How does this differ from RDS automatic snapshots?
Note that RDS comes with nightly snapshots by default. The main reasons to use this function are:
You want to take snapshots of your database more often than once per night.
You want to store all of your snapshots in a separate AWS account for security and redundancy purposes.
You want to retain backups for longer than the 35-day limit for automatic snapshots.
How do you back up your RDS snapshots to a separate AWS account?
One of the main use cases for this module is to be able to store your RDS snapshots in a completely separate AWS account. That reduces the chances that you, or perhaps an intruder who breaks into your AWS account, can accidentally or intentionally delete all your snapshots.
Let's say you have an RDS database in account A and you want to store snapshots in account B. To set that up, you need to do the following:
Create a KMS key and grant account B permission to use it. Your key configuration should look something like this:
Note: it is not possible to use the default AWS-managed KMS key because you cannot change the key policy to grant permission to account B to access this key. The KMS key is required to copy the snapshot over to account B.
Note: we also have a KMS module to define a new CMK for this purpose. Please refer to this module for more information.
    "Statement": [
      ...
      {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<account_B>:root"
        },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      }
      ...
    ]
Deploy the following lambda functions in account A to i) create an RDS snapshot and ii) share it with account B:
lambda-create-snapshot: lambda function that periodically creates an RDS snapshot on your desired schedule and invokes the lambda-share-snapshot lambda function to share the snapshot with account B.
lambda-share-snapshot: lambda function that shares an RDS snapshot with another account (e.g., account B). Note that the snapshot is not copied into account B at this point; it still exists only in account A. This lambda function simply changes an attribute of the snapshot so that account B can see it.
Create a cross-account IAM policy in account A to allow account B to access the KMS key. Your cross-account IAM policy should look something like this:
Deploy the lambda-copy-shared-snapshot lambda function in account B to copy the shared snapshot. You need the following information to use this lambda function:
rds_db_identifier - RDS identifier of the shared snapshot.
external_account_id - original account that shared the snapshot.
kms_key_id - KMS key used to encrypt the RDS snapshot.
Note: before running this lambda function, you need to grant permission explicitly for the lambda function to access the KMS key in account A by attaching a policy something like this:
The reasons we use lambda functions for handling snapshots are:
It's easy to use scheduled events and schedule expressions to run a lambda function on a periodic basis, which is more reliable than just using cron.
You can give your lambda function access to RDS via IAM roles instead of using API keys with an external app.
The main use case for these lambda snapshot modules is to copy RDS snapshots to an external AWS account. That means
you need to run code in multiple accounts. It's easier to deploy the necessary lambda functions in each account
and give those functions access to RDS via IAM roles than it is to create a CI job that can securely access both
accounts.
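The key policy in the first step is what lets account B copy the shared snapshot, so it is worth checking before the lambda functions are deployed. The following is an added example, not part of this module's code: it audits a key policy document for the four actions listed above and flags broader grants. The account IDs and sample policies are constructed, and Deny statements and conditions on account B's own statement are not evaluated.

```python
import fnmatch
import json

# Actions the key policy above grants to account B.
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:DescribeKey")


def _as_list(value):
    """IAM accepts one value or a list for Statement, Action and Principal.AWS."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _principals(statement):
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _names_account(principal, account_id):
    """True for the bare account ID or the account's root ARN."""
    return principal in (account_id, f"arn:aws:iam::{account_id}:root")


def _covers(granted, required):
    """True if the granted action pattern covers the required one (case-insensitive)."""
    g, r = granted.lower(), required.lower()
    if r.endswith("*"):
        # A wildcard requirement needs an equal or broader trailing wildcard;
        # wildcards in the middle of a pattern are conservatively not matched.
        return g.endswith("*") and r[:-1].startswith(g[:-1])
    return fnmatch.fnmatchcase(r, g)


def audit_key_policy(policy, account_id):
    """Return (missing, excess, open_sids) for the given account in a KMS key policy.

    missing   - required actions the account is not granted
    excess    - granted actions outside the required set (least-privilege check)
    open_sids - Allow statements with Principal "*" and no Condition
    """
    granted, open_sids = set(), []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        principals = _principals(st)
        if "*" in principals and "Condition" not in st:
            # Reported separately: such a statement removes the account boundary.
            open_sids.append(st.get("Sid", "<no Sid>"))
        if any(_names_account(p, account_id) for p in principals):
            granted.update(_as_list(st.get("Action")))
    missing = [r for r in REQUIRED_ACTIONS if not any(_covers(g, r) for g in granted)]
    excess = sorted(g for g in granted
                    if not any(_covers(r, g) for r in REQUIRED_ACTIONS))
    return missing, excess, open_sids


# Constructed sample: account A = 111111111111, account B = 222222222222.
ACCOUNT_B = "222222222222"

PAGE_STYLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Key administration", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:DescribeKey"],
     "Resource": "*"}
  ]
}
""")

# Constructed weak policy: incomplete grant, a destructive action, and an open statement.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AnyoneCanDecrypt", "Effect": "Allow", "Principal": "*",
     "Action": "kms:Decrypt", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["kms:Decrypt", "kms:ScheduleKeyDeletion"], "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("page-style", PAGE_STYLE_POLICY), ("weak", WEAK_POLICY)):
        missing, excess, open_sids = audit_key_policy(policy, ACCOUNT_B)
        print(f"{name}: missing={missing} excess={excess} open={open_sids}")
```
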
How do you configure this module?
This module allows you to configure a number of parameters, such as which database to back up, how often to run the
backups, what account to share the backups with, and more. For a list of all available variables and their
descriptions, see variables.tf.
How do you configure multiple backup schedules?
You can use this module multiple times by configuring different namespaces for the snapshots, which allows you to have
multiple backup schedules with different retention periods. For example, you could keep hourly backups for three days
and weekly backups for one year by configuring two instances of this module.
Configure sharing in the same way as described earlier. Only the snapshots from the module with sharing enabled will be
copied.
It's important to use both snapshot and lambda namespaces in all instances to avoid ambiguity for the
lambda-cleanup-snapshots module. The
lambda-cleanup-snapshots module can be configured with a snapshot_namespace too so
different retention periods can be configured for each set of snapshots. See the
lambda-rds-snapshot-multiple-schedules example.
"detailsContent":"<h1 class=\"preview__body--title\" id=\"data-backup-core-concepts\">Data backup core concepts</h1><div class=\"preview__body--border\"></div><h2 class=\"preview__body--subtitle\" id=\"how-does-this-differ-from-rds-automatic-snapshots\">How does this differ from RDS automatic snapshots?</h2>\n<p>Note that RDS comes with nightly snapshots by default. The main reason to use this function is:</p>\n<ol>\n<li>You want to take snapshots of your database more often than once per night.</li>\n<li>You want to store all of your snapshots in a separate AWS account for security and redundancy purposes.</li>\n<li>You want to retain backups for longer than the 35-day limit for automatic snapshots.</li>\n</ol>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-backup-your-rds-snapshots-to-a-separate-aws-account\">How do you backup your RDS snapshots to a separate AWS account?</h2>\n<p>One of the main use cases for this module is to be able to store your RDS snapshots in a completely separate AWS account. That reduces the chances that you, or perhaps an intruder who breaks into your AWS account, can accidentally or intentionally delete all your snapshots.</p>\n<p>Let's say you have an RDS database in <code>account A</code> and you want to store snapshots in <code>account B</code>. To set that up, you need to do the following:</p>\n<ol>\n<li>\n<p>Create a KMS key and grant permission access to <code>account B</code> . Your key configuration should look something like this:</p>\n<ul>\n<li><strong>Note</strong>: it is not possible to use the default AWS-managed KMS key because you cannot change the key policy to grant permission to <code>account B</code> to access this key. The KMS key is required to copy the snapshot over to <code>account B</code>.</li>\n<li><strong>Note</strong>: we also have a KMS module to define a new CMK for this purpose. 
Please refer to <a href=\"/repos/terraform-aws-security/modules/kms-master-key\" class=\"preview__body--description--blue\">this module</a> for more information</li>\n</ul>\n<pre><span class=\"hljs-string\">\"Statement\"</span>: [\n\t\t...\n {\n <span class=\"hljs-string\">\"Sid\"</span>: <span class=\"hljs-string\">\"Allow use of the key\"</span>,\n <span class=\"hljs-string\">\"Effect\"</span>: <span class=\"hljs-string\">\"Allow\"</span>,\n <span class=\"hljs-string\">\"Principal\"</span>: {\n <span class=\"hljs-string\">\"AWS\"</span>: <span class=\"hljs-string\">\"arn:aws:iam::<account_B>:root\"</span>\n },\n <span class=\"hljs-string\">\"Action\"</span>: [\n <span class=\"hljs-string\">\"kms:Encrypt\"</span>,\n <span class=\"hljs-string\">\"kms:Decrypt\"</span>,\n <span class=\"hljs-string\">\"kms:ReEncrypt*\"</span>,\n <span class=\"hljs-string\">\"kms:DescribeKey\"</span>\n ],\n <span class=\"hljs-string\">\"Resource\"</span>: <span class=\"hljs-string\">\"*\"</span>\n }\n\t\t...\n]\n</pre>\n</li>\n<li>\n<p>Deploy the following lambda functions in <code>account A</code> to i) create RDS snapshot and ii) share it with <code>account B</code></p>\n<ul>\n<li><code>lambda-create-snapshot</code> : lambda function to periodically create RDS snapshot with your desired schedule and invoke <code>lambda-share-snapshot</code> lambda function to share the snapshot with <code>account B</code></li>\n<li><code>lambda-share-snapshot</code> : lambda function to share a RDS snapshot with another account (e.g., <code>account B</code>). Note that you will not see the RDS snapshot in <code>account B</code> because the snapshot only exists in <code>account A</code>. 
This lambda function simply changes the attribute of the snapshot so that the <code>account B</code> can see the snapshot.</li>\n</ul>\n<p><strong>Note</strong>: look at <a href=\"/repos/terraform-aws-data-storage/examples/lambda-rds-snapshot\" class=\"preview__body--description--blue\">examples/lambda-rds-snapshot</a> as reference to use the lambda modules along with your RDS cluster.</p>\n</li>\n<li>\n<p>Create a cross-account IAM policy in <code>account A</code> to allow <code>account B</code> to access the KMS key. Your cross-account IAM policy should look something like this:</p>\n<ul>\n<li>\n<p><strong>Trust Entity:</strong></p>\n<pre>{\n <span class=\"hljs-attr\">\"Version\"</span>: <span class=\"hljs-string\">\"2012-10-17\"</span>,\n <span class=\"hljs-attr\">\"Statement\"</span>: [\n {\n <span class=\"hljs-attr\">\"Effect\"</span>: <span class=\"hljs-string\">\"Allow\"</span>,\n <span class=\"hljs-attr\">\"Principal\"</span>: {\n <span class=\"hljs-attr\">\"AWS\"</span>: <span class=\"hljs-string\">\"arn:aws:iam::<account_B>:root\"</span>\n },\n <span class=\"hljs-attr\">\"Action\"</span>: <span class=\"hljs-string\">\"sts:AssumeRole\"</span>,\n <span class=\"hljs-attr\">\"Condition\"</span>: {}\n }\n ]\n}\n</pre>\n</li>\n<li>\n<p><strong>Permission Policy:</strong></p>\n<pre>{\n <span class=\"hljs-attr\">\"Version\"</span>: <span class=\"hljs-string\">\"2012-10-17\"</span>,\n <span class=\"hljs-attr\">\"Statement\"</span>: [\n {\n <span class=\"hljs-attr\">\"Sid\"</span>: <span class=\"hljs-string\">\"VisualEditor0\"</span>,\n <span class=\"hljs-attr\">\"Effect\"</span>: <span class=\"hljs-string\">\"Allow\"</span>,\n\t\t <span class=\"hljs-attr\">\"Action\"</span>: [\n\t\t <span class=\"hljs-string\">\"kms:Encrypt\"</span>,\n\t\t <span class=\"hljs-string\">\"kms:Decrypt\"</span>,\n\t\t <span class=\"hljs-string\">\"kms:ReEncrypt*\"</span>,\n\t\t <span class=\"hljs-string\">\"kms:DescribeKey\"</span>\n\t\t ],\n <span 
class=\"hljs-attr\">\"Resource\"</span>: <span class=\"hljs-string\">\"arn:aws:kms:<region>:<account_A>:key/<kms_key>\"</span>\n }\n ]\n}\n</pre>\n</li>\n</ul>\n</li>\n<li>\n<p>Deploy the <code>lambda-copy-shared-snapshot</code> lambda function in <code>account B</code> to copy the shared snapshot. You need the following informations to use this lambda function:</p>\n<ul>\n<li><code>rds_db_identifier</code> - RDS identifier of the shared snapshot.</li>\n<li><code>external_account_id</code> - original account that shared the snapshot.</li>\n<li><code>kms_key_id</code>: KMS key used to encrypt the RDS snapshot.</li>\n</ul>\n</li>\n</ol>\n<p><strong>Note</strong>: before running this lambda function, you need to grant permission explicitly for the lambda function to access the KMS key in <code>account A</code> by attaching a policy something like this:</p>\n<pre>{\n <span class=\"hljs-attr\">\"Version\"</span>: <span class=\"hljs-string\">\"2012-10-17\"</span>,\n <span class=\"hljs-attr\">\"Statement\"</span>: [\n {\n <span class=\"hljs-attr\">\"Sid\"</span>: <span class=\"hljs-string\">\"VisualEditor0\"</span>,\n <span class=\"hljs-attr\">\"Effect\"</span>: <span class=\"hljs-string\">\"Allow\"</span>,\n\t\t <span class=\"hljs-attr\">\"Action\"</span>: [\n\t\t <span class=\"hljs-string\">\"kms:Encrypt\"</span>,\n\t\t <span class=\"hljs-string\">\"kms:Decrypt\"</span>,\n\t\t <span class=\"hljs-string\">\"kms:ReEncrypt*\"</span>,\n\t\t <span class=\"hljs-string\">\"kms:DescribeKey\"</span>\n\t\t ],\n <span class=\"hljs-attr\">\"Resource\"</span>: <span class=\"hljs-string\">\"arn:aws:kms:<region>:<account A>:key/<KMS key>\"</span>\n }\n ]\n}\n</pre>\n<h2 class=\"preview__body--subtitle\" id=\"why-use-lambda-functions\">Why use lambda functions?</h2>\n<p>The reason we use lambda functions for handling snapshots is:</p>\n<ol>\n<li>\n<p>It's easy to use <a href=\"http://docs.aws.amazon.com/lambda/latest/dg/with-scheduled-events.html\" 
class=\"preview__body--description--blue\" target=\"_blank\">scheduled events</a> and\n<a href=\"http://docs.aws.amazon.com/lambda/latest/dg/tutorial-scheduled-events-schedule-expressions.html\" class=\"preview__body--description--blue\" target=\"_blank\">schedule expressions</a>\nto run a lambda function on a periodic basis that is more reliable than just using cron.</p>\n</li>\n<li>\n<p>You can give your lambda function access to RDS via IAM roles instead of using API keys with an external app.</p>\n</li>\n<li>\n<p>The main use case for these lambda snapshot modules is to copy RDS snapshots to an external AWS account. That means\nyou need to run code in multiple accounts. It's easier to deploy the necessary lambda functions in each account\nand give those functions access to RDS via IAM roles than it is to create a CI job that can securely access both\naccounts.</p>\n</li>\n</ol>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-configure-this-module\">How do you configure this module?</h2>\n<p>This module allows you to configure a number of parameters, such as which database to backup, how often to run the\nbackups, what account to share the backups with, and more. For a list of all available variables and their\ndescriptions, see <a href=\"/repos/v0.29.2/module-data-storage/modules/lambda-create-snapshot/variables.tf\" class=\"preview__body--description--blue\">variables.tf</a>.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-configure-multiple-backup-schedules\">How do you configure multiple backup schedules?</h2>\n<p>You can use this module multiple times by configuring different namespaces for the snapshots, which allows you to have\nmultiple backup schedules with different retention periods. 
For example you could keep hourly backups for three days,\nand weekly backups for one year by configuring two instances of this modules.</p>\n<pre><span class=\"hljs-keyword\">module</span> <span class=\"hljs-string\">\"create_daily_snapshot\"</span> {\n source = <span class=\"hljs-string\">\"git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/lambda-create-snapshot?ref=v1.0.8\"</span>\n\n <span class=\"hljs-comment\"># ... (other params omitted) ...</span>\n\n lambda_namespace = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${var.rds_db_identifier}</span>-create-weekly-snapshot\"</span>\n snapshot_namespace = <span class=\"hljs-string\">\"daily\"</span>\n schedule_expression = <span class=\"hljs-string\">\"rate(1 day)\"</span>\n}\n\n<span class=\"hljs-keyword\">module</span> <span class=\"hljs-string\">\"create_weekly_snapshot\"</span> {\n source = <span class=\"hljs-string\">\"git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/lambda-create-snapshot?ref=v1.0.8\"</span>\n\n <span class=\"hljs-comment\"># ... (other params omitted) ...</span>\n lambda_namespace = <span class=\"hljs-string\">\"<span class=\"hljs-variable\">${var.rds_db_identifier}</span>-create-weekly-snapshot\"</span>\n snapshot_namespace = <span class=\"hljs-string\">\"weekly\"</span>\n schedule_expression = <span class=\"hljs-string\">\"rate(1 week)\"</span>\n}\n</pre>\n<p>Configure sharing in the same way as described earlier. Only the snapshots from the module with sharing enabled will be\ncopied.</p>\n<p>It's important to use both snapshot and lambda namespaces in all instances to avoid ambiguity for the\n<a href=\"/repos/v0.29.2/module-data-storage/modules/lambda-cleanup-snapshots\" class=\"preview__body--description--blue\">lambda-cleanup-snapshots</a> module. 
The\n<a href=\"/repos/v0.29.2/module-data-storage/modules/lambda-cleanup-snapshots\" class=\"preview__body--description--blue\">lambda-cleanup-snapshots</a> module can be configured with a <code>snapshot_namespace</code> too so\ndifferent retention periods can be configured for each set of snapshots. See the\n<a href=\"/repos/v0.29.2/module-data-storage/examples/lambda-rds-snapshot-multiple-schedules\" class=\"preview__body--description--blue\">lambda-rds-snapshot-multiple-schedules</a> example.</p>\n","repoName":"module-data-storage","repoRef":"v0.30.0","serviceDescriptor":{"serviceName":"Database backup","serviceRepoName":"module-data-storage","serviceRepoOrg":"gruntwork-io","serviceMainReadmePath":"/modules/lambda-create-snapshot/README.adoc","cloudProviders":["aws"],"description":"Snapshot your RDS databases and copy the snapshots to other AWS accounts on a scheduled basis for disaster recovery.","imageUrl":"grunt.png","licenseType":"subscriber","technologies":["Terraform","JavaScript","Lambda"],"compliance":[],"tags":[""]},"serviceCategoryName":"Backup & recovery","fileName":"core-concepts.md","filePath":"/modules/lambda-create-snapshot/core-concepts.md","title":"Repo Browser: Database backup","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}
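To check the KMS key policy from the cross-account setup described earlier before deploying it, the following added example (not part of the Gruntwork module) flags any Allow statement that names a principal outside the backup account or grants that account more than the four listed actions. The function names and the account IDs are assumptions made for this example.

```python
import json

# The four actions the key policy on this page grants to account B.
PAGE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:DescribeKey"}

def _as_list(value):
    """Policy JSON allows a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID of an IAM ARN or bare account ID; None for '*' and the like."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None

def audit_key_policy(policy, owner_account, backup_account, allowed=PAGE_ACTIONS):
    """Return findings for Allow statements that go beyond the intended sharing."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = set(_as_list(stmt.get("Action", [])))
        for arn in arns:
            account = _account_of(arn)
            if account == owner_account:
                continue  # the key's own account administers the key
            if account != backup_account:
                findings.append(f"{sid}: principal {arn} is not the backup account")
            elif not actions <= allowed:  # exact-string comparison of action names
                extra = ", ".join(sorted(actions - allowed))
                findings.append(f"{sid}: backup account granted extra actions: {extra}")
    return findings

# Constructed sample: account IDs are placeholders, not real accounts.
SAMPLE_POLICY = json.loads("""{"Statement": [
  {"Sid": "Allow use of the key", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
   "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:DescribeKey"]},
  {"Sid": "TooBroad", "Effect": "Allow",
   "Principal": {"AWS": "222222222222"}, "Action": "kms:*"},
  {"Sid": "Stranger", "Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::333333333333:root"]}, "Action": "kms:Decrypt"}
]}""")
```

Calling `audit_key_policy(SAMPLE_POLICY, "111111111111", "222222222222")` reports the `TooBroad` and `Stranger` statements and passes the statement that matches the policy shown on this page.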