Help CenterClumio Terraform ProviderClumio Python SDKClumio GO SDK
User Guide
BlogChangelogLogin

Clumio Terraform Provider: Troubleshooting & Pro Tips

Suggest Edits

This article offers practical tips for efficiently using the Clumio Terraform provider and troubleshooting common challenges when integrating Clumio with Terraform.

Reestablishing the Clumio connection resource

If the Clumio stack and its associated directory or environment were destroyed, but the connection resource remained intact, you will encounter the following error message upon re-deployment due to the persistent nature of the connection resource.

  • Error Message: 
    │ Error: Unable to create
│
│   with clumio_aws_connection.connection,
│   on main.tf line 32, in resource "clumio_aws_connection" "connection":
│   32: resource "clumio_aws_connection" "connection" {
│
│ {"errors":[{"error_code":320,"error_message":"Registration <ACCOUNT_NUMBER>/<ACCOUNT_REGION> already exists."}]}

To resolve this, you must first import the connection resource into the Terraform state before applying any changes

  • Importing the connection resource first and apply
  • terraform import clumio_aws_connection.connection <AWS_ACCOUNT_NUMBER>_<AWS_ACCOUNT_REGION>
terraform apply

BYOK key format

When passing in the key format for BYOK, ensure that the key ID is passed in when defining the clumio_byok module as the input and not the full ARN of the key.

  • existing_cmk_id   = mrk-<ID>

DynamoDB AWS resource stream configuration

Clumio utilizes DynamoDB streams for backup operations, and If you are managing your tables in Terraform you will need to ensure that streams is enabled. Do note that both [Old And New Image] and [New Image] view types are acceptable for backups, while [New Image] is preferred. Refer to the example below on how to configure streams for your DynamoDB AWS resource.

  • resource "aws_dynamodb_table" "example" {
...
    stream_enabled              = true
    stream_view_type            = "NEW_AND_OLD_IMAGES"
...
}

S3 AWS backup configuration

Inventory configuration

Clumio leverages S3 inventory to perform backup operations. If you are managing your buckets in Terraform you will need to ensure that the inventory file. Refer to the following configuration requirements below and reach out to Clumio support for the account specific details when configuring the inventory file.

  • Inventory configuration name: [reach out to support for the configuration name]
    • Inventory scope: Include all versions
      • Report details: select destination bucket to "A different account"
      • Account ID: [reach out to support for the account ID]
      • Destination: [reach out to support for the destination]
      • Frequency: Daily
      • Output format: CSV
      • Status: Enable
    • Inventory report encryption:
      • Server-side encryption: Specify an encryption key
      • Encryption key type: Amazon S3 managed keys(SSE-S3)
      • Additional metadata fields:check EVERYTHING except for the Additional checksums function

Event Bridge for continuous backup

For continuous backups, Clumio utilizes AWS EventBridge for processing backups. Below is a snippet from our provider page on how to set bucket properties and enable continuous backups.

  • resource "clumio_s3_bucket_properties" "enable_cb" {
  bucket_id            = "clumio_assigned_bucket_id"
  event_bridge_enabled = true
}

# Below example shows how to get the bucket_id from the clumio_s3_bucket data source and use
# it in the clumio_s3_bucket_properties resource

data "clumio_s3_bucket" "bucket" {
  bucket_names = ["test-bucket"]
}

resource "clumio_s3_bucket_properties" "enable_cb" {
  bucket_id            = element(tolist(data.clumio_s3_bucket.bucket.s3_buckets), 0).id
  event_bridge_enabled = true
}

Managing resources under an organizational unit

Creating an organizational unit

When introducing an organizational unit in Clumio, all resources expected to be under the desired organizational unit must be associated with the assigned provider by referring to its alias. Directly below is an example of defining an organizational unit in Clumio.

  • resource "clumio_organizational_unit" "example-prod" {
  name        = "example-prod"
  description = "Production"
  parent_id   = var.global_organization_unit_uuid
}

Once the organizational unit resource has been created, you will need to instantiate a separate provider where the alias will then be assigned. Note that the alias parameter that is assigned here will be referenced later when specifying the provider in later sections.

  • provider "clumio" {
  alias                              = "example-prod"
  clumio_api_token                   = data.aws_secretsmanager_secret_version.clumio_api_token.secret_string
  clumio_api_base_url                = var.clumio_api_base_url
  clumio_organizational_unit_context = clumio_organizational_unit.example-prod.id
}

Associating an account registration to an organizational unit

In the following example, notice that the [clumio_aws_connection] resource is referencing the organizational unit by specifying the provider [clumio.example-prod] and the [clumio_protect_example_prod_us_east_1] module is also doing the same in the provider section. This will ensure that the account registration will be connected under the desired organizational unit.

  • resource "clumio_aws_connection" "example_prod_us_east_1" {
  account_native_id = var.example_prod_account_id
  aws_region        = "us-east-1"
  description       = "example-prod us-east-1 connection"
  provider          = clumio.example-prod
}

module "clumio_protect_example_prod_us_east_1" {
  providers = {
    clumio = clumio.example-prod
    aws    = aws.example-prod-us-east-1
  }
  source                = "clumio-code/aws-template/clumio"
  data_plane_account_id = clumio_aws_connection.example_prod_us_east_1.data_plane_account_id
  clumio_token          = clumio_aws_connection.example_prod_us_east_1.token
  role_external_id      = clumio_aws_connection.example_prod_us_east_1.role_external_id
  aws_account_id        = clumio_aws_connection.example_prod_us_east_1.account_native_id
  aws_region            = clumio_aws_connection.example_prod_us_east_1.aws_region
  clumio_aws_account_id = clumio_aws_connection.example_prod_us_east_1.clumio_aws_account_id

  is_ebs_enabled       = true
  is_rds_enabled       = true
  is_ec2_mssql_enabled = true
  is_dynamodb_enabled  = true
  is_s3_enabled        = true
}

Associating other resources to an organizational unit

To ensure that the resource is associated with an organizational unit, the provider parameter needs to be defined appended by the alias of the desired provider as previously demonstrated with the connection and module. Below is an example of a protection group resource that will be associated with the "example-prod" organizational unit.

  • resource "clumio_protection_group_bucket" "s3_standard_tier" {
    provider = clumio.example-prod
    ...
  }

Clumio Terraform provider - https://registry.terraform.io/providers/clumio-code/clumio/latest/docs/guides/getting_started

Contact support@clumio.com with any questions or concerns.

Updated 9 days ago