stackset.yml

AWSTemplateFormatVersion: '2010-09-09'

Description: Resources for Cornell standard SomeResource. Do not alter. Contact cloud-support@cornell.edu with questions.

Metadata:
  Source: https://github.com/CU-CommunityApps/cu-aws-cloudformation/template-template/template.yaml
  Version: "1.0.1"
  RecommendedStackName: $ENV-recommended-stack-name
  ChangeLog:
    "1.0.1":
      - added change log
      - added deployment script
      - added EnvironmentParam
      - added DocumentationURLParam
    "1.0.0":
      - inital release

Parameters:

  VersionParam:
    Description: CIT template version
    Type: String
    
  ContactEmailParam:
    Description: CIT contact email tag value version
    Default: cloud-support@cornell.edu
    Type: String
    
  SourceURLParam:
    Description: URL of this template in source code repository (not necessarily public)
    Default: https://github.com/CU-CommunityApps/cu-aws-cloudformation/template-template/template.yaml
    Type: String

  EnvironmentParam:
    Description: Environment for the resources this template creates.
    Default: dev
    Type: String
    AllowedValues:
      - dev
      - test
      - prod
  
  DocumentationURLParam:
    Description: URL of documentation about this deployment or these resources
    Default: https://confluence.cornell.edu/pages/viewpage.action?spaceKey=CLOUD&title=AWS+Backup+Service+Deployment+Process+via+Cloudformation+Gitsync
    Type: String

  BackupVaultName:
    Description: Name of the backup vault created in AWS Backup Service where restore points are stored.
    Default: backupVault
    Type: String
    
  BackupPlanName:
    Description: Name of the backup plan created in AWS Backup Service.
    Default: backupPlan
    Type: String

  BackupPlanRuleName:
    Description: Name of Backup rule name. This is just the name of the rule used to specify the type of backup being performed.
    Default: DailyBackup
    Type: String
  
  BackupMinute:
    Type: String
    Default: "0"
    Description: "The minute at which the backup should occur (0-59)."

  BackupHour:
    Type: String
    Default: "9"
    Description: "The hour at which the backup should occur (0-23 in UTC). 9am will be 4am EST."

  BackupDayOfMonth:
    Type: String
    Default: "*"
    Description: "The day of the month the backup should occur (1-31). Use '*' for every day."

  BackupMonth:
    Type: String
    Default: "*"
    Description: "The month in which the backup should occur (1-12). Use '*' for every month."

  BackupDayOfWeek:
    Type: String
    Default: "?"
    Description: "The day of the week the backup should occur (SUN-SAT). Use '?' if day of month is specified."

  BackupYear:
    Type: String
    Default: "*"
    Description: "The year for the backup schedule. Use '*' for every year."

  BackupStartWindow:
    Description: A value in minutes the backup must start by. Must be between 60 (1 hour) and 259,200 (180 days).
    Default: 60
    Type: Number
    MinValue: 60
    MaxValue: 259200

  BackupCompletionWindow:
    Description: A value in minutes after a backup job is successfully started before it must be completed or it is canceled by AWS Backup. Must be at least as long as the BackupStartWindow.
    Default: 120
    Type: Number
    MinValue: 60
    MaxValue: 259200

  BackupRetention:
    Description: Specifies the number of days after creation that a recovery point is deleted. Must be a positive, non-zero integer.
    Default: 7
    Type: Number
    MinValue: 1

  BackupTagName:
    Description: This is the name of the tag used to perform the backups.
    Default: "cit:backup-scheme"
    Type: String

  BackupTagValue:
    Description: Value of Tag set for an instance with set value to be backed up.
    Default: "default"
    Type: String

Mappings: 
  RegionMap:
    us-east-1:
      AMI: ami-0c7217cdde317cfec # Ubuntu Server 22.04 LTS (HVM),EBS General Purpose (SSD) Volume Type

Conditions: {} 

Resources:

  # MyEC2Instance1:
  #   Type: AWS::EC2::Instance
  #   DeletionPolicy: Delete
  #   Properties:
  #     InstanceType: t2.micro
  #     ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
  #     Tags:
  #       - Key: "Name"
  #         Value: "ec2backupTestInstance1"
  #       - Key: !Ref BackupTagName
  #         Value: !Ref BackupTagValue
  #       - Key: Environment
  #         Value: !Ref EnvironmentParam
  #       - Key: Description
  #         Value: "Ubuntu EC2 Instance for Testing"
  #       - Key: Documentation
  #         Value: !Ref DocumentationURLParam
  #       - Key: cit:contact-email
  #         Value: !Ref ContactEmailParam
  #       - Key: cit:version
  #         Value: !Ref VersionParam
  #       - Key: cit:source
  #         Value: !Ref SourceURLParam
  #     BlockDeviceMappings:
  #       - DeviceName: "/dev/sdh"
  #         Ebs:
  #           VolumeSize: 10
  #           DeleteOnTermination: true
  #           VolumeType: gp2

  # Backup Vault
  Vault:
    Type: AWS::Backup::BackupVault
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      BackupVaultName: !Ref BackupVaultName
      # You can also set encryption settings and access policies here

  # Backup Plan
  BackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: !Ref BackupPlanName
        BackupPlanRule:
          - RuleName: !Ref BackupPlanRuleName
            TargetBackupVault: !Ref Vault
            ScheduleExpression:
              Fn::Sub: "cron(${BackupMinute} ${BackupHour} ${BackupDayOfMonth} ${BackupMonth} ${BackupDayOfWeek} ${BackupYear})"
            StartWindowMinutes: !Ref BackupStartWindow
            CompletionWindowMinutes: !Ref BackupCompletionWindow
            Lifecycle:
              DeleteAfterDays: !Ref BackupRetention

  # IAM Role for AWS Backup
  IAMrole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: backup.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: BackupRolePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeVolumes
                  - ec2:DescribeSnapshots
                  - ec2:CreateTags
                  - ec2:CreateSnapshot
                  - ec2:DeleteSnapshot
                  - ec2:DescribeTags
                  - ec2:DescribeImages
                  - ec2:DescribeInstances
                  - ec2:DescribeVolumes
                  - ec2:CreateImage
                  - ec2:DescribeInstanceCreditSpecifications
                  - ec2:DescribeInstanceAttribute
                  - ec2:DescribeSnapshotTierStatus
                  - ec2:RestoreSnapshotTier
                  - ec2:ModifySnapshotTier
                  - ec2:DescribeNetworkInterfaces
                  - tag:GetResources
                Resource: "*"

  BackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref BackupPlan
      BackupSelection:
        SelectionName: AllInstancesSelection
        IamRoleArn: !GetAtt IAMrole.Arn
        ListOfTags:
          - ConditionType: STRINGEQUALS
            ConditionKey: !Ref BackupTagName
            ConditionValue: !Ref BackupTagValue