diff --git a/modules/aws-backup/README.md b/modules/aws-backup/README.md
index f8ec1798e..3e122df73 100644
--- a/modules/aws-backup/README.md
+++ b/modules/aws-backup/README.md
@@ -211,6 +211,7 @@ The module is organized with the following directory and file structure:
 | [copy\_action\_default\_values](#input\_copy\_action\_default\_values) | Default values for the copy action configuration in backup plan rules. If not provided, the copy action will not be created. |
object({
destination_account_id = string
destination_region = string
delete_after = number
})
|
{
"delete_after": 14,
"destination_account_id": null,
"destination_region": null
}
| no |
 | [enable\_cross\_account\_backup](#input\_enable\_cross\_account\_backup) | Enable cross-account backup in AWS Backup global settings. If set to true, the module will manage the global settings resource to enable cross-account backup. If set to false, you can configure it separately if needed. | `bool` | `false` | no |
 | [lambda\_memory](#input\_lambda\_memory) | Lambda memory in MB | `number` | `128` | no |
+| [lambda\_region](#input\_lambda\_region) | Region where the Lambda function for automatic replication will be deployed. If not provided, it will be deployed in the same region as the backup vault. | `string` | `null` | no |
 | [lambda\_timeout](#input\_lambda\_timeout) | Lambda timeout in seconds | `number` | `600` | no |
 | [source\_account\_id](#input\_source\_account\_id) | Account id that copies backups into this vault | `string` | `null` | no |
 | [tags](#input\_tags) | Default tags to apply to all resources. | `map(string)` | `{}` | no |
diff --git a/modules/aws-backup/eventbridge.tf b/modules/aws-backup/eventbridge.tf
index ee290fd2b..79e76fcf6 100644
--- a/modules/aws-backup/eventbridge.tf
+++ b/modules/aws-backup/eventbridge.tf
@@ -5,7 +5,7 @@ resource "aws_cloudwatch_event_rule" "rds_backup_job_completed" {
 count = local.has_cross_account_copy ? 1 : 0
 name = "backup-job-completed"
 description = "Capture AWS backup point state change"
-
+ region = var.lambda_region
 event_pattern = jsonencode({
 "source" : ["aws.backup"],
 "detail-type" : ["Recovery Point State Change"],
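Review bot: Giving `aws_cloudwatch_event_rule.rds_backup_job_completed` a `region = var.lambda_region` detaches the rule from the region that produces the events it matches: an EventBridge rule only sees events on a bus in its own region, and `aws.backup` "Recovery Point State Change" events are delivered in the region of the vault where the recovery point is created. When `lambda_region` is set to anything other than the vault's region, this rule and the target and permission in the next hunk (`aws_cloudwatch_event_target.invoke_lambda`, `aws_lambda_permission.allow_eventbridge`) apply without error and never fire, so cross-account replication stops silently instead of failing at plan time. Safer options are to keep the rule in the vault's region and forward to a bus in `lambda_region`, or to add a `lifecycle { precondition { ... } }` on the rule asserting `var.lambda_region == null || var.lambda_region == <vault region reference>` (the vault resource is outside this hunk, so the comparison target is a placeholder here). Whichever is chosen, the coupling between the rule's region and the vault's region should be stated in the variable description.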
@@ -19,14 +19,16 @@ resource "aws_cloudwatch_event_rule" "rds_backup_job_completed" {
 }
 
 resource "aws_cloudwatch_event_target" "invoke_lambda" {
- count = local.has_cross_account_copy ? 1 : 0
- rule = aws_cloudwatch_event_rule.rds_backup_job_completed[0].name
- arn = module.lambda_automatic_replication[0].lambda_function_arn
+ count = local.has_cross_account_copy ? 1 : 0
+ region = var.lambda_region
+ rule = aws_cloudwatch_event_rule.rds_backup_job_completed[0].name
+ arn = module.lambda_automatic_replication[0].lambda_function_arn
 # Optional: configure retry policy or input transformer if needed
 }
 
 resource "aws_lambda_permission" "allow_eventbridge" {
 count = local.has_cross_account_copy ? 1 : 0
+ region = var.lambda_region
 statement_id = "AllowExecutionFromEventBridge"
 action = "lambda:InvokeFunction"
 function_name = module.lambda_automatic_replication[0].lambda_function_name
diff --git a/modules/aws-backup/lambda.tf b/modules/aws-backup/lambda.tf
index b8e0d508c..4e1babafc 100644
--- a/modules/aws-backup/lambda.tf
+++ b/modules/aws-backup/lambda.tf
@@ -42,7 +42,7 @@ module "lambda_automatic_replication" {
 function_name = "backups-automatic-replication"
 handler = "handler.lambda_handler"
 runtime = "python3.14"
- region = "eu-west-1"
+ region = var.lambda_region
 source_path = ["${path.module}/src/common"]
 timeout = var.lambda_timeout
diff --git a/modules/aws-backup/variables.tf b/modules/aws-backup/variables.tf
index b80a0417a..028a3b419 100644
--- a/modules/aws-backup/variables.tf
+++ b/modules/aws-backup/variables.tf
@@ -116,4 +116,11 @@ variable "lambda_memory" {
 description = "Lambda memory in MB"
 type = number
 default = 128
+}
+
+variable "lambda_region" {
+ description = "Region where the Lambda function for automatic replication will be deployed. If not provided, it will be deployed in the same region as the backup vault."
+ type = string
+ default = null
+
 }
\ No newline at end of file
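Review bot: The `lambda_region` description promises a fallback to the backup vault's region, but `default = null` only lets the provider's configured region apply (`region` here is the AWS provider's per-resource override), which coincides with the vault's region only when the vault is built from the same default provider — something this hunk cannot guarantee. I would reword it to `description = "Region for the automatic-replication Lambda and its EventBridge rule, target and permission. Null means the provider's configured region."` Because the raw value is passed straight into the `region` argument of four resources across eventbridge.tf and lambda.tf, a mistyped region is only caught at apply time, so a validation block accepting null or a region-shaped string is worth adding; the preceding `variable "lambda_memory"` block starts before this hunk.
```hcl
variable "lambda_region" {
  description = "Region for the automatic-replication Lambda and its EventBridge rule, target and permission. Null means the provider's configured region."
  type        = string
  default     = null

  validation {
    condition     = var.lambda_region == null || can(regex("^[a-z]{2}(-[a-z]+)+-[0-9]+$", var.lambda_region))
    error_message = "lambda_region must be null or an AWS region name such as eu-west-1."
  }
}
```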