NRL-853 WIP cloud backup setup

Author: katebobyn-nhs

terraform/account-wide-infrastructure/dev/aws-backups.tf

@@ -0,0 +1,136 @@
+provider "aws" {
+  alias  = "source"
+  region = "eu-west-2"
+}
+
+variable "destination_vault_arn" {
+  description = "ARN of the backup vault in the destination account"
+  type        = string
+  default     = ""
+}
+
+#data "aws_arn" "destination_vault_arn" {
+#  arn = var.destination_vault_arn
+#}
+
+data "aws_secretsmanager_secret" "backup-account-secret" {
+  name = "nhsd-nrlf--dev--test-backup-account-id"
+}
+data "aws_secretsmanager_secret_version" "destination_account_id" {
+  secret_id = data.aws_secretsmanager_secret.backup-account-secret.id
+}
+
+locals {
+  # Adjust these as required
+  project_name     = "dev-backups-poc"
+  environment_name = "dev"
+
+  source_account_id = data.aws_caller_identity.current.account_id
+  # destination_account_id = data.aws_arn.destination_vault_arn.account
+  destination_account_id = data.aws_secretsmanager_secret_version.destination_account_id.secret_string
+}
+
+# First, we create an S3 bucket for compliance reports. You may already have a module for creating
+# S3 buckets with more refined access rules, which you may prefer to use.
+
+resource "aws_s3_bucket" "backup_reports" {
+  bucket_prefix = "${local.project_name}-backup-reports"
+}
+
+# Now we have to configure access to the report bucket.
+
+resource "aws_s3_bucket_ownership_controls" "backup_reports" {
+  bucket = aws_s3_bucket.backup_reports.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "backup_reports" {
+  depends_on = [aws_s3_bucket_ownership_controls.backup_reports]
+
+  bucket = aws_s3_bucket.backup_reports.id
+  acl    = "private"
+}
+
+# We need a key for the SNS topic that will be used for notifications from AWS Backup. This key
+# will be used to encrypt the messages sent to the topic before they are sent to the subscribers,
+# but isn't needed by the recipients of the messages.
+
+# First we need some contextual data
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+# Now we can define the key itself
+resource "aws_kms_key" "backup_notifications" {
+  description             = "KMS key for AWS Backup notifications"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Sid    = "Enable IAM User Permissions"
+        Principal = {
+          AWS = "arn:aws:iam::${local.source_account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "sns.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
+    ]
+  })
+}
+
+# Now we can deploy the source and destination modules, referencing the resources we've created above.
+
+module "source" {
+  source = "../modules/backup-source"
+
+  backup_copy_vault_account_id = local.destination_account_id
+  #  backup_copy_vault_arn              = data.aws_arn.destination_vault_arn.arn
+  environment_name      = local.environment_name
+  bootstrap_kms_key_arn = aws_kms_key.backup_notifications.arn
+  project_name          = local.project_name
+  reports_bucket        = aws_s3_bucket.backup_reports.bucket
+  #terraform_role_arn                = data.aws_caller_identity.current.arn
+  terraform_role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+
+  backup_plan_config = {
+    "compliance_resource_types" : [
+      "S3"
+    ],
+    "rules" : [
+      {
+        "copy_action" : {
+          "delete_after" : 4
+        },
+        "lifecycle" : {
+          "delete_after" : 2
+        },
+        "name" : "daily_kept_for_2_days",
+        "schedule" : "cron(0 0 * * ? *)"
+      }
+    ],
+    "selection_tag" : "NHSE-Enable-Backup"
+  }
+  # Note here that we need to explicitly disable DynamoDB backups in the source account.
+  # The default config in the module enables backups for all resource types.
+  backup_plan_config_dynamodb = {
+    "compliance_resource_types" : [
+      "DynamoDB"
+    ],
+    "rules" : [
+    ],
+    "enable" : false,
+    "selection_tag" : "NHSE-Enable-Backup"
+  }
+}

terraform/account-wide-infrastructure/dev/dynamodb__pointers-table.tf

@@ -1,6 +1,7 @@
 module "dev-pointers-table" {
-  source      = "../modules/pointers-table"
-  name_prefix = "nhsd-nrlf--dev"
+  source         = "../modules/pointers-table"
+  name_prefix    = "nhsd-nrlf--dev"
+  enable_backups = true
 }
 
 module "dev-sandbox-pointers-table" {

terraform/account-wide-infrastructure/dev/s3.tf

@@ -1,6 +1,7 @@
 module "dev-permissions-store-bucket" {
-  source      = "../modules/permissions-store-bucket"
-  name_prefix = "nhsd-nrlf--dev"
+  source         = "../modules/permissions-store-bucket"
+  name_prefix    = "nhsd-nrlf--dev"
+  enable_backups = true
 }
 
 module "dev-sandbox-permissions-store-bucket" {
@@ -12,6 +13,7 @@ module "dev-truststore-bucket" {
   source                  = "../modules/truststore-bucket"
   name_prefix             = "nhsd-nrlf--dev"
   server_certificate_file = "../../../truststore/server/dev.pem"
+  enable_backups          = true
 }
 
 module "dev-sandbox-truststore-bucket" {

terraform/account-wide-infrastructure/modules/backup-source/README.md

@@ -0,0 +1,149 @@
+resource "aws_backup_framework" "main" {
+  # must be underscores instead of dashes
+  name        = replace("${local.resource_name_prefix}-framework", "-", "_")
+  description = "${var.project_name} Backup Framework"
+
+  # Evaluates if recovery points are encrypted.
+  control {
+    name = "BACKUP_RECOVERY_POINT_ENCRYPTED"
+
+    scope {
+      tags = {
+        "environment_name" = var.environment_name
+      }
+    }
+  }
+
+  # Evaluates if backup vaults do not allow manual deletion of recovery points with the exception of certain IAM roles.
+  control {
+    name = "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED"
+
+    scope {
+      tags = {
+        "environment_name" = var.environment_name
+      }
+    }
+
+    input_parameter {
+      name  = "principalArnList"
+      value = var.terraform_role_arn
+    }
+  }
+
+  # Evaluates if recovery point retention period is at least 1 month.
+  control {
+    name = "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK"
+
+    scope {
+      tags = {
+        "environment_name" = var.environment_name
+      }
+    }
+
+    input_parameter {
+      name  = "requiredRetentionDays"
+      value = "35"
+    }
+  }
+
+  # Evaluates if backup plan creates backups at least every 1 day and retains them for at least 1 month before deleting them.
+  control {
+    name = "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK"
+
+    scope {
+      tags = {
+        "environment_name" = var.environment_name
+      }
+    }
+
+    input_parameter {
+      name  = "requiredFrequencyUnit"
+      value = "days"
+    }
+
+    input_parameter {
+      name  = "requiredRetentionDays"
+      value = "35"
+    }
+
+    input_parameter {
+      name  = "requiredFrequencyValue"
+      value = "1"
+    }
+  }
+
+  # Evaluates if resources are protected by a backup plan.
+  control {
+    name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
+
+    scope {
+      compliance_resource_types = var.backup_plan_config.compliance_resource_types
+      tags = {
+        (var.backup_plan_config.selection_tag) = "True"
+      }
+    }
+  }
+
+  # Evaluates if resources have at least one recovery point created within the past 1 day.
+  control {
+    name = "BACKUP_LAST_RECOVERY_POINT_CREATED"
+
+    input_parameter {
+      name  = "recoveryPointAgeUnit"
+      value = "days"
+    }
+
+    input_parameter {
+      name  = "recoveryPointAgeValue"
+      value = "1"
+    }
+
+    scope {
+      compliance_resource_types = var.backup_plan_config.compliance_resource_types
+      tags = {
+        (var.backup_plan_config.selection_tag) = "True"
+      }
+    }
+  }
+}
+
+resource "aws_backup_framework" "dynamodb" {
+  count = var.backup_plan_config_dynamodb.enable ? 1 : 0
+  # must be underscores instead of dashes
+  name        = replace("${local.resource_name_prefix}-dynamodb-framework", "-", "_")
+  description = "${var.project_name} DynamoDB Backup Framework"
+
+  # Evaluates if resources are protected by a backup plan.
+  control {
+    name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
+
+    scope {
+      compliance_resource_types = var.backup_plan_config_dynamodb.compliance_resource_types
+      tags = {
+        (var.backup_plan_config_dynamodb.selection_tag) = "True"
+      }
+    }
+  }
+
+  # Evaluates if resources have at least one recovery point created within the past 1 day.
+  control {
+    name = "BACKUP_LAST_RECOVERY_POINT_CREATED"
+
+    input_parameter {
+      name  = "recoveryPointAgeUnit"
+      value = "days"
+    }
+
+    input_parameter {
+      name  = "recoveryPointAgeValue"
+      value = "1"
+    }
+
+    scope {
+      compliance_resource_types = var.backup_plan_config_dynamodb.compliance_resource_types
+      tags = {
+        (var.backup_plan_config_dynamodb.selection_tag) = "True"
+      }
+    }
+  }
+}

terraform/account-wide-infrastructure/modules/backup-source/backup_framework.tf

@@ -0,0 +1,12 @@
+resource "aws_backup_vault_notifications" "backup_notification" {
+  count             = var.notifications_target_email_address != "" ? 1 : 0
+  backup_vault_name = aws_backup_vault.main.name
+  sns_topic_arn     = aws_sns_topic.backup[0].arn
+  backup_vault_events = [
+    "BACKUP_JOB_COMPLETED",
+    "RESTORE_JOB_COMPLETED",
+    "S3_BACKUP_OBJECT_FAILED",
+    "S3_RESTORE_OBJECT_FAILED",
+    "COPY_JOB_FAILED"
+  ]
+}