azure-devops-repository-archiver 1.1.0

Archive Azure DevOps git repositories to AWS S3

Azure DevOps Git Repository Archiver

Allows to backup regularly git repositories hosted in Azure DevOps to an S3 Bucket. In the S3 bucket the backups are placed in a "directory" structure like

|
|--- organization 1
|       |
|       |--- project 1
|       |      |
|       |      |--- repository 1
|       |      |
|       |      |--- repository 2
|       |      |  ...
|       |
|       |--- project 2
|       |
|       |--- ...
|
|
|--- organization 2
| ...

Features

The S3 bucket is configured as below

• enabled versioning of objects

• enabled encryption using an S3 managed Key

• disallowing public access

• A lifecycle configuration for the archived repositories. They transistion through different storage classes

  • Infrequent Access after 30 days
  • Glacier after 90 days
  • Deep Archive 180 days
  • Expiry after 365 days

• configurable notifications to SNS about uploaded/ expired objects

The CodeBuild projects are configured as below

• Logging to CloudWatch

  • Configurable retention period. Default is one month.
  • Encryption using customer-managed KMS key

Prerequisites

The connection to the Azure DevOps organization requires a personal access token. The PAT needs to have "Code read" permission and stored in a SecretsManager secret

aws secretsmanager create-secret --name repository_archiver --description "Secret for the repository archiver" --secret-string "{\"pat\":\"<your_pat>\"}"

How to use

Example (Typescript)

• Add the library to your dependencies, e.g to the package.json file

  "dependencies": {
    [...],
    "azure-devops-repository-archiver": "0.0.23",
  },
  

• Per BackupConfiguration a secret containing the Azure DevOps PAT needs to be specified. It can e.g. be imported

  const secret = Secret.fromSecretAttributes(this, 'azure-devops-pat', {
    secretCompleteArn:
      'arn:aws:secretsmanager:eu-central-1:<aws_account_id>:secret:<secret_name>',
  });
  

• When creating the construct the required BackupConfigurations can be passed as below. The grouping is per organization and project.

   const backupConfigurations: BackupConfiguration[] = [
    {
      organizationName: 'MyOrganization',
      projectName: 'project-1',
      repositoryNames: [
        'repository-1-a',
        'repository-1-b',
      ],
      secretArn: secret.secretArn,
    },
    {
      organizationName: 'MyOrganization',
      projectName: 'project-2',
      repositoryNames: [
        'repository-2-a',
        'repository-2-b',
      ],
      secretArn: secret.secretArn,
    },
  ]
  

• The archiver properties and the archiver can then be created as

  const archiverProps: ArchiverProperties = {
    retention: RetentionDays.ONE_WEEK,
    backupConfigurations: backupConfigurations,
  };
  new Archiver(this, 'archiver', archiverProps);
  

Links

• projen
• cdk
• AWS CodeBuild Specification