feat: add support for aws_backup_global_settings (#277)

lgallard · claude[bot] · web-flow · commit 44e99e3fd180 · 2025-10-21T19:16:42.000+02:00
* feat: add support for aws_backup_global_settings - Add enable_global_settings and global_settings variables with comprehensive validation - Implement conditional aws_backup_global_settings resource in main.tf - Add outputs for global settings management and monitoring - Create backup_global_settings example with full documentation - Enable centralized cross-account backup governance capabilities - Support enterprise compliance and security requirements Closes #235 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Luis M. Gallardo D. <lgallard@users.noreply.github.com> * fix: use variables in backup_global_settings example - Use enable_cross_account_backup variable instead of hardcoded 'true' - Use vault_name, backup_schedule, backup_retention_days variables - Use tags variable for consistent tagging - Resolves unused variable issue from bug hunt review Co-authored-by: Luis M. Gallardo D. <lgallard@users.noreply.github.com> --------- Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: Luis M. Gallardo D. <lgallard@users.noreply.github.com>
diff --git a/README.md b/README.md
@@ -80,6 +80,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_backup_framework.ab_framework](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_framework) | resource |
+| [aws_backup_global_settings.ab_global_settings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_global_settings) | resource |
 | [aws_backup_logically_air_gapped_vault.ab_airgapped_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_logically_air_gapped_vault) | resource |
 | [aws_backup_plan.ab_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource |
 | [aws_backup_plan.ab_plans](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource |
@@ -123,8 +124,10 @@ No modules.
 | <a name="input_changeable_for_days"></a> [changeable\_for\_days](#input\_changeable\_for\_days) | The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode | `number` | `null` | no |
 | <a name="input_default_lifecycle_cold_storage_after_days"></a> [default\_lifecycle\_cold\_storage\_after\_days](#input\_default\_lifecycle\_cold\_storage\_after\_days) | Default number of days after creation that a recovery point is moved to cold storage. Used when cold\_storage\_after is not specified in lifecycle configuration. | `number` | `0` | no |
 | <a name="input_default_lifecycle_delete_after_days"></a> [default\_lifecycle\_delete\_after\_days](#input\_default\_lifecycle\_delete\_after\_days) | Default number of days after creation that a recovery point is deleted. Used when delete\_after is not specified in lifecycle configuration. | `number` | `90` | no |
+| <a name="input_enable_global_settings"></a> [enable\_global\_settings](#input\_enable\_global\_settings) | Whether to manage AWS Backup global settings. Enable this to configure account-level backup settings. | `bool` | `false` | no |
 | <a name="input_enable_org_policy"></a> [enable\_org\_policy](#input\_enable\_org\_policy) | Enable AWS Organizations backup policy | `bool` | `false` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Change to false to avoid deploying any AWS Backup resources | `bool` | `true` | no |
+| <a name="input_global_settings"></a> [global\_settings](#input\_global\_settings) | Global settings for AWS Backup. Currently supports isCrossAccountBackupEnabled for centralized cross-account backup governance. | `map(string)` | <pre>{<br/>  "isCrossAccountBackupEnabled": "false"<br/>}</pre> | no |
 | <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | If configured, the module will attach this role to selections, instead of creating IAM resources by itself | `string` | `null` | no |
 | <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Allow to set IAM role name, otherwise use predefined default | `string` | `""` | no |
 | <a name="input_locked"></a> [locked](#input\_locked) | Change to true to add a lock configuration for the backup vault | `bool` | `false` | no |
@@ -169,10 +172,14 @@ No modules.
 |------|-------------|
 | <a name="output_airgapped_vault_arn"></a> [airgapped\_vault\_arn](#output\_airgapped\_vault\_arn) | The ARN of the air gapped vault |
 | <a name="output_airgapped_vault_id"></a> [airgapped\_vault\_id](#output\_airgapped\_vault\_id) | The name of the air gapped vault |
+| <a name="output_cross_account_backup_enabled"></a> [cross\_account\_backup\_enabled](#output\_cross\_account\_backup\_enabled) | Whether cross-account backup is enabled for centralized governance |
 | <a name="output_framework_arn"></a> [framework\_arn](#output\_framework\_arn) | The ARN of the backup framework |
 | <a name="output_framework_creation_time"></a> [framework\_creation\_time](#output\_framework\_creation\_time) | The date and time that the backup framework was created |
 | <a name="output_framework_id"></a> [framework\_id](#output\_framework\_id) | The unique identifier of the backup framework |
 | <a name="output_framework_status"></a> [framework\_status](#output\_framework\_status) | The deployment status of the backup framework |
+| <a name="output_global_settings"></a> [global\_settings](#output\_global\_settings) | AWS Backup global settings configuration |
+| <a name="output_global_settings_id"></a> [global\_settings\_id](#output\_global\_settings\_id) | AWS Account ID where global settings are applied |
+| <a name="output_global_settings_summary"></a> [global\_settings\_summary](#output\_global\_settings\_summary) | Summary of global settings configuration and governance capabilities |
 | <a name="output_plan_arn"></a> [plan\_arn](#output\_plan\_arn) | The ARN of the backup plan |
 | <a name="output_plan_id"></a> [plan\_id](#output\_plan\_id) | The id of the backup plan |
 | <a name="output_plan_role"></a> [plan\_role](#output\_plan\_role) | The service role of the backup plan |
@@ -290,6 +297,21 @@ In case you get an error message similar to this one:
 error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
 ```
 
+Add the [required IAM permissions mentioned in the CreateBackupVault row](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#backup-api-permissions-ref) to the role or user creating the Vault (the one running Terraform CLI). In particular make sure `kms` and `backup-storage` permissions are added.
+<!-- END_TF_DOCS -->
+
+## Known Issues
+
+During the development of the module, the following issues were found:
+
+### Error creating Backup Vault
+
+In case you get an error message similar to this one:
+
+```
+error creating Backup Vault (): AccessDeniedException: status code: 403, request id: 8e7e577e-5b74-4d4d-95d0-bf63e0b2cc2e,
+```
+
 Add the [required IAM permissions mentioned in the CreateBackupVault row](https://docs.aws.amazon.com/aws-backup/latest/devguide/access-control.html#backup-api-permissions-ref) to the role or user creating the Vault (the one running Terraform CLI). In particular make sure `kms` and `backup-storage` permissions are added.
 
 ## Testing
diff --git a/examples/backup_global_settings/README.md b/examples/backup_global_settings/README.md
@@ -0,0 +1,123 @@
+# AWS Backup Global Settings Example
+
+This example demonstrates how to configure AWS Backup global settings for centralized cross-account backup governance.
+
+## Features Demonstrated
+
+- **Global Settings Management**: Enable and configure AWS Backup global settings
+- **Cross-Account Backup**: Enable centralized backup governance across multiple AWS accounts
+- **Enterprise Governance**: Account-level settings for backup operations
+- **Backup Configuration**: Basic vault, plan, and selection setup with global settings
+
+## Architecture
+
+```
+AWS Account (Management/Central)
+├── Global Settings (Account-level)
+│   └── isCrossAccountBackupEnabled: true
+├── Backup Vault
+├── Backup Plan
+└── Resource Selections
+```
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example will create resources which may cost money. Run `terraform destroy` when you don't need these resources.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws_backup_global_settings"></a> [aws\_backup\_global\_settings](#module\_aws\_backup\_global\_settings) | ../.. | n/a |
+
+## Resources
+
+Created by the module:
+- `aws_backup_global_settings` - Account-level backup settings
+- `aws_backup_vault` - Backup vault for storing recovery points
+- `aws_backup_plan` - Backup plan with scheduling and lifecycle policies
+- `aws_backup_selection` - Resource selection for automated backups
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_backup_retention_days"></a> [backup\_retention\_days](#input\_backup\_retention\_days) | Number of days to retain backups | `number` | `30` | no |
+| <a name="input_backup_schedule"></a> [backup\_schedule](#input\_backup\_schedule) | Cron expression for backup schedule | `string` | `"cron(0 2 * * ? *)"` | no |
+| <a name="input_enable_cross_account_backup"></a> [enable\_cross\_account\_backup](#input\_enable\_cross\_account\_backup) | Enable cross-account backup functionality | `bool` | `true` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to resources | `map(string)` | `{"BackupGovernance": "centralized", "Environment": "production", "Owner": "backup-team", "Terraform": true}` | no |
+| <a name="input_vault_name"></a> [vault\_name](#input\_vault\_name) | Name of the backup vault to create | `string` | `"centralized-backup-vault"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cross_account_backup_enabled"></a> [cross\_account\_backup\_enabled](#output\_cross\_account\_backup\_enabled) | Whether cross-account backup is enabled |
+| <a name="output_global_settings"></a> [global\_settings](#output\_global\_settings) | Configured global settings |
+| <a name="output_global_settings_id"></a> [global\_settings\_id](#output\_global\_settings\_id) | AWS Account ID where global settings are applied |
+| <a name="output_global_settings_summary"></a> [global\_settings\_summary](#output\_global\_settings\_summary) | Summary of global settings configuration |
+| <a name="output_plan_arn"></a> [plan\_arn](#output\_plan\_arn) | ARN of the backup plan |
+| <a name="output_vault_arn"></a> [vault\_arn](#output\_vault\_arn) | ARN of the backup vault |
+
+## Global Settings Configuration
+
+### Cross-Account Backup Enablement
+
+When `isCrossAccountBackupEnabled` is set to `"true"`:
+
+1. **Centralized Governance**: Enables centralized backup management across AWS accounts
+2. **Organization Policies**: Allows AWS Organizations backup policies to be applied
+3. **Cross-Account IAM**: Enables backup operations across account boundaries
+4. **Compliance**: Supports enterprise compliance frameworks requiring centralized backup
+
+### Enterprise Use Cases
+
+- **Multi-Account Organizations**: Centralized backup governance for AWS Organizations
+- **Compliance Requirements**: Meeting regulatory requirements for backup management
+- **Security**: Controlled cross-account backup operations
+- **Cost Optimization**: Centralized backup strategies and policies
+
+## Next Steps
+
+After deploying this example:
+
+1. **Configure AWS Organizations Backup Policies** for centralized governance
+2. **Set up cross-account IAM roles** for backup operations
+3. **Implement backup compliance frameworks** across accounts
+4. **Monitor backup activities** through AWS CloudTrail and CloudWatch
+
+## Important Notes
+
+- Global settings are **account-level** configurations (one per AWS account)
+- Cross-account backup requires proper **IAM permissions** across accounts
+- This feature is particularly valuable for **enterprise environments**
+- Consider **AWS Organizations integration** for complete centralized governance
+
+## Compliance and Security
+
+This configuration supports:
+- SOC 2 compliance for backup governance
+- GDPR requirements for data retention
+- HIPAA backup and recovery standards
+- Financial services backup regulations
diff --git a/examples/backup_global_settings/main.tf b/examples/backup_global_settings/main.tf
@@ -0,0 +1,67 @@
+# AWS Backup Global Settings Example
+# 
+# This example demonstrates how to configure AWS Backup global settings
+# for centralized cross-account backup governance.
+
+# AWS Backup with Global Settings
+module "aws_backup_global_settings" {
+  source = "../.."
+
+  # Enable global settings management
+  enable_global_settings = true
+
+  # Configure global settings for cross-account backup governance
+  global_settings = {
+    "isCrossAccountBackupEnabled" = tostring(var.enable_cross_account_backup)
+  }
+
+  # Basic vault configuration
+  vault_name = var.vault_name
+
+  # Basic plan for demonstration
+  plan_name = "global-settings-plan"
+
+  # Simple rule
+  rules = [
+    {
+      name              = "daily-backup"
+      schedule          = var.backup_schedule
+      start_window      = 120
+      completion_window = 360
+      lifecycle = {
+        delete_after = var.backup_retention_days
+      }
+      copy_actions = []
+      recovery_point_tags = {
+        BackupType  = "Automated"
+        Governance  = "Centralized"
+        Environment = "production"
+      }
+    }
+  ]
+
+  # Resource selection
+  selections = [
+    {
+      name = "production-resources"
+      resources = [
+        "arn:aws:ec2:*:*:instance/*",
+        "arn:aws:rds:*:*:db:*"
+      ]
+      selection_tags = [
+        {
+          type  = "STRINGEQUALS"
+          key   = "Environment"
+          value = "production"
+        },
+        {
+          type  = "STRINGEQUALS"
+          key   = "BackupRequired"
+          value = "true"
+        }
+      ]
+    }
+  ]
+
+  tags = var.tags
+}
diff --git a/examples/backup_global_settings/outputs.tf b/examples/backup_global_settings/outputs.tf
@@ -0,0 +1,31 @@
+# Global Settings Outputs
+output "global_settings_id" {
+  description = "AWS Account ID where global settings are applied"
+  value       = module.aws_backup_global_settings.global_settings_id
+}
+
+output "global_settings" {
+  description = "Configured global settings"
+  value       = module.aws_backup_global_settings.global_settings
+}
+
+output "cross_account_backup_enabled" {
+  description = "Whether cross-account backup is enabled"
+  value       = module.aws_backup_global_settings.cross_account_backup_enabled
+}
+
+output "global_settings_summary" {
+  description = "Summary of global settings configuration"
+  value       = module.aws_backup_global_settings.global_settings_summary
+}
+
+# Additional backup outputs for reference
+output "vault_arn" {
+  description = "ARN of the backup vault"
+  value       = module.aws_backup_global_settings.vault_arn
+}
+
+output "plan_arn" {
+  description = "ARN of the backup plan"
+  value       = module.aws_backup_global_settings.plan_arn
+}
diff --git a/examples/backup_global_settings/variables.tf b/examples/backup_global_settings/variables.tf
@@ -0,0 +1,36 @@
+# Optional variables for customizing the example
+
+variable "vault_name" {
+  description = "Name of the backup vault to create"
+  type        = string
+  default     = "centralized-backup-vault"
+}
+
+variable "enable_cross_account_backup" {
+  description = "Enable cross-account backup functionality"
+  type        = bool
+  default     = true
+}
+
+variable "backup_schedule" {
+  description = "Cron expression for backup schedule"
+  type        = string
+  default     = "cron(0 2 * * ? *)" # Daily at 2 AM
+}
+
+variable "backup_retention_days" {
+  description = "Number of days to retain backups"
+  type        = number
+  default     = 30
+}
+
+variable "tags" {
+  description = "A mapping of tags to assign to resources"
+  type        = map(string)
+  default = {
+    Owner            = "backup-team"
+    Environment      = "production"
+    BackupGovernance = "centralized"
+    Terraform        = true
+  }
+}
diff --git a/examples/backup_global_settings/versions.tf b/examples/backup_global_settings/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -206,6 +206,20 @@ resource "aws_backup_plan" "ab_plan" {
   }
 }
 
+# AWS Backup Global Settings
+resource "aws_backup_global_settings" "ab_global_settings" {
+  count = var.enabled && var.enable_global_settings ? 1 : 0
+
+  global_settings = var.global_settings
+
+  lifecycle {
+    precondition {
+      condition     = var.enable_global_settings ? length(var.global_settings) > 0 : true
+      error_message = "When enable_global_settings is true, global_settings map cannot be empty. At minimum, specify isCrossAccountBackupEnabled."
+    }
+  }
+}
+
 # Multiple AWS Backup plans with optimized timeouts
 resource "aws_backup_plan" "ab_plans" {
   for_each = var.enabled ? local.plans_map : {}
diff --git a/outputs.tf b/outputs.tf
diff --git a/variables.tf b/variables.tf
