feature/PI-407-immutable_backups Add dynamo backup plan config and remove restore plans

megan-bower4 · megan-bower4 · commit 6ee846d6ddcd · 2025-03-14T11:07:44.000Z
diff --git a/infrastructure/terraform/modules/aws-backup-source/backup_restore_testing.tf b/infrastructure/terraform/modules/aws-backup-source/backup_restore_testing.tf
@@ -1,26 +1,25 @@
-resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan" {
-  restore_testing_plan_name = "backup_restore_testing_plan"
-  schedule_expression       = var.restore_testing_plan_scheduled_expression
-  start_window_hours        = var.restore_testing_plan_start_window
-  recovery_point_selection = {
-    algorithm             = var.restore_testing_plan_algorithm
-    include_vaults        = [aws_backup_vault.main.arn]
-    recovery_point_types  = var.restore_testing_plan_recovery_point_types
-    selection_window_days = var.restore_testing_plan_selection_window_days
-  }
-}
+# resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan" {
+#   restore_testing_plan_name = "backup_restore_testing_plan"
+#   schedule_expression       = var.restore_testing_plan_scheduled_expression
+#   start_window_hours        = var.restore_testing_plan_start_window
+#   recovery_point_selection = {
+#     algorithm             = var.restore_testing_plan_algorithm
+#     include_vaults        = [aws_backup_vault.main.arn]
+#     recovery_point_types  = var.restore_testing_plan_recovery_point_types
+#     selection_window_days = var.restore_testing_plan_selection_window_days
+#   }
+# }
 
-resource "awscc_backup_restore_testing_selection" "backup_restore_testing_selection_dynamodb" {
-  count                          = var.backup_plan_config_dynamodb.enable ? 1 : 0
-  iam_role_arn                   = aws_iam_role.backup.arn
-  protected_resource_type        = "DynamoDB"
-  restore_testing_plan_name      = awscc_backup_restore_testing_plan.backup_restore_testing_plan.restore_testing_plan_name
-  restore_testing_selection_name = "backup_restore_testing_selection_dynamodb"
-  protected_resource_arns        = ["*"]
-  protected_resource_conditions = {
-    string_equals = [{
-      key   = "aws:ResourceTag/${var.backup_plan_config_dynamodb.selection_tag}"
-      value = "True"
-    }]
-  }
-}
+# resource "awscc_backup_restore_testing_selection" "backup_restore_testing_selection_dynamodb" {
+#   count                          = var.backup_plan_config_dynamodb.enable ? 1 : 0
+#   iam_role_arn                   = aws_iam_role.backup.arn
+#   protected_resource_type        = "DynamoDB"
+#   restore_testing_plan_name      = awscc_backup_restore_testing_plan.backup_restore_testing_plan.restore_testing_plan_name
+#   restore_testing_selection_name = "backup_restore_testing_selection_dynamodb"
+#   protected_resource_conditions = {
+#     string_equals = [{
+#       key   = "aws:ResourceTag/${var.backup_plan_config_dynamodb.selection_tag}"
+#       value = "True"
+#     }]
+#   }
+# }
diff --git a/infrastructure/terraform/modules/aws-backup-source/iam.tf b/infrastructure/terraform/modules/aws-backup-source/iam.tf
@@ -36,6 +36,11 @@ resource "aws_iam_role_policy_attachment" "s3_backup" {
   role       = aws_iam_role.backup.name
 }
 
+resource "aws_iam_role_policy_attachment" "backup_full_access" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSBackupFullAccess"
+  role       = aws_iam_role.backup.name
+}
+
 
 resource "aws_iam_policy" "restore_testing_selection_permissions" {
   name = "${local.resource_name_prefix}-source-account-backup-permissions"
@@ -49,7 +54,7 @@ resource "aws_iam_policy" "restore_testing_selection_permissions" {
           "cloudformation:*"
         ],
         Resource = "*"
-      }
+      },
     ]
   })
 }
diff --git a/infrastructure/terraform/per_account/dev/aws-backups.tf b/infrastructure/terraform/per_account/dev/aws-backups.tf
@@ -102,4 +102,24 @@ module "source" {
     ],
     "selection_tag" : "NHSE-Enable-Backup"
   }
+
+  backup_plan_config_dynamodb = {
+    "enable" : true,
+    "compliance_resource_types" : [
+      "DynamoDB"
+    ],
+    "rules" : [
+      {
+        "copy_action" : {
+          "delete_after" : 4
+        },
+        "lifecycle" : {
+          "delete_after" : 2
+        },
+        "name" : "daily_kept_for_2_days",
+        "schedule" : "cron(0 0 * * ? *)"
+      }
+    ],
+    "selection_tag" : "NHSE-Enable-Backup"
+  }
 }
diff --git a/infrastructure/terraform/per_account/dev/terraform.tf b/infrastructure/terraform/per_account/dev/terraform.tf
@@ -25,5 +25,9 @@ terraform {
       source  = "hashicorp/local"
       version = "~> 2.0"
     }
+    awscc = {
+      source  = "hashicorp/awscc"
+      version = "~> 1.32.0"
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,11 @@ resource "aws_iam_role_policy_attachment" "s3_backup" {`
`36`	`36`	`role = aws_iam_role.backup.name`
`37`	`37`	`}`
`38`	`38`
	`39`	`+resource "aws_iam_role_policy_attachment" "backup_full_access" {`
	`40`	`+ policy_arn = "arn:aws:iam::aws:policy/AWSBackupFullAccess"`
	`41`	`+ role = aws_iam_role.backup.name`
	`42`	`+}`
	`43`	`+`
`39`	`44`
`40`	`45`	`resource "aws_iam_policy" "restore_testing_selection_permissions" {`
`41`	`46`	`name = "${local.resource_name_prefix}-source-account-backup-permissions"`
`@@ -49,7 +54,7 @@ resource "aws_iam_policy" "restore_testing_selection_permissions" {`
`49`	`54`	`"cloudformation:*"`
`50`	`55`	`],`
`51`	`56`	`Resource = "*"`
`52`		`- }`
	`57`	`+ },`
`53`	`58`	`]`
`54`	`59`	`})`
`55`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,5 +25,9 @@ terraform {`
`25`	`25`	`source = "hashicorp/local"`
`26`	`26`	`version = "~> 2.0"`
`27`	`27`	`}`
	`28`	`+ awscc = {`
	`29`	`+ source = "hashicorp/awscc"`
	`30`	`+ version = "~> 1.32.0"`
	`31`	`+ }`
`28`	`32`	`}`
`29`	`33`	`}`