This document provides guidance on using AWS Backup data sources with this Terraform module.
AWS Backup data sources allow you to query existing backup resources created by AWS Backup. These data sources are useful for:
- Referencing backup configurations managed outside this module
- Querying information about existing backup selections
- Building integrations with external backup infrastructure
- Compliance and auditing workflows
The aws_backup_selection data source allows you to query details about an existing backup selection.
```hcl
# Query a backup selection
data "aws_backup_selection" "example" {
  plan_id      = "your-plan-id"
  selection_id = "your-selection-id"
}

# Access selection attributes
output "selection_name" {
  value = data.aws_backup_selection.example.name
}

output "selection_iam_role" {
  value = data.aws_backup_selection.example.iam_role_arn
}

output "selection_resources" {
  value = data.aws_backup_selection.example.resources
}
```

| Attribute | Type | Description |
|---|---|---|
| `name` | string | Display name of the backup selection |
| `iam_role_arn` | string | IAM role ARN used for backup operations |
| `resources` | list(string) | Array of resource ARNs or patterns included in the selection |
To query backup selections created by this module, use the plan IDs from the module outputs:
```hcl
module "backup" {
  source = "lgallard/backup/aws"

  plans = {
    production = {
      name = "production-backup-plan"
      # ... plan configuration
    }
  }
}

# Query a selection from the module's backup plan
data "aws_backup_selection" "my_selection" {
  plan_id      = module.backup.plans["production"].id
  selection_id = "selection-id-from-aws"
}
```

Important: The `selection_id` parameter is required but not directly available as a Terraform output due to AWS API limitations. You must retrieve selection IDs using one of these methods:
- Navigate to AWS Backup → Backup plans
- Select your backup plan
- Go to "Resource assignments" tab
- Copy the Selection ID from the list
```bash
# List all selections for a backup plan
aws backup list-backup-selections \
  --backup-plan-id <plan-id>

# Get specific selection details
aws backup get-backup-selection \
  --backup-plan-id <plan-id> \
  --selection-id <selection-id>
```

- Use data sources for queries only: Don't use data sources to manage backup selections - use the module's resource blocks instead.
- Cache selection IDs: Store selection IDs in Terraform variables or AWS Systems Manager Parameter Store for easier reference.
- Validate before use: Verify that selections exist before referencing them in other resources.
- Document dependencies: Clearly document which resources depend on data source queries.
- Use tags for discovery: Tag backup plans and selections consistently to enable easier querying.
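The "cache selection IDs" and "validate before use" practices combined, as an added example that is not part of this module: the selection ID is read from Parameter Store, and postconditions (Terraform 1.2 or later) fail the plan if the selection does not look as expected. The parameter path, the variable names and the two audit rules are assumptions chosen for illustration.

```hcl
# Added example. Assumed names: the SSM parameter path, var.plan_id,
# var.expected_backup_role_arn.
variable "plan_id" {
  type        = string
  description = "ID of the backup plan that owns the selection"
}

variable "expected_backup_role_arn" {
  type        = string
  description = "IAM role the selection is expected to use"
}

# Selection ID cached in Parameter Store by whoever created the selection.
data "aws_ssm_parameter" "selection_id" {
  name = "/backup/production/selection-id"
}

data "aws_backup_selection" "production" {
  plan_id = var.plan_id

  # The provider marks SSM values as sensitive. A selection ID is an
  # identifier, not a secret, so unwrap it to keep downstream outputs readable.
  selection_id = nonsensitive(data.aws_ssm_parameter.selection_id.value)

  lifecycle {
    # A missing selection already fails the read with ResourceNotFoundException.
    # These checks catch a selection that exists but has drifted.
    postcondition {
      condition     = self.iam_role_arn == var.expected_backup_role_arn
      error_message = "Backup selection is not using the expected IAM role."
    }

    postcondition {
      # Assumed rule for this environment: selections list explicit ARNs or
      # patterns, never a bare "*".
      condition     = !contains(self.resources, "*")
      error_message = "Backup selection includes the wildcard resource \"*\"."
    }
  }
}
```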
Error Message:

```
Error: reading Backup Selection (plan-abc123:sel-xyz789): ResourceNotFoundException:
Backup selection 'sel-xyz789' not found
```

Causes:
- The selection ID is incorrect or doesn't exist
- The selection was deleted
- The selection belongs to a different backup plan
- Typo in the selection ID

Solutions:
- Verify the selection exists:

  ```bash
  aws backup get-backup-selection \
    --backup-plan-id <plan-id> \
    --selection-id <selection-id>
  ```

- List all selections for the backup plan:

  ```bash
  aws backup list-backup-selections \
    --backup-plan-id <plan-id> \
    --query 'BackupSelectionsList[*].[SelectionId,SelectionName]' \
    --output table
  ```

- Check if you're using the correct AWS region:

  ```bash
  # Verify region matches your Terraform configuration
  aws backup list-backup-plans --region us-east-1
  ```
Error Message:

```
Error: reading Backup Selection: InvalidParameterValueException:
Backup plan not found: plan-abc123
```

Causes:
- The plan ID is incorrect
- The backup plan was deleted
- Wrong AWS region or account
- Plan ID from different environment

Solutions:
- Verify the plan exists:

  ```bash
  aws backup get-backup-plan --backup-plan-id <plan-id>
  ```

- List all backup plans in the current region:

  ```bash
  aws backup list-backup-plans \
    --query 'BackupPlansList[*].[BackupPlanId,BackupPlanName]' \
    --output table
  ```

- Check if the plan is in a different region:

  ```bash
  # List plans in all regions
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    echo "Checking $region..."
    aws backup list-backup-plans --region "$region" \
      --query 'BackupPlansList[*].[BackupPlanId,BackupPlanName]' \
      --output text
  done
  ```
Error Message:

```
Error: reading Backup Selection: AccessDeniedException:
User: arn:aws:iam::123456789012:user/terraform is not authorized to perform:
backup:GetBackupSelection on resource: arn:aws:backup:us-east-1:123456789012:backup-plan:plan-abc123
```

Causes:
- Missing IAM permissions
- Incorrect IAM policy attached
- Resource-based policy denying access
- Service Control Policy (SCP) restrictions

Solutions:
- Add required IAM permissions to your user/role:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "backup:GetBackupSelection",
          "backup:ListBackupSelections",
          "backup:GetBackupPlan",
          "backup:ListBackupPlans"
        ],
        "Resource": "*"
      }
    ]
  }
  ```

- For least-privilege access, scope to specific resources:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "backup:GetBackupSelection",
          "backup:ListBackupSelections"
        ],
        "Resource": [
          "arn:aws:backup:*:123456789012:backup-plan:*"
        ]
      }
    ]
  }
  ```

- Verify current IAM permissions:

  ```bash
  # Check if you have the required permissions
  aws backup list-backup-plans
  aws backup list-backup-selections --backup-plan-id <plan-id>
  ```

- If using AWS Organizations, check for SCP restrictions:

  ```bash
  aws organizations list-policies-for-target \
    --target-id <account-id> \
    --filter SERVICE_CONTROL_POLICY
  ```
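The least-privilege policy above, narrowed to one backup plan and written in Terraform, as an added example that is not part of this module. The variable names and the policy name are assumptions; the plan ARN is assembled in the same shape as the resource named in the `AccessDeniedException` message.

```hcl
# Added example. Assumed names: var.plan_id, var.region and the policy name
# "backup-selection-readonly".
variable "plan_id" {
  type = string
}

variable "region" {
  type = string
}

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  # arn:<partition>:backup:<region>:<account-id>:backup-plan:<plan-id>
  plan_arn = join(":", [
    "arn",
    data.aws_partition.current.partition,
    "backup",
    var.region,
    data.aws_caller_identity.current.account_id,
    "backup-plan",
    var.plan_id,
  ])
}

data "aws_iam_policy_document" "selection_read" {
  # Read access to one plan and the selections attached to it.
  statement {
    sid       = "ReadOnePlanAndItsSelections"
    effect    = "Allow"
    actions   = ["backup:GetBackupPlan", "backup:GetBackupSelection", "backup:ListBackupSelections"]
    resources = [local.plan_arn]
  }

  # ListBackupPlans is not scoped to a plan ARN, so it is the only "*" statement.
  statement {
    sid       = "ListPlans"
    effect    = "Allow"
    actions   = ["backup:ListBackupPlans"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "selection_read" {
  name   = "backup-selection-readonly"
  policy = data.aws_iam_policy_document.selection_read.json
}
```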
Error Message:

```
Error: Invalid value for "selection_id": string required
```

Causes:
- Selection ID is null or empty
- Variable not properly defined
- Missing required parameter

Solutions:
- Ensure the `selection_id` is properly set:

  ```hcl
  data "aws_backup_selection" "example" {
    plan_id      = var.plan_id
    selection_id = var.selection_id != "" ? var.selection_id : "sel-default"
  }
  ```

- Add validation to variables:

  ```hcl
  variable "selection_id" {
    type        = string
    description = "Backup selection ID"

    validation {
      condition     = can(regex("^sel-[a-z0-9]+$", var.selection_id))
      error_message = "Selection ID must start with 'sel-' followed by alphanumeric characters."
    }
  }
  ```
Error Message:

```
Error: reading Backup Selection: TooManyRequestsException:
Rate exceeded
```

Causes:
- Too many API calls in a short period
- AWS Backup API rate limits exceeded
- Multiple Terraform runs simultaneously

Solutions:
- Add retry logic in Terraform provider configuration:

  ```hcl
  provider "aws" {
    region      = var.region
    retry_mode  = "adaptive"
    max_retries = 10
  }
  ```

- Use `depends_on` to sequence data source queries:

  ```hcl
  data "aws_backup_selection" "selection1" {
    plan_id      = var.plan_id
    selection_id = var.selection_id_1
  }

  data "aws_backup_selection" "selection2" {
    plan_id      = var.plan_id
    selection_id = var.selection_id_2
    depends_on   = [data.aws_backup_selection.selection1]
  }
  ```

- Reduce concurrent operations by running terraform with `-parallelism`:

  ```bash
  terraform apply -parallelism=1
  ```
If you encounter other issues:
- Check AWS Backup service status: https://status.aws.amazon.com/
- Review Terraform logs: Set `TF_LOG=DEBUG` for detailed output
- Consult AWS Backup quotas: https://docs.aws.amazon.com/aws-backup/latest/devguide/service-quotas.html
- Open an issue: Report bugs or request features at https://github.com/lgallard/terraform-aws-backup/issues
For comprehensive examples of using AWS Backup data sources, see: