Resource: awsDlmLifecyclePolicy

Provides a Data Lifecycle Manager (DLM) lifecycle policy for managing snapshots.

Example Usage

Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["dlm.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const dataAwsIamPolicyDocumentDlmLifecycle =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "dlm_lifecycle",
    {
      statement: [
        {
          actions: [
            "ec2:CreateSnapshot",
            "ec2:CreateSnapshots",
            "ec2:DeleteSnapshot",
            "ec2:DescribeInstances",
            "ec2:DescribeVolumes",
            "ec2:DescribeSnapshots",
          ],
          effect: "Allow",
          resources: ["*"],
        },
        {
          actions: ["ec2:CreateTags"],
          effect: "Allow",
          resources: ["arn:aws:ec2:*::snapshot/*"],
        },
      ],
    }
  );
const awsIamRoleDlmLifecycleRole = new aws.iamRole.IamRole(
  this,
  "dlm_lifecycle_role",
  {
    assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
    name: "dlm-lifecycle-role",
  }
);
const awsIamRolePolicyDlmLifecycle = new aws.iamRolePolicy.IamRolePolicy(
  this,
  "dlm_lifecycle_3",
  {
    name: "dlm-lifecycle-policy",
    policy: dataAwsIamPolicyDocumentDlmLifecycle.json,
    role: awsIamRoleDlmLifecycleRole.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyDlmLifecycle.overrideLogicalId("dlm_lifecycle");
new aws.dlmLifecyclePolicy.DlmLifecyclePolicy(this, "example", {
  description: "example DLM lifecycle policy",
  executionRoleArn: awsIamRoleDlmLifecycleRole.arn,
  policyDetails: {
    resourceTypes: ["VOLUME"],
    schedule: [
      {
        copyTags: false,
        createRule: {
          interval: 24,
          intervalUnit: "HOURS",
          times: ["23:45"],
        },
        name: "2 weeks of daily snapshots",
        retainRule: {
          count: 14,
        },
        tagsToAdd: {
          snapshotCreator: "DLM",
        },
      },
    ],
    targetTags: {
      snapshot: "true",
    },
  },
  state: "ENABLED",
});

Example Cross-Region Snapshot Copy Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsCallerIdentityCurrent =
  new aws.dataAwsCallerIdentity.DataAwsCallerIdentity(this, "current", {});
const dataAwsIamPolicyDocumentKey =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "key", {
    statement: [
      {
        actions: ["kms:*"],
        effect: "Allow",
        principals: [
          {
            identifiers: [
              `arn:aws:iam::\${${dataAwsCallerIdentityCurrent.accountId}}:root`,
            ],
            type: "AWS",
          },
        ],
        resources: ["*"],
        sid: "Enable IAM User Permissions",
      },
    ],
  });
const awsKmsKeyDlmCrossRegionCopyCmk = new aws.kmsKey.KmsKey(
  this,
  "dlm_cross_region_copy_cmk",
  {
    description: "Example Alternate Region KMS Key",
    policy: dataAwsIamPolicyDocumentKey.json,
    provider: "${aws.alternate}",
  }
);
new aws.dlmLifecyclePolicy.DlmLifecyclePolicy(this, "example", {
  description: "example DLM lifecycle policy",
  executionRoleArn: "${aws_iam_role.dlm_lifecycle_role.arn}",
  policyDetails: {
    resourceTypes: ["VOLUME"],
    schedule: [
      {
        copyTags: false,
        createRule: {
          interval: 24,
          intervalUnit: "HOURS",
          times: ["23:45"],
        },
        crossRegionCopyRule: [
          {
            cmkArn: awsKmsKeyDlmCrossRegionCopyCmk.arn,
            copyTags: true,
            encrypted: true,
            retainRule: {
              interval: 30,
              intervalUnit: "DAYS",
            },
            target: "us-west-2",
          },
        ],
        name: "2 weeks of daily snapshots",
        retainRule: {
          count: 14,
        },
        tagsToAdd: {
          snapshotCreator: "DLM",
        },
      },
    ],
    targetTags: {
      snapshot: "true",
    },
  },
  state: "ENABLED",
});

Example Event Based Policy Usage

data "aws_caller_identity" "current" {}

resource "aws_dlm_lifecycle_policy" "example" {
  description        = "tf-acc-basic"
  execution_role_arn = aws_iam_role.example.arn

  policy_details {
    policy_type = "EVENT_BASED_POLICY"

    action {
      name = "tf-acc-basic"
      cross_region_copy {
        encryption_configuration {}
        retain_rule {
          interval      = 15
          interval_unit = "MONTHS"
        }

        target = "us-west-2" # destination Region for the copies (assumed value; the original showed a test placeholder)
      }
    }

    event_source {
      type = "MANAGED_CWE"
      parameters {
        description_regex = "^.*Created for policy: policy-1234567890abcdef0.*$"
        event_type        = "shareSnapshot"
        snapshot_owner    = [data.aws_caller_identity.current.account_id]
      }
    }
  }
}

data "aws_iam_policy" "example" {
  name = "AWSDataLifecycleManagerServiceRole"
}

resource "aws_iam_role_policy_attachment" "example" {
  role       = aws_iam_role.example.id
  policy_arn = data.aws_iam_policy.example.arn
}

Argument Reference

The following arguments are supported:

  • description - (Required) A description for the DLM lifecycle policy.
  • executionRoleArn - (Required) The ARN of an IAM role that is able to be assumed by the DLM service.
  • policyDetails - (Required) See the policyDetails configuration block. Max of 1.
  • state - (Optional) Whether the lifecycle policy should be enabled or disabled. ENABLED or DISABLED are valid values. Defaults to ENABLED.
  • tags - (Optional) Key-value map of resource tags. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Policy Details arguments

  • action - (Optional) The actions to be performed when the event-based policy is triggered. You can specify only one action per policy. This parameter is required for event-based policies only. If you are creating a snapshot or AMI policy, omit this parameter. See the action configuration block.
  • eventSource - (Optional) The event that triggers the event-based policy. This parameter is required for event-based policies only. If you are creating a snapshot or AMI policy, omit this parameter. See the eventSource configuration block.
  • resourceTypes - (Optional) A list of resource types that should be targeted by the lifecycle policy. Valid values are VOLUME and INSTANCE.
  • resourceLocations - (Optional) The location of the resources to back up. If the source resources are located in an AWS Region, specify CLOUD. If the source resources are located on an Outpost in your account, specify OUTPOST. If you specify OUTPOST, Amazon Data Lifecycle Manager backs up all resources of the specified type with matching target tags across all of the Outposts in your account. Valid values are CLOUD and OUTPOST.
  • policyType - (Optional) The valid target resource types and actions a policy can manage. Specify EBS_SNAPSHOT_MANAGEMENT to create a lifecycle policy that manages the lifecycle of Amazon EBS snapshots. Specify IMAGE_MANAGEMENT to create a lifecycle policy that manages the lifecycle of EBS-backed AMIs. Specify EVENT_BASED_POLICY to create an event-based policy that performs specific actions when a defined event occurs in your AWS account. Default value is EBS_SNAPSHOT_MANAGEMENT.
  • parameters - (Optional) A set of optional parameters for snapshot and AMI lifecycle policies. See the parameters configuration block.
  • schedule - (Optional) See the schedule configuration block.
  • targetTags - (Optional) A map of tag keys and their values. Any resources that match the resourceTypes and are tagged with any of these tags will be targeted.

~> Note: You cannot have overlapping lifecycle policies that share the same targetTags. Terraform is unable to detect this at plan time but it will fail during apply.
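Because Terraform only reports this overlap at apply time, a unit test over the planned policies can catch it earlier. The following check is an added example and not part of the provider docs; it assumes the policy shape used in this page's cdktf examples and, following the targetTags description above, treats a policy pair as overlapping when they share a resource type and at least one identical tag key/value pair.

```typescript
// Added example, not from the provider docs: detect lifecycle policies whose
// targetTags overlap on the same resource type. The page notes that Terraform
// cannot catch this at plan time; a unit test running this before `cdktf deploy`
// can. The policy shape below follows this page's cdktf examples.
type PolicyDetails = { resourceTypes: string[]; targetTags: Record<string, string> };
type Policy = { name: string; policyDetails: PolicyDetails };

// DLM targets a resource when ANY of the target tags matches, so two policies
// overlap as soon as they share a resource type and one identical key/value pair.
export function findOverlappingPolicies(policies: Policy[]): string[] {
  const conflicts: string[] = [];
  for (let i = 0; i < policies.length; i++) {
    for (let j = i + 1; j < policies.length; j++) {
      const a = policies[i].policyDetails;
      const b = policies[j].policyDetails;
      const sharedTypes = a.resourceTypes.filter((t) => b.resourceTypes.includes(t));
      if (sharedTypes.length === 0) continue;
      const sharedTags = Object.entries(a.targetTags)
        .filter(([k, v]) => b.targetTags[k] === v)
        .map(([k, v]) => `${k}=${v}`);
      if (sharedTags.length > 0) {
        conflicts.push(
          `${policies[i].name} and ${policies[j].name} both target ${sharedTypes.join(",")} via ${sharedTags.join(",")}`
        );
      }
    }
  }
  return conflicts;
}

// Constructed sample: "daily" and "hourly" collide on snapshot=true for VOLUME;
// "ami" targets INSTANCE resources, so it does not collide with either.
export const samplePolicies: Policy[] = [
  { name: "daily", policyDetails: { resourceTypes: ["VOLUME"], targetTags: { snapshot: "true" } } },
  { name: "hourly", policyDetails: { resourceTypes: ["VOLUME"], targetTags: { snapshot: "true", tier: "db" } } },
  { name: "ami", policyDetails: { resourceTypes: ["INSTANCE"], targetTags: { snapshot: "true" } } },
];
```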

Action arguments

  • crossRegionCopy - (Optional) The rule for copying shared snapshots across Regions. See the crossRegionCopy configuration block.
  • name - (Optional) A descriptive name for the action.

Action Cross Region Copy Rule arguments

  • encryptionConfiguration - (Required) The encryption settings for the copied snapshot. See the encryptionConfiguration block. Max of 1 per action.
  • retainRule - (Required) Specifies the retention rule for cross-Region snapshot copies. See the retainRule block. Max of 1 per action.
  • target - (Required) The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.

Encryption Configuration arguments

  • cmkArn - (Optional) The Amazon Resource Name (ARN) of the AWS KMS key to use for EBS encryption. If this parameter is not specified, the default KMS key for the account is used.
  • encrypted - (Required) To encrypt a copy of an unencrypted snapshot when encryption by default is not enabled, enable encryption using this parameter. Copies of encrypted snapshots are encrypted, even if this parameter is false or when encryption by default is not enabled.

Event Source arguments

  • parameters - (Required) Information about the event. See the parameters configuration block.
  • type - (Required) The source of the event. Currently only managed CloudWatch Events rules are supported. Valid values are MANAGED_CWE.

Event Source Parameters arguments

  • descriptionRegex - (Required) The snapshot description that can trigger the policy. The description pattern is specified using a regular expression. The policy runs only if a snapshot with a description that matches the specified pattern is shared with your account.
  • eventType - (Required) The type of event. Currently, only shareSnapshot events are supported.
  • snapshotOwner - (Required) The IDs of the AWS accounts that can trigger the policy by sharing snapshots with your account. The policy only runs if one of the specified AWS accounts shares a snapshot with your account.

Parameters arguments

  • excludeBootVolume - (Optional) Indicates whether to exclude the root volume from snapshots created using CreateSnapshots. The default is false.
  • noReboot - (Optional) Applies to AMI lifecycle policies only. Indicates whether targeted instances are rebooted when the lifecycle policy runs. true indicates that targeted instances are not rebooted when the policy runs. false indicates that target instances are rebooted when the policy runs. The default is true (instances are not rebooted).

Schedule arguments

  • copyTags - (Optional) Copy all user-defined tags on a source volume to snapshots of the volume created by this policy.
  • createRule - (Required) See the createRule block. Max of 1 per schedule.
  • crossRegionCopyRule - (Optional) See the crossRegionCopyRule block. Max of 3 per schedule.
  • name - (Required) A name for the schedule.
  • deprecateRule - (Optional) See the deprecateRule block. Max of 1 per schedule.
  • fastRestoreRule - (Optional) See the fastRestoreRule block. Max of 1 per schedule.
  • retainRule - (Required) See the retainRule block. Max of 1 per schedule.
  • shareRule - (Optional) See the shareRule block. Max of 1 per schedule.
  • tagsToAdd - (Optional) A map of tag keys and their values. DLM lifecycle policies will already tag the snapshot with the tags on the volume. This configuration adds extra tags on top of these.
  • variableTags - (Optional) A map of tag keys and variable values, where the values are determined when the policy is executed. Only $(instance-id) or $(timestamp) are valid values. Can only be used when resourceTypes is INSTANCE.

Create Rule arguments

  • cronExpression - (Optional) The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year.
  • interval - (Optional) How often this lifecycle policy should be evaluated. 1, 2, 3, 4, 6, 8, 12 or 24 are valid values.
  • intervalUnit - (Optional) The unit for how often the lifecycle policy should be evaluated. HOURS is currently the only allowed value and also the default value.
  • location - (Optional) Specifies the destination for snapshots created by the policy. To create snapshots in the same Region as the source resource, specify CLOUD. To create snapshots on the same Outpost as the source resource, specify OUTPOST_LOCAL. If you omit this parameter, CLOUD is used by default. If the policy targets resources in an AWS Region, then you must create snapshots in the same Region as the source resource. If the policy targets resources on an Outpost, then you can create snapshots on the same Outpost as the source resource, or in the Region of that Outpost. Valid values are CLOUD and OUTPOST_LOCAL.
  • times - (Optional) A list of times in 24 hour clock format that sets when the lifecycle policy should be evaluated. Max of 1.

Deprecate Rule arguments

  • count - (Optional) Specifies the number of oldest AMIs to deprecate. Must be an integer between 1 and 1000.
  • interval - (Optional) Specifies the period after which to deprecate AMIs created by the schedule. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.
  • intervalUnit - (Optional) The unit of time for time-based retention. Valid values are DAYS, WEEKS, MONTHS, YEARS.

Fast Restore Rule arguments

  • availabilityZones - (Required) The Availability Zones in which to enable fast snapshot restore.
  • count - (Optional) The number of snapshots to be enabled with fast snapshot restore. Must be an integer between 1 and 1000.
  • interval - (Optional) The amount of time to enable fast snapshot restore. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.
  • intervalUnit - (Optional) The unit of time for enabling fast snapshot restore. Valid values are DAYS, WEEKS, MONTHS, YEARS.

Retain Rule arguments

  • count - (Optional) How many snapshots to keep. Must be an integer between 1 and 1000.
  • interval - (Optional) The amount of time to retain each snapshot. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.
  • intervalUnit - (Optional) The unit of time for time-based retention. Valid values are DAYS, WEEKS, MONTHS, YEARS.

Share Rule arguments

  • targetAccounts - (Required) The IDs of the AWS accounts with which to share the snapshots.
  • interval - (Optional) The period after which snapshots that are shared with other AWS accounts are automatically unshared.
  • intervalUnit - (Optional) The unit of time for the automatic unsharing interval. Valid values are DAYS, WEEKS, MONTHS, YEARS.

Cross Region Copy Rule arguments

  • cmkArn - (Optional) The Amazon Resource Name (ARN) of the AWS KMS customer master key (CMK) to use for EBS encryption. If this argument is not specified, the default KMS key for the account is used.
  • copyTags - (Optional) Whether to copy all user-defined tags from the source snapshot to the cross-region snapshot copy.
  • deprecateRule - (Optional) The AMI deprecation rule for cross-Region AMI copies created by the rule. See the deprecateRule block.
  • encrypted - (Required) To encrypt a copy of an unencrypted snapshot if encryption by default is not enabled, enable encryption using this parameter. Copies of encrypted snapshots are encrypted, even if this parameter is false or if encryption by default is not enabled.
  • retainRule - (Required) The retention rule that indicates how long snapshot copies are to be retained in the destination Region. See the retainRule block. Max of 1 per schedule.
  • target - (Required) The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.

Cross Region Copy Rule Deprecate Rule arguments

  • interval - (Required) The period after which to deprecate the cross-Region AMI copies. The period must be less than or equal to the cross-Region AMI copy retention period, and it can't be greater than 10 years. This is equivalent to 120 months, 520 weeks, or 3650 days.
  • intervalUnit - (Required) The unit of time in which to measure the interval. Valid values: DAYS, WEEKS, MONTHS, or YEARS.

Cross Region Copy Rule Retain Rule arguments

  • interval - (Required) The amount of time to retain each snapshot. The maximum is 100 years. This is equivalent to 1200 months, 5200 weeks, or 36500 days.
  • intervalUnit - (Required) The unit of time for time-based retention. Valid values: DAYS, WEEKS, MONTHS, or YEARS.
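The limits in the create, retain and cross-Region copy rule sections above are enforced by the DLM API, so a wrong value surfaces only at apply time. The check below is an added example, not code from the provider or the docs; it assumes the field names of this page's cdktf examples and converts units with the 100-year equivalences the page states (1200 months, 5200 weeks, 36500 days) so that a cross-Region deprecation period can be compared against its copy retention period.

```typescript
// Added example, not from the provider docs: a pre-apply check of one schedule
// against the limits this page documents, so a bad value fails in a unit test
// instead of at `cdktf deploy`. Field names follow this page's cdktf examples.
type Rule = { count?: number; interval?: number; intervalUnit?: string };
type CrossRegionCopyRule = { target: string; encrypted: boolean; retainRule: Rule; deprecateRule?: Rule };
type Schedule = {
  name: string;
  createRule: { interval?: number; intervalUnit?: string; cronExpression?: string; times?: string[] };
  retainRule: Rule;
  crossRegionCopyRule?: CrossRegionCopyRule[];
};

// Unit ratios taken from the page: 100 years = 1200 months = 5200 weeks = 36500 days.
const DAYS_PER: Record<string, number> = { DAYS: 1, WEEKS: 36500 / 5200, MONTHS: 36500 / 1200, YEARS: 365 };
const MAX_RETAIN_DAYS = 36500; // 100 years
const MAX_DEPRECATE_DAYS = 3650; // 10 years for cross-Region AMI deprecation
const toDays = (r: Rule): number => (r.interval ?? 0) * (DAYS_PER[r.intervalUnit ?? ""] ?? NaN);

export function validateSchedule(s: Schedule): string[] {
  const errors: string[] = [];
  const cr = s.createRule;
  if (!cr.cronExpression && ![1, 2, 3, 4, 6, 8, 12, 24].includes(cr.interval ?? 0))
    errors.push(`${s.name}: createRule.interval must be 1, 2, 3, 4, 6, 8, 12 or 24 hours`);
  if ((cr.times ?? []).length > 1) errors.push(`${s.name}: createRule.times allows at most one entry`);
  if (s.retainRule.count !== undefined && (s.retainRule.count < 1 || s.retainRule.count > 1000))
    errors.push(`${s.name}: retainRule.count must be between 1 and 1000`);
  if (s.retainRule.interval !== undefined && !(toDays(s.retainRule) <= MAX_RETAIN_DAYS))
    errors.push(`${s.name}: retainRule.interval must use a valid unit and be at most 100 years`);
  const copies = s.crossRegionCopyRule ?? [];
  if (copies.length > 3) errors.push(`${s.name}: at most 3 crossRegionCopyRule blocks per schedule`);
  for (const c of copies) {
    const retainDays = toDays(c.retainRule); // NaN for an unknown unit fails the range check below
    if (!(retainDays > 0 && retainDays <= MAX_RETAIN_DAYS))
      errors.push(`${s.name}/${c.target}: copy retainRule must be between 1 day and 100 years`);
    if (c.deprecateRule) {
      const dep = toDays(c.deprecateRule);
      if (!(dep > 0 && dep <= MAX_DEPRECATE_DAYS && dep <= retainDays))
        errors.push(`${s.name}/${c.target}: deprecateRule must not exceed 10 years or the copy retention period`);
    }
  }
  return errors;
}

// Constructed sample: the page's cross-Region schedule plus a deprecation rule
// that outlives the copy's 30-day retention, which this check flags.
export const sampleSchedule: Schedule = {
  name: "2 weeks of daily snapshots",
  createRule: { interval: 24, intervalUnit: "HOURS", times: ["23:45"] },
  retainRule: { count: 14 },
  crossRegionCopyRule: [{
    target: "us-west-2", encrypted: true,
    retainRule: { interval: 30, intervalUnit: "DAYS" },
    deprecateRule: { interval: 2, intervalUnit: "MONTHS" },
  }],
};
```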

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the DLM Lifecycle Policy.
  • id - Identifier of the DLM Lifecycle Policy.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

DLM lifecycle policies can be imported by their policy ID:

$ terraform import aws_dlm_lifecycle_policy.example policy-abcdef12345678901