[NRL-853] Added backup destination vault arn as secret. Moved backup vars/data/locals into dev account-side infra files

Author: mattdean3-nhs

…t-wide-infrastructure/dev/aws-backups.tf …nt-wide-infrastructure/dev/aws-backup.tfterraform/account-wide-infrastructure/dev/aws-backups.tf renamed to terraform/account-wide-infrastructure/dev/aws-backup.tf terraform/account-wide-infrastructure/dev/aws-backups.tf renamed to terraform/account-wide-infrastructure/dev/aws-backup.tf

@@ -1,38 +1,7 @@
-provider "aws" {
-  alias  = "source"
-  region = "eu-west-2"
-}
-
-variable "destination_vault_arn" {
-  description = "ARN of the backup vault in the destination account"
-  type        = string
-  default     = ""
-}
-
-data "aws_arn" "destination_vault_arn" {
-  arn = var.destination_vault_arn
-}
-
-data "aws_secretsmanager_secret" "backup-account-secret" {
-  name = "nhsd-nrlf--dev--test-backup-account-id"
-}
-data "aws_secretsmanager_secret_version" "destination_account_id" {
-  secret_id = data.aws_secretsmanager_secret.backup-account-secret.id
-}
-
-locals {
-  # Adjust these as required
-  project_name     = "dev-backups-poc"
-  environment_name = "dev"
-
-  source_account_id = data.aws_caller_identity.current.account_id
-  # destination_account_id = data.aws_arn.destination_vault_arn.account
-  destination_account_id = data.aws_secretsmanager_secret_version.destination_account_id.secret_string
-}
 
 # First, we create an S3 bucket for compliance reports.
 resource "aws_s3_bucket" "backup_reports" {
-  bucket_prefix = "${local.project_name}-backup-reports"
+  bucket_prefix = "${local.prefix}-backup-reports"
 }
 
 resource "aws_s3_bucket_public_access_block" "backup_reports" {
@@ -115,7 +84,7 @@ resource "aws_kms_key" "backup_notifications" {
         Effect = "Allow"
         Sid    = "Enable IAM User Permissions"
         Principal = {
-          AWS = "arn:aws:iam::${local.source_account_id}:root"
+          AWS = "arn:aws:iam::${var.assume_account}:root"
         }
         Action   = "kms:*"
         Resource = "*"
@@ -137,21 +106,21 @@ resource "aws_kms_key" "backup_notifications" {
 module "source" {
   source = "../modules/backup-source"
 
-  backup_copy_vault_account_id = local.destination_account_id
-  backup_copy_vault_arn        = data.aws_arn.destination_vault_arn.arn
-  environment_name             = local.environment_name
+  backup_copy_vault_account_id = jsondecode(data.aws_secretsmanager_secret_version.backup_destination_parameters.secret_string)["account-id"]
+  backup_copy_vault_arn        = jsondecode(data.aws_secretsmanager_secret_version.backup_destination_parameters.secret_string)["vault-arn"]
+  environment_name             = local.environment
   bootstrap_kms_key_arn        = aws_kms_key.backup_notifications.arn
-  project_name                 = local.project_name
+  project_name                 = "${local.prefix}-"
   reports_bucket               = aws_s3_bucket.backup_reports.bucket
-  #terraform_role_arn                = data.aws_caller_identity.current.arn
-  terraform_role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+  terraform_role_arn           = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
 
   notification_target_email_addresses = local.notification_emails
 
   backup_plan_config = {
     "compliance_resource_types" : [
       "S3"
     ],
+    "enable" = true,
     "rules" : [
       {
         "copy_action" : {

terraform/account-wide-infrastructure/dev/data.tf

@@ -2,6 +2,10 @@ data "aws_secretsmanager_secret_version" "identities_account_id" {
   secret_id = aws_secretsmanager_secret.identities_account_id.name
 }
 
+data "aws_secretsmanager_secret_version" "backup_destination_parameters" {
+  secret_id = aws_secretsmanager_secret.backup_destination_parameters.name
+}
+
 data "aws_secretsmanager_secret" "emails" {
   name = "${local.prefix}-emails"
 }

terraform/account-wide-infrastructure/dev/secrets.tf

@@ -2,6 +2,11 @@ resource "aws_secretsmanager_secret" "identities_account_id" {
   name = "${local.prefix}--nhs-identities-account-id"
 }
 
+resource "aws_secretsmanager_secret" "backup_destination_parameters" {
+  name        = "${local.prefix}--backup-destination-parameters"
+  description = "Parameters used to configure the backup destination"
+}
+
 resource "aws_secretsmanager_secret" "notification_email_addresses" {
   name = "${local.prefix}-dev-notification-email-addresses"
 }

terraform/account-wide-infrastructure/modules/backup-source/backup_plan.tf

@@ -1,5 +1,6 @@
 resource "aws_backup_plan" "default" {
-  name = "${local.resource_name_prefix}-plan"
+  count = var.backup_plan_config.enable ? 1 : 0
+  name  = "${local.resource_name_prefix}-plan"
 
   dynamic "rule" {
     for_each = var.backup_plan_config.rules
@@ -16,7 +17,7 @@ resource "aws_backup_plan" "default" {
         cold_storage_after = rule.value.lifecycle.cold_storage_after != null ? rule.value.lifecycle.cold_storage_after : null
       }
       dynamic "copy_action" {
-        for_each = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" && rule.value.copy_action != null ? rule.value.copy_action : {}
+        for_each = rule.value.copy_action != null ? rule.value.copy_action : {}
         content {
           lifecycle {
             delete_after = copy_action.value
@@ -47,7 +48,7 @@ resource "aws_backup_plan" "dynamodb" {
         cold_storage_after = rule.value.lifecycle.cold_storage_after != null ? rule.value.lifecycle.cold_storage_after : null
       }
       dynamic "copy_action" {
-        for_each = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" && rule.value.copy_action != null ? rule.value.copy_action : {}
+        for_each = rule.value.copy_action != null ? rule.value.copy_action : {}
         content {
           lifecycle {
             delete_after = copy_action.value
@@ -60,9 +61,10 @@ resource "aws_backup_plan" "dynamodb" {
 }
 
 resource "aws_backup_selection" "default" {
+  count        = var.backup_plan_config.enable ? 1 : 0
   iam_role_arn = aws_iam_role.backup.arn
   name         = "${local.resource_name_prefix}-selection"
-  plan_id      = aws_backup_plan.default.id
+  plan_id      = aws_backup_plan.default[0].id
 
   selection_tag {
     key   = var.backup_plan_config.selection_tag

terraform/account-wide-infrastructure/modules/backup-source/backup_report_plan.tf

@@ -54,7 +54,7 @@ resource "aws_backup_report_plan" "resource_compliance" {
 }
 
 resource "aws_backup_report_plan" "copy_jobs" {
-  count       = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? 1 : 0
+  count       = var.backup_plan_config.enable || var.backup_plan_config_dynamodb.enable ? 1 : 0
   name        = "copy_jobs"
   description = "Report for showing whether copies ran successfully in the last 24 hours"
 

terraform/account-wide-infrastructure/modules/backup-source/backup_vault_policy.tf

@@ -30,7 +30,7 @@ data "aws_iam_policy_document" "vault_policy" {
     resources = ["*"]
   }
   dynamic "statement" {
-    for_each = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? [1] : []
+    for_each = var.backup_plan_config.enable || var.backup_plan_config_dynamodb.enable ? [1] : []
     content {
       sid    = "Allow account to copy into backup vault"
       effect = "Allow"

terraform/account-wide-infrastructure/modules/backup-source/variables.tf

@@ -74,6 +74,7 @@ variable "backup_copy_vault_account_id" {
 variable "backup_plan_config" {
   description = "Configuration for backup plans"
   type = object({
+    enable                    = bool
     selection_tag             = string
     compliance_resource_types = list(string)
     rules = list(object({