AWS Backup cross account

Tài nguyên cần thiết để sao lưu AWS trong tài khoản đích:

  • KMS Key
  • KMS Alias
  • Backup Vault
  • Backup Vault Policy

Key policy để chia sẻ KMS key của tài khoản đích với tài khoản nguồn:

# Customer managed KMS key that encrypts the destination backup vault.
# The key policy below is what makes the cross-account copy possible: the
# source account root (local.source_account_number) is allowed to use the key
# and to manage AWS-resource grants on it, but is not made a key administrator.
resource "aws_kms_key" "aws_kms_key" {
  description = "KMS Key for Backup"
  # Statements, in order: full control for this account's root, key
  # administration for role/my_role, encrypt/decrypt use for my_role and the
  # source account root, and grant management limited to grants created for
  # AWS resources (kms:GrantIsForAWSResource) for the same two principals.
  policy      = <<POLICY
{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/my_role"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/my_role",
                    "arn:aws:iam::${local.source_account_number}:root"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/my_role",
                    "arn:aws:iam::${local.source_account_number}:root"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
POLICY
}

KMS Alias

# Human-readable alias for the backup key. The alias points at the key ID of
# the aws_kms_key resource declared above (its id and key_id attributes carry
# the same value).
resource "aws_kms_alias" "aws_kms_alias" {
  target_key_id = aws_kms_key.aws_kms_key.id
  name          = "alias/aws-backup-kms"
}

Backup Vault

# Destination backup vault. Recovery points copied into it are encrypted with
# the customer managed key declared above (kms_key_arn), not the AWS-managed
# default key.
resource "aws_backup_vault" "aws_backup_vault" {
  kms_key_arn = aws_kms_key.aws_kms_key.arn
  name        = "aws_backup_vault"
}

Backup Vault Policy

Vault policy này sẽ được gắn vào destination vault để cho phép tài khoản nguồn copy backup vào vault đó:

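# Vault access policy for the destination vault. It allows the source account
# root (local.source_account_number) exactly one action, backup:CopyIntoBackupVault,
# so the other account can copy recovery points in but cannot read, restore or
# delete anything in this vault.
resource "aws_backup_vault_policy" "iemtrialcluster_backup_vault_policy" {
  # backup_vault_name must reference a vault declared in this configuration;
  # the destination vault declared above is aws_backup_vault.aws_backup_vault
  # (no vault named iemtrialcluster_backup_vault is declared here).
  backup_vault_name = aws_backup_vault.aws_backup_vault.name
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "Allow Tool Prod Account to copy into iemtrialcluster_backup_vault",
      "Effect": "Allow",
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*",
      "Principal": {
        "AWS": "arn:aws:iam::${local.source_account_number}:root"
      }
    }
  ]
}
POLICY
}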

Tài nguyên cần thiết để sao lưu AWS trong tài khoản nguồn:

  • KMS Key

  • KMS Alias

  • Backup Vault

  • Backup Plan

  • Backup Selection

KMS Key

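# Customer managed KMS key that encrypts the source backup vault.
# The destination account (local.destination_account_number) only needs to use
# this key and to manage AWS-resource grants on it, so it appears in the
# "Allow use of the key" and "Allow attachment of persistent resources"
# statements only. It is deliberately not listed in the first statement:
# granting "kms:*" to another account's root would give that account full
# administrative control over this key (policy changes, disabling, scheduled
# deletion), which the cross-account copy does not require.
resource "aws_kms_key" "aws_kms_key" {
  description = "KMS Key for Backup"
  # Statements, in order: full control for this account's root, key
  # administration for role/my_role, encrypt/decrypt use for my_role and both
  # account roots, and grant management limited to grants created for AWS
  # resources (kms:GrantIsForAWSResource) for the same principals.
  policy      = <<POLICY
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${local.source_account_number}:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${local.source_account_number}:role/my_role"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::${local.destination_account_number}:root",
                    "arn:aws:iam::${local.source_account_number}:role/my_role",
                    "arn:aws:iam::${local.source_account_number}:root"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::${local.destination_account_number}:root",
                    "arn:aws:iam::${local.source_account_number}:role/my_role",
                    "arn:aws:iam::${local.source_account_number}:root"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
POLICY
}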

KMS Alias

# Human-readable alias for the source account's backup key. The alias points
# at the key ID of the aws_kms_key resource declared above (its id and key_id
# attributes carry the same value).
resource "aws_kms_alias" "aws_kms_alias" {
  target_key_id = aws_kms_key.aws_kms_key.id
  name          = "alias/aws-backup-kms"
}

Backup Vault

# Source backup vault that the backup plan below writes into. Recovery points
# are encrypted with the customer managed key declared above (kms_key_arn).
resource "aws_backup_vault" "aws_backup_vault" {
  kms_key_arn = aws_kms_key.aws_kms_key.arn
  name        = "aws_backup_vault"
}

Backup Plan

# Backup plan with a single rule: a scheduled backup into the source vault,
# each recovery point also copied to the destination vault in the other account.
resource "aws_backup_plan" "aws_backup_plan" {
  name = "backup_plan"

  rule {
    rule_name         = "backup_rule"
    target_vault_name = aws_backup_vault.aws_backup_vault.name
    # Daily at 05:00 (AWS Backup cron expressions are evaluated in UTC).
    schedule          = "cron(0 5 ? * * *)"
    # Windows are in minutes: the job must start within 8 hours and finish
    # within 7 days of the scheduled time.
    start_window      = 480
    completion_window = 10080
    # Cross-account copy target; local.destination_vault is expected to hold
    # the ARN of the destination account's vault.
    # NOTE(review): no lifecycle is set on the copy, so copied recovery points
    # in the destination vault are not expired by this plan; the 90-day
    # delete_after below applies only to the recovery points in the source
    # vault. Confirm that indefinite retention of the copies is intended.
    copy_action {
      destination_vault_arn = local.destination_vault
    }

    lifecycle {
      delete_after = 90
    }
  }
}

Backup Selection

# Assigns resources to the backup plan above. Only the EFS file system whose
# ARN is held in local.efs_arn is selected, and AWS Backup runs the jobs under
# this account's AWSBackupDefaultServiceRole (iam_role_arn).
resource "aws_backup_selection" "aws_backup_selection" {
  name         = "backup_selection"
  plan_id      = aws_backup_plan.aws_backup_plan.id
  resources    = [local.efs_arn]
  iam_role_arn = format("arn:aws:iam::%s:role/service-role/AWSBackupDefaultServiceRole", data.aws_caller_identity.current.account_id)
}