Resource: awsBackupSelection

Manages selection conditions for AWS Backup plan resources.

Example Usage

IAM Role

Note: For more information about creating and managing IAM Roles for backups and restores, see the AWS Backup Developer Guide.

The example below creates an IAM role that the AWS Backup service can assume, attaches the default managed IAM policy that allows AWS Backup to create backups, and passes the role to the backup selection.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["backup.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const awsIamRoleExample = new aws.iamRole.IamRole(this, "example", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "example",
});
const awsIamRolePolicyAttachmentExample =
  new aws.iamRolePolicyAttachment.IamRolePolicyAttachment(this, "example_2", {
    policyArn:
      "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
    role: awsIamRoleExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyAttachmentExample.overrideLogicalId("example");
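const awsBackupSelectionExample = new aws.backupSelection.BackupSelection(
  this,
  "example_3",
  {
    iamRoleArn: awsIamRoleExample.arn,
    /*name and planId are required; the values are the ones used in the examples below.*/
    name: "tf_example_backup_selection",
    planId: "${aws_backup_plan.example.id}",
  }
);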
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsBackupSelectionExample.overrideLogicalId("example");

Selecting Backups By Tag

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.backupSelection.BackupSelection(this, "example", {
  iamRoleArn: "${aws_iam_role.example.arn}",
  name: "tf_example_backup_selection",
  planId: "${aws_backup_plan.example.id}",
  selectionTag: [
    {
      key: "foo",
      type: "STRINGEQUALS",
      value: "bar",
    },
  ],
});

Selecting Backups By Conditions

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.backupSelection.BackupSelection(this, "example", {
  condition: [
    {
      stringEquals: [
        {
          key: "aws:ResourceTag/Component",
          value: "rds",
        },
      ],
      stringLike: [
        {
          key: "aws:ResourceTag/Application",
          value: "app*",
        },
      ],
      stringNotEquals: [
        {
          key: "aws:ResourceTag/Backup",
          value: "false",
        },
      ],
      stringNotLike: [
        {
          key: "aws:ResourceTag/Environment",
          value: "test*",
        },
      ],
    },
  ],
  iamRoleArn: "${aws_iam_role.example.arn}",
  name: "tf_example_backup_selection",
  planId: "${aws_backup_plan.example.id}",
  resources: ["*"],
});
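
To see which resources a selection leaves without backups, the sketch below (an added example, not provider or AWS code) models the matching locally: pairs in a condition block are combined with AND, while selectionTag entries are combined with OR, as the AWS Backup API documents. The helper names and the inventory are constructed for illustration, and treating a missing tag as passing the negated operators is an assumption.

```typescript
// Added example: a local model of AWS Backup tag matching, not provider code.
type Tags = Record<string, string>;
interface Pair { key: string; value: string }
type Op = "stringEquals" | "stringLike" | "stringNotEquals" | "stringNotLike";
type Condition = Partial<Record<Op, Pair[]>>;

// Case-sensitive match in which "*" stands for any run of characters.
function like(pattern: string, value: string): boolean {
  const body = pattern.split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp("^" + body + "$").test(value);
}

// condition: every listed pair must hold (AND).
// Assumption: a resource without the tag passes the two negated operators.
function matchesCondition(tags: Tags, c: Condition): boolean {
  const all = (pairs: Pair[] | undefined, ok: (v: string | undefined, want: string) => boolean) =>
    (pairs || []).every((p) => ok(tags[p.key.replace(/^aws:ResourceTag\//, "")], p.value));
  return all(c.stringEquals, (v, w) => v === w)
    && all(c.stringLike, (v, w) => v !== undefined && like(w, v))
    && all(c.stringNotEquals, (v, w) => v !== w)
    && all(c.stringNotLike, (v, w) => v === undefined || !like(w, v));
}

// selectionTag (STRINGEQUALS): one matching pair is enough (OR).
function matchesSelectionTag(tags: Tags, pairs: Pair[]): boolean {
  return pairs.some((p) => tags[p.key] === p.value);
}

// Names of inventory entries that a condition block leaves out of the plan.
function unselected(items: { name: string; tags: Tags }[], c: Condition): string[] {
  return items.filter((r) => !matchesCondition(r.tags, c)).map((r) => r.name);
}

// The condition block from "Selecting Backups By Conditions" on this page.
const pageCondition: Condition = {
  stringEquals: [{ key: "aws:ResourceTag/Component", value: "rds" }],
  stringLike: [{ key: "aws:ResourceTag/Application", value: "app*" }],
  stringNotEquals: [{ key: "aws:ResourceTag/Backup", value: "false" }],
  stringNotLike: [{ key: "aws:ResourceTag/Environment", value: "test*" }],
};
// Constructed inventory, not real resources.
const inventory: { name: string; tags: Tags }[] = [
  { name: "orders-db", tags: { Component: "rds", Application: "app-orders", Backup: "true", Environment: "prod" } },
  { name: "orders-db-test", tags: { Component: "rds", Application: "app-orders", Backup: "true", Environment: "test-1" } },
  { name: "legacy-db", tags: { Component: "rds", Application: "app-legacy", Backup: "false", Environment: "prod" } },
  { name: "billing-db", tags: { Component: "rds", Environment: "prod" } }, // Application tag missing
];
console.log(unselected(inventory, pageCondition));
```

The last inventory entry is the case to watch for: a production database with no Application tag fails the stringLike pair and drops out of the plan without any error.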

Selecting Backups By Resource

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.backupSelection.BackupSelection(this, "example", {
  iamRoleArn: "${aws_iam_role.example.arn}",
  name: "tf_example_backup_selection",
  planId: "${aws_backup_plan.example.id}",
  resources: [
    "${aws_db_instance.example.arn}",
    "${aws_ebs_volume.example.arn}",
    "${aws_efs_file_system.example.arn}",
  ],
});

Selecting Backups By Not Resource

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.backupSelection.BackupSelection(this, "example", {
  iamRoleArn: "${aws_iam_role.example.arn}",
  name: "tf_example_backup_selection",
  notResources: [
    "${aws_db_instance.example.arn}",
    "${aws_ebs_volume.example.arn}",
    "${aws_efs_file_system.example.arn}",
  ],
  planId: "${aws_backup_plan.example.id}",
});

Argument Reference

The following arguments are supported:

  • name - (Required) The display name of a resource selection document.
  • planId - (Required) The backup plan ID to be associated with the selection of resources.
  • iamRoleArn - (Required) The ARN of the IAM role that AWS Backup uses to authenticate when restoring and backing up the target resource. See the AWS Backup Developer Guide for additional information about using AWS managed policies or creating custom policies attached to the IAM role.
  • selectionTag - (Optional) Tag-based conditions used to specify a set of resources to assign to a backup plan.
  • condition - (Optional) A list of conditions that you define to assign resources to your backup plans using tags.
  • resources - (Optional) An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan.
  • notResources - (Optional) An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan.

Tag conditions (selectionTag) support the following:

  • type - (Required) An operation, such as STRINGEQUALS (the value used in the tag example above), that is applied to a key-value pair used to filter resources in a selection.
  • key - (Required) The key in a key-value pair.
  • value - (Required) The value in a key-value pair.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - Backup Selection identifier

Import

A backup selection can be imported using the plan_id and the selection id, separated by |. Quote the argument so that the shell does not interpret | as a pipe.

$ terraform import aws_backup_selection.example "plan-id|selection-id"