[NRL-1158] Allow AWS Backup to write to backup-reports bucket

mattdean3-nhs · mattdean3-nhs · commit 27b9404ee795 · 2025-08-21T10:19:18.000+01:00
diff --git a/terraform/account-wide-infrastructure/dev/aws-backup.tf b/terraform/account-wide-infrastructure/dev/aws-backup.tf
@@ -1,5 +1,4 @@
 
-# First, we create an S3 bucket for compliance reports.
 resource "aws_s3_bucket" "backup_reports" {
   bucket_prefix = "${local.prefix}-backup-reports"
 }
@@ -45,6 +44,22 @@ resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
           }
         }
       },
+      {
+        Sid    = "AllowBackupReportsWrite"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${local.account_id}:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports"
+        }
+        Action = "s3:PutObject"
+        Resource = [
+          "${aws_s3_bucket.backup_reports.arn}/*",
+        ]
+        Condition = {
+          StringEquals = {
+            "s3:x-amz-acl" = "bucket-owner-full-control"
+          }
+        }
+      }
     ]
   })
 }
diff --git a/terraform/account-wide-infrastructure/dev/data.tf b/terraform/account-wide-infrastructure/dev/data.tf
@@ -1,5 +1,7 @@
 data "aws_region" "current" {}
 
+data "aws_caller_identity" "current" {}
+
 data "aws_secretsmanager_secret_version" "identities_account_id" {
   secret_id = aws_secretsmanager_secret.identities_account_id.name
 }
diff --git a/terraform/account-wide-infrastructure/dev/locals.tf b/terraform/account-wide-infrastructure/dev/locals.tf
@@ -3,6 +3,7 @@ locals {
   project     = "nhsd-nrlf"
   environment = terraform.workspace
   prefix      = "${local.project}--${local.environment}"
+  account_id  = data.aws_caller_identity.current.account_id
 
   notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`
`2`		`-# First, we create an S3 bucket for compliance reports.`
`3`	`2`	`resource "aws_s3_bucket" "backup_reports" {`
`4`	`3`	`bucket_prefix = "${local.prefix}-backup-reports"`
`5`	`4`	`}`
`@@ -45,6 +44,22 @@ resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {`
`45`	`44`	`}`
`46`	`45`	`}`
`47`	`46`	`},`
	`47`	`+ {`
	`48`	`+ Sid = "AllowBackupReportsWrite"`
	`49`	`+ Effect = "Allow"`
	`50`	`+ Principal = {`
	`51`	`+ AWS = "arn:aws:iam::${local.account_id}:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports"`
	`52`	`+ }`
	`53`	`+ Action = "s3:PutObject"`
	`54`	`+ Resource = [`
	`55`	`+ "${aws_s3_bucket.backup_reports.arn}/*",`
	`56`	`+ ]`
	`57`	`+ Condition = {`
	`58`	`+ StringEquals = {`
	`59`	`+ "s3:x-amz-acl" = "bucket-owner-full-control"`
	`60`	`+ }`
	`61`	`+ }`
	`62`	`+ }`
`48`	`63`	`]`
`49`	`64`	`})`
`50`	`65`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,7 @@`
`1`	`1`	`data "aws_region" "current" {}`
`2`	`2`
	`3`	`+data "aws_caller_identity" "current" {}`
	`4`	`+`
`3`	`5`	`data "aws_secretsmanager_secret_version" "identities_account_id" {`
`4`	`6`	`secret_id = aws_secretsmanager_secret.identities_account_id.name`
`5`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ locals {`
`3`	`3`	`project = "nhsd-nrlf"`
`4`	`4`	`environment = terraform.workspace`
`5`	`5`	`prefix = "${local.project}--${local.environment}"`
	`6`	`+ account_id = data.aws_caller_identity.current.account_id`
`6`	`7`
`7`	`8`	`notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))`
`8`	`9`	`}`