
AWS-backup: The provided policy document does not meet the requirements of the specified policy type


The policy document I am providing does not conform to the expected format for the backup policy.

I'm trying to use this template.

AWSTemplateFormatVersion: '2010-09-09'
Transform:
  - 'AWS::LanguageExtensions'
Parameters:
  pOrgBackupTargetOUs:
    Description: A comma separated list of the AWS Organizations OUs to attach backup policies.
    Type: CommaDelimitedList
  pCentralBackupVaultArn:
    Description: The **ARN** of a centralized AWS Backup Vault that will be the secondary store for all AWS Backups. The defined organization backup policy plans will "copy_to" this vault.
    Type: String
  pCrossAccountBackupRole:
    Description: This is the IAM role name for the cross-account backup role that carries out the backup activities.
    Type: String
  pMemberAccountBackupVault:
    AllowedPattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
    ConstraintDescription: The name of the member account Backup vaults. (Name is case sensitive). 
    Type: String
  pTagKey:
    Type: String 
    Description: This is the tag key to assign to resources.
    Default: 'project'
  pTagValue:
    Type: String 
    Description: This is the tag value to assign to resources.
    Default: 'aws-backup'
Resources:
  rOrgDailyBackUpPolicy:
    Type: AWS::Organizations::Policy
    Properties:
      Name: org-daily-backup-policy
      Description: >-
        BackupPolicy for Daily Backup as per the resource selection criteria
      Type: BACKUP_POLICY
      TargetIds: !Ref pOrgBackupTargetOUs
      Content:
        Fn::ToJsonString:
          plans:
            OrgBackupPlanDaily:
              rules:
                OrgDailyBackupRule:
                  schedule_expression:
                    "@@assign": cron(0 19 ? * * *)
                  start_backup_window_minutes:
                    "@@assign": '60'
                  complete_backup_window_minutes:
                    "@@assign": '1200'
                  lifecycle:
                    delete_after_days:
                      "@@assign": '14'
                  target_backup_vault_name:
                    "@@assign": !Ref pMemberAccountBackupVault
                  recovery_point_tags:
                    project:
                      tag_key:
                        "@@assign": !Ref pTagKey
                      tag_value:
                        "@@assign": !Ref pTagValue
                  copy_actions:
                    "<my-central-vault-ARN-hardcoded>":
                      target_backup_vault_arn:
                        "@@assign": !Ref pCentralBackupVaultArn
                      lifecycle:
                        delete_after_days:
                          "@@assign": '14'
              backup_plan_tags:
                project:
                  tag_key:
                    "@@assign": !Ref pTagKey
                  tag_value:
                    "@@assign": !Ref pTagValue
              regions:
                "@@append":
                  - eu-central-1
              selections:
                tags:
                  OrgDailyBackupSelection:
                    iam_role_arn:
                      "@@assign": !Sub 'arn:aws:iam::$account:role/${pCrossAccountBackupRole}'
                    tag_key:
                      "@@assign": 'backup'
                    tag_value:
                      "@@assign":
                        - daily

Explanation of code:

Overall, this CloudFormation template creates an AWS backup policy for resources within an AWS Organization, specifying the backup rules and the storage locations for the backup data.

  • rOrgDailyBackUpPolicy resource of type AWS::Organizations::Policy that creates a backup policy within the specified target OUs.
  • Name and Description specify the name and description of the backup policy. Type specifies the type of policy as BACKUP_POLICY.
  • TargetIds specifies the AWS Organization OUs to which the policy will be attached.
  • Content specifies the backup policy plan details using the intrinsic function Fn::ToJsonString, which converts the contents to a JSON-formatted string. This backup plan has the name OrgBackupPlanDaily and includes a set of rules that define when and how backups are taken. These rules include scheduling expressions, window duration for backups, and lifecycle details for backup data.
  • backup_plan_tags and recovery_point_tags specify tags to apply to the backup plan and recovery points created by the plan, respectively.
  • regions specifies the regions in which backups are taken.
  • selections specifies the resource selection criteria for backups. In this case, it selects resources with the tag backup set to daily.
  • iam_role_arn specifies the IAM role name for the cross-account backup role that carries out the backup activities.
  • target_backup_vault_name and target_backup_vault_arn specify the name and ARN of the backup vaults where the backups will be stored. target_backup_vault_arn is set to the value of the pCentralBackupVaultArn parameter passed to the template.
  • copy_actions specifies the backup vault where a copy of backups will be stored. This section includes the name of the backup vault, and the lifecycle details for the copied data. The target_backup_vault_arn value is hardcoded and not parameterized.

But I am getting the error "The provided policy document does not meet the requirements of the specified policy type" while trying to create the backup policy.


Solution

  • My fault. I was providing the name of the central vault instead of the ARN as the template parameter.

    So make sure that copy_actions contains the ARN of the central vault, both hardcoded and as a parameter.
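The failure in the question is a value problem (a vault name where a vault ARN is required), not a YAML problem, so CloudFormation only reports it when Organizations rejects the rendered policy. The following is an added example, not code from the question or the answer: a small Python pre-flight check that builds the policy content the way the template's Fn::ToJsonString block does and then verifies that the copy_actions key and its target_backup_vault_arn are both backup vault ARNs (and identical), that target_backup_vault_name is a plain vault name, and that iam_role_arn is an IAM role ARN. The ARN and account values are constructed placeholders, and the regular expressions are an approximation of the AWS formats for the standard "aws" partition only.

```python
import json
import re

# Constructed placeholders (not taken from the question); the account id is fake.
CENTRAL_VAULT_ARN = "arn:aws:backup:eu-central-1:111111111111:backup-vault:org-central-vault"
CENTRAL_VAULT_NAME = "org-central-vault"  # the kind of value that was passed by mistake

# Approximate AWS formats (assumption: standard "aws" partition only).
VAULT_ARN_RE = re.compile(r"^arn:aws:backup:[a-z0-9-]+:\d{12}:backup-vault:[a-zA-Z0-9\-_.]{1,50}$")
VAULT_NAME_RE = re.compile(r"^[a-zA-Z0-9\-_.]{1,50}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\$account|\d{12}):role/[\w+=,.@/-]+$")


def render_policy(central_vault_arn, member_vault_name, role_name,
                  tag_key="project", tag_value="aws-backup"):
    """Build the policy content as the template's Fn::ToJsonString block renders it.
    The copy_actions key and its target_backup_vault_arn both carry the central vault value."""
    tags = {tag_key: {"tag_key": {"@@assign": tag_key}, "tag_value": {"@@assign": tag_value}}}
    return {
        "plans": {
            "OrgBackupPlanDaily": {
                "rules": {
                    "OrgDailyBackupRule": {
                        "schedule_expression": {"@@assign": "cron(0 19 ? * * *)"},
                        "start_backup_window_minutes": {"@@assign": "60"},
                        "complete_backup_window_minutes": {"@@assign": "1200"},
                        "lifecycle": {"delete_after_days": {"@@assign": "14"}},
                        "target_backup_vault_name": {"@@assign": member_vault_name},
                        "recovery_point_tags": tags,
                        "copy_actions": {
                            central_vault_arn: {
                                "target_backup_vault_arn": {"@@assign": central_vault_arn},
                                "lifecycle": {"delete_after_days": {"@@assign": "14"}},
                            }
                        },
                    }
                },
                "backup_plan_tags": tags,
                "regions": {"@@append": ["eu-central-1"]},
                "selections": {
                    "tags": {
                        "OrgDailyBackupSelection": {
                            # $account is the backup-policy variable for the member account id
                            "iam_role_arn": {"@@assign": f"arn:aws:iam::$account:role/{role_name}"},
                            "tag_key": {"@@assign": "backup"},
                            "tag_value": {"@@assign": ["daily"]},
                        }
                    }
                },
            }
        }
    }


def check_backup_policy(policy):
    """Return a list of human-readable problems; an empty list means the checks pass."""
    problems = []
    for plan_name, plan in policy.get("plans", {}).items():
        for rule_name, rule in plan.get("rules", {}).items():
            where = f"{plan_name}/{rule_name}"
            vault = rule.get("target_backup_vault_name", {}).get("@@assign", "")
            if not VAULT_NAME_RE.match(vault):
                problems.append(f"{where}: target_backup_vault_name {vault!r} is not a valid vault name")
            for key, action in rule.get("copy_actions", {}).items():
                target = action.get("target_backup_vault_arn", {}).get("@@assign", "")
                if not VAULT_ARN_RE.match(key):
                    problems.append(f"{where}: copy_actions key {key!r} is not a backup vault ARN")
                if not VAULT_ARN_RE.match(target):
                    problems.append(f"{where}: target_backup_vault_arn {target!r} is not a backup vault ARN")
                if key != target:
                    problems.append(f"{where}: copy_actions key and target_backup_vault_arn differ")
        for sel_name, sel in plan.get("selections", {}).get("tags", {}).items():
            role = sel.get("iam_role_arn", {}).get("@@assign", "")
            if not ROLE_ARN_RE.match(role):
                problems.append(f"{plan_name}/{sel_name}: iam_role_arn {role!r} is not an IAM role ARN")
    return problems


if __name__ == "__main__":
    bad = render_policy(CENTRAL_VAULT_NAME, "member-vault", "OrgBackupRole")
    good = render_policy(CENTRAL_VAULT_ARN, "member-vault", "OrgBackupRole")
    for problem in check_backup_policy(bad):
        print("BAD: ", problem)
    print("good:", check_backup_policy(good) or "no problems")
    print(json.dumps(good, indent=2))
```

Run the check on the rendered content before deploying the stack: with the vault name in place of the ARN it reports both the copy_actions key and target_backup_vault_arn as invalid, which is exactly the condition Organizations rejects with the generic "does not meet the requirements" message.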