DEV Community

Marko Milosavljevic

Terraform: Managing Multi-Region Database Backups in AWS

Ensuring data durability and resilience is essential to robust infrastructure design. While it's common to configure backups within the single region where the data resides, certain compliance or business requirements might demand multi-region backups. This blog explores how to achieve multi-region backups using Terraform by extending existing backup infrastructure.

Core Configuration: Primary Region Backup

To start, a Backup Vault is created to securely store backup data, encrypted with an AWS KMS key. A Backup Plan, on the other hand, specifies rules for scheduling, lifecycle management, and retention periods. These rules include the following:

  • Backup Vault Reference: All backups are directed to the vault.
  • Retention and Cold Storage: Policies like deleting backups after a certain number of days or transitioning to cold storage.

Additionally, IAM roles are configured to allow the AWS Backup service to access the necessary resources.

Example Terraform configuration:

# Vault in the primary region; aws_kms_key.example is assumed to be defined elsewhere
resource "aws_backup_vault" "this" {
  name        = "example_backup_vault"
  kms_key_arn = aws_kms_key.example.arn
}

resource "aws_backup_plan" "this" {
  name = "${var.vault_name}-backup-plan"

  rule {
    rule_name         = "${var.vault_name}-backup-rule"
    target_vault_name = aws_backup_vault.this.name
    schedule          = "cron(${var.backup_cron})"

    # Cross-region copy: replicate each recovery point to the
    # secondary-region vault created in Step 2 below
    copy_action {
      destination_vault_arn = aws_backup_vault.backup.arn
      lifecycle {
        delete_after       = var.delete_backup_after
        cold_storage_after = var.cold_storage_after
      }
    }

    # Lifecycle of the recovery point in the primary vault.
    # delete_after must be at least 90 days greater than cold_storage_after.
    lifecycle {
      delete_after       = var.delete_backup_after
      cold_storage_after = var.cold_storage_after
    }
  }
}


With this configuration, backups are securely stored in the region of deployment. However, to enhance resilience, we can extend this setup to support cross-region backups.

Extending to Cross-Region Backups

To enable cross-region backups, you’ll need:

  1. Secondary Provider Configuration: Define a provider for the secondary region to handle the resources there.
  2. Cross-Region Vault: Create a new backup vault in the secondary region with its own KMS key for encryption.
  3. Backup Plan Copy Action: Modify the backup plan in the primary region to include a copy action. This ensures backups are automatically replicated to the secondary region, with their own lifecycle policies for retention and cold storage.

Step 1: Define a new AWS Provider

Add a new provider block for the target region:

provider "aws" {
  alias  = "backup"
  region = "eu-west-1" # Specify the secondary region
}


Step 2: Create a Cross-Region Backup Vault

Provision a backup vault in the secondary region:

resource "aws_backup_vault" "backup" {
  provider    = aws.backup
  name        = var.vault_name
  kms_key_arn = data.aws_kms_key.backup.arn
}


Step 3: Access the KMS Key

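Since the vault requires encryption, retrieve or create a KMS key in the secondary region. The data source below retrieves an existing key, identified by the value passed in var.kms_key_arn_backup: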

data "aws_kms_key" "backup" {
  provider = aws.backup
  key_id   = var.kms_key_arn_backup
}


Step 4: Forward Variables Through Modules

If your Terraform project uses modules, ensure variables like kms_key_arn and vault_name are passed to the respective child modules for multi-region configuration.
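Step 4 in practice, as an added example rather than code from the original post: a child module that contains resources with provider = aws.backup has to declare that alias with configuration_aliases and receive it through the providers argument of the module call. The module path ./modules/backup, the primary region, the key ARN and the variable values are constructed placeholders.

```hcl
# --- modules/backup/versions.tf (hypothetical module path) ---
# Declare that this module expects a second AWS provider named aws.backup.
terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      configuration_aliases = [aws.backup]
    }
  }
}

# --- root module: main.tf ---
provider "aws" {
  region = "eu-central-1" # constructed primary region
}

provider "aws" {
  alias  = "backup"
  region = "eu-west-1" # secondary region, as in Step 1
}

module "backup" {
  source = "./modules/backup"

  # Map the root providers onto the names the module uses.
  providers = {
    aws        = aws
    aws.backup = aws.backup
  }

  vault_name = "example_backup_vault"

  # Placeholder ARN; the key must live in the secondary region.
  kms_key_arn_backup = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"

  backup_cron = "0 3 * * ? *" # wrapped as cron(...) inside the plan

  # delete_after must be at least 90 days greater than cold_storage_after.
  cold_storage_after  = 30
  delete_backup_after = 120
}
```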

Challenges and Best Practices

  • Synchronization: Keep the backup schedules consistent across regions.
  • Access Control: Ensure IAM roles have the appropriate cross-region permissions.
  • Cost Considerations: Multi-region backups may incur additional costs for storage and data transfer.
  • Module Design: Modularize the code to avoid duplication when configuring resources for multiple regions.

Benefits of Multi-Region Backups

  • Increased Resilience: Protect against regional outages.
  • Compliance: Meet data governance and disaster recovery standards.
  • Business Continuity: Minimize downtime during regional failures.

Conclusion

By leveraging Terraform, you can easily extend your existing backup configuration to support multi-region setups. With proper planning and modularized code, adding a secondary backup region ensures enhanced data protection without significantly increasing complexity.
