feature/PI-407-immutable_backups Enable backups on source account to the vault

Author: megan-bower4

infrastructure/terraform/per_account/backups/aws-backups.tf

@@ -1,5 +1,3 @@
-data "aws_caller_identity" "current" {}
-
 data "aws_secretsmanager_secret" "source_account_id" {
   name = "backups-source-account-id"
 }
@@ -8,9 +6,6 @@ data "aws_secretsmanager_secret_version" "source_account_id" {
   secret_id = data.aws_secretsmanager_secret.source_account_id.id
 }
 
-output "account_id" {
-  value = data.aws_caller_identity.current.account_id
-}
 
 # We need a key for the backup vaults. This key will be used to encrypt the backups themselves.
 # We need one per vault (on the assumption that each vault will be in a different account).
@@ -24,7 +19,7 @@ module "destination" {
   source = "../../modules/aws-backup-destination"
 
   source_account_name     = "test" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name - change to dev/prod
-  account_id              = data.aws_caller_identity.current.account_id
+  account_id              = var.assume_account
   source_account_id       = data.aws_secretsmanager_secret_version.source_account_id.secret_string
   kms_key                 = aws_kms_key.destination_backup_key.arn
   enable_vault_protection = false

infrastructure/terraform/per_account/dev/aws-backups.tf

@@ -0,0 +1,116 @@
+data "aws_secretsmanager_secret" "destination_vault_arn" {
+  name = "destination_vault_arn"
+}
+
+data "aws_secretsmanager_secret_version" "destination_vault_arn" {
+  secret_id = data.aws_secretsmanager_secret.destination_vault_arn.id
+}
+
+data "aws_secretsmanager_secret" "destination_account_id" {
+  name = "destination_account_id"
+}
+
+data "aws_secretsmanager_secret_version" "destination_account_id" {
+  secret_id = data.aws_secretsmanager_secret.destination_account_id.id
+}
+
+# First, we create an S3 bucket for compliance reports. You may already have a module for creating
+# S3 buckets with more refined access rules, which you may prefer to use.
+
+resource "aws_s3_bucket" "backup_reports" {
+  bucket_prefix = "${local.project}-backup-reports"
+}
+
+# Now we have to configure access to the report bucket.
+
+resource "aws_s3_bucket_ownership_controls" "backup_reports" {
+  bucket = aws_s3_bucket.backup_reports.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "backup_reports" {
+  depends_on = [aws_s3_bucket_ownership_controls.backup_reports]
+
+  bucket = aws_s3_bucket.backup_reports.id
+  acl    = "private"
+}
+
+# We need a key for the SNS topic that will be used for notifications from AWS Backup. This key
+# will be used to encrypt the messages sent to the topic before they are sent to the subscribers,
+# but isn't needed by the recipients of the messages.
+
+
+# Now we can define the key itself
+resource "aws_kms_key" "backup_notifications" {
+  description             = "KMS key for AWS Backup notifications"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Sid    = "Enable IAM User Permissions"
+        Principal = {
+          AWS = "arn:aws:iam::${var.assume_account}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "sns.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
+    ]
+  })
+}
+
+# Now we can deploy the source and destination modules, referencing the resources we've created above.
+
+module "source" {
+  source = "../../modules/aws-backup-source"
+
+  backup_copy_vault_account_id = data.aws_secretsmanager_secret_version.destination_account_id.secret_string
+  backup_copy_vault_arn        = data.aws_secretsmanager_secret_version.destination_vault_arn.secret_string
+  environment_name             = var.environment
+  bootstrap_kms_key_arn        = aws_kms_key.backup_notifications.arn
+  project_name                 = local.project
+  reports_bucket               = aws_s3_bucket.backup_reports.bucket
+  terraform_role_arn           = data.aws_caller_identity.current.arn
+
+  backup_plan_config = {
+    "compliance_resource_types" : [
+      "S3"
+    ],
+    "rules" : [
+      {
+        "copy_action" : {
+          "delete_after" : 4
+        },
+        "lifecycle" : {
+          "delete_after" : 2
+        },
+        "name" : "daily_kept_for_2_days",
+        "schedule" : "cron(0 0 * * ? *)"
+      }
+    ],
+    "selection_tag" : "NHSE-Enable-Backup"
+  }
+  # # Note here that we need to explicitly disable DynamoDB backups in the source account.
+  # # The default config in the module enables backups for all resource types.
+  # backup_plan_config_dynamodb = {
+  #   "compliance_resource_types" : [
+  #     "DynamoDB"
+  #   ],
+  #   "rules" : [
+  #   ],
+  #   "enable" : false,
+  #   "selection_tag" : "NHSE-Enable-Backup"
+  # }
+}

infrastructure/terraform/per_workspace/modules/api_storage/dynamodb.tf

@@ -16,7 +16,8 @@ module "dynamodb_table" {
   point_in_time_recovery_enabled = true
 
   tags = {
-    Name = var.name
+    Name                 = var.name
+    "NHSE-Enable-Backup" = "True" # will this work? Only needed for 1 environment? only tag in one account
   }
 
 }