Policy Packs
Enforce Backups of EBS Volumes

Policy Setting: AWS > Backup > Stack > Source

Policies

This policy setting is dependent on the following policy types:

Source

# Sets the AWS > Backup > Stack > Source policy (type backupStackSource) on the
# policy pack `main`. The value is a template holding the Terraform that
# defines a backup vault, a daily backup plan and an EBS volume selection.
resource "turbot_policy_setting" "aws_backup_stack_source" {
resource = turbot_policy_pack.main.id
type = "tmod:@turbot/aws-backup#/policy/types/backupStackSource"
# Query input for the template: reads the account's "Id" field and exposes it
# as `account.id`, which the template references as {{ $.account.id }}.
template_input = <<-EOT
{
account {
id: get(path: "Id")
}
}
EOT
# Stack source template. It declares three resources:
#
# 1. aws_backup_vault "vault" (guardrails-backup-vault)
#    No kms_key_arn is set, so the vault presumably falls back to the default
#    AWS-managed key rather than a customer-managed one. No vault lock and no
#    vault access policy are declared in this template, so recovery points are
#    protected only by whatever IAM permissions exist in the account.
#    NOTE(review): confirm both are acceptable for the data on these volumes.
#
# 2. aws_backup_plan "guardrails_ebs_backups"
#    schedule cron(0 5 ? * * *) runs once a day at 05:00 (AWS Backup cron is UTC).
#    start_window and completion_window are in minutes: 480 = 8 hours to start,
#    10080 = 7 days to complete.
#    delete_after = 1 expires each recovery point one day after creation, so
#    roughly one restore point exists at any time.
#    NOTE(review): a one-day retention cannot recover from corruption, deletion
#    or ransomware that is noticed more than a day later; set delete_after to
#    match the organisation's recovery objectives before relying on this plan.
#
# 3. aws_backup_selection "ebs_resource_assignment"
#    resources = ["arn:aws:ec2:*:*:volume/*"] matches every EBS volume ARN.
#    NOTE(review): a selection acts within its plan's own account and region,
#    so confirm the stack is deployed in each region that needs coverage.
#    iam_role_arn points at role turbot/core/guardrails_backup_service_role in
#    the queried account; this template does not create that role, so it must
#    already exist and should carry only the permissions AWS Backup needs.
#
# NOTE(review): this listing shows no indentation. The lone `|` line looks like
# a YAML block-scalar marker, whose body would have to be indented; check the
# layout against the upstream policy pack before applying.
template = <<-EOT
|
resource "aws_backup_vault" "vault" {
name = "guardrails-backup-vault"
tags = {
turbot_version = "v5"
}
}
resource "aws_backup_plan" "guardrails_ebs_backups" {
name = "guardrails-backup-plan"
rule {
# The time allowed for the job to start, any longer and it will be cancelled.
start_window = 480
# The amount of time allowed for the backup to complete, before it is cancelled.
completion_window = 10080
#
rule_name = "guardrails-ebs-backups-rule"
schedule = "cron(0 5 ? * * *)"
target_vault_name = aws_backup_vault.vault.name
lifecycle {
delete_after = 1
}
}
}
resource "aws_backup_selection" "ebs_resource_assignment" {
iam_role_arn = "arn:aws:iam::{{ $.account.id }}:role/turbot/core/guardrails_backup_service_role"
name = "guardrails-ebs-resource-assignment"
plan_id = aws_backup_plan.guardrails_ebs_backups.id
resources = ["arn:aws:ec2:*:*:volume/*"]
}
EOT
# Decommission switch: an empty stack source ("[]") replaces the template.
# NOTE(review): presumably this removes the vault, plan and selection; confirm
# that no recovery points are still needed before switching.
# value = "[]" # To decommission the backup vault, uncomment this line and comment out the template and template_input.
}