Backups for s3

Author: jusdino

backend/compact-connect/cdk.context.beta-example.json

@@ -42,6 +42,11 @@
             "schedule": "cron(0 6 * * ? *)",
             "delete_after_days": 365,
             "cold_storage_after_days": 30
+          },
+          "document_storage": {
+            "schedule": "cron(0 5 * * ? *)",
+            "delete_after_days": 365,
+            "cold_storage_after_days": 30
           }
         }
       }

backend/compact-connect/cdk.context.prod-example.json

@@ -42,6 +42,11 @@
             "schedule": "cron(0 * ? * * *)",
             "delete_after_days": 365,
             "cold_storage_after_days": 30
+          },
+          "document_storage": {
+            "schedule": "cron(0 5 * * ? *)",
+            "delete_after_days": 365,
+            "cold_storage_after_days": 30
           }
         }
       }

backend/compact-connect/cdk.context.sandbox-example.json

@@ -40,6 +40,11 @@
             "schedule": "cron(0 6 * * ? *)",
             "delete_after_days": 365,
             "cold_storage_after_days": 30
+          },
+          "document_storage": {
+            "schedule": "cron(0 5 * * ? *)",
+            "delete_after_days": 365,
+            "cold_storage_after_days": 30
           }
         }
       }

backend/compact-connect/cdk.context.test-example.json

@@ -43,6 +43,11 @@
             "schedule": "cron(0 6 * * ? *)",
             "delete_after_days": 365,
             "cold_storage_after_days": 30
+          },
+          "document_storage": {
+            "schedule": "cron(0 5 * * ? *)",
+            "delete_after_days": 365,
+            "cold_storage_after_days": 30
           }
         }
       }

backend/compact-connect/common_constructs/backup_plan.py

@@ -1,5 +1,4 @@
 from aws_cdk import Duration
-from aws_cdk.aws_events import Schedule
 from aws_cdk.aws_backup import (
     BackupPlan,
     BackupPlanCopyActionProps,
@@ -9,22 +8,27 @@
     BackupVault,
     IBackupVault,
 )
-from aws_cdk.aws_dynamodb import ITable
+from aws_cdk.aws_events import Schedule
 from aws_cdk.aws_iam import IRole
 from constructs import Construct
 
 
-class TableBackupPlan(Construct):
+class CCBackupPlan(Construct):
     """
-    Common construct for creating backup plans for DynamoDB tables with cross-account replication.
+    Common construct for creating backup plans for CompactConnect resources with cross-account replication.
+
+    This consolidated backup plan construct can be used for any AWS resource type that supports
+    AWS Backup (DynamoDB tables, S3 buckets, etc.) by accepting a list of backup resources
+    and a name prefix.
     """
 
     def __init__(
         self,
         scope: Construct,
         construct_id: str,
         *,
-        table: ITable,
+        backup_plan_name_prefix: str,
+        backup_resources: list[BackupResource],
         backup_vault: BackupVault,
         backup_service_role: IRole,
         cross_account_backup_vault: IBackupVault,
@@ -36,32 +40,32 @@ def __init__(
         # Create backup plan
         self.backup_plan = BackupPlan(
             self,
-            "BackupPlan",
-            backup_plan_name=f"{table.table_name}-BackupPlan",
+            'BackupPlan',
+            backup_plan_name=f'{backup_plan_name_prefix}-BackupPlan',
             backup_plan_rules=[
                 BackupPlanRule(
-                    rule_name=f"{table.table_name}-DailyBackup",
+                    rule_name=f'{backup_plan_name_prefix}-Backup',
                     backup_vault=backup_vault,
-                    schedule_expression=Schedule.expression(backup_policy["schedule"]),
-                    delete_after=Duration.days(backup_policy["delete_after_days"]),
-                    move_to_cold_storage_after=Duration.days(backup_policy["cold_storage_after_days"]),
+                    schedule_expression=Schedule.expression(backup_policy['schedule']),
+                    delete_after=Duration.days(backup_policy['delete_after_days']),
+                    move_to_cold_storage_after=Duration.days(backup_policy['cold_storage_after_days']),
                     copy_actions=[
                         BackupPlanCopyActionProps(
                             destination_backup_vault=cross_account_backup_vault,
-                            delete_after=Duration.days(backup_policy["delete_after_days"]),
-                            move_to_cold_storage_after=Duration.days(backup_policy["cold_storage_after_days"]),
+                            delete_after=Duration.days(backup_policy['delete_after_days']),
+                            move_to_cold_storage_after=Duration.days(backup_policy['cold_storage_after_days']),
                         )
                     ],
                 )
             ],
         )
 
-        # Create backup selection to include the table
+        # Create backup selection to include the resources
         self.backup_selection = BackupSelection(
             self,
-            "BackupSelection",
+            'BackupSelection',
             backup_plan=self.backup_plan,
-            resources=[BackupResource.from_dynamo_db_table(table)],
-            backup_selection_name=f"{table.table_name}-Selection",
+            resources=backup_resources,
+            backup_selection_name=f'{backup_plan_name_prefix}-Selection',
             role=backup_service_role,
-        ) 
+        )

backend/compact-connect/stacks/backup_infrastructure_stack.py

@@ -413,7 +413,7 @@ def _create_backup_event_rules(self) -> None:
         """Create EventBridge rules for real-time backup failure events."""
 
         # Backup job failure events
-        backup_job_failure_rule = Rule(
+        Rule(
             self,
             'BackupJobFailureRule',
             event_pattern=EventPattern(
@@ -427,7 +427,7 @@ def _create_backup_event_rules(self) -> None:
         )
 
         # Copy job failure events
-        copy_job_failure_rule = Rule(
+        Rule(
             self,
             'CopyJobFailureRule',
             event_pattern=EventPattern(
@@ -441,7 +441,7 @@ def _create_backup_event_rules(self) -> None:
         )
 
         # Recovery point partial/failed events
-        recovery_point_issues_rule = Rule(
+        Rule(
             self,
             'RecoveryPointIssuesRule',
             event_pattern=EventPattern(
@@ -458,7 +458,7 @@ def _create_operational_security_rules(self) -> None:
         """Create EventBridge rules for operational security monitoring."""
 
         # Manual backup deletion monitoring
-        manual_deletion_rule = Rule(
+        Rule(
             self,
             'ManualBackupDeletionRule',
             event_pattern=EventPattern(
@@ -473,7 +473,7 @@ def _create_operational_security_rules(self) -> None:
         )
 
         # Backup vault modifications
-        vault_modification_rule = Rule(
+        Rule(
             self,
             'BackupVaultModificationRule',
             event_pattern=EventPattern(
@@ -487,7 +487,7 @@ def _create_operational_security_rules(self) -> None:
         )
 
         # Backup plan modifications/deletions
-        backup_plan_changes_rule = Rule(
+        Rule(
             self,
             'BackupPlanChangesRule',
             event_pattern=EventPattern(
@@ -509,10 +509,13 @@ def _add_cdk_nag_suppressions(self) -> None:
             [
                 {
                     'id': 'HIPAA.Security-IAMNoInlinePolicy',
-                    'reason': 'CDK allows for granular permissions crafting that is attached to policies directly to each resource, '
-                    'by virtue of its Resource.grant_* methods. This approach results in an improvement in the principle '
-                    'of least privilege, because each resource has permissions specifically crafted for that resource '
-                    'and only allows exactly what it needs to do, rather than sharing more coarse managed policies.',
+                    'reason': (
+                        'CDK allows for granular permissions crafting that is attached to policies '
+                        'directly to each resource, by virtue of its Resource.grant_* methods. '
+                        'This approach results in an improvement in the principle of least privilege, '
+                        'because each resource has permissions specifically crafted for that resource '
+                        'and only allows exactly what it needs to do, rather than sharing more coarse managed policies.'
+                    ),
                 },
             ],
         )
@@ -524,8 +527,11 @@ def _add_cdk_nag_suppressions(self) -> None:
             [
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'reason': 'AWS Backup service requires these standard AWS managed policies for backup and restore operations. '
-                    'These are the minimal required permissions for backup service functionality.',
+                    'reason': (
+                        'AWS Backup service requires these standard AWS managed policies for backup '
+                        'and restore operations. These are the minimal required permissions for '
+                        'backup service functionality.'
+                    ),
                 },
             ],
         )
@@ -535,8 +541,11 @@ def _add_cdk_nag_suppressions(self) -> None:
             [
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'reason': 'AWS Backup service requires these standard AWS managed policies for backup and restore operations. '
-                    'SSN backup role uses the same base policies with additional customer-managed security restrictions.',
+                    'reason': (
+                        'AWS Backup service requires these standard AWS managed policies for backup '
+                        'and restore operations. SSN backup role uses the same base policies with '
+                        'additional customer-managed security restrictions.'
+                    ),
                 },
             ],
         )

backend/compact-connect/stacks/persistent_stack/__init__.py

@@ -10,7 +10,6 @@
 from cdk_nag import NagSuppressions
 from common_constructs.access_logs_bucket import AccessLogsBucket
 from common_constructs.alarm_topic import AlarmTopic
-from common_constructs.backup_plan import TableBackupPlan
 from common_constructs.data_migration import DataMigration
 from common_constructs.frontend_app_config_utility import PersistentStackFrontendAppConfigUtility
 from common_constructs.nodejs_function import NodejsFunction
@@ -359,6 +358,8 @@ def _add_data_resources(
             encryption_key=self.shared_encryption_key,
             provider_table=self.provider_table,
             removal_policy=removal_policy,
+            backup_infrastructure_stack=backup_infrastructure_stack,
+            environment_context=self.environment_context,
         )
 
     def _add_migrations(self):

backend/compact-connect/stacks/persistent_stack/compact_configuration_table.py

@@ -1,9 +1,12 @@
 from aws_cdk import RemovalPolicy
+from aws_cdk.aws_backup import BackupResource
 from aws_cdk.aws_dynamodb import Attribute, AttributeType, BillingMode, Table, TableEncryption
 from aws_cdk.aws_kms import IKey
-from common_constructs.backup_plan import TableBackupPlan
+from common_constructs.backup_plan import CCBackupPlan
 from constructs import Construct
 
+from stacks.backup_infrastructure_stack import BackupInfrastructureStack
+
 
 class CompactConfigurationTable(Table):
     """DynamoDB table to house compact configuration data"""
@@ -15,7 +18,7 @@ def __init__(
         *,
         encryption_key: IKey,
         removal_policy: RemovalPolicy,
-        backup_infrastructure_stack: 'BackupInfrastructureStack',
+        backup_infrastructure_stack: BackupInfrastructureStack,
         environment_context: dict,
         **kwargs,
     ):
@@ -33,10 +36,11 @@ def __init__(
         )
 
         # Set up backup plan
-        self.backup_plan = TableBackupPlan(
+        self.backup_plan = CCBackupPlan(
             self,
             'CompactConfigurationTableBackup',
-            table=self,
+            backup_plan_name_prefix=self.table_name,
+            backup_resources=[BackupResource.from_dynamo_db_table(self)],
             backup_vault=backup_infrastructure_stack.local_backup_vault,
             backup_service_role=backup_infrastructure_stack.backup_service_role,
             cross_account_backup_vault=backup_infrastructure_stack.cross_account_backup_vault,

backend/compact-connect/stacks/persistent_stack/data_event_table.py

@@ -3,6 +3,7 @@
 import os
 
 from aws_cdk import Duration, RemovalPolicy
+from aws_cdk.aws_backup import BackupResource
 from aws_cdk.aws_cloudwatch import Alarm, ComparisonOperator, Metric, Stats, TreatMissingData
 from aws_cdk.aws_cloudwatch_actions import SnsAction
 from aws_cdk.aws_dynamodb import Attribute, AttributeType, BillingMode, Table, TableEncryption
@@ -11,12 +12,13 @@
 from aws_cdk.aws_kms import IKey
 from aws_cdk.aws_sns import ITopic
 from cdk_nag import NagSuppressions
-from common_constructs.backup_plan import TableBackupPlan
+from common_constructs.backup_plan import CCBackupPlan
 from common_constructs.python_function import PythonFunction
 from common_constructs.queued_lambda_processor import QueuedLambdaProcessor
 from constructs import Construct
 
 from stacks import persistent_stack as ps
+from stacks.backup_infrastructure_stack import BackupInfrastructureStack
 
 
 class DataEventTable(Table):
@@ -132,10 +134,11 @@ def __init__(
         ).add_alarm_action(SnsAction(stack.alarm_topic))
 
         # Set up backup plan
-        self.backup_plan = TableBackupPlan(
+        self.backup_plan = CCBackupPlan(
             self,
             'DataEventTableBackup',
-            table=self,
+            backup_plan_name_prefix=self.table_name,
+            backup_resources=[BackupResource.from_dynamo_db_table(self)],
             backup_vault=backup_infrastructure_stack.local_backup_vault,
             backup_service_role=backup_infrastructure_stack.backup_service_role,
             cross_account_backup_vault=backup_infrastructure_stack.cross_account_backup_vault,

backend/compact-connect/stacks/persistent_stack/provider_table.py

@@ -1,7 +1,8 @@
 from aws_cdk import RemovalPolicy
+from aws_cdk.aws_backup import BackupResource
 from aws_cdk.aws_dynamodb import Attribute, AttributeType, BillingMode, ProjectionType, Table, TableEncryption
 from aws_cdk.aws_kms import IKey
-from common_constructs.backup_plan import TableBackupPlan
+from common_constructs.backup_plan import CCBackupPlan
 from constructs import Construct
 
 from stacks.backup_infrastructure_stack import BackupInfrastructureStack
@@ -73,10 +74,11 @@ def __init__(
             ],
         )
         # Set up backup plan
-        self.backup_plan = TableBackupPlan(
+        self.backup_plan = CCBackupPlan(
             self,
             'ProviderTableBackup',
-            table=self,
+            backup_plan_name_prefix=self.table_name,
+            backup_resources=[BackupResource.from_dynamo_db_table(self)],
             backup_vault=backup_infrastructure_stack.local_backup_vault,
             backup_service_role=backup_infrastructure_stack.backup_service_role,
             cross_account_backup_vault=backup_infrastructure_stack.cross_account_backup_vault,