In this blog, we are going to discuss the AWS service Data Lifecycle Manager (DLM), which lets you take snapshots of EBS volumes, retain them for a set number of days, and delete outdated backups automatically.
The advantages of using this service are:
- It’s automated.
- Protection of valuable data by enforcing regular data backups.
- Cost saving by deleting outdated backups automatically.
You will find this service on the EC2 dashboard, under the Elastic Block Store menu.
If you go by the manual method, the console asks you to fill in some information and creates the policy for you. Here, however, we are going to create the entire policy using Terraform. Terraform is an open-source ‘infrastructure as code’ (IaC) tool for deploying infrastructure efficiently: you run Terraform code from your local computer, and it creates instances and other resources for you automatically.
Terraform should have access to your AWS infrastructure for the code to work. For this blog, I am assuming that you know how to configure Terraform and provide AWS credentials to it. I will be using Visual Studio Code as a code editor here, but you can use any other editor as per your convenience.
Let’s have a look at the Terraform script that we are going to use.
```hcl
# IAM role that the DLM service assumes when it runs the policy.
resource "aws_iam_role" "dlm_lifecycle_role" {
  name = "dlm-lifecycle-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "dlm.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# Permissions the role needs: snapshot and volume operations, plus tagging of snapshots.
resource "aws_iam_role_policy" "dlm_lifecycle" {
  name = "dlm-lifecycle-policy"
  role = aws_iam_role.dlm_lifecycle_role.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:*::snapshot/*"
    }
  ]
}
EOF
}

# The lifecycle policy itself: daily snapshots at 23:45, keep the newest 14 per volume.
resource "aws_dlm_lifecycle_policy" "test_lifecyclerole" {
  description        = "DLM lifecycle policy"
  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
  state              = "ENABLED"

  policy_details {
    resource_types = ["VOLUME"]

    schedule {
      name = "2 weeks of daily snapshots"

      create_rule {
        interval      = 24
        interval_unit = "HOURS"
        times         = ["23:45"]
      }

      retain_rule {
        count = 14
      }

      tags_to_add = {
        SnapshotCreator = "DLM"
      }

      copy_tags = false
    }

    # Only volumes tagged Snapshot=true are targeted.
    target_tags = {
      Snapshot = "true"
    }
  }
}
```
First, we will create an IAM role and attach a policy to it. The policy needs permissions for the EC2 operations DLM performs: create snapshots, delete snapshots, describe volumes and describe snapshots. Additionally, it needs permission to create tags on the snapshots.
The creation of the DLM (Data Lifecycle Manager) policy starts at the aws_dlm_lifecycle_policy resource (line 50 in the GitHub gist shown above). You can also find it in the accompanying GitHub repository.
Even though the Terraform script is self-explanatory, I have added some details for a better understanding for people who are new to Terraform scripting. The ‘create_rule’ block in the latter part of the code specifies the interval between snapshots and the time at which they are taken. For this one, I am running the policy at 11:45 PM every 24 hours.
The last part of the Terraform code shows how to set up the retention policy for the snapshots taken (‘retain_rule’), what tags to add to them (‘tags_to_add’), and which volumes to target while taking snapshots (‘target_tags’).
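To see what the schedule and retention settings above actually do, here is an added Python simulation that is not part of the original post: it applies the target_tags, create_rule, retain_rule and copy_tags values from the script to a constructed set of volumes and reports which snapshots remain after 30 daily runs. The volume ids and tags are made up for this example.

```python
from datetime import datetime, timedelta

# Values copied from the aws_dlm_lifecycle_policy resource in the script above.
POLICY = {
    "target_tags": {"Snapshot": "true"},
    "create_rule": {"interval": 24, "interval_unit": "HOURS", "times": ["23:45"]},
    "retain_rule": {"count": 14},
    "tags_to_add": {"SnapshotCreator": "DLM"},
    "copy_tags": False,
}

# Constructed sample volumes (ids and tags are made up for this example).
VOLUMES = [
    {"id": "vol-0aaa", "tags": {"Snapshot": "true", "Name": "db-data"}},
    {"id": "vol-0bbb", "tags": {"Snapshot": "false", "Name": "scratch"}},
    {"id": "vol-0ccc", "tags": {"Name": "no-snapshot-tag"}},
    {"id": "vol-0ddd", "tags": {"Snapshot": "true", "Name": "app-logs"}},
]


def targeted_volumes(volumes, target_tags):
    """DLM selects only volumes carrying every target tag with exactly that value."""
    return [v["id"] for v in volumes
            if all(v["tags"].get(k) == val for k, val in target_tags.items())]


def snapshot_tags(policy, volume):
    """Tags a new snapshot gets: tags_to_add, plus the volume's own tags only if copy_tags is true."""
    tags = dict(volume["tags"]) if policy["copy_tags"] else {}
    tags.update(policy["tags_to_add"])
    return tags


def simulate(policy, volumes, start, runs):
    """Run `runs` scheduled executions from `start`; return the retained snapshots
    per targeted volume and how many the retain rule deleted along the way."""
    hh, mm = map(int, policy["create_rule"]["times"][0].split(":"))
    step = timedelta(hours=policy["create_rule"]["interval"])
    first = start.replace(hour=hh, minute=mm, second=0, microsecond=0)
    if first < start:            # today's 23:45 already passed: first run is tomorrow
        first += step
    keep = policy["retain_rule"]["count"]
    by_id = {v["id"]: v for v in volumes}
    retained = {vid: [] for vid in targeted_volumes(volumes, policy["target_tags"])}
    deleted = 0
    for i in range(runs):
        when = first + i * step
        for vid, snaps in retained.items():
            snaps.append({"created": when, "tags": snapshot_tags(policy, by_id[vid])})
            if len(snaps) > keep:  # count-based retention: the oldest snapshot is removed
                snaps.pop(0)
                deleted += 1
    return retained, deleted
```

Because copy_tags is false, the snapshots carry only SnapshotCreator=DLM and not the volume's Name tag, which matters if you rely on tags to find backups later.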
Steps to follow in Visual Studio Code for running this Terraform script:
- Create a directory named ‘aws_lifecyclepolicy’ in your Terraform workspace.
- Create two .tf files, main.tf and provider.tf.
- In provider.tf, declare the AWS provider and the region to deploy to.
- In main.tf, paste the Terraform script given above.
- Run ‘terraform init’ to initialize Terraform in the directory.
- Run ‘terraform plan’ to validate the script and see what resources it will create. Note that no resources are created by this command; it only checks that the script is correct and lists the resources it would create.
- If everything looks good in step 6, run ‘terraform apply’ and type ‘yes’ when it prompts.
- Go to the AWS service Lifecycle Manager after this and you will see your policy there.
I hope this blog has helped you understand how to write a Terraform script for a lifecycle policy for creating snapshots in AWS.
To learn more about AWS Courses visit: cloudthat.in.
If you have any comments or questions, please write them in the comments section.
WRITTEN BY Sumit Sudhakaran
Deepak Surendran
Jul 29, 2020
Nice Blog