[Improvement] state/dynamodb - Enable AWS Backup (widdix#337)

jalawala · Aug 6, 2019 · ef0dd94 · ef0dd94
1 parent 732f76d
commit ef0dd94
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 7 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -10,7 +10,7 @@ python:
 install:
 - 'pip install yamllint==1.15.0'
 - 'pip install awscli==1.16.167'
-- 'pip install cfn-lint==0.21.3'
+- 'pip install cfn-lint==0.22.4'
 script:
 - 'yamllint .'
 - 'cfn-lint -i E3002 W2001 W6001 W2030 -t ''**/*.yaml''' # TODO get rid of check ignores

diff --git a/docs/state.md b/docs/state.md
@@ -40,7 +40,6 @@ DynamoDB table with auto scaling for read and write capacity.
 * `operations/alert.yaml` (recommended)
 
 ## Limitations
-* No backup (see `operations/backup-dynamodb-native.yaml`)
 * Encryption at rest with AWS managed CMK (customer managed is not supported)
 
 # ElastiCache memcached

diff --git a/operations/alert.yaml b/operations/alert.yaml
@@ -68,6 +68,7 @@ Resources:
             - 'budgets.amazonaws.com' # Allow Budget Notifications
             - 'rds.amazonaws.com' # Allow RDS Events
             - 's3.amazonaws.com' # Allow S3 Event Notifications
+            - 'backup.amazonaws.com' # Allow Backup Events
           Action: 'sns:Publish'
           Resource: !Ref Topic
         - Sid: Sid2

diff --git a/operations/backup-dynamodb-native.yaml b/operations/backup-dynamodb-native.yaml
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 AWSTemplateFormatVersion: '2010-09-09'
-Description: 'Operations: DynamoDB native backup, a cloudonaut.io template'
+Description: 'Operations: DynamoDB native backup, deprecated in v9, will be removed in v11, use state/dynamodb instead with AWS Backup enabled, a cloudonaut.io template'
 Metadata:
   'AWS::CloudFormation::Interface':
     ParameterGroups:

diff --git a/state/dynamodb.yaml b/state/dynamodb.yaml
@@ -29,15 +29,21 @@ Metadata:
       - PartitionKeyType
       - SortKeyName
       - SortKeyType
+      - BillingAndScalingMode
+      - Encryption
+      - TimeToLiveAttributeName
+      - StreamViewType
+      - BackupRetentionPeriod
+      - BackupScheduleExpression
+    - Label:
+        default: 'DynamoDB PROVISIONED Mode Parameters'
+      Parameters:
       - MaxWriteCapacityUnits
       - MinWriteCapacityUnits
       - WriteCapacityUnitsUtilizationTarget
       - MaxReadCapacityUnits
       - MinReadCapacityUnits
       - ReadCapacityUnitsUtilizationTarget
-      - Encryption
-      - TimeToLiveAttributeName
-      - StreamViewType
 Parameters:
   ParentAlertStack:
     Description: 'Optional but recommended stack name of parent alert stack based on operations/alert.yaml template.'
@@ -107,6 +113,16 @@ Parameters:
     Type: String
     Default: DISABLED
     AllowedValues: [DISABLED, KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES]
+  BackupRetentionPeriod:
+    Description: 'The number of days to keep backups of the table.'
+    Type: Number
+    MinValue: 1
+    MaxValue: 35
+    Default: 30
+  BackupScheduleExpression:
+    Description: 'A CRON expression specifying when AWS Backup initiates a backup job.'
+    Type: String
+    Default: 'cron(0 5 ? * * *)'
 Conditions:
   HasAlertTopic: !Not [!Equals [!Ref ParentAlertStack, '']]
   HasSortKey: !Not [!Equals [!Ref SortKeyName, '']]
@@ -309,6 +325,58 @@ Resources:
       - {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}
       OKActions:
       - {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}
+  BackupVault: # cannot be deleted with data
+    Type: 'AWS::Backup::BackupVault'
+    Properties:
+      BackupVaultName: !Ref 'AWS::StackName'
+      Notifications: !If [HasAlertTopic, {BackupVaultEvents: [BACKUP_JOB_STARTED, BACKUP_JOB_COMPLETED, RESTORE_JOB_STARTED, RESTORE_JOB_COMPLETED, RECOVERY_POINT_MODIFIED], SNSTopicArn: {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}}, !Ref 'AWS::NoValue']
+  BackupPlan:
+    Type: 'AWS::Backup::BackupPlan'
+    Properties:
+      BackupPlan:
+        BackupPlanName: !Ref 'AWS::StackName'
+        BackupPlanRule:
+        - CompletionWindowMinutes: 1440
+          Lifecycle:
+            DeleteAfterDays: !Ref BackupRetentionPeriod
+          RuleName: !Ref 'AWS::StackName'
+          ScheduleExpression: !Ref BackupScheduleExpression
+          StartWindowMinutes: 60
+          TargetBackupVault: !Ref BackupVault
+  BackupRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service: 'backup.amazonaws.com'
+          Action: 'sts:AssumeRole'
+      Policies:
+      - PolicyName: backup
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Effect: Allow
+            Action:
+            - 'dynamodb:DescribeTable'
+            - 'dynamodb:CreateBackup'
+            Resource: !GetAtt 'Table.Arn'
+          - Effect: Allow
+            Action:
+            - 'dynamodb:DescribeBackup'
+            - 'dynamodb:DeleteBackup'
+            Resource: !Sub '${Table.Arn}/backup/*'
+  BackupSelection:
+    Type: 'AWS::Backup::BackupSelection'
+    Properties:
+      BackupPlanId: !Ref BackupPlan
+      BackupSelection:
+        IamRoleArn: !GetAtt 'BackupRole.Arn'
+        Resources:
+        - !GetAtt 'Table.Arn'
+        SelectionName: !Ref 'AWS::StackName'
 Outputs:
   TemplateID:
     Description: 'cloudonaut.io template id.'

diff --git a/state/s3.yaml b/state/s3.yaml
@@ -85,7 +85,7 @@ Conditions:
   HasExpirationInDays: !Not [!Equals [!Ref ExpirationInDays, 0]]
   HasPrivateAccessAndKmsKey: !And [!Condition HasPrivateAccess, !Condition HasKmsKey]
 Resources:
-  Bucket:
+  Bucket: # cannot be deleted with data
     Type: 'AWS::S3::Bucket'
     Properties:
       BucketName: !If [HasBucketName, !Ref BucketName, !Ref 'AWS::NoValue']