Merge pull request #968 from NHSDigital/feature/kabo5-NRL-853-tiered-backups

mattdean3-nhs · web-flow · commit 0dbda494a461 · 2025-08-19T11:50:31.000+01:00
NRL-853 set up DynamoDB tiered backup plan
diff --git a/terraform/account-wide-infrastructure/dev/aws-backup.tf b/terraform/account-wide-infrastructure/dev/aws-backup.tf
@@ -109,12 +109,12 @@ module "source" {
     "compliance_resource_types" : [
       "S3"
     ],
-    "enable" = true,
+    "enable" : true,
     "rules" : [
       {
-        "copy_action" : {
-          "delete_after" : 4
-        },
+        "copy_action" : [{
+          "delete_after" : 4,
+        }],
         "lifecycle" : {
           "delete_after" : 2
         },
@@ -132,14 +132,39 @@ module "source" {
     "enable" : true,
     "rules" : [
       {
-        "copy_action" : {
-          "delete_after" : 4
-        },
+        "name" : "daily",
+        "schedule" : "cron(0 0 * * ? *)",
+        "copy_action" : [{
+          "delete_after" : 4,
+        }],
+
         "lifecycle" : {
           "delete_after" : 2
-        },
-        "name" : "daily_kept_for_2_days",
-        "schedule" : "cron(0 0 * * ? *)"
+        }
+      },
+      {
+        "name" : "monthly"
+        "schedule" : "cron(30 0 ? * 4#1)" # first Thursday each month from 00:30
+        "copy_action" : [{
+          "cold_storage_after" : 3,
+          "delete_after" : 100 # ensures there will always be min 3
+        }],
+        "lifecycle" : {
+          "delete_after" : 2
+        }
+
+      },
+      {
+        "name" : "weekly"               # overlaps with monthly
+        "schedule" : "cron(30 0 ? * 4)" # every Thursday from 00:30 to precede releases
+        "copy_action" : [{
+          "cold_storage_after" : 14 # ensures 2 warm including one from previous release
+          "delete_after" : 105
+        }],
+        "lifecycle" : {
+          "delete_after" : 2
+        }
+
       }
     ],
     "selection_tag" : "NHSE-Enable-DDB-Backup"
diff --git a/terraform/account-wide-infrastructure/modules/backup-source/backup_plan.tf b/terraform/account-wide-infrastructure/modules/backup-source/backup_plan.tf
@@ -11,16 +11,16 @@ resource "aws_backup_plan" "default" {
       rule_name                = rule.value.name
       target_vault_name        = aws_backup_vault.main.name
       schedule                 = rule.value.schedule
-      enable_continuous_backup = rule.value.enable_continuous_backup != null ? rule.value.enable_continuous_backup : null
+      enable_continuous_backup = rule.value.enable_continuous_backup
       lifecycle {
-        delete_after       = rule.value.lifecycle.delete_after != null ? rule.value.lifecycle.delete_after : null
-        cold_storage_after = rule.value.lifecycle.cold_storage_after != null ? rule.value.lifecycle.cold_storage_after : null
+        delete_after       = rule.value.lifecycle.delete_after
+        cold_storage_after = rule.value.lifecycle.cold_storage_after
       }
       dynamic "copy_action" {
-        for_each = rule.value.copy_action != null ? rule.value.copy_action : {}
+        for_each = rule.value.copy_action
         content {
           lifecycle {
-            delete_after = copy_action.value
+            delete_after = copy_action.value.delete_after
           }
           destination_vault_arn = var.backup_copy_vault_arn
         }
@@ -44,14 +44,15 @@ resource "aws_backup_plan" "dynamodb" {
       target_vault_name = aws_backup_vault.main.name
       schedule          = rule.value.schedule
       lifecycle {
-        delete_after       = rule.value.lifecycle.delete_after != null ? rule.value.lifecycle.delete_after : null
-        cold_storage_after = rule.value.lifecycle.cold_storage_after != null ? rule.value.lifecycle.cold_storage_after : null
+        delete_after       = rule.value.lifecycle.delete_after
+        cold_storage_after = rule.value.lifecycle.cold_storage_after
       }
       dynamic "copy_action" {
-        for_each = rule.value.copy_action != null ? rule.value.copy_action : {}
+        for_each = rule.value.copy_action
         content {
           lifecycle {
-            delete_after = copy_action.value
+            delete_after       = copy_action.value.delete_after
+            cold_storage_after = copy_action.value.cold_storage_after
           }
           destination_vault_arn = var.backup_copy_vault_arn
         }
diff --git a/terraform/account-wide-infrastructure/modules/backup-source/variables.tf b/terraform/account-wide-infrastructure/modules/backup-source/variables.tf
@@ -86,9 +86,10 @@ variable "backup_plan_config" {
         delete_after       = optional(number)
         cold_storage_after = optional(number)
       })
-      copy_action = optional(object({
-        delete_after = optional(number)
-      }))
+      copy_action = optional(list(object({
+        delete_after       = optional(number)
+        cold_storage_after = optional(number)
+      })))
     }))
   })
 }
@@ -106,9 +107,10 @@ variable "backup_plan_config_dynamodb" {
         delete_after       = number
         cold_storage_after = optional(number)
       })
-      copy_action = optional(object({
-        delete_after = optional(number)
-      }))
+      copy_action = optional(list(object({
+        delete_after       = optional(number)
+        cold_storage_after = optional(number)
+      })))
     })))
   })
 
