feature/PI-407-immutable_backups Enable source backup module without s3 or dynamo backups enabled

megan-bower4 · megan-bower4 · commit 0b5b6217f617 · 2025-03-14T13:50:34.000Z
diff --git a/infrastructure/terraform/modules/aws-backup-source/backup_plan.tf b/infrastructure/terraform/modules/aws-backup-source/backup_plan.tf
@@ -1,33 +1,3 @@
-resource "aws_backup_plan" "default" {
-  name = "${local.resource_name_prefix}-plan"
-
-  dynamic "rule" {
-    for_each = var.backup_plan_config.rules
-    content {
-      recovery_point_tags = {
-        backup_rule_name = rule.value.name
-      }
-      rule_name                = rule.value.name
-      target_vault_name        = aws_backup_vault.main.name
-      schedule                 = rule.value.schedule
-      enable_continuous_backup = rule.value.enable_continuous_backup != null ? rule.value.enable_continuous_backup : null
-      lifecycle {
-        delete_after       = rule.value.lifecycle.delete_after != null ? rule.value.lifecycle.delete_after : null
-        cold_storage_after = rule.value.lifecycle.cold_storage_after != null ? rule.value.lifecycle.cold_storage_after : null
-      }
-      dynamic "copy_action" {
-        for_each = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" && rule.value.copy_action != null ? rule.value.copy_action : {}
-        content {
-          lifecycle {
-            delete_after = copy_action.value
-          }
-          destination_vault_arn = var.backup_copy_vault_arn
-        }
-      }
-    }
-  }
-}
-
 # this backup plan shouldn't include a continous backup rule as it isn't supported for DynamoDB
 resource "aws_backup_plan" "dynamodb" {
   count = var.backup_plan_config_dynamodb.enable ? 1 : 0
@@ -59,18 +29,6 @@ resource "aws_backup_plan" "dynamodb" {
   }
 }
 
-resource "aws_backup_selection" "default" {
-  iam_role_arn = aws_iam_role.backup.arn
-  name         = "${local.resource_name_prefix}-selection"
-  plan_id      = aws_backup_plan.default.id
-
-  selection_tag {
-    key   = var.backup_plan_config.selection_tag
-    type  = "STRINGEQUALS"
-    value = "True"
-  }
-}
-
 resource "aws_backup_selection" "dynamodb" {
   count        = var.backup_plan_config_dynamodb.enable ? 1 : 0
   iam_role_arn = aws_iam_role.backup.arn
diff --git a/infrastructure/terraform/modules/aws-backup-source/iam.tf b/infrastructure/terraform/modules/aws-backup-source/iam.tf
@@ -26,40 +26,31 @@ resource "aws_iam_role_policy_attachment" "restore" {
   role       = aws_iam_role.backup.name
 }
 
-resource "aws_iam_role_policy_attachment" "s3_restore" {
-  policy_arn = "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore"
-  role       = aws_iam_role.backup.name
-}
 
-resource "aws_iam_role_policy_attachment" "s3_backup" {
-  policy_arn = "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup"
-  role       = aws_iam_role.backup.name
-}
-
-resource "aws_iam_role_policy_attachment" "backup_full_access" {
-  policy_arn = "arn:aws:iam::aws:policy/AWSBackupFullAccess"
-  role       = aws_iam_role.backup.name
-}
-
-
-resource "aws_iam_policy" "restore_testing_selection_permissions" {
-  name = "${local.resource_name_prefix}-source-account-backup-permissions"
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "backup:*",
-          "cloudformation:*"
-        ],
-        Resource = "*"
-      },
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "source_account_backup_permissions" {
-  policy_arn = aws_iam_policy.restore_testing_selection_permissions.arn
-  role       = aws_iam_role.backup.name
-}
+# resource "aws_iam_role_policy_attachment" "backup_full_access" {
+#   policy_arn = "arn:aws:iam::aws:policy/AWSBackupFullAccess"
+#   role       = aws_iam_role.backup.name
+# }
+
+
+# resource "aws_iam_policy" "restore_testing_selection_permissions" {
+#   name = "${local.resource_name_prefix}-source-account-backup-permissions"
+#   policy = jsonencode({
+#     Version = "2012-10-17",
+#     Statement = [
+#       {
+#         Effect = "Allow",
+#         Action = [
+#           "backup:*",
+#           "cloudformation:*"
+#         ],
+#         Resource = "*"
+#       },
+#     ]
+#   })
+# }
+
+# resource "aws_iam_role_policy_attachment" "source_account_backup_permissions" {
+#   policy_arn = aws_iam_policy.restore_testing_selection_permissions.arn
+#   role       = aws_iam_role.backup.name
+# }
diff --git a/infrastructure/terraform/per_account/dev/aws-backups.tf b/infrastructure/terraform/per_account/dev/aws-backups.tf
@@ -1,125 +1,108 @@
-# data "aws_secretsmanager_secret" "destination_vault_arn" {
-#   name = "destination_vault_arn"
-# }
-
-# data "aws_secretsmanager_secret_version" "destination_vault_arn" {
-#   secret_id = data.aws_secretsmanager_secret.destination_vault_arn.id
-# }
-
-# data "aws_secretsmanager_secret" "destination_account_id" {
-#   name = "destination_account_id"
-# }
-
-# data "aws_secretsmanager_secret_version" "destination_account_id" {
-#   secret_id = data.aws_secretsmanager_secret.destination_account_id.id
-# }
-
-# # First, we create an S3 bucket for compliance reports. You may already have a module for creating
-# # S3 buckets with more refined access rules, which you may prefer to use.
-
-# resource "aws_s3_bucket" "backup_reports" {
-#   bucket_prefix = "${local.project}-backup-reports"
-# }
-
-# # Now we have to configure access to the report bucket.
-
-# resource "aws_s3_bucket_ownership_controls" "backup_reports" {
-#   bucket = aws_s3_bucket.backup_reports.id
-#   rule {
-#     object_ownership = "BucketOwnerPreferred"
-#   }
-# }
-
-# resource "aws_s3_bucket_acl" "backup_reports" {
-#   depends_on = [aws_s3_bucket_ownership_controls.backup_reports]
-
-#   bucket = aws_s3_bucket.backup_reports.id
-#   acl    = "private"
-# }
-
-# # We need a key for the SNS topic that will be used for notifications from AWS Backup. This key
-# # will be used to encrypt the messages sent to the topic before they are sent to the subscribers,
-# # but isn't needed by the recipients of the messages.
-
-
-# # Now we can define the key itself
-# resource "aws_kms_key" "backup_notifications" {
-#   description             = "KMS key for AWS Backup notifications"
-#   deletion_window_in_days = 7
-#   enable_key_rotation     = true
-#   policy = jsonencode({
-#     Version = "2012-10-17"
-#     Statement = [
-#       {
-#         Effect = "Allow"
-#         Sid    = "Enable IAM User Permissions"
-#         Principal = {
-#           AWS = "arn:aws:iam::${var.assume_account}:root"
-#         }
-#         Action   = "kms:*"
-#         Resource = "*"
-#       },
-#       {
-#         Effect = "Allow"
-#         Principal = {
-#           Service = "sns.amazonaws.com"
-#         }
-#         Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
-#         Resource = "*"
-#       },
-#     ]
-#   })
-# }
-
-# # Now we can deploy the source and destination modules, referencing the resources we've created above.
-
-# module "source" {
-#   source = "../../modules/aws-backup-source"
-
-#   backup_copy_vault_account_id = data.aws_secretsmanager_secret_version.destination_account_id.secret_string
-#   backup_copy_vault_arn        = data.aws_secretsmanager_secret_version.destination_vault_arn.secret_string
-#   environment_name             = var.environment
-#   bootstrap_kms_key_arn        = aws_kms_key.backup_notifications.arn
-#   project_name                 = local.project
-#   reports_bucket               = aws_s3_bucket.backup_reports.bucket
-#   terraform_role_arn           = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
-
-#   backup_plan_config = {
-#     "compliance_resource_types" : [
-#       "S3"
-#     ],
-#     "rules" : [
-#       {
-#         "copy_action" : {
-#           "delete_after" : 4
-#         },
-#         "lifecycle" : {
-#           "delete_after" : 2
-#         },
-#         "name" : "daily_kept_for_2_days",
-#         "schedule" : "cron(0 0 * * ? *)"
-#       }
-#     ],
-#     "selection_tag" : "NHSE-Enable-Backup"
-#   }
-
-#   backup_plan_config_dynamodb = {
-#     "enable" : true,
-#     "compliance_resource_types" : [
-#       "DynamoDB"
-#     ],
-#     "rules" : [
-#       {
-#         "copy_action" : {
-#           "delete_after" : 4
-#         },
-#         "lifecycle" : {
-#           "delete_after" : 2
-#         },
-#         "name" : "daily_kept_for_2_days",
-#         "schedule" : "cron(0 0 * * ? *)"
-#       }
-#     ],
-#     "selection_tag" : "NHSE-Enable-Backup"
-#   }
-# }
+data "aws_secretsmanager_secret" "destination_vault_arn" {
+  name = "destination_vault_arn"
+}
+
+data "aws_secretsmanager_secret_version" "destination_vault_arn" {
+  secret_id = data.aws_secretsmanager_secret.destination_vault_arn.id
+}
+
+data "aws_secretsmanager_secret" "destination_account_id" {
+  name = "destination_account_id"
+}
+
+data "aws_secretsmanager_secret_version" "destination_account_id" {
+  secret_id = data.aws_secretsmanager_secret.destination_account_id.id
+}
+
+# First, we create an S3 bucket for compliance reports. You may already have a module for creating
+# S3 buckets with more refined access rules, which you may prefer to use.
+
+resource "aws_s3_bucket" "backup_reports" {
+  bucket_prefix = "${local.project}-backup-reports"
+}
+
+# Now we have to configure access to the report bucket.
+
+resource "aws_s3_bucket_ownership_controls" "backup_reports" {
+  bucket = aws_s3_bucket.backup_reports.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "backup_reports" {
+  depends_on = [aws_s3_bucket_ownership_controls.backup_reports]
+
+  bucket = aws_s3_bucket.backup_reports.id
+  acl    = "private"
+}
+
+# We need a key for the SNS topic that will be used for notifications from AWS Backup. This key
+# will be used to encrypt the messages sent to the topic before they are sent to the subscribers,
+# but isn't needed by the recipients of the messages.
+
+
+# Now we can define the key itself
+resource "aws_kms_key" "backup_notifications" {
+  description             = "KMS key for AWS Backup notifications"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Sid    = "Enable IAM User Permissions"
+        Principal = {
+          AWS = "arn:aws:iam::${var.assume_account}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "sns.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
+    ]
+  })
+}
+
+# Now we can deploy the source and destination modules, referencing the resources we've created above.
+
+module "source" {
+  source = "../../modules/aws-backup-source"
+
+  backup_copy_vault_account_id = data.aws_secretsmanager_secret_version.destination_account_id.secret_string
+  backup_copy_vault_arn        = data.aws_secretsmanager_secret_version.destination_vault_arn.secret_string
+  environment_name             = var.environment
+  bootstrap_kms_key_arn        = aws_kms_key.backup_notifications.arn
+  project_name                 = local.project
+  reports_bucket               = aws_s3_bucket.backup_reports.bucket
+  terraform_role_arn           = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+
+
+  # disable all backups for now - just deploy the vault
+  backup_plan_config = {
+    "compliance_resource_types" : [
+      "S3"
+    ],
+    "rules" : [
+    ],
+    "enable" : false,
+    "selection_tag" : "NHSE-Enable-Backup"
+  }
+
+  backup_plan_config_dynamodb = {
+    "compliance_resource_types" : [
+      "DynamoDB"
+    ],
+    "rules" : [
+    ],
+    "enable" : false,
+    "selection_tag" : "NHSE-Enable-Backup"
+  }
+}
