How to build an AWS CloudFormation YAML from AWS Backup

I am using the AWS Backup service to create backups of my DynamoDB tables, but I do not like that solution because it is very manual and not reproducible.

Now, how do I build AWS Backup (from CloudFormation Designer or a template)?

I have been searching for it, but I could not manage it.

Note: I do not want to use any scheduled event with a Lambda for backups. I need to use AWS Backup, but where can I find a CloudFormation template to create/update it easily?

Description: "Backup Plan template to back up all resources tagged with backup=daily daily at 5am UTC."
Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Encryption key for daily"
      EnableKeyRotation: True
      Enabled: True
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Principal:
            "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" }
          Action:
          - kms:*
          Resource: "*"

  BackupVaultWithDailyBackups:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt KMSKey.Arn

  BackupPlanWithDailyBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithDailyBackups"
        BackupPlanRule:
          -
            RuleName: "RuleForDailyBackups"
            TargetBackupVault: !Ref BackupVaultWithDailyBackups
            ScheduleExpression: "cron(0 5 ? * * *)"

    DependsOn: BackupVaultWithDailyBackups

  DDBTableWithDailyBackupTag:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: "TestTable"
      AttributeDefinitions:
        -
          AttributeName: "Album"
          AttributeType: "S"
      KeySchema:
        -
          AttributeName: "Album"
          KeyType: "HASH"
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      Tags:
        -
          Key: "backup"
          Value: "daily"

  BackupRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "backup.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        # AWS managed policy that grants the AWS Backup service the permissions it needs to create backups
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"

  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: !GetAtt BackupRole.Arn
        ListOfTags:
         -
           ConditionType: "STRINGEQUALS"
           ConditionKey: "backup"
           ConditionValue: "daily"
      BackupPlanId: !Ref BackupPlanWithDailyBackups
    DependsOn: BackupPlanWithDailyBackups

References:
https://docs.aws.amazon.com/aws-backup/latest/devguide/integrate-cloudformation-with-aws-backup.html

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Backup.html

Description: "Backup Plan template to back up all resources tagged with backup=daily daily at 5am UTC."
Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "Encryption key for daily"

      EnableKeyRotation: True
      Enabled: True
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              "AWS": { "Fn::Sub": "arn:aws:iam::***********:root" }
#              "AWS": 'arn:aws:iam::***********:root'
            Action:
              - kms:*
            Resource: "*"

  BackupVaultWithDailyBackups:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: "BackupVaultWithDailyBackups"
      EncryptionKeyArn: { "Fn::GetAtt": [ KMSKey, Arn ] } #${self:custom.keyArn}

  BackupPlanWithDailyBackups:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "BackupPlanWithDailyBackups"
        BackupPlanRule:
          -
            RuleName: DailyBackups
            ScheduleExpression: cron(0 5 ? * * *)
            StartWindowMinutes: 480
            TargetBackupVault: {Ref: BackupVaultWithDailyBackups}
            Lifecycle:
              DeleteAfterDays: 35
          -
            RuleName: WeeklyBackups
            ScheduleExpression: cron(0 5 ? * 7 *)
            TargetBackupVault: {Ref: BackupVaultWithDailyBackups}
            StartWindowMinutes: 480
            Lifecycle:
              DeleteAfterDays: 90
          -
            RuleName: MonthlyBackups
            ScheduleExpression: cron(0 5 1 * ? *)
            TargetBackupVault: {Ref: BackupVaultWithDailyBackups}
            StartWindowMinutes: 480
            Lifecycle:
              MoveToColdStorageAfterDays: 90
              DeleteAfterDays: 1825

    DependsOn: BackupVaultWithDailyBackups


#  BackupRole:
#    Type: "AWS::IAM::Role"
#    Properties:
#      AssumeRolePolicyDocument:
#        Version: "2012-10-17"
#        Statement:
#          -
#            Effect: "Allow"
#            Principal:
#              Service:
#                - "backup.amazonaws.com"
#            Action:
#              - "sts:AssumeRole"
#      ManagedPolicyArns:
#        -
#          "arn:aws:iam::**********:role/service-role/AWSBackupDefaultServiceRole"

  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: "arn:aws:iam::***********:role/service-role/AWSBackupDefaultServiceRole"
        ListOfTags:
          -
            ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "dev-pci"
          -
            ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "uat-pci"
          -
            ConditionType: "STRINGEQUALS"
            ConditionKey: "backup"
            ConditionValue: "prod-pci"
      BackupPlanId: {Ref: BackupPlanWithDailyBackups}
    DependsOn: BackupPlanWithDailyBackups

Note: replace *********** with your AWS account ID.

You need to add the DynamoDB tags, for example:

  DDBTableWithDailyBackupTag:
    Type: "AWS::DynamoDB::Table"
    Properties:
      TableName: "TestTable"
      AttributeDefinitions:
        -
          AttributeName: "Album"
          AttributeType: "S"
      KeySchema:
        -
          AttributeName: "Album"
          KeyType: "HASH"
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      Tags:
        -
          Key: "backup"
          Value: "daily"
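Before deploying either template it is worth checking the properties that decide whether the backups are actually usable: the vault is encrypted with a rotated customer-managed key, every rule has a retention lifecycle (a rule without one keeps its recovery points until someone deletes them), and the selection tags match what the tables are really tagged with. The script below is an added example, not code from either answer; it reads the template in CloudFormation's JSON-equivalent form (the `{Ref: ...}` / `Fn::GetAtt` syntax the second answer already uses) so it runs offline, and the constructed `SAMPLE` mirrors the second answer, including a selection on `backup=prod-pci` while the only table is tagged `backup=daily`.

```python
def resources_of(template, rtype):
    """Logical name -> resource, for every resource of one CloudFormation type."""
    return {n: r for n, r in template["Resources"].items() if r["Type"] == rtype}
def ref_name(value):
    """Resolve {"Ref": X} or {"Fn::GetAtt": [X, ...]} to logical name X, else None."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None
def check_backup_template(template):
    """Return a list of findings; an empty list means all three checks pass."""
    findings, res = [], template["Resources"]
    # 1. Each vault should name a customer-managed key; an in-template key should rotate.
    for name, vault in resources_of(template, "AWS::Backup::BackupVault").items():
        key = vault["Properties"].get("EncryptionKeyArn")
        key_res = res.get(ref_name(key), {})  # inspectable only when declared in-template
        if key is None:
            findings.append(f"{name}: no EncryptionKeyArn, vault uses the AWS-managed default key")
        elif key_res and not key_res.get("Properties", {}).get("EnableKeyRotation", False):
            findings.append(f"{name}: key {ref_name(key)} does not enable rotation")
    # 2. Each rule needs a retention lifecycle, or its recovery points never expire.
    for name, plan in resources_of(template, "AWS::Backup::BackupPlan").items():
        for rule in plan["Properties"]["BackupPlan"]["BackupPlanRule"]:
            if "DeleteAfterDays" not in rule.get("Lifecycle", {}):
                findings.append(f"{name}/{rule['RuleName']}: no Lifecycle.DeleteAfterDays")
    # 3. Each STRINGEQUALS selection tag must match a tagged resource in the template.
    tagged = {(t["Key"], t["Value"]) for r in res.values()
              for t in r.get("Properties", {}).get("Tags", [])}
    for name, sel in resources_of(template, "AWS::Backup::BackupSelection").items():
        for cond in sel["Properties"]["BackupSelection"].get("ListOfTags", []):
            pair = (cond["ConditionKey"], cond["ConditionValue"])
            if cond["ConditionType"] == "STRINGEQUALS" and pair not in tagged:
                findings.append(f"{name}: tag {pair[0]}={pair[1]} matches no resource")
    return findings

# Constructed sample (not the answers' exact templates): rotated key, encrypted vault, one
# rule without a lifecycle, and a selection whose tag value no table in the template carries.
SAMPLE = {"Resources": {
    "KMSKey": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": True}},
    "Vault": {"Type": "AWS::Backup::BackupVault",
              "Properties": {"EncryptionKeyArn": {"Fn::GetAtt": ["KMSKey", "Arn"]}}},
    "Plan": {"Type": "AWS::Backup::BackupPlan", "Properties": {"BackupPlan": {"BackupPlanRule": [
        {"RuleName": "DailyBackups", "Lifecycle": {"DeleteAfterDays": 35}}, {"RuleName": "AdHoc"}]}}},
    "Selection": {"Type": "AWS::Backup::BackupSelection", "Properties": {"BackupSelection": {
        "ListOfTags": [{"ConditionType": "STRINGEQUALS", "ConditionKey": "backup", "ConditionValue": "prod-pci"}]}}},
    "Table": {"Type": "AWS::DynamoDB::Table", "Properties": {"Tags": [{"Key": "backup", "Value": "daily"}]}}}}
```

Running `check_backup_template(SAMPLE)` returns two findings: the `AdHoc` rule has no `DeleteAfterDays`, and the `prod-pci` selection matches no tagged resource. Against the first answer's template it would flag the missing lifecycle on `RuleForDailyBackups`.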