Merge pull request #1089 from NHSDigital/bugfix/safo6-NRL-1582-backup-notification-fix

sandyforresternhs · web-flow · commit 5838ec036307 · 2025-11-07T08:53:13.000Z
NRL-1582 Update KMS policy with backup perms
diff --git a/terraform/account-wide-infrastructure/dev/aws-backup.tf b/terraform/account-wide-infrastructure/dev/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
         Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
         Resource = "*"
       },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "backup.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
     ]
   })
 }
diff --git a/terraform/account-wide-infrastructure/prod/aws-backup.tf b/terraform/account-wide-infrastructure/prod/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
         Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
         Resource = "*"
       },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "backup.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
     ]
   })
 }
diff --git a/terraform/account-wide-infrastructure/test/aws-backup.tf b/terraform/account-wide-infrastructure/test/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
         Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
         Resource = "*"
       },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "backup.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
     ]
   })
 }
