Marko Milosavljevic

Terraform: Managing Multi-Region Database Backups in AWS

Ensuring data durability and resilience is essential to robust infrastructure design. While it's common to configure backups within the single region where the data resides, certain compliance or business requirements might demand multi-region backups. This blog explores how to achieve multi-region backups using Terraform by extending existing backup infrastructure.

Core Configuration: Primary Region Backup

To start, a Backup Vault is created to securely store backup data, encrypted with an AWS KMS key. A Backup Plan, in turn, specifies rules for scheduling, lifecycle management, and retention periods. These rules include the following:

  • Backup Vault Reference: All backups are directed to the vault.
  • Retention and Cold Storage: Policies like deleting backups after a certain number of days or transitioning to cold storage.

Additionally, IAM roles are configured to allow the AWS Backup service to access the necessary resources.

Example Terraform configuration:

# Primary vault, encrypted with a KMS key in the deployment region.
# Named "this" so the references in the backup plan below resolve.
resource "aws_backup_vault" "this" {
  name        = "example_backup_vault"
  kms_key_arn = aws_kms_key.example.arn
}

resource "aws_backup_plan" "this" {
  name = "${var.vault_name}-backup-plan"

  rule {
    rule_name         = "${var.vault_name}-backup-rule"
    target_vault_name = aws_backup_vault.this.name
    schedule          = "cron(${var.backup_cron})"

    # Copy action whose destination is the primary vault.
    copy_action {
      destination_vault_arn = aws_backup_vault.this.arn
      lifecycle {
        delete_after       = var.delete_backup_after
        cold_storage_after = var.cold_storage_after
      }
    }

    # Copy action to the secondary-region vault (aws_backup_vault.backup,
    # defined in Step 2 below), with its own lifecycle.
    copy_action {
      destination_vault_arn = aws_backup_vault.backup.arn
      lifecycle {
        delete_after       = var.delete_backup_after
        cold_storage_after = var.cold_storage_after
      }
    }

    # Lifecycle of the recovery points kept in the primary vault.
    lifecycle {
      delete_after       = var.delete_backup_after
      cold_storage_after = var.cold_storage_after
    }
  }
}


With this configuration, backups are securely stored in the region of deployment. However, to enhance resilience, we can extend this setup to support cross-region backups.

Extending to Cross-Region Backups

To enable cross-region backups, you’ll need:

  1. Secondary Provider Configuration: Define a provider for the secondary region to handle the resources there.
  2. Cross-Region Vault: Create a new backup vault in the secondary region with its own KMS key for encryption.
  3. Backup Plan Copy Action: Modify the backup plan in the primary region to include a copy action. This ensures backups are automatically replicated to the secondary region, with their own lifecycle policies for retention and cold storage.

Step 1: Define a new AWS Provider

Add a new provider block for the target region:

provider "aws" {
  alias  = "backup"
  region = "eu-west-1" # Specify the secondary region
}


Step 2: Create a Cross-Region Backup Vault

Provision a backup vault in the secondary region:

resource "aws_backup_vault" "backup" {
  provider    = aws.backup
  name        = var.vault_name
  kms_key_arn = data.aws_kms_key.backup.arn
}


Step 3: Access the KMS Key

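Since the vault requires encryption, retrieve or create a KMS key in the secondary region. The data source below looks up an existing key through the secondary-region provider; it does not create one: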

data "aws_kms_key" "backup" {
  provider = aws.backup
  key_id   = var.kms_key_arn_backup
}


Step 4: Forward Variables Through Modules

If your Terraform project uses modules, ensure variables like kms_key_arn and vault_name are passed to the respective child modules for multi-region configuration.
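
One way to wire Step 4, shown as an added example that is not part of the original post: a child module that uses the aliased provider must declare it with configuration_aliases, and the root module must pass it explicitly in the providers map. The module path ./modules/backup, the file name versions.tf and the primary region are assumptions; the variable names are the ones used in the snippets above.

```hcl
# Added example, not from the original post.
# Assumed layout: the backup resources live in ./modules/backup.

# --- child module: modules/backup/versions.tf ---
# Declares that this module expects a second AWS provider named aws.backup,
# so resources with `provider = aws.backup` resolve inside the module.
terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      configuration_aliases = [aws.backup]
    }
  }
}

# --- root module ---
provider "aws" {
  region = "eu-central-1" # primary region (assumed value)
}

provider "aws" {
  alias  = "backup"
  region = "eu-west-1" # secondary region, as in Step 1
}

module "backup" {
  source = "./modules/backup"

  # Without this map the child module only inherits the default provider
  # and the secondary-region vault cannot be planned.
  providers = {
    aws        = aws
    aws.backup = aws.backup
  }

  vault_name          = var.vault_name
  kms_key_arn         = var.kms_key_arn
  kms_key_arn_backup  = var.kms_key_arn_backup
  backup_cron         = var.backup_cron
  delete_backup_after = var.delete_backup_after
  cold_storage_after  = var.cold_storage_after
}
```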

Challenges and Best Practices

  • Synchronization: Keep the backup schedules consistent across regions.
  • Access Control: Ensure IAM roles have the appropriate cross-region permissions.
  • Cost Considerations: Multi-region backups may incur additional costs for storage and data transfer.
  • Module Design: Modularize the code to avoid duplication when configuring resources for multiple regions.
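
The IAM role referred to in the core configuration and in the Access Control point above, as an added example that is not part of the original post: a role that only the AWS Backup service can assume, with the AWS-managed backup policy attached, bound to the plan through a backup selection. The resource names and the Backup = "true" tag are assumptions; aws_backup_plan.this is the plan defined earlier.

```hcl
# Added example, not from the original post.
# Resource names and the selection tag are assumptions.

# Trust policy: only the AWS Backup service may assume the role.
data "aws_iam_policy_document" "backup_assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["backup.amazonaws.com"]
    }
  }
}

# IAM is a global service, so one role serves both regions.
resource "aws_iam_role" "backup" {
  name               = "${var.vault_name}-backup-role"
  assume_role_policy = data.aws_iam_policy_document.backup_assume.json
}

# AWS-managed policy granting the permissions AWS Backup needs to back up
# supported resources; prefer it over a hand-written wildcard policy.
resource "aws_iam_role_policy_attachment" "backup" {
  role       = aws_iam_role.backup.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
}

# Assigns resources to the plan by tag. iam_role_arn is the role AWS Backup
# assumes when it works on the selected resources.
resource "aws_backup_selection" "databases" {
  name         = "${var.vault_name}-selection"
  plan_id      = aws_backup_plan.this.id
  iam_role_arn = aws_iam_role.backup.arn

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "Backup" # assumed tag key
    value = "true"   # assumed tag value
  }
}
```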

Benefits of Multi-Region Backups

  • Increased Resilience: Protect against regional outages.
  • Compliance: Meet data governance and disaster recovery standards.
  • Business Continuity: Minimize downtime during regional failures.

Conclusion

By leveraging Terraform, you can easily extend your existing backup configuration to support multi-region setups. With proper planning and modularized code, adding a secondary backup region ensures enhanced data protection without significantly increasing complexity.
