Initial commit

Author: Nate Przybyszewski

.gitignore

@@ -0,0 +1,2 @@
+*.psd1
+dist/

LICENSE

@@ -0,0 +1,7 @@
+Copyright 2018 Nathan Przybyszewski
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,85 @@
+# PowerShell AWS S3 Simple Backup
+This is a PowerShell module for performing simple backups to S3.  Also included is a Lambda function for managing the uploaded backups.  The Lambda function will age-out old backups while still retaining certain backups (ex. first backup of each year, of each quarter, of each month, etc) for a specified amount of time.  Lambda function also posts to CloudWatch for each newly uploaded backup so that an alarm can be created to alert if backups stop.
+
+# End-host Configuration
+1. Download script from Github and install as desired.  In this example we'll
+   keep it simple by saving the entire directory to C:\backups.
+2. Copy backup_settings.template.txt file, rename it, and edit it as desired.
+3. Create backup script.  Script can be executed as a Windows Scheduled Task.  Depending what you're attempting to backup, you may need to add additional commands to your script.  For example, if you're backing up a MySQL database, you'll want to use mysqldump to export the database before backing up the resulting file to S3.
+
+```
+Import-Module C:\backups\powershell-aws-simple-s3-backup\AwsSimpleS3Backup.psd1
+
+# First argument is the backup name.
+# Second argument is the location to backup files from
+# Third argument is the settings file that will be used to determine backup behavior
+Backup-FilesToS3 "documents" "C:\Users\Administrator\My Documents\*" "C:\backups\powershell-aws-simple-s3-backup\backup_settings.txt"
+```
+
+# Lambda Installation
+1. Upload script from tools/lambda directory to your AWS account's Lambda console as a Python 3.x script.
+2. See Lambda Example IAM Role Policy below for an example policy that you can use for this script.
+3. Set up Lambda to call this function upon S3 "ObjectCreated" events from your S3 bucket.
+4. If desired, configure CloudWatch alarms to alert you if backups stop arriving.  You will need to wait until after the first execution before the metric appears.  Backups must occur at least once per day for this to be effective.
+5. Currently, S3 Lifecycle Policies must be configured manually for pruning to work.  The Lambda script will tag each archive with the "keep-days" tag and a value indicating the number of days that the archive should be retained.  For each possible retention period, you must create the desired lifecycle policies.  You can create policies to delete the objects, or for longer-lived objects transition them to Glacier then eventually delete them.  For example:
+* keep-days=7: Expire current version of object after 7 days from object creation
+* keep-days=356: Transition to Amazon Clacier after 15 days from object creation, expire current version of object after 365 days from object creation.
+
+# Lambda Configuration
+Edit the following variables in the Lambda script to suit your requirements.
+
+archive_bucket: Name of the S3 bucket that you are uploading backups to
+
+metric_namespace: Namespace to use when posting to CloudWatch.  Can usually just be left at the default unless you prefer something else.
+
+tier_mapping: should be modified with your desired retention periods.  The __default mapping applies to all uploaded backups unless overridden by another.  The number associated with each interval indicates how many days the first backup of each interval will be retained.  For example, imagine a backup is uploaded once per week on the following days: Jan 1, Jan 8, Jan 15, Jan 22, Jan 29, Feb 5, Feb 12.  The Jan 1 backup will be retained for 3650 days because it is the first backup of the year.  The Feb 5 backup will be retained for 365 days because it is the first backup of the month of February.  The other backups in this example will be retained only 15 days.
+
+```
+[3650, 730, 365, 90, 30, 15]
+  |     |    |   |   |   |
+  |     |    |   |   |   |- Others
+  |     |    |   |   |- Daily
+  |     |    |   |- Weekly
+  |     |    |- Monthly
+  |     |- Quarterly
+  |- Yearly
+```
+
+# Lambda Example IAM Role Policy
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "Stmt1507002786000",
+            "Effect": "Allow",
+            "Action": [
+                "s3:DeleteObject",
+                "s3:PutObjectTagging",
+                "s3:GetObjectTagging",
+                "s3:PutObject",
+                "s3:CopyObject",
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::my.archive.bucket",
+                "arn:aws:s3:::my.archive.bucket/*"
+            ]
+        },
+        {
+            "Sid": "Stmt1507097378000",
+            "Effect": "Allow",
+            "Action": [
+                "cloudwatch:PutMetricData"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+}
+```
+
+# Credits
+Powershell and Python script originally authored by Nathan Przybyszewski
+[powershell-script-module-boilerplate](https://github.com/jpoehls/powershell-script-module-boilerplate) used as a template

backup_settings.template.txt

@@ -0,0 +1,34 @@
+# Backup settings for AWS-S3-Backup.ps1
+# Author: Nathan Przybyszewski <github.com/shibz>
+# Date: 2018-03-11
+#
+# Copy the backup_settings.template.txt file to a new file and rename
+# it to "backup_settings.txt".  It must sit in the same directory as
+# your AWS-S3-Backup.ps1 file.  Configure the values below as desired.
+
+# Local Backup Directory.  Subdirectories will be created for each backup
+# using the "name" specified with the Backup-Files command.
+LocalBackupDir=C:\Backups
+
+# Number of days to retain local backups
+LocalBackupRetention=30
+
+# Name of the event log source to use.  The log source will need to be
+# initiated using the following cmdlet (executed as an administrator)
+# New-EventLog –LogName Application –Source "YourBackupSourceName"
+LogSource=S3Backup
+
+# Password used to encrypt archives
+EncryptionPassword=some encryption password here
+
+# S3 Configuration
+S3Bucket=your.s3.bucket.name
+S3Region=us-east-1
+AccessKey=AKI12345678901234567
+SecretKey=put your secret key here
+
+# Enable/disable upload to S3.  If disabled, local backups will continue.
+CloudUpload=true
+
+# Post extra debug logs
+Debug=False

src/AwsSimpleS3Backup.psm1

@@ -0,0 +1,138 @@
+function Backup-FilesToS3 {
+    <#
+    .SYNOPSIS
+        Creates backups, uploads them to AWS S3, and retains some locally
+
+    .DESCRIPTION
+        This powershell module is designed to make creation of backups simple
+        and easy and to allow for easy uploading of those backups to S3 for
+        long-term archival and disaster recovery.
+        
+        Author: Nathan Przybyszewski <github.com/shibz>
+        License: MIT License
+        
+        Before using this script, you need to create your backup_settings.txt
+        file using the included template. You also should run the following
+        command as administrator to set up logging:
+        
+        New-EventLog -LogName Application -Source "YourBackupSourceName"
+        
+        Replace YourBackupSourceName with the actual setting you configured
+        in backup_settings.txt
+    
+    .PARAMETER name
+        Name for the backups.  Date/time will be appended.
+    
+    .PARAMETER source
+        Location to backup.
+    
+    .PARAMETER cfgFile
+        Configuration file that will be used to deremine where to backup to.
+    
+    .EXAMPLE
+        Backup files locally and to S3 as specified by configuration file.
+        
+        Backup-FilesToS3 "documents" "C:\Users\Administrator\My Documents\*" "C:\backups\backup_settings.txt"
+    #>
+    Param(
+        [Parameter(Mandatory=$true)][string]$name,
+        [Parameter(Mandatory=$true)][string]$source,
+        [Parameter(Mandatory=$true)][string]$cfgFile
+    )
+
+    # Ensure 7-zip is installed and the necessary backup settings file exists
+    if (-not (test-path "$env:ProgramFiles\7-Zip\7z.exe")) {throw "$env:ProgramFiles\7-Zip\7z.exe needed"}
+    if (-not (test-path "$cfgFile")) {throw "$cfgFile was not found.  Copy backup_settings.template.txt and configure as desired.  Location of your configuration must be passed to cmdlet as a parameter."}
+
+    # Fetch backup config file content and populate $backupSettings with values
+    Get-Content "$cfgFile" | foreach-object -begin {$backupSettings=@{}} -process { $k = [regex]::split($_,'='); if(($k[0].CompareTo("") -ne 0) -and ($k[0].StartsWith("[") -ne $True) -and ($k[0].StartsWith("#") -ne $True)) { $backupSettings.Add($k[0], $k[1]) } }
+
+    # Set the logging-related variables
+    $script:logSource = $backupSettings.LogSource
+    $script:debug = $backupSettings.Debug
+
+    # Set the AWS credentials
+    Set-AWSCredential -AccessKey "$($backupSettings.AccessKey)" -SecretKey "$($backupSettings.SecretKey)"
+    Set-DefaultAWSRegion -Region "$($backupSettings.S3Region)"
+
+    $now = Get-Date
+    $timestamp = Get-Date -Date $now -format yyyy-MM-dd_H-mm-ss
+    $backupDir = "$($backupSettings.LocalBackupDir)\$name"
+    $backupName = "$backupDir\$name`_$timestamp.bak.7z"
+    $cloudUpload = $backupSettings.CloudUpload -like "true"
+    Write-BackupLog "Beginning backup for $name to $backupName.`r`nWill attempt to save:`r`n$source" 110
+
+    if ($source -is [array]) {
+        $szoutput = Zip-Files "$backupName" @source
+    } else {
+        $szoutput = Zip-Files "$backupName" $source
+    }
+    Write-BackupDebug "7Zip completed.  Output was:`r`n$szoutput" 120
+
+    if ($cloudUpload) {
+        $uploadlog = Upload-Backup $backupName $backupSettings.S3Bucket "$name.7z" $now
+    } else {
+        $uploadlog = "Backup was not uploaded to S3"
+    }
+
+    $backupMax = $now.AddDays([int]$backupSettings.LocalBackupRetention * -1)
+    $oldfiles = Get-ChildItem $backupdir -recurse -include "$backupname_*.bak.7z" | Where-Object { $_.CreationTime -le $backupMax }
+    if ($oldfiles) {
+        $measurement = $oldfiles | Measure-Object -property length -sum
+        $pruneCount = $measurement.Count
+        $pruneSize = [math]::Round($measurement.Sum / 1KB)
+        $prunelog = "Pruning old archives.`r`nWill attempt to prune $pruneCount files totalling $pruneSize KB:`r`n$oldfiles`r`n$uploadlog"
+        Write-BackupDebug $prunelog 140
+        Remove-Item $oldfiles
+    } else {
+        $prunelog = "No files found for pruning"
+    }
+
+    Write-BackupLog "Backup for $name to $backupName is complete!`r`nBackup target was: $source`r`n`r`n7Zip output was:`r`n$szoutput`r`n$prunelog`r`n$backuplog" 150
+}
+
+# Create an encrypted 7-zip archive
+function Zip-Files {
+    "$env:ProgramFiles\7-Zip\7z.exe" a -mx7 -mhe -mmt -p"$($backupSettings.EncryptionPassword)" $args
+}
+
+# Write to event log, only if debug mode is enabled
+function Write-BackupDebug($message, $id) {
+    if ($script:debug) {
+        Write-EventLog -LogName Application -Source $script:logSource -EventId "$id" -Message "$message"
+        echo $message
+    }
+}
+
+# Write informational message to event log
+function Write-BackupLog($message, $id) {
+    Write-EventLog -LogName Application -Source $script:logSource -EventId "$id" -Message "$message"
+    echo $message
+}
+
+# Write error message to event log
+function Write-BackupError($message, $id) {
+    Write-EventLog -LogName Application -Source $script:logSource -EventId "$id" -Message "$message" -EntryType Error
+    echo $message
+}
+
+# Upload the given file to S3
+function Upload-Backup($file, $bucket, $key, $date) {
+    $prefixDate = Get-Date -Date $date -format yyyy-MM-dd/HH-mm-ss
+    $archiveKey = "$prefixDate`_$key"
+    $backupLog = ""
+
+    Write-BackupDebug "Attempting to upload $file to s3://$bucket/$archiveKey" 135
+    try {
+        Write-S3Object -BucketName $bucket -File $file -Key $archiveKey
+        $backupLog = "Uploaded $file to s3://$bucket/$archiveKey"
+    } catch {
+        $errormsg = $_.Exception.Message
+        Write-BackupError "Error uploading to S3!  Error was:`r`n$errormsg" 235
+    }
+    Write-BackupDebug $backupLog 130
+
+    return $backupLog
+}
+
+Export-ModuleMember -Function Backup-FilesToS3