feat: add support for aws_backup_global_settings

claude[bot] · lgallard · claude[bot] · commit 14b0df9c687f · 2025-09-28T11:25:03.000Z
- Add enable_global_settings and global_settings variables with comprehensive validation - Implement conditional aws_backup_global_settings resource in main.tf - Add outputs for global settings management and monitoring - Create backup_global_settings example with full documentation - Enable centralized cross-account backup governance capabilities - Support enterprise compliance and security requirements Closes #235 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Luis M. Gallardo D. <lgallard@users.noreply.github.com>
diff --git a/examples/backup_global_settings/README.md b/examples/backup_global_settings/README.md
@@ -0,0 +1,123 @@
+# AWS Backup Global Settings Example
+
+This example demonstrates how to configure AWS Backup global settings for centralized cross-account backup governance.
+
+## Features Demonstrated
+
+- **Global Settings Management**: Enable and configure AWS Backup global settings
+- **Cross-Account Backup**: Enable centralized backup governance across multiple AWS accounts
+- **Enterprise Governance**: Account-level settings for backup operations
+- **Backup Configuration**: Basic vault, plan, and selection setup with global settings
+
+## Architecture
+
+```
+AWS Account (Management/Central)
+├── Global Settings (Account-level)
+│   └── isCrossAccountBackupEnabled: true
+├── Backup Vault
+├── Backup Plan
+└── Resource Selections
+```
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example will create resources which may cost money. Run `terraform destroy` when you don't need these resources.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws_backup_global_settings"></a> [aws\_backup\_global\_settings](#module\_aws\_backup\_global\_settings) | ../.. | n/a |
+
+## Resources
+
+Created by the module:
+- `aws_backup_global_settings` - Account-level backup settings
+- `aws_backup_vault` - Backup vault for storing recovery points
+- `aws_backup_plan` - Backup plan with scheduling and lifecycle policies
+- `aws_backup_selection` - Resource selection for automated backups
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_backup_retention_days"></a> [backup\_retention\_days](#input\_backup\_retention\_days) | Number of days to retain backups | `number` | `30` | no |
+| <a name="input_backup_schedule"></a> [backup\_schedule](#input\_backup\_schedule) | Cron expression for backup schedule | `string` | `"cron(0 2 * * ? *)"` | no |
+| <a name="input_enable_cross_account_backup"></a> [enable\_cross\_account\_backup](#input\_enable\_cross\_account\_backup) | Enable cross-account backup functionality | `bool` | `true` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to resources | `map(string)` | `{"BackupGovernance": "centralized", "Environment": "production", "Owner": "backup-team", "Terraform": true}` | no |
+| <a name="input_vault_name"></a> [vault\_name](#input\_vault\_name) | Name of the backup vault to create | `string` | `"centralized-backup-vault"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cross_account_backup_enabled"></a> [cross\_account\_backup\_enabled](#output\_cross\_account\_backup\_enabled) | Whether cross-account backup is enabled |
+| <a name="output_global_settings"></a> [global\_settings](#output\_global\_settings) | Configured global settings |
+| <a name="output_global_settings_id"></a> [global\_settings\_id](#output\_global\_settings\_id) | AWS Account ID where global settings are applied |
+| <a name="output_global_settings_summary"></a> [global\_settings\_summary](#output\_global\_settings\_summary) | Summary of global settings configuration |
+| <a name="output_plan_arn"></a> [plan\_arn](#output\_plan\_arn) | ARN of the backup plan |
+| <a name="output_vault_arn"></a> [vault\_arn](#output\_vault\_arn) | ARN of the backup vault |
+
+## Global Settings Configuration
+
+### Cross-Account Backup Enablement
+
+When `isCrossAccountBackupEnabled` is set to `"true"`:
+
+1. **Centralized Governance**: Enables centralized backup management across AWS accounts
+2. **Organization Policies**: Allows AWS Organizations backup policies to be applied
+3. **Cross-Account IAM**: Enables backup operations across account boundaries
+4. **Compliance**: Supports enterprise compliance frameworks requiring centralized backup
+
+### Enterprise Use Cases
+
+- **Multi-Account Organizations**: Centralized backup governance for AWS Organizations
+- **Compliance Requirements**: Meeting regulatory requirements for backup management
+- **Security**: Controlled cross-account backup operations
+- **Cost Optimization**: Centralized backup strategies and policies
+
+## Next Steps
+
+After deploying this example:
+
+1. **Configure AWS Organizations Backup Policies** for centralized governance
+2. **Set up cross-account IAM roles** for backup operations
+3. **Implement backup compliance frameworks** across accounts
+4. **Monitor backup activities** through AWS CloudTrail and CloudWatch
+
+## Important Notes
+
+- Global settings are **account-level** configurations (one per AWS account)
+- Cross-account backup requires proper **IAM permissions** across accounts
+- This feature is particularly valuable for **enterprise environments**
+- Consider **AWS Organizations integration** for complete centralized governance
+
+## Compliance and Security
+
+This configuration supports:
+- SOC 2 compliance for backup governance
+- GDPR requirements for data retention
+- HIPAA backup and recovery standards
+- Financial services backup regulations
diff --git a/examples/backup_global_settings/main.tf b/examples/backup_global_settings/main.tf
@@ -0,0 +1,72 @@
+# AWS Backup Global Settings Example
+# 
+# This example demonstrates how to configure AWS Backup global settings
+# for centralized cross-account backup governance.
+
+# AWS Backup with Global Settings
+module "aws_backup_global_settings" {
+  source = "../.."
+
+  # Enable global settings management
+  enable_global_settings = true
+
+  # Configure global settings for cross-account backup governance
+  global_settings = {
+    "isCrossAccountBackupEnabled" = "true"
+  }
+
+  # Basic vault configuration
+  vault_name = "centralized-backup-vault"
+
+  # Basic plan for demonstration
+  plan_name = "global-settings-plan"
+
+  # Simple rule
+  rules = [
+    {
+      name              = "daily-backup"
+      schedule          = "cron(0 2 * * ? *)" # Daily at 2 AM
+      start_window      = 120
+      completion_window = 360
+      lifecycle = {
+        delete_after = 30
+      }
+      copy_actions = []
+      recovery_point_tags = {
+        BackupType  = "Automated"
+        Governance  = "Centralized"
+        Environment = "production"
+      }
+    }
+  ]
+
+  # Resource selection
+  selections = [
+    {
+      name = "production-resources"
+      resources = [
+        "arn:aws:ec2:*:*:instance/*",
+        "arn:aws:rds:*:*:db:*"
+      ]
+      selection_tags = [
+        {
+          type  = "STRINGEQUALS"
+          key   = "Environment"
+          value = "production"
+        },
+        {
+          type  = "STRINGEQUALS"
+          key   = "BackupRequired"
+          value = "true"
+        }
+      ]
+    }
+  ]
+
+  tags = {
+    Owner            = "backup-team"
+    Environment      = "production"
+    BackupGovernance = "centralized"
+    Terraform        = true
+  }
+}
diff --git a/examples/backup_global_settings/outputs.tf b/examples/backup_global_settings/outputs.tf
@@ -0,0 +1,31 @@
+# Global Settings Outputs
+output "global_settings_id" {
+  description = "AWS Account ID where global settings are applied"
+  value       = module.aws_backup_global_settings.global_settings_id
+}
+
+output "global_settings" {
+  description = "Configured global settings"
+  value       = module.aws_backup_global_settings.global_settings
+}
+
+output "cross_account_backup_enabled" {
+  description = "Whether cross-account backup is enabled"
+  value       = module.aws_backup_global_settings.cross_account_backup_enabled
+}
+
+output "global_settings_summary" {
+  description = "Summary of global settings configuration"
+  value       = module.aws_backup_global_settings.global_settings_summary
+}
+
+# Additional backup outputs for reference
+output "vault_arn" {
+  description = "ARN of the backup vault"
+  value       = module.aws_backup_global_settings.vault_arn
+}
+
+output "plan_arn" {
+  description = "ARN of the backup plan"
+  value       = module.aws_backup_global_settings.plan_arn
+}
diff --git a/examples/backup_global_settings/variables.tf b/examples/backup_global_settings/variables.tf
@@ -0,0 +1,36 @@
+# Optional variables for customizing the example
+
+variable "vault_name" {
+  description = "Name of the backup vault to create"
+  type        = string
+  default     = "centralized-backup-vault"
+}
+
+variable "enable_cross_account_backup" {
+  description = "Enable cross-account backup functionality"
+  type        = bool
+  default     = true
+}
+
+variable "backup_schedule" {
+  description = "Cron expression for backup schedule"
+  type        = string
+  default     = "cron(0 2 * * ? *)"  # Daily at 2 AM
+}
+
+variable "backup_retention_days" {
+  description = "Number of days to retain backups"
+  type        = number
+  default     = 30
+}
+
+variable "tags" {
+  description = "A mapping of tags to assign to resources"
+  type        = map(string)
+  default = {
+    Owner            = "backup-team"
+    Environment      = "production"
+    BackupGovernance = "centralized"
+    Terraform        = true
+  }
+}
diff --git a/examples/backup_global_settings/versions.tf b/examples/backup_global_settings/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -206,6 +206,20 @@ resource "aws_backup_plan" "ab_plan" {
   }
 }
 
+# AWS Backup Global Settings
+resource "aws_backup_global_settings" "ab_global_settings" {
+  count = var.enabled && var.enable_global_settings ? 1 : 0
+
+  global_settings = var.global_settings
+
+  lifecycle {
+    precondition {
+      condition     = var.enable_global_settings ? length(var.global_settings) > 0 : true
+      error_message = "When enable_global_settings is true, global_settings map cannot be empty. At minimum, specify isCrossAccountBackupEnabled."
+    }
+  }
+}
+
 # Multiple AWS Backup plans with optimized timeouts
 resource "aws_backup_plan" "ab_plans" {
   for_each = var.enabled ? local.plans_map : {}
diff --git a/outputs.tf b/outputs.tf
@@ -185,3 +185,55 @@ output "restore_testing_summary" {
     }
   } : null
 }
+
+#
+# Global Settings
+#
+output "global_settings_id" {
+  description = "AWS Account ID where global settings are applied"
+  value       = try(aws_backup_global_settings.ab_global_settings[0].id, null)
+}
+
+output "global_settings" {
+  description = "AWS Backup global settings configuration"
+  value       = try(aws_backup_global_settings.ab_global_settings[0].global_settings, null)
+}
+
+output "cross_account_backup_enabled" {
+  description = "Whether cross-account backup is enabled for centralized governance"
+  value = try(aws_backup_global_settings.ab_global_settings[0].global_settings["isCrossAccountBackupEnabled"], null) == "true"
+}
+
+#
+# Global Settings Summary
+#
+output "global_settings_summary" {
+  description = "Summary of global settings configuration and governance capabilities"
+  value = var.enable_global_settings ? {
+    enabled                         = true
+    cross_account_backup_enabled    = try(aws_backup_global_settings.ab_global_settings[0].global_settings["isCrossAccountBackupEnabled"], "false") == "true"
+    account_id                      = try(aws_backup_global_settings.ab_global_settings[0].id, null)
+    configured_settings             = var.global_settings
+
+    # Governance and compliance information
+    governance_impact = {
+      "cross_account_backup" = try(aws_backup_global_settings.ab_global_settings[0].global_settings["isCrossAccountBackupEnabled"], "false") == "true" ? "Enabled - centralized backup governance active" : "Disabled - account-level backup management"
+      "enterprise_ready"     = try(aws_backup_global_settings.ab_global_settings[0].global_settings["isCrossAccountBackupEnabled"], "false") == "true"
+    }
+
+    # Next steps and recommendations
+    next_steps = {
+      "1" = "Configure AWS Organizations backup policies for centralized governance"
+      "2" = "Set up cross-account IAM roles for backup operations"
+      "3" = "Implement backup compliance frameworks across accounts"
+      "4" = "Monitor backup activities through AWS CloudTrail and CloudWatch"
+    }
+
+    # CLI commands for management
+    management_commands = {
+      describe_settings    = "aws backup describe-global-settings"
+      list_backup_policies = "aws organizations list-policies --filter BACKUP_POLICY"
+      check_compliance     = "aws backup list-backup-jobs --by-account-id ${try(aws_backup_global_settings.ab_global_settings[0].id, "ACCOUNT_ID")}"
+    }
+  } : null
+}
diff --git a/variables.tf b/variables.tf
@@ -770,3 +770,39 @@ variable "restore_testing_iam_role_arn" {
     error_message = "The restore_testing_iam_role_arn must be a valid IAM role ARN. Avoid using 'test', 'temp', 'delete', or 'remove' in role names for security reasons."
   }
 }
+
+#
+# AWS Backup Global Settings
+#
+variable "enable_global_settings" {
+  description = "Whether to manage AWS Backup global settings. Enable this to configure account-level backup settings."
+  type        = bool
+  default     = false
+}
+
+variable "global_settings" {
+  description = "Global settings for AWS Backup. Currently supports isCrossAccountBackupEnabled for centralized cross-account backup governance."
+  type        = map(string)
+  default = {
+    "isCrossAccountBackupEnabled" = "false"
+  }
+
+  validation {
+    condition = can(var.global_settings["isCrossAccountBackupEnabled"]) ? contains(["true", "false"], var.global_settings["isCrossAccountBackupEnabled"]) : true
+    error_message = "isCrossAccountBackupEnabled must be either 'true' or 'false' as a string (not boolean). This setting controls cross-account backup capabilities for enterprise governance."
+  }
+
+  validation {
+    condition = alltrue([
+      for key, value in var.global_settings : can(regex("^[a-zA-Z][a-zA-Z0-9]*$", key))
+    ])
+    error_message = "Global setting keys must start with a letter and contain only alphanumeric characters. Currently supported: 'isCrossAccountBackupEnabled'."
+  }
+
+  validation {
+    condition = alltrue([
+      for key, value in var.global_settings : length(value) > 0
+    ])
+    error_message = "Global setting values cannot be empty strings. Use 'true' or 'false' for boolean settings."
+  }
+}
