Categorygithub.com/aws/aws-cdk-go/awscdk/v2awsbackup
package
2.166.0
Repository: https://github.com/aws/aws-cdk-go.git
Documentation: pkg.go.dev
Overview
Versions
2
Dependencies
15
Dependents
0
Files
11.2k SLOC

# README

AWS Backup Construct Library

AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services in the cloud and on premises. Using AWS Backup, you can configure backup policies and monitor backup activity for your AWS resources in one place.

Backup plan and selection

In AWS Backup, a backup plan is a policy expression that defines when and how you want to back up your AWS resources, such as Amazon DynamoDB tables or Amazon Elastic File System (Amazon EFS) file systems. You can assign resources to backup plans, and AWS Backup automatically backs up and retains backups for those resources according to the backup plan. You can create multiple backup plans if you have workloads with different backup requirements.

This module provides ready-made backup plans (similar to the console experience):

// Daily, weekly and monthly with 5 year retention
plan := backup.BackupPlan_DailyWeeklyMonthly5YearRetention(this, jsii.String("Plan"))

Assigning resources to a plan can be done with addSelection():

var plan backupPlan
var vpc vpc

myTable := dynamodb.Table_FromTableName(this, jsii.String("Table"), jsii.String("myTableName"))
myDatabaseInstance := rds.NewDatabaseInstance(this, jsii.String("DatabaseInstance"), &DatabaseInstanceProps{
	Engine: rds.DatabaseInstanceEngine_Mysql(&MySqlInstanceEngineProps{
		Version: rds.MysqlEngineVersion_VER_8_0_26(),
	}),
	Vpc: Vpc,
})
myDatabaseCluster := rds.NewDatabaseCluster(this, jsii.String("DatabaseCluster"), &DatabaseClusterProps{
	Engine: rds.DatabaseClusterEngine_AuroraMysql(&AuroraMysqlClusterEngineProps{
		Version: rds.AuroraMysqlEngineVersion_VER_2_08_1(),
	}),
	Credentials: rds.Credentials_FromGeneratedSecret(jsii.String("clusteradmin")),
	InstanceProps: &InstanceProps{
		Vpc: *Vpc,
	},
})
myServerlessCluster := rds.NewServerlessCluster(this, jsii.String("ServerlessCluster"), &ServerlessClusterProps{
	Engine: rds.DatabaseClusterEngine_AURORA_POSTGRESQL(),
	ParameterGroup: rds.ParameterGroup_FromParameterGroupName(this, jsii.String("ParameterGroup"), jsii.String("default.aurora-postgresql11")),
	Vpc: Vpc,
})
myCoolConstruct := constructs.NewConstruct(this, jsii.String("MyCoolConstruct"))

plan.AddSelection(jsii.String("Selection"), &BackupSelectionOptions{
	Resources: []backupResource{
		backup.*backupResource_FromDynamoDbTable(myTable),
		backup.*backupResource_FromRdsDatabaseInstance(myDatabaseInstance),
		backup.*backupResource_FromRdsDatabaseCluster(myDatabaseCluster),
		backup.*backupResource_FromRdsServerlessCluster(myServerlessCluster),
		backup.*backupResource_FromTag(jsii.String("stage"), jsii.String("prod")),
		backup.*backupResource_FromConstruct(myCoolConstruct),
	},
})

If not specified, a new IAM role with a managed policy for backup will be created for the selection. The BackupSelection implements IGrantable.

To disable the plan from assigning the default AWSBackupServiceRolePolicyForBackup backup policy use the disableDefaultBackupPolicy property.

This is useful if you want to avoid granting unnecessary permissions to the role.

var plan backupPlan


role := iam.NewRole(this, jsii.String("BackupRole"), &RoleProps{
	AssumedBy: iam.NewServicePrincipal(jsii.String("backup.amazonaws.com")),
})
// Assign S3-specific backup policy
role.AddManagedPolicy(iam.ManagedPolicy_FromAwsManagedPolicyName(jsii.String("AWSBackupServiceRolePolicyForS3Backup")))

plan.AddSelection(jsii.String("Selection"), &BackupSelectionOptions{
	Resources: []backupResource{
		backup.*backupResource_FromTag(jsii.String("stage"), jsii.String("prod")),
	},
	Role: Role,
	DisableDefaultBackupPolicy: jsii.Boolean(true),
})

To add rules to a plan, use addRule():

var plan backupPlan

plan.AddRule(backup.NewBackupPlanRule(&BackupPlanRuleProps{
	CompletionWindow: awscdk.Duration_Hours(jsii.Number(2)),
	StartWindow: awscdk.Duration_*Hours(jsii.Number(1)),
	ScheduleExpression: events.Schedule_Cron(&CronOptions{
		 // Only cron expressions are supported
		Day: jsii.String("15"),
		Hour: jsii.String("3"),
		Minute: jsii.String("30"),
	}),
	MoveToColdStorageAfter: awscdk.Duration_Days(jsii.Number(30)),
}))

Continuous backup and point-in-time restores (PITR) can be configured. Property deleteAfter defines the retention period for the backup. It is mandatory if PITR is enabled. If no value is specified, the retention period is set to 35 days which is the maximum retention period supported by PITR. Property moveToColdStorageAfter must not be specified because PITR does not support this option. This example defines an AWS Backup rule with PITR and a retention period set to 14 days:

var plan backupPlan

plan.AddRule(backup.NewBackupPlanRule(&BackupPlanRuleProps{
	EnableContinuousBackup: jsii.Boolean(true),
	DeleteAfter: awscdk.Duration_Days(jsii.Number(14)),
}))

Rules can also specify to copy recovery points to another Backup Vault using copyActions. Copied recovery points can optionally have moveToColdStorageAfter and deleteAfter configured.

var plan backupPlan
var secondaryVault backupVault

plan.AddRule(backup.NewBackupPlanRule(&BackupPlanRuleProps{
	CopyActions: []backupPlanCopyActionProps{
		&backupPlanCopyActionProps{
			DestinationBackupVault: secondaryVault,
			MoveToColdStorageAfter: awscdk.Duration_Days(jsii.Number(30)),
			DeleteAfter: awscdk.Duration_*Days(jsii.Number(120)),
		},
	},
}))

You can assign your own metadata to the resources that are associated with the rule when restored from backup using recoveryPointTags. Each tag is a key-value pair.

var plan backupPlan

plan.AddRule(backup.NewBackupPlanRule(&BackupPlanRuleProps{
	RecoveryPointTags: map[string]*string{
		"key": jsii.String("value"),
	},
}))

Ready-made rules are also available:

var plan backupPlan

plan.AddRule(backup.BackupPlanRule_Daily())
plan.AddRule(backup.BackupPlanRule_Weekly())

By default a new vault is created when creating a plan. It is also possible to specify a vault either at the plan level or at the rule level.

myVault := backup.BackupVault_FromBackupVaultName(this, jsii.String("Vault1"), jsii.String("myVault"))
otherVault := backup.BackupVault_FromBackupVaultName(this, jsii.String("Vault2"), jsii.String("otherVault"))

plan := backup.BackupPlan_Daily35DayRetention(this, jsii.String("Plan"), myVault) // Use `myVault` for all plan rules
plan.AddRule(backup.BackupPlanRule_Monthly1Year(otherVault))

You can backup VSS-enabled Windows applications running on Amazon EC2 instances by setting the windowsVss parameter to true. If the application has VSS writer registered with Windows VSS, then AWS Backup creates a snapshot that will be consistent for that application.

plan := backup.NewBackupPlan(this, jsii.String("Plan"), &BackupPlanProps{
	WindowsVss: jsii.Boolean(true),
})

Backup vault

In AWS Backup, a backup vault is a container that you organize your backups in. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. If you require different encryption keys or access policies for different groups of backups, you can optionally create multiple backup vaults.

myKey := kms.Key_FromKeyArn(this, jsii.String("MyKey"), jsii.String("aaa"))
myTopic := sns.Topic_FromTopicArn(this, jsii.String("MyTopic"), jsii.String("bbb"))

vault := backup.NewBackupVault(this, jsii.String("Vault"), &BackupVaultProps{
	EncryptionKey: myKey,
	 // Custom encryption key
	NotificationTopic: myTopic,
})

A vault has a default RemovalPolicy set to RETAIN. Note that removing a vault that contains recovery points will fail.

You can assign policies to backup vaults and the resources they contain. Assigning policies allows you to do things like grant access to users to create backup plans and on-demand backups, but limit their ability to delete recovery points after they're created.

Use the accessPolicy property to create a backup vault policy:

vault := backup.NewBackupVault(this, jsii.String("Vault"), &BackupVaultProps{
	AccessPolicy: iam.NewPolicyDocument(&PolicyDocumentProps{
		Statements: []policyStatement{
			iam.NewPolicyStatement(&PolicyStatementProps{
				Effect: iam.Effect_DENY,
				Principals: []iPrincipal{
					iam.NewAnyPrincipal(),
				},
				Actions: []*string{
					jsii.String("backup:DeleteRecoveryPoint"),
				},
				Resources: []*string{
					jsii.String("*"),
				},
				Conditions: map[string]interface{}{
					"StringNotLike": map[string][]*string{
						"aws:userId": []*string{
							jsii.String("user1"),
							jsii.String("user2"),
						},
					},
				},
			}),
		},
	}),
})

Alternativately statements can be added to the vault policy using addToAccessPolicy().

Use the blockRecoveryPointDeletion property or the blockRecoveryPointDeletion() method to add a statement to the vault access policy that prevents recovery point deletions in your vault:

var backupVault backupVault
backup.NewBackupVault(this, jsii.String("Vault"), &BackupVaultProps{
	BlockRecoveryPointDeletion: jsii.Boolean(true),
})
backupVault.BlockRecoveryPointDeletion()

By default access is not restricted.

Use the lockConfiguration property to enable AWS Backup Vault Lock:

backup.NewBackupVault(this, jsii.String("Vault"), &BackupVaultProps{
	LockConfiguration: &LockConfiguration{
		MinRetention: awscdk.Duration_Days(jsii.Number(30)),
	},
})

Importing existing backup vault

To import an existing backup vault into your CDK application, use the BackupVault.fromBackupVaultArn or BackupVault.fromBackupVaultName static method. Here is an example of giving an IAM Role permission to start a backup job:

importedVault := backup.BackupVault_FromBackupVaultName(this, jsii.String("Vault"), jsii.String("myVaultName"))

role := iam.NewRole(this, jsii.String("Access Role"), &RoleProps{
	AssumedBy: iam.NewServicePrincipal(jsii.String("lambda.amazonaws.com")),
})

importedVault.Grant(role, jsii.String("backup:StartBackupJob"))

# Functions

Daily with 35 day retention.
Daily and monthly with 1 year retention.
Daily, weekly and monthly with 5 year retention.
Daily, weekly and monthly with 7 year retention.
Import an existing backup plan.
Checks if `x` is a construct.
Returns true if the construct was created by CDK, and false otherwise.
Check whether the given construct is a Resource.
Daily with 35 days retention.
Monthly 1 year retention, move to cold storage after 1 month.
Monthly 5 year retention, move to cold storage after 3 months.
Monthly 7 year retention, move to cold storage after 3 months.
Weekly with 3 months retention.
A list of ARNs or match patterns such as `arn:aws:ec2:us-east-1:123456789012:volume/*`.
Adds all supported resources in a construct.
A DynamoDB table.
An EC2 instance.
An EFS file system.
A RDS database cluter.
A RDS database instance.
An Aurora database instance.
A tag condition.
Checks if `x` is a construct.
Returns true if the construct was created by CDK, and false otherwise.
Check whether the given construct is a Resource.
Import an existing backup vault by arn.
Import an existing backup vault by name.
Checks if `x` is a construct.
Returns true if the construct was created by CDK, and false otherwise.
Check whether the given construct is a Resource.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author

# Constants

BACKUP_JOB_COMPLETED.
BACKUP_JOB_EXPIRED.
BACKUP_JOB_FAILED.
BACKUP_JOB_STARTED.
BACKUP_JOB_SUCCESSFUL.
BACKUP_PLAN_CREATED.
BACKUP_PLAN_MODIFIED.
COPY_JOB_FAILED.
COPY_JOB_STARTED.
COPY_JOB_SUCCESSFUL.
RECOVERY_POINT_MODIFIED.
RESTORE_JOB_COMPLETED.
RESTORE_JOB_FAILED.
RESTORE_JOB_STARTED.
RESTORE_JOB_SUCCESSFUL.
S3_BACKUP_OBJECT_FAILED.
BACKUP_PLAN_MODIFIED.
Dummy member.
StringEquals.

# Structs

Properties for a BackupPlanCopyAction.
Properties for a BackupPlan.
Properties for a BackupPlanRule.
Options for a BackupSelection.
Properties for a BackupSelection.
Properties for a BackupVault.
Specifies an object containing resource type and backup options.
Specifies an object containing properties used to create a backup plan.
Specifies an object containing properties used to schedule a task to back up a selection of resources.
Copies backups created by a backup rule to another vault.
Specifies an object containing an array of `Transition` objects that determine how long in days before a recovery point transitions to cold storage or is deleted.
Properties for defining a `CfnBackupPlan`.
Specifies an object containing properties used to assign a set of resources to a backup plan.
Includes information about tags you define to assign tagged resources to a backup plan.
Specifies an object that contains an array of triplets made up of a condition type (such as `STRINGEQUALS` ), a key, and a value.
Contains information about which resources to include or exclude from a backup plan using their tags.
Properties for defining a `CfnBackupSelection`.
The `LockConfigurationType` property type specifies configuration for [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html) .
Specifies an object containing SNS event notification properties for the target backup vault.
Properties for defining a `CfnBackupVault`.
The parameters for a control.
A framework consists of one or more controls.
Contains detailed information about all of the controls of a framework.
Properties for defining a `CfnFramework`.
Example: // The code below shows an example of how to instantiate this type.
Properties for defining a `CfnLogicallyAirGappedBackupVault`.
Contains information from your report plan about where to deliver your reports, specifically your Amazon S3 bucket name, S3 key prefix, and the formats of your reports.
Contains detailed information about a report setting.
Properties for defining a `CfnReportPlan`.
`RecoveryPointSelection` has five parameters (three required and two optional).
Properties for defining a `CfnRestoreTestingPlan`.
Pair of two related strings.
The conditions that you define for resources in your restore testing plan using tags.
Properties for defining a `CfnRestoreTestingSelection`.
Configuration for AWS Backup Vault Lock.
A tag condition.

# Interfaces

A backup plan.
A backup plan rule.
A resource to backup.
A backup selection.
A backup vault.
Contains an optional backup plan display name and an array of `BackupRule` objects, each of which specifies a backup rule.
Specifies a set of resources to assign to a backup plan.
Creates a logical container where backups are stored.
Creates a framework with one or more controls.
Creates a logical container to where backups may be copied.
Creates a report plan.
Creates a restore testing plan.
This request can be sent after CreateRestoreTestingPlan request returns successfully.
A backup plan.
A backup vault.

# Type aliases

Backup vault events.
An operation that is applied to a key-value pair.