Manages selection conditions for AWS Backup plan resources.
The below example creates an IAM role with the default managed IAM Policy for allowing AWS Backup to create backups.
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
principals {
type = "Service"
identifiers = ["backup.amazonaws.com"]
}
actions = ["sts:AssumeRole"]
}
}
resource "aws_iam_role" "example" {
name = "example"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_iam_role_policy_attachment" "example" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
role = aws_iam_role.example.name
}
resource "aws_backup_selection" "example" {
# ... other configuration ...
iam_role_arn = aws_iam_role.example.arn
}
resource "aws_backup_selection" "example" {
iam_role_arn = aws_iam_role.example.arn
name = "tf_example_backup_selection"
plan_id = aws_backup_plan.example.id
selection_tag {
type = "STRINGEQUALS"
key = "foo"
value = "bar"
}
}
resource "aws_backup_selection" "example" {
iam_role_arn = aws_iam_role.example.arn
name = "tf_example_backup_selection"
plan_id = aws_backup_plan.example.id
resources = ["*"]
condition {
string_equals {
key = "aws:ResourceTag/Component"
value = "rds"
}
string_like {
key = "aws:ResourceTag/Application"
value = "app*"
}
string_not_equals {
key = "aws:ResourceTag/Backup"
value = "false"
}
string_not_like {
key = "aws:ResourceTag/Environment"
value = "test*"
}
}
}
resource "aws_backup_selection" "example" {
iam_role_arn = aws_iam_role.example.arn
name = "tf_example_backup_selection"
plan_id = aws_backup_plan.example.id
resources = [
aws_db_instance.example.arn,
aws_ebs_volume.example.arn,
aws_efs_file_system.example.arn,
]
}
resource "aws_backup_selection" "example" {
iam_role_arn = aws_iam_role.example.arn
name = "tf_example_backup_selection"
plan_id = aws_backup_plan.example.id
not_resources = [
aws_db_instance.example.arn,
aws_ebs_volume.example.arn,
aws_efs_file_system.example.arn,
]
}
This resource supports the following arguments:
name
- (Required) The display name of a resource selection document.plan_id
- (Required) The backup plan ID to be associated with the selection of resources.iam_role_arn
- (Required) The ARN of the IAM role that AWS Backup uses to authenticate when restoring and backing up the target resource. See the AWS Backup Developer Guide for additional information about using AWS managed policies or creating custom policies attached to the IAM role.selection_tag
- (Optional) Tag-based conditions used to specify a set of resources to assign to a backup plan.condition
- (Optional) A list of conditions that you define to assign resources to your backup plans using tags.resources
- (Optional) An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan.not_resources
- (Optional) An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan.Tag conditions (selection_tag
) support the following:
type
- (Required) An operation, such as StringEquals
, that is applied to a key-value pair used to filter resources in a selection.key
- (Required) The key in a key-value pair.value
- (Required) The value in a key-value pair.This resource exports the following attributes in addition to the arguments above:
id
- Backup Selection identifierIn Terraform v1.5.0 and later, use an import
block to import Backup selection using the role plan_id and id separated by |
. For example:
import {
to = aws_backup_selection.example
id = "plan-id|selection-id"
}
Using terraform import
, import Backup selection using the role plan_id and id separated by |
. For example:
% terraform import aws_backup_selection.example plan-id|selection-id