Integration
Clumio Terraform Provider
Manage Clumio policies, protection groups, AWS account connections, and access controls declaratively from Terraform. The starting point for wiring Clumio into your infrastructure-as-code workflow.
Quickstart
The fast path
The smallest config that bootstraps a Clumio tenant against your cloud: provider declarations, configured providers, the connection record, and the cloud-side IAM module. Set CLUMIO_API_TOKEN and CLUMIO_API_BASE_URL, run terraform apply, and the account is ready to take policy bindings. The example below uses AWS; the GCP shape is similar, with the gcp-template module and matching GCP connection resource in place of the AWS pair.
terraform {
  required_providers {
    clumio = {
      source = "clumio-code/clumio"
    }
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Placeholders only: supply the real values through CLUMIO_API_TOKEN and
# CLUMIO_API_BASE_URL rather than committing them to version control.
provider "clumio" {
  clumio_api_token    = "<clumio_api_token>"
  clumio_api_base_url = "<clumio_api_base_url>"
}

provider "aws" {
  region = "us-west-2"
}

# Account and region of the AWS credentials Terraform is running with.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Connection record on the Clumio side; it returns the token and external ID
# that the AWS-side module consumes below.
resource "clumio_aws_connection" "connection" {
  account_native_id = data.aws_caller_identity.current.account_id
  aws_region        = data.aws_region.current.region
  description       = "My Clumio Connection"
}

# Cloud-side IAM module: creates the trust role and per-service policies.
module "clumio_aws" {
  source                = "clumio-code/aws-template/clumio"
  clumio_token          = clumio_aws_connection.connection.token
  clumio_aws_account_id = clumio_aws_connection.connection.clumio_aws_account_id
  role_external_id      = clumio_aws_connection.connection.role_external_id
  aws_account_id        = clumio_aws_connection.connection.account_native_id
  aws_region            = clumio_aws_connection.connection.aws_region
  is_s3_enabled         = true
  is_dynamodb_enabled   = true
  is_rds_enabled        = true
  is_ebs_enabled        = true
}

Documentation
Where to read
Curated entry points into the canonical docs — the source repo, the Registry tutorial, and two of the patterns teams reach for once they’re past the first apply.
Repo
Browse the code
The provider’s Apache 2.0 source — resource implementations, issues, release notes, and examples. Useful when you want to see what an attribute maps to before relying on it.
Guide
Getting Started
The official Registry tutorial — worked HCL examples from required_providers through first apply, with argument-level docs for every resource referenced along the way.
Pattern
Connecting Multiple Accounts
Onboarding many AWS accounts at once: provider aliases, for_each over an account map, and a shared bootstrap module that scales the IAM trust pattern without copy-pasting per account.
Module
Using the BYOK Module
Wire up a customer-managed KMS key with clumio-code/byok-template/clumio so Clumio encrypts your backups with a key you own and rotate — the bring-your-own-key pattern declared in code.
Modules
Companion modules
The provider is paired with three published Terraform modules that handle the cloud-side wiring Clumio needs in your environment.
clumio-code/aws-template/clumio
Provisions the AWS-side IAM trust role, per-service asset policies, and bootstrap wiring referenced by clumio_aws_connection.
clumio-code/gcp-template/clumio
The GCP counterpart — service account, IAM bindings, and project-level grants for connecting and protecting a Google Cloud project, including GCS.
clumio-code/byok-template/clumio
Sets up a customer-managed encryption key and the role grants Clumio needs to use it — the bring-your-own-key pattern declared in code.
Common questions
Frequently asked questions
Questions from platform and DevOps teams wiring Clumio into an existing Terraform workflow.
Does the Clumio Terraform provider work with Terraform Cloud and Terraform Enterprise?
Yes. The provider is a standard Registry provider and works with any Terraform runner — local, Terraform Cloud, or Terraform Enterprise. Set CLUMIO_API_TOKEN and CLUMIO_API_BASE_URL as workspace environment variables.
Will a Clumio restore break my Terraform state?
You should not have any issues if you use Backtrack. Clumio Backtrack is designed to restore S3 objects and DynamoDB items in-place — into the original bucket or table — so the resource Terraform knows about is never replaced. A traditional restore creates a new resource that Terraform doesn’t track, which causes drift. Backtrack avoids this entirely.
Can I use for_each to protect multiple AWS accounts in one plan?
Yes. Use for_each over a map of account IDs to create one clumio_aws_connection resource and one clumio_aws module call per account. Each iteration gets its own provider alias pointing to the target account.
How do I add Clumio to an existing Terraform workspace without disrupting running infrastructure?
Add the Clumio provider and clumio_aws_connection resource to your existing configuration, then run terraform plan to review before applying. The bootstrap module only creates new IAM resources in your account — it does not modify existing ones. Use terraform import if you need to bring any Clumio-created resources into state.
What IAM permissions does the Clumio AWS module create?
The aws-template module creates a least-privilege IAM role with the permissions Clumio needs to discover and protect your workloads. The exact policy varies by the protect_ flags you set (e.g., is_s3_enabled, is_dynamodb_enabled). You can review the full policy in the module source on GitHub before applying, and scope it further using the permissions_boundary_arn input.
Does Clumio support the permissions_boundary_arn input for the AWS module?
Yes. Pass your boundary policy ARN as permissions_boundary_arn on the aws-template module call. Clumio attaches it to the IAM role the module creates, so all permissions stay within your boundary. This is the recommended approach for organizations with SCPs or IAM permission boundaries enforced across accounts.
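One way to make the "review the plan before applying" step mechanical, as an added example rather than Clumio's own tooling: the script below reads the JSON produced by terraform show -json on a saved plan and reports IAM roles that lack the expected permissions boundary or whose cross-account trust has no sts:ExternalId condition. The function names and the sample plan are constructed for illustration, and it assumes the trust role is expected to carry an external-ID condition matching role_external_id.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>`; addresses,
# account IDs and the external ID are made up for illustration.
SAMPLE_PLAN = {"resource_changes": [
    {   # boundary set, trust policy requires an ExternalId
        "address": "module.clumio_aws.aws_iam_role.example_ok", "type": "aws_iam_role",
        "change": {"actions": ["create"], "after_unknown": {}, "after": {
            "permissions_boundary": "arn:aws:iam::111111111111:policy/example-boundary",
            "assume_role_policy": json.dumps({"Statement": [{
                "Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                "Condition": {"StringEquals": {"sts:ExternalId": "constructed-id"}}}]}),
        }},
    },
    {   # no boundary; trust policy not known until apply
        "address": "module.clumio_aws.aws_iam_role.example_bad", "type": "aws_iam_role",
        "change": {"actions": ["create"], "after": {"permissions_boundary": None},
                   "after_unknown": {"assume_role_policy": True}},
    },
]}

def lacks_external_id(stmt):
    """True for an Allow statement trusting an AWS principal without sts:ExternalId."""
    principal = stmt.get("Principal")
    principal = {"AWS": "*"} if principal == "*" else principal  # wildcard trusts everyone
    if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "AWS" not in principal:
        return False  # service principals and Deny statements are out of scope here
    keys = {k.lower() for k in stmt.get("Condition", {}).get("StringEquals", {})}
    return "sts:externalid" not in keys

def review_iam_roles(plan, boundary_arn):
    """Return (address, finding) pairs for IAM roles the plan creates or updates."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_iam_role" or not {"create", "update"} & set(change.get("actions", [])):
            continue
        after, unknown = change.get("after") or {}, change.get("after_unknown") or {}
        if after.get("permissions_boundary") != boundary_arn:
            findings.append((rc["address"], "permissions boundary missing or unexpected"))
        if unknown.get("assume_role_policy") or not after.get("assume_role_policy"):
            findings.append((rc["address"], "trust policy unknown at plan time; check after apply"))
            continue
        statements = json.loads(after["assume_role_policy"]).get("Statement", [])
        statements = [statements] if isinstance(statements, dict) else statements
        if any(lacks_external_id(s) for s in statements):
            findings.append((rc["address"], "cross-account trust lacks sts:ExternalId condition"))
    return findings
```

Because the external ID comes from clumio_aws_connection, the trust policy can be unknown on a first plan; the script reports that case instead of passing it silently.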
Further reading
From the field
Two recent posts from the Clumio team that go deeper than a getting-started guide — one a full backup-as-code example end to end, the other on what changes when restore has to coexist with Terraform state.
Featured blog
Automating AWS Data Protection with Terraform and Clumio
Why backup belongs in your IaC pipeline alongside the rest of the AWS stack — wiring up AWS account connections, policies, and tag-based protection rules from Terraform, and the operational gains that follow (version control, PR review, reproducible dev/staging/prod, drift you can re-apply away).
Featured blog
Restoring Data While Preserving Terraform State: In-Place Recovery with Clumio Backtrack
The companion piece: defining protection as code is only half the story. A traditional restore creates a new bucket or table Terraform doesn’t know about; Backtrack restores S3 objects and DynamoDB items into the original resource so the declared infrastructure stays intact through an incident.