string>;
    readonly name: pulumi.Output<string>;
}

interface VaultArgs {
    name?: pulumi.Input<string>;
    accessPolicy?: pulumi.Input<string>;
    notification?: pulumi.Input<VaultNotification>;
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}

interface VaultNotification {
    snsTopic: pulumi.Input<string>;
    events: pulumi.Input<pulumi.Input<string>[]>;
}

Example: Basic archive vault

const vault = new aws.glacier.Vault("data-archive", {
    name: "company-data-archive",
    tags: {
        Department: "IT",
        Compliance: "SOX",
        RetentionYears: "7"
    },
});

Example: Vault with SNS notifications

// SNS topic for notifications
const topic = new aws.sns.Topic("glacier-notifications", {
    displayName: "Glacier Archive Notifications",
});

// Vault with notifications enabled
const vault = new aws.glacier.Vault("backup-vault", {
    name: "backup-archives",
    notification: {
        snsTopic: topic.arn,
        events: [
            "ArchiveRetrievalCompleted",
            "InventoryRetrievalCompleted",
        ],
    },
    tags: {
        Purpose: "automated-backups",
        NotificationsEnabled: "true"
    },
});

Example: Vault with access policy

const vault = new aws.glacier.Vault("restricted-vault", {
    name: "secure-archives",
    accessPolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                AWS: backupRoleArn
            },
            Action: [
                "glacier:InitiateJob",
                "glacier:GetJobOutput",
                "glacier:UploadArchive"
            ],
            Resource: pulumi.interpolate`arn:aws:glacier:${region}:${accountId}:vaults/secure-archives`
        }]
    }),
    tags: {
        AccessControl: "restricted",
        Environment: "production"
    },
});

VaultLock

class VaultLock extends pulumi.CustomResource {
    constructor(name: string, args: VaultLockArgs, opts?: pulumi.CustomResourceOptions);
}

interface VaultLockArgs {
    vaultName: pulumi.Input<string>;
    policy: pulumi.Input<string>;
    completeLock?: pulumi.Input<boolean>;
    ignoreDeletionError?: pulumi.Input<boolean>;
}

Example: Compliance vault lock (7-year retention)

const lock = new aws.glacier.VaultLock("compliance-lock", {
    vaultName: vault.name,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Sid: "deny-deletion-before-retention",
            Effect: "Deny",
            Principal: "*",
            Action: "glacier:DeleteArchive",
            Resource: vault.arn,
            Condition: {
                NumericLessThan: {
                    "glacier:ArchiveAgeInDays": "2555" // 7 years
                }
            }
        }]
    }),
    completeLock: true, // Immutable after completion
});

Example: Test vault lock before completing

// First, test the lock policy
const testLock = new aws.glacier.VaultLock("test-lock", {
    vaultName: vault.name,
    policy: lockPolicyJson,
    completeLock: false, // Test mode - can be aborted
});

// After testing (usually 24 hours), complete the lock
const finalLock = new aws.glacier.VaultLock("final-lock", {
    vaultName: vault.name,
    policy: lockPolicyJson,
    completeLock: true, // Permanently lock
});

Example: Multi-condition vault lock

const advancedLock = new aws.glacier.VaultLock("advanced-lock", {
    vaultName: vault.name,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Sid: "deny-early-deletion",
                Effect: "Deny",
                Principal: "*",
                Action: "glacier:DeleteArchive",
                Resource: vault.arn,
                Condition: {
                    NumericLessThan: {
                        "glacier:ArchiveAgeInDays": "365"
                    }
                }
            },
            {
                Sid: "require-mfa-for-deletion",
                Effect: "Deny",
                Principal: "*",
                Action: "glacier:DeleteArchive",
                Resource: vault.arn,
                Condition: {
                    BoolIfExists: {
                        "aws:MultiFactorAuthPresent": "false"
                    }
                }
            }
        ]
    }),
    completeLock: true,
});

Storage Classes

Glacier offers different storage classes via S3:

  • S3 Glacier Instant Retrieval - Millisecond retrieval, quarterly access
  • S3 Glacier Flexible Retrieval - Minutes to hours retrieval, 1-2 times per year
  • S3 Glacier Deep Archive - 12-hour retrieval, rarely accessed

Retrieval Options

  • Expedited - 1-5 minutes (Flexible Retrieval only)
  • Standard - 3-5 hours (Flexible Retrieval) or 12 hours (Deep Archive)
  • Bulk - 5-12 hours, lowest cost

Best Practices

  • Use vault locks for compliance and regulatory requirements
  • Enable SNS notifications for retrieval job completion
  • Tag vaults with retention policies and compliance requirements
  • Test vault lock policies before completing the lock (irreversible)
  • Use lifecycle policies in S3 to automatically transition to Glacier
  • Consider retrieval costs when planning data access patterns
  • Use S3 Glacier for archives accessed 1-2 times per year
  • Use Deep Archive for archives accessed rarely (long-term backups)

Vault Lock Use Cases

  • Regulatory Compliance - SEC, FINRA, HIPAA requirements
  • Legal Hold - Preserve records for litigation
  • Data Retention - Enforce minimum retention periods
  • Immutable Backups - Protect against ransomware

Related Services

  • S3 - Lifecycle policies to transition objects to Glacier
  • Backup - Automated backup to Glacier vaults
  • Storage Gateway - On-premises integration with Glacier
  • DataSync - Transfer data to Glacier for archival
  • SNS - Notifications for Glacier job completion
  • IAM - Access control for vault operations
  • CloudWatch - Monitor vault metrics and operations

Install with Tessl CLI

npx tessl i tessl/npm-pulumi--aws@7.16.0

docs

storage

backup.md

ebs.md

efs.md

fsx.md

glacier.md

overview.md

s3.md

index.md

quickstart.md

README.md

tile.json