amazon-web-services aws-backup

How to build an AWS CloudFormation YML from AWS Backup


I'm using AWS Backup services to create backups of my DynamoDB, but I don't like that solution because it's very manual and not replicable.

Now, how can I build an AWS Backup (from CloudFormation Designer or a template)?

I've been searching about it, but I can't do it.

Note: I don't want to make the backup using a scheduled event with Lambda. I need to use AWS Backup, but where can I get a CloudFormation template for easy creation / update?


Solution

    Description: "Backup Plan template to back up all resources tagged with backup=daily daily at 5am UTC."
    Resources:
      KMSKey:
        Type: AWS::KMS::Key
        Properties:
          Description: "Encryption key for daily"
          EnableKeyRotation: True
          Enabled: True
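          # Gives the account root full access to the key, which delegates
          # key access control to IAM policies in this account.
          KeyPolicy: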
            Version: "2012-10-17"
            Statement:
            - Effect: Allow
              Principal:
                "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" }
              Action:
              - kms:*
              Resource: "*"
    
      BackupVaultWithDailyBackups:
        Type: "AWS::Backup::BackupVault"
        Properties:
          BackupVaultName: "BackupVaultWithDailyBackups"
          EncryptionKeyArn: !GetAtt KMSKey.Arn
    
      BackupPlanWithDailyBackups:
        Type: "AWS::Backup::BackupPlan"
        Properties:
          BackupPlan:
            BackupPlanName: "BackupPlanWithDailyBackups"
            BackupPlanRule:
              -
                RuleName: "RuleForDailyBackups"
                TargetBackupVault: !Ref BackupVaultWithDailyBackups
                ScheduleExpression: "cron(0 5 ? * * *)"
    
        DependsOn: BackupVaultWithDailyBackups
    
      DDBTableWithDailyBackupTag:
        Type: "AWS::DynamoDB::Table"
        Properties:
          TableName: "TestTable"
          AttributeDefinitions:
            -
              AttributeName: "Album"
              AttributeType: "S"
          KeySchema:
            -
              AttributeName: "Album"
              KeyType: "HASH"
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
          Tags:
            - 
              Key: "backup"
              Value: "daily"
    
      BackupRole:
        Type: "AWS::IAM::Role"
        Properties:
         AssumeRolePolicyDocument:
           Version: "2012-10-17"
           Statement:
             -
              Effect: "Allow"
              Principal:
                Service:
                  - "backup.amazonaws.com"
              Action:
                - "sts:AssumeRole"
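         ManagedPolicyArns:
           -
            # AWS managed policy that lets AWS Backup create backups of supported resources
            "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"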
    
      TagBasedBackupSelection:
        Type: "AWS::Backup::BackupSelection"
        Properties:
          BackupSelection:
            SelectionName: "TagBasedBackupSelection"
            IamRoleArn: !GetAtt BackupRole.Arn
            ListOfTags:
             -
               ConditionType: "STRINGEQUALS"
               ConditionKey: "backup"
               ConditionValue: "daily"
          BackupPlanId: !Ref BackupPlanWithDailyBackups
        DependsOn: BackupPlanWithDailyBackups 
    

    Reference:
    https://docs.aws.amazon.com/aws-backup/latest/devguide/integrate-cloudformation-with-aws-backup.html

    https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Backup.html