diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/BackupSelectionTestDefaultTestDeployAssertA837BB17.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/BackupSelectionTestDefaultTestDeployAssertA837BB17.assets.json new file mode 100644 index 0000000000000..007e14d0f79ec --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/BackupSelectionTestDefaultTestDeployAssertA837BB17.assets.json @@ -0,0 +1,19 @@ +{ + "version": "35.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "BackupSelectionTestDefaultTestDeployAssertA837BB17.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/BackupSelectionTestDefaultTestDeployAssertA837BB17.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/BackupSelectionTestDefaultTestDeployAssertA837BB17.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/BackupSelectionTestDefaultTestDeployAssertA837BB17.template.json 
@@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/cdk-backup-selection.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/cdk-backup-selection.assets.json new file mode 100644 index 0000000000000..2237e3c78f47c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/cdk-backup-selection.assets.json @@ -0,0 +1,19 @@ +{ + "version": "35.0.0", + "files": { + "d9b59dea9ce2f2e62ac2b8c81ee6334404d6acc6b99fba627ad2b90655a0bc99": { + "source": { + "path": "cdk-backup-selection.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "d9b59dea9ce2f2e62ac2b8c81ee6334404d6acc6b99fba627ad2b90655a0bc99.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/cdk-backup-selection.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/cdk-backup-selection.template.json new file mode 100644 index 0000000000000..0a81c64c8fa1a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/cdk-backup-selection.template.json 
@@ -0,0 +1,359 @@ +{ + "Resources": { + "TableCD117FA1": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "id", + "AttributeType": "S" + } + ], + "KeySchema": [ + { + "AttributeName": "id", + "KeyType": "HASH" + } + ], + "ProvisionedThroughput": { + "ReadCapacityUnits": 5, + "WriteCapacityUnits": 5 + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "FirstVault1F616CC6": { + "Type": "AWS::Backup::BackupVault", + "Properties": { + "BackupVaultName": "cdkbackupselectionFirstVault835CDB1C", + "LockConfiguration": { + "MinRetentionDays": 5 + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "SecondVaultFAFC72CB": { + "Type": "AWS::Backup::BackupVault", + "Properties": { + "BackupVaultName": "cdkbackupselectionSecondVault1F4AA8E1", + "LockConfiguration": { + "MinRetentionDays": 5 + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "FirstPlanF748325D": { + "Type": "AWS::Backup::BackupPlan", + "Properties": { + "BackupPlan": { + "BackupPlanName": "FirstPlan", + "BackupPlanRule": [ + { + "Lifecycle": { + "DeleteAfterDays": 35 + }, + "RuleName": "Daily", + "ScheduleExpression": "cron(0 5 * * ? *)", + "TargetBackupVault": { + "Fn::GetAtt": [ + "FirstVault1F616CC6", + "BackupVaultName" + ] + } + }, + { + "Lifecycle": { + "DeleteAfterDays": 90 + }, + "RuleName": "Weekly", + "ScheduleExpression": "cron(0 5 ? * SAT *)", + "TargetBackupVault": { + "Fn::GetAtt": [ + "FirstVault1F616CC6", + "BackupVaultName" + ] + } + }, + { + "Lifecycle": { + "DeleteAfterDays": 1825, + "MoveToColdStorageAfterDays": 90 + }, + "RuleName": "Monthly5Year", + "ScheduleExpression": "cron(0 5 1 * ? 
*)", + "TargetBackupVault": { + "Fn::GetAtt": [ + "FirstVault1F616CC6", + "BackupVaultName" + ] + } + } + ] + } + } + }, + "FirstPlanSelectionWithAutoGeneratedPolicyRoleFBE2AAC4": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "backup.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores" + ] + ] + } + ] + } + }, + "FirstPlanSelectionWithAutoGeneratedPolicyA52B85EF": { + "Type": "AWS::Backup::BackupSelection", + "Properties": { + "BackupPlanId": { + "Fn::GetAtt": [ + "FirstPlanF748325D", + "BackupPlanId" + ] + }, + "BackupSelection": { + "IamRoleArn": { + "Fn::GetAtt": [ + "FirstPlanSelectionWithAutoGeneratedPolicyRoleFBE2AAC4", + "Arn" + ] + }, + "Resources": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":dynamodb:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":table/", + { + "Ref": "TableCD117FA1" + } + ] + ] + } + ], + "SelectionName": "SelectionWithAutoGeneratedPolicy" + } + } + }, + "SecondPlanED732D55": { + "Type": "AWS::Backup::BackupPlan", + "Properties": { + "BackupPlan": { + "BackupPlanName": "SecondPlan", + "BackupPlanRule": [ + { + "Lifecycle": { + "DeleteAfterDays": 35 + }, + "RuleName": "Daily", + "ScheduleExpression": "cron(0 5 * * ? *)", + "TargetBackupVault": { + "Fn::GetAtt": [ + "SecondVaultFAFC72CB", + "BackupVaultName" + ] + } + }, + { + "Lifecycle": { + "DeleteAfterDays": 90 + }, + "RuleName": "Weekly", + "ScheduleExpression": "cron(0 5 ? 
* SAT *)", + "TargetBackupVault": { + "Fn::GetAtt": [ + "SecondVaultFAFC72CB", + "BackupVaultName" + ] + } + }, + { + "Lifecycle": { + "DeleteAfterDays": 1825, + "MoveToColdStorageAfterDays": 90 + }, + "RuleName": "Monthly5Year", + "ScheduleExpression": "cron(0 5 1 * ? *)", + "TargetBackupVault": { + "Fn::GetAtt": [ + "SecondVaultFAFC72CB", + "BackupVaultName" + ] + } + } + ] + } + } + }, + "SecondPlanSelectionWithoutAutoGeneratedPolicy60F4CE3E": { + "Type": "AWS::Backup::BackupSelection", + "Properties": { + "BackupPlanId": { + "Fn::GetAtt": [ + "SecondPlanED732D55", + "BackupPlanId" + ] + }, + "BackupSelection": { + "IamRoleArn": { + "Fn::GetAtt": [ + "BackupRoleF43CFD90", + "Arn" + ] + }, + "Resources": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":dynamodb:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":table/", + { + "Ref": "TableCD117FA1" + } + ] + ] + } + ], + "SelectionName": "SelectionWithoutAutoGeneratedPolicy" + } + } + }, + "BackupRoleF43CFD90": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "backup.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore" + ] + ] + } + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/cdk.out new file mode 100644 index 0000000000000..c5cb2e5de6344 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"35.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/integ.json new file mode 100644 index 0000000000000..1abd28732b8ca --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "35.0.0", + "testCases": { + "BackupSelectionTest/DefaultTest": { + "stacks": [ + "cdk-backup-selection" + ], + "assertionStack": "BackupSelectionTest/DefaultTest/DeployAssert", + "assertionStackName": "BackupSelectionTestDefaultTestDeployAssertA837BB17" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/manifest.json new file mode 100644 index 0000000000000..f1d09bf6c09e0 --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/manifest.json 
@@ -0,0 +1,161 @@ +{ + "version": "35.0.0", + "artifacts": { + "cdk-backup-selection.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "cdk-backup-selection.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "cdk-backup-selection": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "cdk-backup-selection.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d9b59dea9ce2f2e62ac2b8c81ee6334404d6acc6b99fba627ad2b90655a0bc99.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "cdk-backup-selection.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "cdk-backup-selection.assets" + ], + "metadata": { + "/cdk-backup-selection/Table/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TableCD117FA1" + } + ], + "/cdk-backup-selection/FirstVault/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "FirstVault1F616CC6" + } + ], + "/cdk-backup-selection/SecondVault/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SecondVaultFAFC72CB" + } + ], + "/cdk-backup-selection/FirstPlan/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": 
"FirstPlanF748325D" + } + ], + "/cdk-backup-selection/FirstPlan/SelectionWithAutoGeneratedPolicy/Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "FirstPlanSelectionWithAutoGeneratedPolicyRoleFBE2AAC4" + } + ], + "/cdk-backup-selection/FirstPlan/SelectionWithAutoGeneratedPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "FirstPlanSelectionWithAutoGeneratedPolicyA52B85EF" + } + ], + "/cdk-backup-selection/SecondPlan/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SecondPlanED732D55" + } + ], + "/cdk-backup-selection/SecondPlan/SelectionWithoutAutoGeneratedPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SecondPlanSelectionWithoutAutoGeneratedPolicy60F4CE3E" + } + ], + "/cdk-backup-selection/BackupRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "BackupRoleF43CFD90" + } + ], + "/cdk-backup-selection/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/cdk-backup-selection/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "cdk-backup-selection" + }, + "BackupSelectionTestDefaultTestDeployAssertA837BB17.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "BackupSelectionTestDefaultTestDeployAssertA837BB17.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "BackupSelectionTestDefaultTestDeployAssertA837BB17": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "BackupSelectionTestDefaultTestDeployAssertA837BB17.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": 
"arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "BackupSelectionTestDefaultTestDeployAssertA837BB17.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "BackupSelectionTestDefaultTestDeployAssertA837BB17.assets" + ], + "metadata": { + "/BackupSelectionTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/BackupSelectionTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "BackupSelectionTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/tree.json new file mode 100644 index 0000000000000..69af19acd1aff --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.js.snapshot/tree.json 
@@ -0,0 +1,602 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "cdk-backup-selection": { + "id": "cdk-backup-selection", + "path": "cdk-backup-selection", + "children": { + "Table": { + "id": "Table", + "path": "cdk-backup-selection/Table", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-backup-selection/Table/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::DynamoDB::Table", + "aws:cdk:cloudformation:props": { + "attributeDefinitions": [ + { + "attributeName": "id", + "attributeType": "S" + } + ], + "keySchema": [ + { + "attributeName": "id", + "keyType": "HASH" + } + ], + "provisionedThroughput": { + "readCapacityUnits": 5, + "writeCapacityUnits": 5 + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.CfnTable", + "version": "0.0.0" + } + }, + "ScalingRole": { + "id": "ScalingRole", + "path": "cdk-backup-selection/Table/ScalingRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_dynamodb.Table", + "version": "0.0.0" + } + }, + "FirstVault": { + "id": "FirstVault", + "path": "cdk-backup-selection/FirstVault", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-backup-selection/FirstVault/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Backup::BackupVault", + "aws:cdk:cloudformation:props": { + "backupVaultName": "cdkbackupselectionFirstVault835CDB1C", + "lockConfiguration": { + "minRetentionDays": 5 + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.CfnBackupVault", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.BackupVault", + "version": "0.0.0" + } + }, + "SecondVault": { + "id": "SecondVault", + "path": "cdk-backup-selection/SecondVault", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-backup-selection/SecondVault/Resource", + "attributes": { + 
"aws:cdk:cloudformation:type": "AWS::Backup::BackupVault", + "aws:cdk:cloudformation:props": { + "backupVaultName": "cdkbackupselectionSecondVault1F4AA8E1", + "lockConfiguration": { + "minRetentionDays": 5 + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.CfnBackupVault", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.BackupVault", + "version": "0.0.0" + } + }, + "FirstPlan": { + "id": "FirstPlan", + "path": "cdk-backup-selection/FirstPlan", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-backup-selection/FirstPlan/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Backup::BackupPlan", + "aws:cdk:cloudformation:props": { + "backupPlan": { + "backupPlanName": "FirstPlan", + "backupPlanRule": [ + { + "lifecycle": { + "deleteAfterDays": 35 + }, + "ruleName": "Daily", + "scheduleExpression": "cron(0 5 * * ? *)", + "targetBackupVault": { + "Fn::GetAtt": [ + "FirstVault1F616CC6", + "BackupVaultName" + ] + } + }, + { + "lifecycle": { + "deleteAfterDays": 90 + }, + "ruleName": "Weekly", + "scheduleExpression": "cron(0 5 ? * SAT *)", + "targetBackupVault": { + "Fn::GetAtt": [ + "FirstVault1F616CC6", + "BackupVaultName" + ] + } + }, + { + "lifecycle": { + "deleteAfterDays": 1825, + "moveToColdStorageAfterDays": 90 + }, + "ruleName": "Monthly5Year", + "scheduleExpression": "cron(0 5 1 * ? 
*)", + "targetBackupVault": { + "Fn::GetAtt": [ + "FirstVault1F616CC6", + "BackupVaultName" + ] + } + } + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.CfnBackupPlan", + "version": "0.0.0" + } + }, + "SelectionWithAutoGeneratedPolicy": { + "id": "SelectionWithAutoGeneratedPolicy", + "path": "cdk-backup-selection/FirstPlan/SelectionWithAutoGeneratedPolicy", + "children": { + "Role": { + "id": "Role", + "path": "cdk-backup-selection/FirstPlan/SelectionWithAutoGeneratedPolicy/Role", + "children": { + "ImportRole": { + "id": "ImportRole", + "path": "cdk-backup-selection/FirstPlan/SelectionWithAutoGeneratedPolicy/Role/ImportRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "cdk-backup-selection/FirstPlan/SelectionWithAutoGeneratedPolicy/Role/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "backup.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "cdk-backup-selection/FirstPlan/SelectionWithAutoGeneratedPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Backup::BackupSelection", + "aws:cdk:cloudformation:props": { + "backupPlanId": { + "Fn::GetAtt": [ + 
"FirstPlanF748325D", + "BackupPlanId" + ] + }, + "backupSelection": { + "iamRoleArn": { + "Fn::GetAtt": [ + "FirstPlanSelectionWithAutoGeneratedPolicyRoleFBE2AAC4", + "Arn" + ] + }, + "selectionName": "SelectionWithAutoGeneratedPolicy", + "resources": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":dynamodb:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":table/", + { + "Ref": "TableCD117FA1" + } + ] + ] + } + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.CfnBackupSelection", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.BackupSelection", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.BackupPlan", + "version": "0.0.0" + } + }, + "SecondPlan": { + "id": "SecondPlan", + "path": "cdk-backup-selection/SecondPlan", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-backup-selection/SecondPlan/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Backup::BackupPlan", + "aws:cdk:cloudformation:props": { + "backupPlan": { + "backupPlanName": "SecondPlan", + "backupPlanRule": [ + { + "lifecycle": { + "deleteAfterDays": 35 + }, + "ruleName": "Daily", + "scheduleExpression": "cron(0 5 * * ? *)", + "targetBackupVault": { + "Fn::GetAtt": [ + "SecondVaultFAFC72CB", + "BackupVaultName" + ] + } + }, + { + "lifecycle": { + "deleteAfterDays": 90 + }, + "ruleName": "Weekly", + "scheduleExpression": "cron(0 5 ? * SAT *)", + "targetBackupVault": { + "Fn::GetAtt": [ + "SecondVaultFAFC72CB", + "BackupVaultName" + ] + } + }, + { + "lifecycle": { + "deleteAfterDays": 1825, + "moveToColdStorageAfterDays": 90 + }, + "ruleName": "Monthly5Year", + "scheduleExpression": "cron(0 5 1 * ? 
*)", + "targetBackupVault": { + "Fn::GetAtt": [ + "SecondVaultFAFC72CB", + "BackupVaultName" + ] + } + } + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.CfnBackupPlan", + "version": "0.0.0" + } + }, + "SelectionWithoutAutoGeneratedPolicy": { + "id": "SelectionWithoutAutoGeneratedPolicy", + "path": "cdk-backup-selection/SecondPlan/SelectionWithoutAutoGeneratedPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "cdk-backup-selection/SecondPlan/SelectionWithoutAutoGeneratedPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Backup::BackupSelection", + "aws:cdk:cloudformation:props": { + "backupPlanId": { + "Fn::GetAtt": [ + "SecondPlanED732D55", + "BackupPlanId" + ] + }, + "backupSelection": { + "iamRoleArn": { + "Fn::GetAtt": [ + "BackupRoleF43CFD90", + "Arn" + ] + }, + "selectionName": "SelectionWithoutAutoGeneratedPolicy", + "resources": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":dynamodb:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":table/", + { + "Ref": "TableCD117FA1" + } + ] + ] + } + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.CfnBackupSelection", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.BackupSelection", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_backup.BackupPlan", + "version": "0.0.0" + } + }, + "BackupRole": { + "id": "BackupRole", + "path": "cdk-backup-selection/BackupRole", + "children": { + "ImportBackupRole": { + "id": "ImportBackupRole", + "path": "cdk-backup-selection/BackupRole/ImportBackupRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "cdk-backup-selection/BackupRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + 
"Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "backup.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "cdk-backup-selection/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "cdk-backup-selection/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "BackupSelectionTest": { + "id": "BackupSelectionTest", + "path": "BackupSelectionTest", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "BackupSelectionTest/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "BackupSelectionTest/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "BackupSelectionTest/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "BackupSelectionTest/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": 
"BackupSelectionTest/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.ts new file mode 100644 index 0000000000000..5f9b45c042a71 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-backup/test/integ.backup-selection.ts 
@@ -0,0 +1,64 @@
+import { App, Duration, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as backup from 'aws-cdk-lib/aws-backup';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { AttributeType, Table } from 'aws-cdk-lib/aws-dynamodb';
+import { ManagedPolicy, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
+
+class TestStack extends Stack {
+ constructor(scope: Construct, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ new Table(this, 'Table', {
+ partitionKey: {
+ name: 'id',
+ type: AttributeType.STRING,
+ },
+ removalPolicy: RemovalPolicy.DESTROY,
+ });
+
+ const firstVault = new backup.BackupVault(this, 'FirstVault', {
+ removalPolicy: RemovalPolicy.DESTROY,
+ lockConfiguration: {
+ minRetention: Duration.days(5),
+ },
+ });
+
+ const secondVault = new backup.BackupVault(this, 'SecondVault', {
+ removalPolicy: RemovalPolicy.DESTROY,
+ lockConfiguration: {
+ minRetention: Duration.days(5),
+ },
+ });
+
+ const firstPlan = backup.BackupPlan.dailyWeeklyMonthly5YearRetention(this, 'FirstPlan', firstVault);
+ const secondPlan = backup.BackupPlan.dailyWeeklyMonthly5YearRetention(this, 'SecondPlan', secondVault);
+
+ firstPlan.addSelection('SelectionWithAutoGeneratedPolicy', {
+ resources: [
+ backup.BackupResource.fromConstruct(this),
+ ],
+ allowRestores: true,
+ });
+
+ const role = new Role(this, 'BackupRole', {
+ assumedBy: new ServicePrincipal('backup.amazonaws.com'),
+ });
+ role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AWSBackupServiceRolePolicyForS3Backup'));
+ role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AWSBackupServiceRolePolicyForS3Restore'));
+ secondPlan.addSelection('SelectionWithoutAutoGeneratedPolicy', {
+ resources: [
+ backup.BackupResource.fromConstruct(this),
+ ],
+ role,
+ disableDefaultBackupPolicy: true,
+ });
+ }
+}
+
+const app = new App();
+const stack = new TestStack(app, 'cdk-backup-selection');
+
+new
IntegTest(app, 'BackupSelectionTest', { + testCases: [stack], +}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-backup/README.md b/packages/aws-cdk-lib/aws-backup/README.md index 27b2fcc3667f1..120e4ee274a5a 100644 --- a/packages/aws-cdk-lib/aws-backup/README.md +++ b/packages/aws-cdk-lib/aws-backup/README.md @@ -59,6 +59,28 @@ plan.addSelection('Selection', { If not specified, a new IAM role with a managed policy for backup will be created for the selection. The `BackupSelection` implements `IGrantable`. +To disable the plan from assigning the default `AWSBackupServiceRolePolicyForBackup` backup policy use the `disableDefaultBackupPolicy` property. + +This is useful if you want to avoid granting unnecessary permissions to the role. + +```ts +declare const plan: backup.BackupPlan; + +const role = new iam.Role(this, 'BackupRole', { + assumedBy: new iam.ServicePrincipal('backup.amazonaws.com'), +}); +// Assign S3-specific backup policy +role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AWSBackupServiceRolePolicyForS3Backup')); + +plan.addSelection('Selection', { + resources: [ + backup.BackupResource.fromTag('stage', 'prod'), + ], + role, + disableDefaultBackupPolicy: true, +}); +``` + To add rules to a plan, use `addRule()`: ```ts diff --git a/packages/aws-cdk-lib/aws-backup/lib/selection.ts b/packages/aws-cdk-lib/aws-backup/lib/selection.ts index 3f051c2c447e5..9b1b8f5adfd73 100644 --- a/packages/aws-cdk-lib/aws-backup/lib/selection.ts +++ b/packages/aws-cdk-lib/aws-backup/lib/selection.ts 
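Review bot: The `BackupRole` handed to `SelectionWithoutAutoGeneratedPolicy` carries only the two S3 managed policies, while `BackupResource.fromConstruct(this)` resolves to the DynamoDB table (the snapshot's selection lists a single `:table/` ARN). Going by the policy names, the role this test deploys is unlikely to be able to back up the resource it selects. The test therefore shows that the stack deploys with the default policy left off, not that a reduced-permission role actually works, and readers may copy the mismatch. Either add a resource that the S3 policies cover, or state the intent above the role, e.g. `// S3-only policies: used to show the default policy is not attached; they do not cover the DynamoDB table selected below`.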
@@ -26,12 +26,23 @@ export interface BackupSelectionOptions { /** * The role that AWS Backup uses to authenticate when backuping or restoring * the resources. The `AWSBackupServiceRolePolicyForBackup` managed policy - * will be attached to this role. + * will be attached to this role unless `disableDefaultBackupPolicy` + * is set to `true`. * * @default - a new role will be created */ readonly role?: iam.IRole; + /** + * Whether to disable automatically assigning default backup permissions to the role + * that AWS Backup uses. + * If `false`, the `AWSBackupServiceRolePolicyForBackup` managed policy will be + * attached to the role. + * + * @default false + */ + readonly disableDefaultBackupPolicy?: boolean; + /** * Whether to automatically give restores permissions to the role that AWS * Backup uses. If `true`, the `AWSBackupServiceRolePolicyForRestores` managed @@ -85,7 +96,9 @@ export class BackupSelection extends Resource implements iam.IGrantable { const role = props.role || new iam.Role(this, 'Role', { assumedBy: new iam.ServicePrincipal('backup.amazonaws.com'), }); - role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSBackupServiceRolePolicyForBackup')); + if (!props.disableDefaultBackupPolicy) { + role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSBackupServiceRolePolicyForBackup')); + } if (props.allowRestores) { role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSBackupServiceRolePolicyForRestores')); } diff --git a/packages/aws-cdk-lib/aws-backup/test/selection.test.ts b/packages/aws-cdk-lib/aws-backup/test/selection.test.ts index fd97c4b8ca482..3f0599bed2ed6 100644 --- a/packages/aws-cdk-lib/aws-backup/test/selection.test.ts +++ b/packages/aws-cdk-lib/aws-backup/test/selection.test.ts 
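Review bot: With `disableDefaultBackupPolicy: true` and no `role`, the constructor hunk (`@@ -85,7 +96,9 @@`) still creates a role through `props.role || new iam.Role(...)` and attaches nothing to it. The selection then synthesizes with a role that has no backup permissions, and the failure surfaces only when a backup job runs. The doc comment added in the first hunk describes the `false` case only; it should also state what `true` requires, for example "If `true`, no backup policy is attached and the caller must grant the role the permissions needed for the selected resources." Consider a synth-time warning when the flag is set without a caller-supplied role, such as `if (props.disableDefaultBackupPolicy && !props.role) { Annotations.of(this).addWarning('...'); }`, assuming `Annotations` can be imported in this file. The constructor body starts and ends outside the hunk.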
@@ -1,5 +1,5 @@ import { Construct } from 'constructs'; -import { Template } from '../../assertions'; +import { Match, Template } from '../../assertions'; import * as dynamodb from '../../aws-dynamodb'; import * as ec2 from '../../aws-ec2'; import * as efs from '../../aws-efs'; @@ -79,6 +79,22 @@ test('create a selection', () => { }); }); +test('no policy is attached if disableDefaultBackupPolicy is true', () => { + // WHEN + new BackupSelection(stack, 'Selection', { + backupPlan: plan, + resources: [ + BackupResource.fromArn('arn1'), + ], + disableDefaultBackupPolicy: true, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', { + ManagedPolicyArns: Match.absent(), + }); +}); + test('allow restores', () => { // WHEN new BackupSelection(stack, 'Selection', {
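Review bot: The new test in the `@@ -79,6 +79,22 @@` hunk covers only the case where the selection creates its own role. The use the README documents is a caller-supplied `role` that must end up with only the caller's policies, and that case is not asserted. The combination with `allowRestores: true` is also untested; `AWSBackupServiceRolePolicyForRestores` should still be attached there. `hasResourceProperties` passes as soon as one `AWS::IAM::Role` in the template matches, so pairing it with `Template.fromStack(stack).resourceCountIs('AWS::IAM::Role', 1);` would make the `Match.absent()` check tight. That assumes the shared setup outside this hunk creates no other role.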