Tags: amazon-web-services, aws-cloudformation, aws-organizations, aws-backup

AWS-backup: The provided policy document does not meet the requirements of the specified policy type


The policy document I am providing does not conform to the expected format for the backup policy.

I'm trying to use this template.

AWSTemplateFormatVersion: '2010-09-09'
Transform:
  - 'AWS::LanguageExtensions'
Parameters:
  pOrgBackupTargetOUs:
    Description: A comma separated list of the AWS Organizations OUs to attach backup policies.
    Type: CommaDelimitedList
  pCentralBackupVaultArn:
    Description: The **ARN** of a centralized AWS Backup Vault that will be the secondary store for all AWS Backups. The defined organization backup policy plans will "copy_to" this vault.
    Type: String
  pCrossAccountBackupRole:
    Description: This is the IAM role name for the cross-account backup role that carries out the backup activities.
    Type: String
  pMemberAccountBackupVault:
    AllowedPattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
    ConstraintDescription: The name of the member account Backup vaults. (Name is case sensitive). 
    Type: String
  pTagKey:
    Type: String 
    Description: This is the tag key to assign to resources.
    Default: 'project'
  pTagValue:
    Type: String 
    Description: This is the tag value to assign to resources.
    Default: 'aws-backup'
Resources:
  rOrgDailyBackUpPolicy:
    Type: AWS::Organizations::Policy
    Properties:
      Name: org-daily-backup-policy
      Description: >-
        BackupPolicy for Daily Backup as per the resource selection criteria
      Type: BACKUP_POLICY
      TargetIds: !Ref pOrgBackupTargetOUs
      Content:
        Fn::ToJsonString:
          plans:
            OrgBackupPlanDaily:
              rules:
                OrgDailyBackupRule:
                  schedule_expression:
                    "@@assign": cron(0 19 ? * * *)
                  start_backup_window_minutes:
                    "@@assign": '60'
                  complete_backup_window_minutes:
                    "@@assign": '1200'
                  lifecycle:
                    delete_after_days:
                      "@@assign": '14'
                  target_backup_vault_name:
                    "@@assign": !Ref pMemberAccountBackupVault
                  recovery_point_tags:
                    project:
                      tag_key:
                        "@@assign": !Ref pTagKey
                      tag_value:
                        "@@assign": !Ref pTagValue
                  copy_actions:
                    "<my-central-vault-ARN-hardcoded>":
                      target_backup_vault_arn:
                        "@@assign": !Ref pCentralBackupVaultArn
                      lifecycle:
                        delete_after_days:
                          "@@assign": '14'
              backup_plan_tags:
                project:
                  tag_key:
                     "@@assign": !Ref pTagKey
                  tag_value:
                     "@@assign": !Ref pTagValue
              regions:
                "@@append":
                  - eu-central-1
              selections:
                tags:
                  OrgDailyBackupSelection:
                    iam_role_arn:
                      "@@assign": !Sub 'arn:aws:iam::$account:role/${pCrossAccountBackupRole}'
                    tag_key:
                      "@@assign": 'backup'
                    tag_value:
                      "@@assign":
                        - daily

Explanation of code:

Overall, this CloudFormation template creates an AWS backup policy for resources within an AWS Organization, specifying the backup rules and the storage locations for the backup data.

But I am getting the error "The provided policy document does not meet the requirements of the specified policy type." while trying to create the backup policy.


Solution

  • My fault. I was providing the name of the central vault instead of the ARN as a template parameter.

    So make sure that copy_actions contains the ARN of the central vault, both hardcoded and as a parameter.
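A pre-deploy check for the mistake described in this answer, added here as an example and not part of the question or the answer: it walks the JSON that Fn::ToJsonString would emit for the template's plan and flags any copy_actions key or target_backup_vault_arn that is not an AWS Backup vault ARN, or where the two disagree. The ARN regex, the vault names and the 12-digit account id are constructed assumptions.

```python
import re

# Constructed stand-in for the JSON that Fn::ToJsonString produces for the
# OrgDailyBackupRule in the template; only the parts the check needs are kept.
def daily_backup_policy(copy_key, copy_target):
    return {"plans": {"OrgBackupPlanDaily": {"rules": {"OrgDailyBackupRule": {
        "schedule_expression": {"@@assign": "cron(0 19 ? * * *)"},
        "target_backup_vault_name": {"@@assign": "member-vault"},
        "copy_actions": {copy_key: {
            "target_backup_vault_arn": {"@@assign": copy_target},
            "lifecycle": {"delete_after_days": {"@@assign": "14"}}}}}}}}}

# Assumed shape of a Backup vault ARN: partition, region, 12-digit account,
# then "backup-vault:" and a name matching the template's AllowedPattern.
VAULT_ARN = re.compile(
    r"^arn:aws[a-z-]*:backup:[a-z0-9-]+:\d{12}:backup-vault:[a-zA-Z0-9_.-]{1,50}$")

# Constructed example ARN of the central vault in the organization's account.
CENTRAL_VAULT_ARN = "arn:aws:backup:eu-central-1:111122223333:backup-vault:central-vault"

def assigned(node):
    """Return the value under an "@@assign" operator, or None if it is missing."""
    return node.get("@@assign") if isinstance(node, dict) else None

def check_copy_actions(policy):
    """Return a list of problems found in the copy_actions of every rule."""
    problems = []
    for plan_name, plan in policy.get("plans", {}).items():
        for rule_name, rule in plan.get("rules", {}).items():
            where = f"{plan_name}/{rule_name}"
            for key, action in rule.get("copy_actions", {}).items():
                target = assigned(action.get("target_backup_vault_arn"))
                key_ok = bool(VAULT_ARN.match(key))
                target_ok = target is not None and bool(VAULT_ARN.match(target))
                if not key_ok:
                    problems.append(f"{where}: copy_actions key {key!r} is not a vault ARN")
                if not target_ok:
                    problems.append(f"{where}: target_backup_vault_arn {target!r} is not a vault ARN")
                elif key_ok and key != target:
                    problems.append(f"{where}: key {key!r} differs from target {target!r}")
    return problems

if __name__ == "__main__":
    # The failing case from the question: placeholder key and a bare vault name.
    for line in check_copy_actions(daily_backup_policy("<my-central-vault-ARN-hardcoded>", "central-vault")):
        print(line)
    # The corrected case: the same ARN as the key and as the assigned target.
    print(check_copy_actions(daily_backup_policy(CENTRAL_VAULT_ARN, CENTRAL_VAULT_ARN)))  # → []
```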