Backup and Recovery

Recovery - General Concepts

AWS Documentation

This reference covers the general concepts of AWS and specific steps required to restore resource types from a vault. It is suggested being familiar with this guide before attempting any recovery operation, especially with the section for the resource type being recovered.

Key Points to Note

1. The engineer undertaking the recovery should use the AdministratorAccess role to perform the recovery operation to ensure they have the necessary permissions to restore resources. As it stands, the ModernisationPlatformEngineer role does not have these permissions.

2. Agree with the Product Team engineer(s) which resources are to be recovered, the recovery points to be used as the source and whether the recovery will be overwriting existing resources, for example EFS or EBS. This communication is vital to ensure that the correct resources are recovered and that the correct parameters are used.

3. It is strongly suggested to use the console for restoring one or two resources.

4. Each resource type will require its own specific parameters to be set. For example, an EBS volume or snapshot will require the volume ID the volume type, the availability zone to be added. It is suggested that these are provided by the product team or, failing that, obtained from the terraform source. As such it will be difficult to undertake a mass recovery of different resource types from multiple recovery points without scripting.

5. The recovery proceess will require a role to be provided. It is suggested that the DEFAULT role is used as this will have all of the necessary permissions required. Using the AWSBackup role will not work.

6. Recovery Points will generally have one resource associated with them. There are exceptions, such as resources backed up to multiple regions.

7. CLI documentation for recovery can be found here. Each resource type will have its own metadata requirements.

Backup & Restore Of Member StateFile

Overview

This runbook provides detailed instructions for backing up a replicated Terraform statefile from the eu-west-1 region and restoring it to a new folder in the eu-west-2 region. The statefile is stored in an S3 bucket with DynamoDB for state locking.

---

Step 1: Create a New Folder for Testing in S3

1. Log into AWS Management Console:

   • Access the Modernisation Platform Account and navigate to the S3 service.

2. Navigate to the S3 Bucket:

   • Go to the modernisation-platform-terraform-state bucket located in the eu-west-2 region.

3. Create a New Folder for Testing:

   • Create a new folder within this bucket specifically for testing. This ensures the production state file remains isolated, preventing accidental overwrites.

---

Step 2: Copy the Backup State File for Testing

1. Locate and Copy the Backup State File:

   • In the S3 bucket located in the eu-west-1 region, find the backup state file.

2. Set the Destination:

   • Use the “Copy” function for the state file.
   • Under “Destination type,” select “General purpose bucket.”
   • Use the “Browse S3” feature to navigate to the destination bucket and folder created in the previous step.

3. Specify Destination Path:

   • Ensure the destination path is correctly set, such as s3://modernisation-platform-terraform-state/environments/accounts/cooker/cooker-development/test-restore/.

Note: This method is applicable for objects encrypted with SSE-S3 (Amazon S3 managed keys). It is not suitable for objects encrypted with AWS KMS keys (SSE-KMS) or customer-provided encryption keys (SSE-C) due to additional restrictions.

---

Step 3: Verify the Copied State File in eu-west-2

1. Confirm State File Availability:
   • Navigate to the modernisation-platform-terraform-state bucket in the eu-west-2 region.
   • Verify that the copied state file exists in the specified test folder.

---

Step 4: Configure Terraform Backend for Testing

1. Update Terraform Configuration:
   • Modify Terraform configuration file (e.g., backend.tf) to point the backend key to the new test path where the copied state file resides.

---

Step 5: Initialise and Test the Configuration

1. Reinitialise the Terraform Backend:

   • Run terraform init -reconfigure to reinitialize the backend with the new test configuration. This step ensures that Terraform recognises the state file at the new location.

2. Verify the Setup:

   • Execute terraform plan to confirm that the state file is correctly recognised and that no changes will be applied unintentionally.

---

EC2 Backup and Restore

1. Set Up and Launch an EC2 Instance

• Create an EC2 instance with a “Test” file.

2. Set Up AWS Backup

• You can set up AWS Backup manually through the AWS Management Console or automate the process using Terraform. The setup involves creating a Backup Vault, an IAM role with necessary policies, and defining a backup plan.

Create Backup Vault

IAM Role and Policy Setup (create a new one or use default)

1. Create IAM Role for AWS Backup:

   • Create a new role with AWS Backup service as the trusted entity.
   • Attach the AWSBackupServiceRolePolicyForBackup managed policy.

2. Create and Attach IAM Policy:

   • Create a custom IAM policy with permissions for EC2 and backup operations.
   • Attach this policy to the IAM role created for AWS Backup.

3. Backup Plan Setup

Create a Backup Plan: - In the AWS Backup Console, go to “Backup plans” and click “Create backup plan.” - Choose a predefined plan or create a custom one. - Set backup frequency (e.g., daily) and retention period (e.g., 7 days).

4. Create On-Demand Backup

• Select protected resources and create on-demand backup.
• Select EC2 as the resource type that you want to back up.
• Choose the Instance ID of the EC2 resource that you want to protect.

5. Restore EC2 Instance

• Go to the AWS Backup console
• Click on “Backup vaults” and select your vault.
• Select the recovery point ARN and choose Restore.
• This will bring you to a Restore backup screen that will have the configurations for the EC2 instance using the backed-up AMI.
• Follow the prompts to complete the restoration.
• Check for your restored backup job under Restore jobs in the the AWS Backup console.

6. Verify the restored instance

• Connect to the restored EC2 instance using SSH or AWS Systems Manager (SSM).
• Navigate to the location of the test file.

- Verify that the test file exists and contains the expected content.

References

• AWS Backup Documentation

• AWS Restore CLI Reference

• EC2 Backup And Restore

This page was last reviewed on 17 February 2025. It needs to be reviewed again on 17 August 2025 by the page owner #modernisation-platform .

This page was set to be reviewed before 17 August 2025 by the page owner #modernisation-platform. This might mean the content is out of date.