
How do I exclude certain EBS volumes attached to an EC2 instance from being backed up?


I'm working on a system-wide backup solution that uses AWS Backup to back up all EC2 instances running in an environment. Some of them have attached EBS volumes, which also appear to be backed up together with the instance. Below is my Terraform code, which takes snapshots every week:

resource "aws_backup_region_settings" "legacy" {
  # Regional opt-in for AWS Backup. Only EC2 and EBS are opted in; every
  # other supported service is explicitly opted out so nothing outside the
  # intended scope is picked up by a tag-based selection.
  # EBS stays opted in alongside EC2 because the attached volumes are what
  # the instance-level backups observed in this environment consist of.
  resource_type_opt_in_preference = {
    "Aurora"          = false
    "DocumentDB"      = false
    "DynamoDB"        = false
    "EBS"             = true
    "EC2"             = true
    "EFS"             = false
    "FSx"             = false
    "Neptune"         = false
    "RDS"             = false
    "Storage Gateway" = false
    "VirtualMachine"  = false
  }
}

resource "aws_backup_vault" "legacy" {
  # Primary vault for this environment. Recovery points are encrypted with
  # the customer-managed KMS key from aws_kms_key.mgn, so access to backups
  # is gated by that key's policy as well as by the vault itself.
  # NOTE(review): nothing here prevents deletion of recovery points; if
  # immutability is a requirement, an aws_backup_vault_lock_configuration
  # for this vault would be the place to enforce it.
  kms_key_arn = aws_kms_key.mgn.arn
  name        = "Legacy${var.environment_tag}"

  # Shared environment tags plus a Name tag mirroring the vault name.
  tags = merge(local.tags, { "Name" = "Legacy${var.environment_tag}" })
}

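resource "aws_iam_role" "legacy_backup" {
  # Service role assumed by AWS Backup when it creates recovery points.
  # Its permissions come from the managed policy attached separately in
  # aws_iam_role_policy_attachment.legacy_backup and are capped by the
  # permissions boundary below.
  name                 = "AWSBackupService"
  permissions_boundary = data.aws_iam_policy.role_permissions_boundary.arn

  # Trust policy: only the AWS Backup service principal may assume the role.
  # Written with jsonencode so Terraform produces well-formed JSON. The
  # original heredoc used Effect = "allow"; the IAM policy grammar spells
  # the value "Allow", and lowercase is at best non-portable.
  # NOTE(review): for confused-deputy protection across accounts, a
  # Condition on aws:SourceAccount could be added to this statement —
  # confirm that AWS Backup populates it before relying on it.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = ["sts:AssumeRole"]
        Principal = { Service = ["backup.amazonaws.com"] }
      }
    ]
  })
}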

resource "aws_iam_role_policy_attachment" "legacy_backup" {
  # Attaches the AWS-managed backup policy to the service role. Only the
  # backup-side policy is attached here, so this role can create recovery
  # points but is not granted the managed restore policy
  # (AWSBackupServiceRolePolicyForRestores); restores need a separate grant.
  role       = aws_iam_role.legacy_backup.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
}

###############################################################################
##
## Weekly Backups
##
###############################################################################

resource "aws_backup_plan" "weekly" {
  # Weekly backup plan for the environment. One rule writes to the primary
  # vault on the configured schedule and then copies the recovery point to
  # each vault listed in the dynamic copy_action block below.
  name = "Legacy${var.environment_tag}Weekly"

  rule {
    rule_name                = "Legacy${var.environment_tag}Weekly"
    target_vault_name        = aws_backup_vault.legacy.name
    schedule                 = var.backup_plan_weekly_schedule
    enable_continuous_backup = false
    # Windows (minutes): the job must start within 60 and finish within 180.
    start_window      = 60
    completion_window = 180

    # Retention (days). AWS requires delete_after to be at least 90 days
    # after cold_storage_after; 30 + 90 = 120 sits exactly on that floor.
    lifecycle {
      cold_storage_after = 30
      delete_after       = 120
    }

    # One copy_action per destination vault, each with the same retention
    # as the primary recovery point.
    # NOTE(review): the first destination is the rule's own target vault;
    # confirm that a same-vault copy is intended, since it adds no
    # separation from the primary copy (and may be rejected by the service).
    dynamic "copy_action" {
      for_each = [
        aws_backup_vault.legacy.arn,
        aws_backup_vault.secondary.arn,
      ]
      content {
        destination_vault_arn = copy_action.value

        lifecycle {
          cold_storage_after = 30
          delete_after       = 120
        }
      }
    }
  }

  # Application-consistent (VSS) snapshots for EC2; only meaningful for
  # Windows instances that can run the VSS components.
  advanced_backup_setting {
    resource_type  = "EC2"
    backup_options = { WindowsVSS = "enabled" }
  }

  tags = merge(local.tags, { "Name" = "Legacy${var.environment_tag}Weekly" })
}

resource "aws_backup_selection" "weekly" {
  # Assigns resources to the weekly plan by tag, using the backup service
  # role defined above. STRINGEQUALS is an exact, case-sensitive match, so
  # an instance must carry the tag AWSBackup = "weekly" verbatim ("Weekly"
  # would not be selected).
  name         = "Legacy${var.environment_tag}Weekly"
  plan_id      = aws_backup_plan.weekly.id
  iam_role_arn = aws_iam_role.legacy_backup.arn

  selection_tag {
    key   = "AWSBackup"
    value = "weekly"
    type  = "STRINGEQUALS"
  }

  # To keep a single volume out of a tag-based selection, current provider
  # versions accept a not_resources list of ARNs on this resource, e.g.
  # (constructed placeholder):
  #   not_resources = ["<EXCLUDED_EBS_VOLUME_ARN>"]
}

In the EC2 code, I will tag the instances with "AWSBackup" and "Weekly", and this works for all instances and their attached volumes. If I don't want one of the EBS volumes backed up, is there a way to exclude it?


Solution

  • It's possible, but not yet supported in Terraform. The PR has already been created, so it shouldn't take too long.

    After the PR is merged, you should be able to create an aws_backup_selection and use "NotResources" to exclude your EBS volume.

    Alternatively, tag only the resources that need to be backed up; then the backup plan does not need an exclusion at all.