CodeWithYou

AWS Backup resources assignment by Tag using AWS CDK


What is AWS Backup?

Many AWS resources support backup and restore: EC2 instances, EBS volumes, S3 buckets, RDS databases, and more. You can enable backup and restore on each of these individually. But what if you want one place to manage backup and restore for all of them? AWS Backup is the service for that.

CDK example for AWS Backup

Assume that you have a DynamoDB table that you want to back up. You can create an on-demand backup or a scheduled backup. A scheduled backup is a backup plan in the AWS Backup service.

Let's see how to create a backup plan for a DynamoDB table.

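// Imports used by this snippet (place them at the top of the stack file)
import { Duration, RemovalPolicy, Tags } from 'aws-cdk-lib'
import * as backup from 'aws-cdk-lib/aws-backup'
import * as events from 'aws-cdk-lib/aws-events'
import * as iam from 'aws-cdk-lib/aws-iam'
import * as kms from 'aws-cdk-lib/aws-kms'

// The code below goes inside the Stack constructor.
// -----AWS Backup Plan-----
// 1. Create a kms key for the backup vault
const kmsKey = new kms.Key(this, 'KmsKey', {
  description: 'KMS Key for Backup Vault',
  // DESTROY schedules the key for deletion when the stack is deleted (the CDK default is RETAIN).
  // Recovery points encrypted with a deleted key cannot be restored, so keep RETAIN for real data.
  removalPolicy: RemovalPolicy.DESTROY,
  enabled: true, // this is the default; the key is enabled unless you set false
  enableKeyRotation: true,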
  policy: new iam.PolicyDocument({
    statements: [
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['kms:*'],
        principals: [
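          // Account root principal: lets IAM policies in this account grant access to the key
          // (the same statement as the default key policy)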
          new iam.AccountRootPrincipal(),
        ],
        resources: ['*'],
      }),
    ],
  }),
})

// 2. Create a backup vault with the kms key as the encryption key
const backupVault = new backup.BackupVault(this, 'BackupVault', {
  encryptionKey: kmsKey,
  removalPolicy: RemovalPolicy.DESTROY,
  backupVaultName: 'BackupVaultWithDailyBackups',
})

// 3. Create a backup plan
const backupPlan = new backup.BackupPlan(this, 'BackupPlan', {
  backupPlanName: 'BackupPlanWithDailyBackups',
})

// 4. Add a rule to the backup plan to back up the table every day at 5:00 am UTC
backupPlan.addRule(
  new backup.BackupPlanRule({
    ruleName: 'RuleForDailyBackups',
    scheduleExpression: events.Schedule.expression('cron(0 5 * * ? *)'), // Run daily at 5:00 am UTC (AWS cron expressions take six fields)
    backupVault: backupVault,
    deleteAfter: Duration.days(14), // Expire after 2 weeks
  })
)

// 5. Add a backup selection to the backup plan (a resource is selected if it matches either tag below)
backupPlan.addSelection('TagBasedBackupSelection', {
  backupSelectionName: 'TagBasedBackupSelection',
  resources: [
    // back up all resources tagged with stag=prod
    backup.BackupResource.fromTag('stag', 'prod', backup.TagOperation.STRING_EQUALS),
    // back up all resources tagged with service=blog
    backup.BackupResource.fromTag('service', 'blog', backup.TagOperation.STRING_EQUALS),
  ],
})
// ----- END AWS Backup Plan -----
  1. We created a KMS key for the backup vault.
  2. We created a backup vault with the KMS key as the encryption key.
  3. We created a backup plan.
  4. We added a rule to the backup plan to back up the table every day at 5:00 am UTC.
  5. We added a backup selection to the backup plan. This selection backs up every resource tagged with stag=prod as well as every resource tagged with service=blog.

From here, any resource tagged with stag=prod or service=blog will be backed up by the backup plan. Tag keys and values are matched exactly and are case-sensitive. To include the table, tag it:

Tags.of(table).add('stag', 'prod')
Tags.of(table).add('service', 'blog')

That is all you need to do to back up a table.
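
The tag matching behind this selection, as an added example that is not part of the original post: a local TypeScript model (no AWS calls) that sorts a constructed inventory into resources the plan selects, resources skipped because a tag differs only by letter case, and unprotected ones. The function names, ARNs and inventory are assumptions made for the illustration.

```typescript
// Added example: a local model of tag-based selection, not an AWS API call.
// Assumption: conditions from BackupResource.fromTag() use exact, case-sensitive
// matching, and a resource is selected when ANY one condition matches.
interface TagCondition { key: string; value: string }
interface Resource { arn: string; tags: { [key: string]: string } }
interface Coverage { selected: string[]; nearMiss: string[]; unprotected: string[] }

// The two conditions from the selection on this page.
const selection: TagCondition[] = [
  { key: 'stag', value: 'prod' },
  { key: 'service', value: 'blog' },
]

// Exact match, as the service evaluates it.
function matches(r: Resource, c: TagCondition): boolean {
  return r.tags[c.key] === c.value
}

// Match that differs only by letter case: a tag typo the plan silently ignores.
function almostMatches(r: Resource, c: TagCondition): boolean {
  return Object.keys(r.tags).some(
    (k) => k.toLowerCase() === c.key.toLowerCase() &&
      (r.tags[k] || '').toLowerCase() === c.value.toLowerCase(),
  )
}

// Sort an inventory into selected, near-miss and unprotected resources.
function auditCoverage(resources: Resource[], conditions: TagCondition[]): Coverage {
  const out: Coverage = { selected: [], nearMiss: [], unprotected: [] }
  for (const r of resources) {
    if (conditions.some((c) => matches(r, c))) out.selected.push(r.arn)
    else if (conditions.some((c) => almostMatches(r, c))) out.nearMiss.push(r.arn)
    else out.unprotected.push(r.arn)
  }
  return out
}

// Constructed inventory; account id and table names are placeholders.
const arn = (name: string) => `arn:aws:dynamodb:us-east-1:111122223333:table/${name}`
const inventory: Resource[] = [
  { arn: arn('posts'), tags: { stag: 'prod', service: 'blog' } },
  { arn: arn('sessions'), tags: { stag: 'dev', service: 'blog' } }, // selected: one match is enough
  { arn: arn('orders'), tags: { Stag: 'prod' } }, // key case differs: not backed up
  { arn: arn('comments'), tags: { stag: 'Prod' } }, // value case differs: not backed up
  { arn: arn('scratch'), tags: { team: 'data' } },
]

console.log(auditCoverage(inventory, selection))
```

Resources in the nearMiss bucket are the ones to fix first: they look tagged for backup but are never assigned to the plan.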

References:

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_backup-readme.html
https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html