如何在 Terraform 中使用 AWS Backup 在不同区域创建文件库?
How do I use AWS Backup in Terraform to create a vault in a different region?
我正在实施一个解决方案来使用 AWS Backup 备份我的 Oracle RDS 数据库。我想在我当前的区域有一个保险库,在不同的区域有一个备份保险库。作为 Terraform 的新手,我不太确定如何完成此操作。我会在不同区域添加另一个 AWS 提供商吗?下面是我的一些代码供参考:
providers.tf:
# Configure the AWS Provider
provider "aws" {
profile = "sandbox"
region = var.primary_region # resolves to us-east-1
alias = "primary"
allowed_account_ids = [
var.account_id
]
}
------------------------------------------------------
backups.tf:
resource "aws_backup_region_settings" "test" {
resource_type_opt_in_preference = {
"RDS" = true
}
}
resource "aws_backup_vault" "test" {
name = "backup_vault"
kms_key_arn = aws_kms_key.sensitive.arn
}
# Would like this to be created in us-west-2:
resource "aws_backup_vault" "test_destination" {
name = backup_destination_vault"
kms_key_arn = aws_kms_key.sensitive.arn
}
resource "aws_backup_plan" "backup" {
name = "oasis-backup-plan"
rule {
rule_name = "backup"
target_vault_name = aws_backup_vault.backup.name
schedule = "cron(0 12-20 * * ? *)"
copy_action {
destination_vault_arn = aws_backup_vault.backup_destination.arn
}
}
}
resource "aws_iam_role" "backup" {
name = "backup_role"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["sts:AssumeRole"],
"Effect": "allow",
"Principal": {
"Service": ["backup.amazonaws.com"]
}
}
]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "backup" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
role = aws_iam_role.backup.name
}
resource "aws_backup_selection" "backup" {
iam_role_arn = aws_iam_role.backup.arn
name = "backup_selection"
plan_id = aws_backup_plan.backup.id
resources = [
aws_db_instance.oasis.arn
data.aws_db_instance.backup.db_instance_arn # My Oracle DB, already existing
]
}
我知道 AWS Backup 在 AWS Organizations 中得到了很大的利用;尽管我们正在为我们的众多帐户使用该模式,但我正在努力避免在这一点上涉及那种级别的控制;我只是在做一个 POC,试图为正在进行的 DR 区域制定一个合理的备份计划。
因此,为了做您想做的事,您需要使用 terraform 的一项功能,该功能允许您配置多个提供商:
https://www.terraform.io/docs/language/providers/configuration.html
配置完后,您可以指定要配置第二个保管库时要使用的提供程序,一切都应该正常运行。
我正在实施一个解决方案来使用 AWS Backup 备份我的 Oracle RDS 数据库。我想在我当前的区域有一个保险库,在不同的区域有一个备份保险库。作为 Terraform 的新手,我不太确定如何完成此操作。我会在不同区域添加另一个 AWS 提供商吗?下面是我的一些代码供参考:
providers.tf:
# Configure the AWS Provider
provider "aws" {
profile = "sandbox"
region = var.primary_region # resolves to us-east-1
alias = "primary"
allowed_account_ids = [
var.account_id
]
}
------------------------------------------------------
backups.tf:
resource "aws_backup_region_settings" "test" {
resource_type_opt_in_preference = {
"RDS" = true
}
}
resource "aws_backup_vault" "test" {
name = "backup_vault"
kms_key_arn = aws_kms_key.sensitive.arn
}
# Would like this to be created in us-west-2:
resource "aws_backup_vault" "test_destination" {
name = backup_destination_vault"
kms_key_arn = aws_kms_key.sensitive.arn
}
resource "aws_backup_plan" "backup" {
name = "oasis-backup-plan"
rule {
rule_name = "backup"
target_vault_name = aws_backup_vault.backup.name
schedule = "cron(0 12-20 * * ? *)"
copy_action {
destination_vault_arn = aws_backup_vault.backup_destination.arn
}
}
}
resource "aws_iam_role" "backup" {
name = "backup_role"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["sts:AssumeRole"],
"Effect": "allow",
"Principal": {
"Service": ["backup.amazonaws.com"]
}
}
]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "backup" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
role = aws_iam_role.backup.name
}
resource "aws_backup_selection" "backup" {
iam_role_arn = aws_iam_role.backup.arn
name = "backup_selection"
plan_id = aws_backup_plan.backup.id
resources = [
aws_db_instance.oasis.arn
data.aws_db_instance.backup.db_instance_arn # My Oracle DB, already existing
]
}
我知道 AWS Backup 在 AWS Organizations 中得到了很大的利用;尽管我们正在为我们的众多帐户使用该模式,但我正在努力避免在这一点上涉及那种级别的控制;我只是在做一个 POC,试图为正在进行的 DR 区域制定一个合理的备份计划。
因此,为了做您想做的事,您需要使用 terraform 的一项功能,该功能允许您配置多个提供商:
https://www.terraform.io/docs/language/providers/configuration.html
配置完后,您可以指定要配置第二个保管库时要使用的提供程序,一切都应该正常运行。