release

Author: jstrunk

.gitignore

@@ -0,0 +1,16 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+package-lock.json
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+# Parcel build directories
+.cache
+.build
+
+cdk.json
+cdk.context.json

.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

CHANGELOG.md

@@ -0,0 +1,15 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+This project follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) format for changes and adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+
+
+## [Unreleased]
+
+## [1.0.0] - 2022-05-31
+
+### Added
+
+* Initial release

CODE_OF_CONDUCT.md

@@ -0,0 +1,4 @@
+## Code of Conduct
+This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
+opensource-codeofconduct@amazon.com with any additional questions or comments.

CONTRIBUTING.md

@@ -0,0 +1,59 @@
+# Contributing Guidelines
+
+Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
+documentation, we greatly value feedback and contributions from our community.
+
+Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
+information to effectively respond to your bug report or contribution.
+
+
+## Reporting Bugs/Feature Requests
+
+We welcome you to use the GitHub issue tracker to report bugs or suggest features.
+
+When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
+reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
+
+* A reproducible test case or series of steps
+* The version of our code being used
+* Any modifications you've made relevant to the bug
+* Anything unusual about your environment or deployment
+
+
+## Contributing via Pull Requests
+Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
+
+1. You are working against the latest source on the *main* branch.
+2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
+3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
+
+To send us a pull request, please:
+
+1. Fork the repository.
+2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
+3. Ensure local tests pass.
+4. Commit to your fork using clear commit messages.
+5. Send us a pull request, answering any default questions in the pull request interface.
+6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
+
+GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
+[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
+
+
+## Finding contributions to work on
+Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.
+
+
+## Code of Conduct
+This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
+opensource-codeofconduct@amazon.com with any additional questions or comments.
+
+
+## Security issue notifications
+If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
+
+
+## Licensing
+
+See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.

LICENSE

@@ -0,0 +1,15 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

NOTICE.txt

@@ -0,0 +1,11 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+**********************
+THIRD PARTY COMPONENTS
+**********************
+This software includes third party software subject to the following copyrights:
+
+AWS SDK under the Apache License Version 2.0
+aws-cdk under Apache Software License
+constructs under Apache Software License
+cdk-nag under Apache Software License

README.es.md

@@ -0,0 +1,87 @@
+# AWS Backup Actions Framework
+
+AWS Backup Actions es un framework para automatizar acciones gatilladas por events de AWS Backup
+
+Esta solución incluye implementaciones de muestra para exportar volumenes AWS EBS a archivos comprimidos para archivarlos a largo plazo en Amazon S3 y exportar backups de Amazon DynamoDB y snapshots de Amazon RDS con [motores y versiones][1] y [versiones de Aurora][2] que soportan exportar snapshots a S3 en el formato Parquet para archivos consultables a largo plazo. Puede implementar otros casos de uso como exportar dumps nativos de snapshots de RDS según el ejemplo de EBS.
+
+NOTA: Esta aplicación creará roles y políticas de IAM.
+
+## ¿Cómo funciona?
+Cualquier snapshot creada en el AWS Backup Vault designado activará un proceso para restaurar el backup, copiar los datos a
+S3 y eliminar el recurso restaurado. La solución elimina el backup solo en caso de éxito para que la retención de AWS Backup pueda seguir preservando los datos en caso de fallo.
+
+La solución utiliza AWS Step Functions para orquestar los procesos. AWS Lambda y AWS Batch con instancias Amazon EC2 Spot realizan el
+procesos de restauración y backup.
+
+### EBS
+1. Restaura la snapshot a un volumen GP2 en una AZ determinada. Espera a que esté disponible.
+2. Inicia un Batch Job en la misma AZ.
+3. El Batch Job conecta el volumen de EBS a la instancia del contenedor de una manera que permite que el contenedor que se ejecuta como root acceda y monte el dispositivo de bloque.
+4. Los archivos se archivan y comprimen mediante tar y se transmiten a S3 por streaming.
+5. Si por alguna razón el sistema de archivos en el volumen de EBS no se puede montar, el dispositivo de bloque se copia con dd, se comprime con gzip y se transmite a S3 por streaming.
+6. El volumen restaurado se elimina después de éxito o cualquier error.
+
+### DynamoDB y motores y versiones soportados de RDS 
+1. Llama al API para exportar el snapshot a S3 en el formato comprimido Parquet.
+2. Monitorea la tarea hasta éxito o fallo.
+
+### Como implementar soporte para otros motores de RDS
+1. Restaura la snapshot a una AZ dada en un tipo de instancia de bajo costo con volúmenes GP2 o Aurora con una contraseña root aleatoria.
+2. Almacena la contraseña cifrada en SSM Parameter Store.
+3. Inicia un Batch Job en la misma AZ.
+4. El Batch Job se conecta a la base de datos y ejecuta el comando dump del motor, comprime con gzip y transmite a S3 por streaming.
+5. La instancia restaurada se elimina después de éxito o cualquier error.
+
+## Costos
+Aparte del almacenamiento en S3 y VPC Interface Endpoints, esta solución solo genera costos mientras procesa una snapshot.
+
+Suponiendo que la fuente de datos original era de 100GB, el costo por exportación excluyendo almacenamiento y VPC Interface Endpoints sigue:
+EBS: ~$0.65
+RDS: ~$1.05
+DynamoDB: ~$10.05
+
+Los siete VPC Interface Endpoints son el costo más alto de esta solución en unos $151 mensuales. El tráfico a internet es sólo para llamadas API a EC2, ECR, y Batch. El tráfico de S3 y DynamoDB utilizan los VPC Gateway Endpoints. Nada en la solución escucha el tráfico entrante. Podría usar un VPC NAT Gateway por unos $33 por mes, pero el tráfico de egreso no es controlado. A su propio riesgo, esta solución puede funcionar sin un NAT Gateway o VPC Interface Endpoints, pero las instancias EC2 administradas por AWS Batch requerirán acceso directo a Internet y direcciones IP públicas. El Security Group puede impedir el acceso entrante desde Internet, y no se abren puertos para el tráfico entrante.
+
+## Instrucciones de despliegue
+```
+cp cdk.json.template cdk.json
+``` 
+
+Edite cdk.json para especificar su cuenta, región, BackupVault y etiquetas. La etiqueta de seguridad es opcional para
+restringir los roles de IAM creados eliminar recursos que no fueron creados por esta aplicación.
+
+```
+npm install
+cd functions/sanpshotMetadata
+npm install
+cd ../..
+npm run build
+```
+
+Configure su entorno con AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY y posiblemente AWS_SESSION_TOKEN para poder
+implementar en su cuenta.
+
+```
+cdk synth
+cdk deploy
+```
+
+### S3 Server Access Logs (Opcional)
+Puede habilitar S3 Server Access Logs por especificar un bucket y prefijo en `cdk.json`. El bucket para los access logs debe se configurado para [permitir acceso desde el Amazon S3 Log Delivery Group][3]
+
+### S3 Lifecycle Rules (Opcional)
+Para unos caso de uso como archivar a largo plazo, los objetos solo deberían ser eliminados con Lifecycle Rules. Considere restringir opseraciones de delete con MFA Delete en la pólitica del bucket.
+
+Puede configurar las Lifecycle Rules en el `cdk.json` bajo la clave `lifecycleRules`. Por ejemplo:
+
+```
+"lifecycleRules: {
+    "glacier": 10,
+    "deepArchive": 101,
+    "expiration": 2190
+}
+```
+
+[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ExportSnapshot.html
+[2]: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_ExportSnapshot.html
+[3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html#grant-log-delivery-permissions-general

README.md

@@ -0,0 +1,87 @@
+# AWS Backup Actions Framework
+
+AWS Backup Actions is a framework for automating actions triggered by AWS Backup events. 
+
+This solution includes example implementations to export AWS EBS snapshots to compressed archives for long term archiving in Amazon S3 and exporting Amazon DynamoDB backups and Amazon RDS snapshots for supported [engines and versions][1] and [Aurora versions][2] to S3 in the Parquet format for queryable long term archiving. You can implement other use cases such as exporting engine native dumps from RDS snapshots by following the EBS example.
+
+NOTE: This application will create IAM roles and policies.
+
+## How does it work?
+Any snapshot created in the designated AWS Backup Vault will trigger a process to restore the backup, copy the data to
+S3, and delete the restored resource. The solution deletes the snapshot only on success so the AWS Backup retention can be used as a failsafe.
+
+The solution uses AWS Step Functions to orchestrate the processes. AWS Lambda and AWS Batch with EC2 Spot Instances perform the
+restore and backup processes.
+
+### EBS
+1. Restore the snapshot to a GP3 volume in a given AZ. Wait for it to become available.
+2. Start a Batch job in the same AZ.
+3. The Batch job attaches the EBS volume to the container instance in a way that allows the container running as root to access and mount the block device.
+4. The files are archived and compressed using tar and streamed to S3.
+5. If for any reason the filesystem on the EBS volume can't be mounted, the block device is copied with dd, compressed with gzip, and streamed to S3.
+6. The restored volume is deleted after success or any failure.
+
+### DynamoDB and supported RDS engines and versions
+1. Call the API to export the snapshot in S3 in compressed Parquet format.
+2. Monitor for success.
+
+### How to implement support for other RDS engines
+1. Restore the snapshot to a given AZ on a low cost instance type with GP2 volumes or Aurora with a random root password.
+2. Store the password encrypted in SSM Parameter Store.
+3. Start a Batch job in the same AZ.
+4. The Batch job connects to the DB and runs the engine's dump command, compresses with gzip, and stream to S3.
+5. The restored instance is terminated after success or any failure.
+
+## Costs
+Apart from the storage in S3 and the VPC Interface Endpoints, this solution only costs money while it is processing a snapshot.
+
+Assuming the original data source was 100GB, the cost per export excluding storage and VPC Interface Endpoints follows:
+EBS: ~$0.65
+RDS: ~$1.05
+DynamoDB: ~$10.05
+
+The seven VPC Interface Endpoints are the highest cost of this solution at about $151 per month. The traffic outside the VPC is only for API calls to EC2, ECR, and Batch. S3 and DynamoDB traffic use VPC Gateway endpoints. Nothing in the solution listens for inbound traffic. A VPC NAT Gateway could be used for about $33 per month, but egress is not controlled. At your own risk, this solution can work without a NAT Gateway or VPC Interface Endpoints, but the EC2 instances managed by AWS Batch will require direct access to the Internet and public IP addresses. The Security Group can prevent inbound access from the Internet, and no ports get opened for inbound traffic.
+
+## Deployment instructions
+```
+cp cdk.json.template cdk.json
+```
+
+Edit cdk.json to specify your account, region, backupVault, and tags. The Security Tag is optional to restrict the created IAM Roles
+from deleting resources that weren't created by this application.
+
+```
+npm install
+cd functions/sanpshotMetadata
+npm install
+cd ../..
+npm run build
+```
+
+Set up your environment with AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and possibly AWS_SESSION_TOKEN to be able to
+deploy in your account.
+
+```
+cdk synth
+cdk deploy
+```
+
+### S3 Server Access Logs (Optional)
+You can enable S3 Server Access Logs by specifying a bucket and prefix in `cdk.json`. The access logs bucket must be configured to [allow access from the Amazon S3 Log Delivery Group][3].
+
+### S3 Lifecycle Rules (Optional)
+For some use cases such as long term archiving, objects should only be deleted using Lifecycle Rules. Consider restricting deletes with MFA delete in the bucket policy.
+
+You can configure the Lifecycle Rules in the `cdk.json` under the `lifecycleRules` key. For example:
+
+```
+"lifecycleRules: {
+    "glacier": 10,
+    "deepArchive": 101,
+    "expiration": 2190
+}
+```
+
+[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ExportSnapshot.html
+[2]: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_ExportSnapshot.html
+[3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html#grant-log-delivery-permissions-general

bin/aws-backup-actions.ts

@@ -0,0 +1,39 @@
+#!/usr/bin/env node
+
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-0
+
+import "source-map-support/register";
+import * as cdk from "aws-cdk-lib";
+import { AwsBackupActionsStack } from "../lib/aws-backup-actions-stack";
+import { AwsSolutionsChecks, NagSuppressions } from "cdk-nag";
+
+const app = new cdk.App();
+const stack = new AwsBackupActionsStack(app, "AwsBackupActionsStack", {
+  env: {
+    account: app.node.tryGetContext("account"),
+    region: app.node.tryGetContext("region"),
+  },
+});
+cdk.Aspects.of(app).add(
+  new AwsSolutionsChecks({
+    verbose: true,
+  })
+);
+
+NagSuppressions.addStackSuppressions(
+  stack,
+  [
+    {
+      id: "AwsSolutions-IAM5",
+      reason: "Allow to Lambdas write to Cloudwatch Log Group under prefix",
+      appliesTo: [
+        {
+          regex:
+            "/^Resource::arn:<AWS::Partition>:logs:(.*):log-group:/aws/lambda/\\*/g",
+        },
+      ],
+    },
+  ],
+  true
+);