feat(backup): support continuous backup and point-in-time restores (#17602)

Adds support for [continuous backup and point-in-time restores](https://docs.aws.amazon.com/aws-backup/latest/devguide/point-in-time-recovery.html).

Implemented validations when continuous backup and point-in-time restores is enabled:
- `deleteAfter` between 1 and 35 days. "The minimum retention period is 1 day. The maximum retention period is 35 days." (see [docs](https://docs.aws.amazon.com/aws-backup/latest/devguide/point-in-time-recovery.html#point-in-time-recovery-working-with))
- `deleteAfter` must be specified. Mandatory in AWS console. CloudFormation error if not specified: `Lifecycle must be specified for backup rule enabled continuous backup`
- `moveToColdStorageAfter` is not supported. Field not available in AWS console. CloudFormation error if specified: `MoveToColdStorageAfterDays is unavailable`

Closes #15922.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: jumic

packages/@aws-cdk/aws-backup/README.md

@@ -63,6 +63,19 @@ plan.addRule(new backup.BackupPlanRule({
 }));
 ```
 
+Continuous backup and point-in-time restores (PITR) can be configured.
+Property `deleteAfter` defines the retention period for the backup. It is mandatory if PITR is enabled.
+If no value is specified, the retention period is set to 35 days which is the maximum retention period supported by PITR.
+Property `moveToColdStorageAfter` must not be specified because PITR does not support this option.
+This example defines an AWS Backup rule with PITR and a retention period set to 14 days:
+
+```ts fixture=with-plan
+plan.addRule(new backup.BackupPlanRule({
+  enableContinuousBackup: true,
+  deleteAfter: Duration.days(14),
+}));
+```
+
 Ready-made rules are also available:
 
 ```ts fixture=with-plan

packages/@aws-cdk/aws-backup/lib/plan.ts

@@ -187,6 +187,7 @@ export class BackupPlan extends Resource implements IBackupPlan {
       ruleName: rule.props.ruleName ?? `${this.node.id}Rule${this.rules.length}`,
       scheduleExpression: rule.props.scheduleExpression?.expressionString,
       startWindowMinutes: rule.props.startWindow?.toMinutes(),
+      enableContinuousBackup: rule.props.enableContinuousBackup,
       targetBackupVault: vault.backupVaultName,
     });
   }

packages/@aws-cdk/aws-backup/lib/rule.ts

@@ -58,6 +58,18 @@ export interface BackupPlanRuleProps {
    * common vault for the plan will be created
    */
   readonly backupVault?: IBackupVault;
+
+  /**
+   * Enables continuous backup and point-in-time restores (PITR).
+   *
+   * Property `deleteAfter` defines the retention period for the backup. It is mandatory if PITR is enabled.
+   * If no value is specified, the retention period is set to 35 days which is the maximum retention period supported by PITR.
+   *
+   * Property `moveToColdStorageAfter` must not be specified because PITR does not support this option.
+   *
+   * @default false
+   */
+  readonly enableContinuousBackup?: boolean;
 }
 
 /**
@@ -146,15 +158,37 @@ export class BackupPlanRule {
     });
   }
 
+  /**
+   * Properties of BackupPlanRule
+   */
+  public readonly props: BackupPlanRuleProps
+
   /** @param props Rule properties */
-  constructor(public readonly props: BackupPlanRuleProps) {
+  constructor(props: BackupPlanRuleProps) {
     if (props.deleteAfter && props.moveToColdStorageAfter &&
-        props.deleteAfter.toSeconds() < props.moveToColdStorageAfter.toSeconds()) {
+      props.deleteAfter.toDays() < props.moveToColdStorageAfter.toDays()) {
       throw new Error('`deleteAfter` must be greater than `moveToColdStorageAfter`');
     }
 
     if (props.scheduleExpression && !/^cron/.test(props.scheduleExpression.expressionString)) {
       throw new Error('`scheduleExpression` must be of type `cron`');
     }
+
+    const deleteAfter = (props.enableContinuousBackup && !props.deleteAfter) ? Duration.days(35) : props.deleteAfter;
+
+    if (props.enableContinuousBackup && props.moveToColdStorageAfter) {
+      throw new Error('`moveToColdStorageAfter` must not be specified if `enableContinuousBackup` is enabled');
+    }
+
+    if (props.enableContinuousBackup && props.deleteAfter &&
+      (props.deleteAfter?.toDays() < 1 || props.deleteAfter?.toDays() > 35)) {
+      throw new Error(`'deleteAfter' must be between 1 and 35 days if 'enableContinuousBackup' is enabled, but got ${props.deleteAfter.toHumanString()}`);
+    }
+
+    this.props = {
+      ...props,
+      deleteAfter,
+    };
+
   }
 }

packages/@aws-cdk/aws-backup/test/plan.test.ts

@@ -70,6 +70,81 @@ test('create a plan and add rules', () => {
   });
 });
 
+test('create a plan with continuous backup option', () => {
+  // GIVEN
+  const vault = new BackupVault(stack, 'Vault');
+
+  // WHEN
+  new BackupPlan(stack, 'Plan', {
+    backupVault: vault,
+    backupPlanRules: [
+      new BackupPlanRule({
+        enableContinuousBackup: true,
+      }),
+    ],
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Backup::BackupPlan', {
+    BackupPlan: {
+      BackupPlanName: 'Plan',
+      BackupPlanRule: [
+        {
+          EnableContinuousBackup: true,
+          Lifecycle: {
+            DeleteAfterDays: 35,
+          },
+          RuleName: 'PlanRule0',
+          TargetBackupVault: {
+            'Fn::GetAtt': [
+              'Vault23237E5B',
+              'BackupVaultName',
+            ],
+          },
+        },
+      ],
+    },
+  });
+});
+
+test('create a plan with continuous backup option and specify deleteAfter', () => {
+  // GIVEN
+  const vault = new BackupVault(stack, 'Vault');
+
+  // WHEN
+  new BackupPlan(stack, 'Plan', {
+    backupVault: vault,
+    backupPlanRules: [
+      new BackupPlanRule({
+        enableContinuousBackup: true,
+        deleteAfter: Duration.days(1),
+      }),
+    ],
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Backup::BackupPlan', {
+    BackupPlan: {
+      BackupPlanName: 'Plan',
+      BackupPlanRule: [
+        {
+          EnableContinuousBackup: true,
+          Lifecycle: {
+            DeleteAfterDays: 1,
+          },
+          RuleName: 'PlanRule0',
+          TargetBackupVault: {
+            'Fn::GetAtt': [
+              'Vault23237E5B',
+              'BackupVaultName',
+            ],
+          },
+        },
+      ],
+    },
+  });
+});
+
 test('create a plan and add rules - add BackupPlan.AdvancedBackupSettings.BackupOptions', () => {
   const vault = new BackupVault(stack, 'Vault');
   const otherVault = new BackupVault(stack, 'OtherVault');
@@ -234,3 +309,25 @@ test('synth fails when plan has no rules', () => {
 
   expect(() => app.synth()).toThrow(/A backup plan must have at least 1 rule/);
 });
+
+test('throws when moveToColdStorageAfter is used with enableContinuousBackup', () => {
+  expect(() => new BackupPlanRule({
+    enableContinuousBackup: true,
+    deleteAfter: Duration.days(30),
+    moveToColdStorageAfter: Duration.days(10),
+  })).toThrow(/`moveToColdStorageAfter` must not be specified if `enableContinuousBackup` is enabled/);
+});
+
+test('throws when deleteAfter is less than 1 in combination with enableContinuousBackup', () => {
+  expect(() => new BackupPlanRule({
+    enableContinuousBackup: true,
+    deleteAfter: Duration.days(0),
+  })).toThrow(/'deleteAfter' must be between 1 and 35 days if 'enableContinuousBackup' is enabled, but got 0 days/);
+});
+
+test('throws when deleteAfter is greater than 35 in combination with enableContinuousBackup', () => {
+  expect(() => new BackupPlanRule({
+    enableContinuousBackup: true,
+    deleteAfter: Duration.days(36),
+  })).toThrow(/'deleteAfter' must be between 1 and 35 days if 'enableContinuousBackup' is enabled, but got 36 days/);
+});