Create an AWS Lifecycle Policy Using Terraform for Taking EBS Snapshots

AWS Data Lifecycle Manager (DLM) is a service that takes snapshots of EBS volumes on a schedule, retains them for a set period, and deletes the outdated backups automatically.

The advantages of using this service are:

*It’s automated.

*Protection of valuable data by enforcing regular backups.

*Cost saving by deleting outdated backups automatically.

You will find the Lifecycle Manager service on the EC2 dashboard, under the Elastic Block Store menu.

If you go by the manual method, the console asks you to fill in some information and creates the policy for you. Here we are going to create the entire policy using Terraform, an open-source ‘infrastructure as code’ (IaC) tool that deploys your infrastructure efficiently: you run Terraform code from your local computer and it creates instances and other resources for you automatically. Terraform needs access to your AWS account for the code to work; I am assuming that you know how to configure Terraform and provide AWS credentials to it.

Let’s have a look at the Terraform script

resource "aws_iam_role" "dlm_lifecycle_role" {
  name = "dlm-lifecycle-role"

  # Only the DLM service principal may assume this role
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "dlm.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "dlm_lifecycle" {
  name = "dlm-lifecycle-policy"
  role = aws_iam_role.dlm_lifecycle_role.id

  # Permissions DLM needs to create, list and delete snapshots and to tag them
  policy = <<EOF
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "ec2:CreateSnapshot",
            "ec2:DeleteSnapshot",
            "ec2:DescribeVolumes",
            "ec2:DescribeSnapshots"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "ec2:CreateTags"
         ],
         "Resource": "arn:aws:ec2:*::snapshot/*"
      }
   ]
}
EOF
}

resource "aws_dlm_lifecycle_policy" "test_lifecyclerole" {
  description        = "DLM lifecycle policy"
  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
  state              = "ENABLED"

  policy_details {
    resource_types = ["VOLUME"]

    schedule {
      name = "2 weeks of daily snapshots"

      create_rule {
        interval      = 24
        interval_unit = "HOURS"
        times         = ["23:45"]
      }

      retain_rule {
        count = 14
      }

      tags_to_add = {
        SnapshotCreator = "DLM"
      }

      copy_tags = false
    }

    target_tags = {
      Snapshot = "true"
    }
  }
}

First, we create an IAM role and attach a policy to it. The policy needs permission for the EC2 operations DLM performs: create snapshots, delete snapshots, describe volumes and describe snapshots. Additionally, it needs permission to create tags on the snapshots it produces. Note that the trust policy lets only the dlm.amazonaws.com service principal assume the role, so no user or instance can use these permissions directly.

The creation of the DLM (Data Lifecycle Manager) policy

resource "aws_dlm_lifecycle_policy" "test_lifecyclerole" {
  description        = "DLM lifecycle policy"                # a description for the policy
  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn   # attaching the role created above
  state              = "ENABLED"

  policy_details {
    resource_types = ["VOLUME"]   # selecting volumes, so only EBS snapshots are taken

    schedule {
      name = "2 weeks of daily snapshots"   # with daily snapshots and a retain count of 14, snapshots older than two weeks are deleted

      create_rule {
        interval      = 24
        interval_unit = "HOURS"
        times         = ["23:45"]
      }

      retain_rule {
        count = 14
      }

      tags_to_add = {
        SnapshotCreator = "DLM"

Even though the Terraform script is largely self-explanatory, I have added some details for people who are new to Terraform scripting. The ‘create_rule’ block specifies the interval between snapshots and the time at which they are taken. In this policy, the snapshot runs at 11:45 PM every 24 hours.

Below is the last part of the Terraform code, which shows how to set the retention policy for the snapshots, which tags to add to them, and which volumes to target.

      retain_rule {
        count = 14   # retain only the 14 latest snapshots
      }

      tags_to_add = {
        SnapshotCreator = "DLM"   # add the tag SnapshotCreator = DLM to each snapshot
      }

      copy_tags = false
    }

    target_tags = {
      Snapshot = "true"   # only volumes carrying this key:value tag are snapshotted
    }
  }
}

Running the Terraform script

*Create a directory named ‘aws_lifecyclepolicy’ in your Terraform workspace.

*Create two .tf files in it: main.tf and provider.tf.

*In provider.tf, declare the aws provider and the region.

*In main.tf, paste the Terraform script given above.

*Run ‘terraform init’ to initialize Terraform in the directory.

*Run ‘terraform plan’ to validate the script and see which resources will be created.

*Run ‘terraform apply’ and type ‘yes’ when it prompts.

*Go to Lifecycle Manager in the AWS console and you will see your policy there.
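Seeing the policy in the console does not tell you whether it is actually doing its job. The added script below (not part of the original post) checks the two guarantees the retention and tag settings above promise: every volume tagged Snapshot = true has a DLM-created snapshot from the last 24 hours, and no more than 14 are kept per volume. It assumes the volume and snapshot records look like the dicts boto3's describe_volumes()/describe_snapshots() return, and runs on a constructed sample so it works offline.

```python
"""Post-apply check for the DLM policy above: does every EBS volume carrying the
policy's target tag (Snapshot=true) have a DLM-made snapshot from the last 24 h, and
are at most 14 kept?  Pure Python over dicts shaped like boto3's describe_volumes()/
describe_snapshots() output (an assumption; no AWS call is made)."""
from datetime import datetime, timedelta, timezone

TARGET_TAG = ("Snapshot", "true")         # target_tags in the Terraform policy
CREATOR_TAG = ("SnapshotCreator", "DLM")  # tags_to_add in the Terraform policy
INTERVAL = timedelta(hours=24)            # create_rule interval
RETAIN = 14                               # retain_rule count

def has_tag(resource, key, value):
    return any(t["Key"] == key and t["Value"] == value for t in resource.get("Tags", []))

def audit(volumes, snapshots, now):
    """Return {volume_id: [problems]} for targeted volumes; {} means all is well."""
    problems = {}
    for vol in volumes:
        if not has_tag(vol, *TARGET_TAG):
            continue  # the policy does not target this volume
        mine = sorted((s for s in snapshots
                       if s["VolumeId"] == vol["VolumeId"] and has_tag(s, *CREATOR_TAG)),
                      key=lambda s: s["StartTime"], reverse=True)
        issues = []
        if not mine:
            issues.append("no DLM snapshot")
        elif now - mine[0]["StartTime"] > INTERVAL:
            issues.append("latest snapshot older than 24h")
        if len(mine) > RETAIN:
            issues.append(f"{len(mine)} snapshots kept, retain_rule count is {RETAIN}")
        if issues:
            problems[vol["VolumeId"]] = issues
    return problems

# Constructed sample data (not real AWS output): a fixed "now" and three volumes.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-aaa", "Tags": [{"Key": "Snapshot", "Value": "true"}]},
    {"VolumeId": "vol-bbb", "Tags": [{"Key": "Snapshot", "Value": "true"}]},
    {"VolumeId": "vol-ccc", "Tags": []},  # untagged, so outside the policy's scope
]

def make_snapshot(volume_id, days_ago, creator="DLM"):
    return {"VolumeId": volume_id, "StartTime": NOW - timedelta(days=days_ago),
            "Tags": [{"Key": "SnapshotCreator", "Value": creator}]}

# vol-aaa: 14 daily snapshots as the policy intends; vol-bbb: one stale snapshot.
SAMPLE_SNAPSHOTS = [make_snapshot("vol-aaa", d) for d in range(14)] + [make_snapshot("vol-bbb", 3)]
if __name__ == "__main__":
    print(audit(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, NOW))  # {'vol-bbb': ['latest snapshot older than 24h']}
```

To run it against a real account, replace SAMPLE_VOLUMES and SAMPLE_SNAPSHOTS with the Volumes and Snapshots lists returned by boto3 and pass the current UTC time as now.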
