Adding backup plan for dynamodb #745

Merged: 2 commits, Feb 7, 2025

sylviamclaughlin (Contributor)

Summary | Résumé

Adding a backup to the DynamoDB database that will run every day at 1:00 am EST.

@sylviamclaughlin self-assigned this on Feb 7, 2025
@sylviamclaughlin requested a review from a team on February 7, 2025 22:34

github-actions bot commented Feb 7, 2025

Production: terraform

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 6 to add, 0 to change, 0 to destroy
Summary:
CHANGE  NAME
add     aws_backup_plan.sre_bot_backup_plan
        aws_backup_selection.sre_bot_backup_selection
        aws_backup_vault.sre_bot_backup_vault
        aws_iam_policy_attachment.sre_bot_backup_role_policy
        aws_iam_role.sre_bot_backup_role
        aws_kms_key.sre_bot_backup_vault_key

Plan:
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_backup_plan.sre_bot_backup_plan will be created
  + resource "aws_backup_plan" "sre_bot_backup_plan" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + name     = "sre-bot-dynamodb-backup-plan"
      + tags_all = (known after apply)
      + version  = (known after apply)

      + rule {
          + completion_window            = 120
          + enable_continuous_backup     = false
          + rule_name                    = "sre-bot-dynamodb-backup-rule"
          + schedule                     = "cron(0 6 * * ? *)"
          + schedule_expression_timezone = "Etc/UTC"
          + start_window                 = 60
          + target_vault_name            = "sre-bot-dynamodb-backup-vault"

          + lifecycle {
              + delete_after                              = 30
              + opt_in_to_archive_for_supported_resources = (known after apply)
            }
        }
    }
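
Review bot: the rule's `schedule = "cron(0 6 * * ? *)"` with `schedule_expression_timezone = "Etc/UTC"` matches the stated 1:00 am only while Eastern time is on standard time (UTC-5); during daylight saving time the job starts at 2:00 am local. If 1:00 am local time year-round is the intent, set `schedule_expression_timezone` to the local zone (for example `America/Toronto`, an assumption about which zone is meant) and use `cron(0 1 * * ? *)`; if a fixed UTC time is intended, say so in the PR description.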

  # aws_backup_selection.sre_bot_backup_selection will be created
  + resource "aws_backup_selection" "sre_bot_backup_selection" {
      + iam_role_arn  = (known after apply)
      + id            = (known after apply)
      + name          = "sre-bot-dynamodb-backup-selection"
      + not_resources = (known after apply)
      + plan_id       = (known after apply)
      + resources     = [
          + "arn:aws:dynamodb:ca-central-1:283582579564:table/aws_access_requests",
          + "arn:aws:dynamodb:ca-central-1:283582579564:table/incidents",
          + "arn:aws:dynamodb:ca-central-1:283582579564:table/sre_bot_data",
          + "arn:aws:dynamodb:ca-central-1:283582579564:table/webhooks",
        ]

      + condition {
          + string_equals {
              + key   = (known after apply)
              + value = (known after apply)
            }

          + string_like {
              + key   = (known after apply)
              + value = (known after apply)
            }

          + string_not_equals {
              + key   = (known after apply)
              + value = (known after apply)
            }

          + string_not_like {
              + key   = (known after apply)
              + value = (known after apply)
            }
        }
    }
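
Review bot: `resources` enumerates four table ARNs, so coverage is fixed to the tables that exist today; a table added to this stack later is silently left out of the backup until this list is edited. If the ARNs are literals in the configuration, reference each `aws_dynamodb_table` resource's `arn` attribute instead, or select by tag with a `selection_tag` block so new tables are picked up once tagged.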

  # aws_backup_vault.sre_bot_backup_vault will be created
  + resource "aws_backup_vault" "sre_bot_backup_vault" {
      + arn             = (known after apply)
      + force_destroy   = false
      + id              = (known after apply)
      + kms_key_arn     = (known after apply)
      + name            = "sre-bot-dynamodb-backup-vault"
      + recovery_points = (known after apply)
      + tags_all        = (known after apply)
    }
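
Review bot: nothing in the six planned resources restricts deletion of recovery points in `sre-bot-dynamodb-backup-vault`: there is no `aws_backup_vault_lock_configuration` and no `aws_backup_vault_policy`, so the 30-day retention covers accidental table loss but not a principal in this account that is allowed to delete recovery points. Consider adding a vault lock with a minimum retention, or a vault access policy that denies `backup:DeleteRecoveryPoint` to all but a designated role. Conftest also reports `Missing Common Tags` for this vault.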

  # aws_iam_policy_attachment.sre_bot_backup_role_policy will be created
  + resource "aws_iam_policy_attachment" "sre_bot_backup_role_policy" {
      + id         = (known after apply)
      + name       = "sre-bot-dynamodb-backup-role-policy"
      + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
      + roles      = [
          + "sre-bot-dynamodb-backup-role",
        ]
    }
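
Review bot: `aws_iam_policy_attachment` manages the attachment of `AWSBackupServiceRolePolicyForBackup` exclusively: Terraform treats the `roles` list here as the complete set of attachments for that policy in the account, so applying this detaches the managed policy from any other role, user or group that has it attached outside this resource. Use `aws_iam_role_policy_attachment` for `sre-bot-dynamodb-backup-role` instead, which manages only this one role's attachment.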

  # aws_iam_role.sre_bot_backup_role will be created
  + resource "aws_iam_role" "sre_bot_backup_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "backup.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "sre-bot-dynamodb-backup-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # aws_kms_key.sre_bot_backup_vault_key will be created
  + resource "aws_kms_key" "sre_bot_backup_vault_key" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + description                        = "KMS key for DynamoDB backup"
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + rotation_period_in_days            = (known after apply)
      + tags_all                           = (known after apply)
    }

Plan: 6 to add, 0 to change, 0 to destroy.

Warning: Argument is deprecated

  with module.sre_bot_bucket.aws_s3_bucket.this,
  on .terraform/modules/sre_bot_bucket/S3/main.tf line 8, in resource "aws_s3_bucket" "this":
   8: resource "aws_s3_bucket" "this" {

Use the aws_s3_bucket_server_side_encryption_configuration resource instead

(and 6 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"

Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.sre_bot"]
WARN - plan.json - main - Missing Common Tags: ["aws_backup_plan.sre_bot_backup_plan"]
WARN - plan.json - main - Missing Common Tags: ["aws_backup_vault.sre_bot_backup_vault"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sre-bot_group"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sre_bot_dns"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sre_bot_waf_log_group"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.sre_bot_error"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.sre_bot_high_cpu"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.sre_bot_high_memory"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.sre_bot_warning"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.aws_access_requests_table"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.incidents_table"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.sre_bot_data"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.webhooks_table"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.sre-bot"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_cluster.sre-bot"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_service.main"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_task_definition.sre-bot"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.geodb_refresh_policy"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.sre-bot_secrets_manager"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.sre_bot_bucket"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.sre-bot"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.sre_bot_backup_role"]
WARN -...

@sylviamclaughlin merged commit b7d4e60 into main on Feb 7, 2025
6 checks passed
@sylviamclaughlin deleted the feat/dynamodb_backups branch on February 7, 2025 23:23