Logo

dev-resources.site

for different kinds of informations.

Terraform: Managing Multi-Region Database Backups in AWS

Published at
12/13/2024
Categories
terraform
automation
aws
devops
Author
Marko Milosavljevic
Categories
4 categories in total
terraform
open
automation
open
aws
open
devops
open
Terraform: Managing Multi-Region Database Backups in AWS

Ensuring data durability and resilience is an essence of robust infrastructure design. While it's common to configure backups within a single region where the data resides, certain compliance or business requirements might demand multi-region backups. This blog explores how to achieve multi-region backups using Terraform by extending existing backup infrastructure.

Core Configuration: Primary Region Backup

To start, a Backup Vault is created to securely store backup data, encrypted with an AWS KMS key. A Backup Plan on the other hand specifies rules for scheduling, lifecycle management, and retention periods. These rules include the following:

  • Backup Vault Reference: All backups are directed to the vault.
  • Retention and Cold Storage: Policies like deleting backups after a certain number of days or transitioning to cold storage.
  • Additionally, IAM roles are configured to allow the AWS Backup service to access the necessary resources.

Example Terraform configuration:

resource "aws_backup_vault" "example" {
  name        = "example_backup_vault"
  kms_key_arn = aws_kms_key.example.arn
}

resource "aws_backup_plan" "this" {
  name = "${var.vault_name}-backup-plan"

  rule {
    rule_name         = "${var.vault_name}-backup-rule"
    target_vault_name = aws_backup_vault.this.name
    schedule          = "cron(${var.backup_cron})"
    copy_action {
      destination_vault_arn = aws_backup_vault.this.arn
      lifecycle {
        delete_after       = var.delete_backup_after
        cold_storage_after = var.cold_storage_after
      }
    }
    copy_action {
      destination_vault_arn = aws_backup_vault.backup.arn
      lifecycle {
        delete_after       = var.delete_backup_after
        cold_storage_after = var.cold_storage_after
      }
    }

    lifecycle {
      delete_after       = var.delete_backup_after
      cold_storage_after = var.cold_storage_after
    }
  }

}

With this configuration, backups are securely stored in the region of deployment. However, to enhance resilience, we can extend this setup to support cross-region backups.

Extending to Cross-Region Backups

To enable cross-region backups, you’ll need:

  1. Secondary Provider Configuration: Define a provider for the secondary region to handle the resources there.
  2. Cross-Region Vault: Create a new backup vault in the secondary region with its KMS key for encryption.
  3. Backup Plan Copy Action: Modify the backup plan in the primary region to include a copy action. This ensures backups are automatically replicated to the secondary region, with their own lifecycle policies for retention and cold storage.

Step 1: Define a new AWS Provider

Add a new provider block for the target region:

provider "aws" {
  alias  = "backup"
  region = "eu-west-1" # Specify the secondary region
}

Step 2: Create a Cross-Region Backup Vault

Provision a backup vault in the secondary region:

resource "aws_backup_vault" "backup" {
  provider    = aws.backup
  name        = var.vault_name
  kms_key_arn = data.aws_kms_key.backup.arn
}

Step 3: Access the KMS Key

Since the vault requires encryption, retrieve or create a KMS key in the secondary region:

data "aws_kms_key" "backup" {
  provider = aws.backup
  key_id   = var.kms_key_arn_backup
}

Step 4: Forward Variables Through Modules

If your Terraform project uses modules, ensure variables like kms_key_arn and vault_name are passed to the respective child modules for multi-region configuration.

Challenges and Best Practices

  • Synchronization: Keep the backup schedules consistent across regions.
  • Access Control: Ensure IAM roles have the appropriate cross-region permissions.
  • Cost Considerations: Multi-region backups may incur additional costs for storage and data transfer.
  • Module Design: Modularize the code to avoid duplication when configuring resources for multiple regions.

Benefits of Multi-Region Backups

  • Increased Resilience: Protect against regional outages.
  • Compliance: Meet data governance and disaster recovery standards.
  • Business Continuity: Minimize downtime during regional failures.

Conclusion

By leveraging Terraform, you can easily extend your existing backup configuration to support multi-region setups. With proper planning and modularized code, adding a secondary backup region ensures enhanced data protection without significantly increasing complexity.

Featured ones: