
The policy document I am providing does not conform to the expected format for the backup policy.

I'm trying to use this template.

AWSTemplateFormatVersion: '2010-09-09'
Transform:
  - 'AWS::LanguageExtensions'
Parameters:
  pOrgBackupTargetOUs:
    Description: A comma separated list of the AWS Organizations OUs to attach backup policies.
    Type: CommaDelimitedList
  pCentralBackupVaultArn:
    Description: The **ARN** of a centralized AWS Backup Vault that will be the secondary store for all AWS Backups. The defined organization backup policy plans will "copy_to" this vault.
    Type: String
  pCrossAccountBackupRole:
    Description: This is the IAM role name for the cross-account backup role that carries out the backup activities.
    Type: String
  pMemberAccountBackupVault:
    AllowedPattern: ^[a-zA-Z0-9\-\_\.]{1,50}$
    ConstraintDescription: The name of the member account Backup vaults. (Name is case sensitive). 
    Type: String
  pTagKey:
    Type: String 
    Description: This is the tag key to assign to resources.
    Default: 'project'
  pTagValue:
    Type: String 
    Description: This is the tag value to assign to resources.
    Default: 'aws-backup'
Resources:
  rOrgDailyBackUpPolicy:
    Type: AWS::Organizations::Policy
    Properties:
      Name: org-daily-backup-policy
      Description: >-
        BackupPolicy for Daily Backup as per the resource selection criteria
      Type: BACKUP_POLICY
      TargetIds: !Ref pOrgBackupTargetOUs
      Content:
        Fn::ToJsonString:
          plans:
            OrgBackupPlanDaily:
              rules:
                OrgDailyBackupRule:
                  schedule_expression:
                    "@@assign": cron(0 19 ? * * *)
                  start_backup_window_minutes:
                    "@@assign": '60'
                  complete_backup_window_minutes:
                    "@@assign": '1200'
                  lifecycle:
                    delete_after_days:
                      "@@assign": '14'
                  target_backup_vault_name:
                    "@@assign": !Ref pMemberAccountBackupVault
                  recovery_point_tags:
                    project:
                      tag_key:
                        "@@assign": !Ref pTagKey
                      tag_value:
                        "@@assign": !Ref pTagValue
                  copy_actions:
                    "<my-central-vault-ARN-hardcoded>":
                      target_backup_vault_arn:
                        "@@assign": !Ref pCentralBackupVaultArn
                      lifecycle:
                        delete_after_days:
                          "@@assign": '14'
              backup_plan_tags:
                project:
                  tag_key:
                    "@@assign": !Ref pTagKey
                  tag_value:
                    "@@assign": !Ref pTagValue
              regions:
                "@@append":
                  - eu-central-1
              selections:
                tags:
                  OrgDailyBackupSelection:
                    iam_role_arn:
                      "@@assign": !Sub 'arn:aws:iam::$account:role/${pCrossAccountBackupRole}'
                    tag_key:
                      "@@assign": 'backup'
                    tag_value:
                      "@@assign":
                        - daily

Explanation of code:

Overall, this CloudFormation template creates an AWS backup policy for resources within an AWS Organization, specifying the backup rules and the storage locations for the backup data.

  • The rOrgDailyBackUpPolicy resource is of type AWS::Organizations::Policy and creates a backup policy within the specified target OUs.
  • Name and Description specify the name and description of the backup policy. Type specifies the type of policy as BACKUP_POLICY.
  • TargetIds specifies the AWS Organization OUs to which the policy will be attached.
  • Content specifies the backup policy plan details using the intrinsic function Fn::ToJsonString, which converts the contents to a JSON-formatted string. This backup plan has the name OrgBackupPlanDaily and includes a set of rules that define when and how backups are taken. These rules include scheduling expressions, window duration for backups, and lifecycle details for backup data.
  • backup_plan_tags and recovery_point_tags specify tags to apply to the backup plan and recovery points created by the plan, respectively.
  • regions specifies the regions in which backups are taken.
  • selections specifies the resource selection criteria for backups. In this case, it selects resources with the tag backup set to daily.
  • iam_role_arn specifies the IAM role name for the cross-account backup role that carries out the backup activities.
  • target_backup_vault_name and target_backup_vault_arn specify the name and ARN of the backup vaults where the backups will be stored. target_backup_vault_arn is set to the value of the pCentralBackupVaultArn parameter passed to the template.
  • copy_actions specifies the backup vault where a copy of backups will be stored. This section includes the name of the backup vault, and the lifecycle details for the copied data. The target_backup_vault_arn value is hardcoded and not parameterized.

But I am getting the error "The provided policy document does not meet the requirements of the specified policy type." while trying to create the backup policy.

AceP

1 Answer


My fault. I was providing the name of the central vault instead of ARN as template parameter.

So make sure that copy_actions contains the ARN of the central vault, both hardcoded (as the key) and as the parameter value.

AceP
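A pre-deployment check for the mistake described in the answer, added here as an example and not part of the original question or of any AWS tooling. It inspects the backup policy content (the JSON that Fn::ToJsonString would produce) and reports every copy_actions entry whose key or target_backup_vault_arn is not a backup vault ARN, or where the two differ; the vault ARN, account id and helper names are constructed for the example.

```python
import re

# AWS Backup vault ARN shape: arn:<partition>:backup:<region>:<account-id>:backup-vault:<name>
VAULT_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:backup:[a-z0-9-]+:\d{12}:backup-vault:[A-Za-z0-9._-]{1,50}$"
)


def check_copy_actions(policy_content: dict) -> list:
    """Return a list of problems found in the copy_actions of every rule.

    Each copy_actions entry is keyed by the destination vault ARN and must carry a
    target_backup_vault_arn '@@assign' holding that same ARN; a bare vault name in
    either place is the mistake from the question and is reported here."""
    problems = []
    for plan_name, plan in policy_content.get("plans", {}).items():
        for rule_name, rule in plan.get("rules", {}).items():
            where = f"{plan_name}/{rule_name}"
            for key, action in rule.get("copy_actions", {}).items():
                if not VAULT_ARN_RE.match(key):
                    problems.append(f"{where}: copy_actions key {key!r} is not a backup vault ARN")
                target = action.get("target_backup_vault_arn", {}).get("@@assign")
                if target is None:
                    problems.append(f"{where}: copy action {key!r} has no target_backup_vault_arn")
                elif not VAULT_ARN_RE.match(target):
                    problems.append(f"{where}: target_backup_vault_arn {target!r} is not an ARN")
                elif target != key:
                    problems.append(f"{where}: copy_actions key {key!r} != target {target!r}")
    return problems


def plan_with_copy_target(vault: str) -> dict:
    """Constructed minimal policy content mirroring the question's template (example helper)."""
    return {"plans": {"OrgBackupPlanDaily": {"rules": {"OrgDailyBackupRule": {
        "schedule_expression": {"@@assign": "cron(0 19 ? * * *)"},
        "target_backup_vault_name": {"@@assign": "member-vault"},
        "copy_actions": {vault: {
            "target_backup_vault_arn": {"@@assign": vault},
            "lifecycle": {"delete_after_days": {"@@assign": "14"}},
        }},
    }}}}}


# Constructed sample values; the account id and vault name are not real.
CENTRAL_VAULT_ARN = "arn:aws:backup:eu-central-1:111111111111:backup-vault:central-vault"
CENTRAL_VAULT_NAME = "central-vault"

if __name__ == "__main__":
    # The name-only variant reproduces the question's error cause; the ARN variant passes.
    for vault in (CENTRAL_VAULT_NAME, CENTRAL_VAULT_ARN):
        print(vault, "->", check_copy_actions(plan_with_copy_target(vault)) or ["ok"])
```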