Tags: amazon-web-services, terraform, aws-backup

How do I use AWS Backup in Terraform to create a vault in a different region?


I'm implementing a solution to back up my Oracle RDS database using AWS Backup. I'd like to have one vault in my current region and a backup vault in a different region. Being somewhat new to Terraform, I'm not quite sure how to accomplish this. Would I add another AWS provider in a different region? Some of my code is below for reference:

providers.tf:

# Configure the AWS Provider

provider "aws" {
  profile = "sandbox"
  region  = var.primary_region # resolves to us-east-1
  alias   = "primary"
  allowed_account_ids = [
    var.account_id
  ]
}

------------------------------------------------------

backups.tf:

resource "aws_backup_region_settings" "test" {
  resource_type_opt_in_preference = {
    "RDS" = true
  }
}

resource "aws_backup_vault" "test" {
  name        = "backup_vault"
  kms_key_arn = aws_kms_key.sensitive.arn
}

# Would like this to be created in us-west-2:

resource "aws_backup_vault" "test_destination" {
  name        = "backup_destination_vault"
  kms_key_arn = aws_kms_key.sensitive.arn
}

resource "aws_backup_plan" "backup" {
  name = "oasis-backup-plan"

  rule {
    rule_name         = "backup"
    target_vault_name = aws_backup_vault.test.name
    schedule          = "cron(0 12-20 * * ? *)"

    copy_action {
      destination_vault_arn = aws_backup_vault.test_destination.arn
    }
  }
}

resource "aws_iam_role" "backup" {
  name               = "backup_role"
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["sts:AssumeRole"],
      "Effect": "Allow",
      "Principal": {
        "Service": ["backup.amazonaws.com"]
      }
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "backup" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
  role       = aws_iam_role.backup.name
}

resource "aws_backup_selection" "backup" {
  iam_role_arn = aws_iam_role.backup.arn
  name         = "backup_selection"
  plan_id      = aws_backup_plan.backup.id

  resources = [
    aws_db_instance.oasis.arn,
    data.aws_db_instance.backup.db_instance_arn,  # My Oracle DB, already existing
  ]
}

I am aware that AWS Backup is heavily leveraged within AWS Organizations. Despite the fact that we are using that pattern for our numerous accounts, I'm trying to avoid getting that level of control involved at this point; I'm just doing a POC to try to get a reasonable backup plan to a DR region going.


Solution

  • So in order to do what you want to do, you need to use a feature of Terraform that allows you to configure multiple providers:

    https://www.terraform.io/docs/language/providers/configuration.html

    Once you've configured that, you can specify which provider to use when you want to provision the second vault, and everything should work without much issue.
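An added example of the aliased-provider pattern the answer points to, written against the question's resources; it is not code from the question or the answer. It assumes the DR region is us-west-2 and that the primary vault is the question's `aws_backup_vault.test`; the alias `aws.dr` and the key `aws_kms_key.sensitive_dr` are names chosen here. Two points the question's code does not account for: KMS keys are regional, so the destination vault cannot reuse the us-east-1 key, and because the question's only provider block carries `alias = "primary"`, resources without a `provider` argument fall back to an unconfigured default `aws` provider (either drop that alias or set `provider = aws.primary` on every primary-region resource).

```hcl
# Second provider configuration for the DR region (assumed: us-west-2).
provider "aws" {
  alias               = "dr"
  profile             = "sandbox"
  region              = "us-west-2"
  allowed_account_ids = [var.account_id]
}

# KMS keys are regional: the destination vault needs a key that lives in us-west-2.
resource "aws_kms_key" "sensitive_dr" {
  provider            = aws.dr
  description         = "AWS Backup vault key (DR region)"
  enable_key_rotation = true
}

# The only change needed on the vault itself is the provider meta-argument.
resource "aws_backup_vault" "test_destination" {
  provider    = aws.dr
  name        = "backup_destination_vault"
  kms_key_arn = aws_kms_key.sensitive_dr.arn
}

# The plan stays in the primary region (default provider); the copy_action
# references the DR vault by ARN, which is how AWS Backup targets another region.
resource "aws_backup_plan" "backup" {
  name = "oasis-backup-plan"

  rule {
    rule_name         = "backup"
    target_vault_name = aws_backup_vault.test.name
    schedule          = "cron(0 12-20 * * ? *)"

    copy_action {
      destination_vault_arn = aws_backup_vault.test_destination.arn

      # Give the DR copies their own retention so they are not kept forever.
      lifecycle {
        delete_after = 35
      }
    }
  }
}
```

After `terraform apply`, `terraform state show aws_backup_vault.test_destination` should report an ARN containing `us-west-2`, which is the quickest check that the alias took effect.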