feature/PI-407-immutable_backups Remove backups moduleee

megan-bower4 · megan-bower4 · commit 9775b26818bb · 2025-03-14T11:44:48.000Z
diff --git a/infrastructure/terraform/per_account/dev/aws-backups.tf b/infrastructure/terraform/per_account/dev/aws-backups.tf
@@ -1,125 +1,125 @@
-data "aws_secretsmanager_secret" "destination_vault_arn" {
-  name = "destination_vault_arn"
-}
-
-data "aws_secretsmanager_secret_version" "destination_vault_arn" {
-  secret_id = data.aws_secretsmanager_secret.destination_vault_arn.id
-}
-
-data "aws_secretsmanager_secret" "destination_account_id" {
-  name = "destination_account_id"
-}
-
-data "aws_secretsmanager_secret_version" "destination_account_id" {
-  secret_id = data.aws_secretsmanager_secret.destination_account_id.id
-}
-
-# First, we create an S3 bucket for compliance reports. You may already have a module for creating
-# S3 buckets with more refined access rules, which you may prefer to use.
-
-resource "aws_s3_bucket" "backup_reports" {
-  bucket_prefix = "${local.project}-backup-reports"
-}
-
-# Now we have to configure access to the report bucket.
-
-resource "aws_s3_bucket_ownership_controls" "backup_reports" {
-  bucket = aws_s3_bucket.backup_reports.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-resource "aws_s3_bucket_acl" "backup_reports" {
-  depends_on = [aws_s3_bucket_ownership_controls.backup_reports]
-
-  bucket = aws_s3_bucket.backup_reports.id
-  acl    = "private"
-}
-
-# We need a key for the SNS topic that will be used for notifications from AWS Backup. This key
-# will be used to encrypt the messages sent to the topic before they are sent to the subscribers,
-# but isn't needed by the recipients of the messages.
-
-
-# Now we can define the key itself
-resource "aws_kms_key" "backup_notifications" {
-  description             = "KMS key for AWS Backup notifications"
-  deletion_window_in_days = 7
-  enable_key_rotation     = true
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Sid    = "Enable IAM User Permissions"
-        Principal = {
-          AWS = "arn:aws:iam::${var.assume_account}:root"
-        }
-        Action   = "kms:*"
-        Resource = "*"
-      },
-      {
-        Effect = "Allow"
-        Principal = {
-          Service = "sns.amazonaws.com"
-        }
-        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
-        Resource = "*"
-      },
-    ]
-  })
-}
-
-# Now we can deploy the source and destination modules, referencing the resources we've created above.
-
-module "source" {
-  source = "../../modules/aws-backup-source"
-
-  backup_copy_vault_account_id = data.aws_secretsmanager_secret_version.destination_account_id.secret_string
-  backup_copy_vault_arn        = data.aws_secretsmanager_secret_version.destination_vault_arn.secret_string
-  environment_name             = var.environment
-  bootstrap_kms_key_arn        = aws_kms_key.backup_notifications.arn
-  project_name                 = local.project
-  reports_bucket               = aws_s3_bucket.backup_reports.bucket
-  terraform_role_arn           = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
-
-  backup_plan_config = {
-    "compliance_resource_types" : [
-      "S3"
-    ],
-    "rules" : [
-      {
-        "copy_action" : {
-          "delete_after" : 4
-        },
-        "lifecycle" : {
-          "delete_after" : 2
-        },
-        "name" : "daily_kept_for_2_days",
-        "schedule" : "cron(0 0 * * ? *)"
-      }
-    ],
-    "selection_tag" : "NHSE-Enable-Backup"
-  }
-
-  backup_plan_config_dynamodb = {
-    "enable" : true,
-    "compliance_resource_types" : [
-      "DynamoDB"
-    ],
-    "rules" : [
-      {
-        "copy_action" : {
-          "delete_after" : 4
-        },
-        "lifecycle" : {
-          "delete_after" : 2
-        },
-        "name" : "daily_kept_for_2_days",
-        "schedule" : "cron(0 0 * * ? *)"
-      }
-    ],
-    "selection_tag" : "NHSE-Enable-Backup"
-  }
-}
+# data "aws_secretsmanager_secret" "destination_vault_arn" {
+#   name = "destination_vault_arn"
+# }
+
+# data "aws_secretsmanager_secret_version" "destination_vault_arn" {
+#   secret_id = data.aws_secretsmanager_secret.destination_vault_arn.id
+# }
+
+# data "aws_secretsmanager_secret" "destination_account_id" {
+#   name = "destination_account_id"
+# }
+
+# data "aws_secretsmanager_secret_version" "destination_account_id" {
+#   secret_id = data.aws_secretsmanager_secret.destination_account_id.id
+# }
+
+# # First, we create an S3 bucket for compliance reports. You may already have a module for creating
+# # S3 buckets with more refined access rules, which you may prefer to use.
+
+# resource "aws_s3_bucket" "backup_reports" {
+#   bucket_prefix = "${local.project}-backup-reports"
+# }
+
+# # Now we have to configure access to the report bucket.
+
+# resource "aws_s3_bucket_ownership_controls" "backup_reports" {
+#   bucket = aws_s3_bucket.backup_reports.id
+#   rule {
+#     object_ownership = "BucketOwnerPreferred"
+#   }
+# }
+
+# resource "aws_s3_bucket_acl" "backup_reports" {
+#   depends_on = [aws_s3_bucket_ownership_controls.backup_reports]
+
+#   bucket = aws_s3_bucket.backup_reports.id
+#   acl    = "private"
+# }
+
+# # We need a key for the SNS topic that will be used for notifications from AWS Backup. This key
+# # will be used to encrypt the messages sent to the topic before they are sent to the subscribers,
+# # but isn't needed by the recipients of the messages.
+
+
+# # Now we can define the key itself
+# resource "aws_kms_key" "backup_notifications" {
+#   description             = "KMS key for AWS Backup notifications"
+#   deletion_window_in_days = 7
+#   enable_key_rotation     = true
+#   policy = jsonencode({
+#     Version = "2012-10-17"
+#     Statement = [
+#       {
+#         Effect = "Allow"
+#         Sid    = "Enable IAM User Permissions"
+#         Principal = {
+#           AWS = "arn:aws:iam::${var.assume_account}:root"
+#         }
+#         Action   = "kms:*"
+#         Resource = "*"
+#       },
+#       {
+#         Effect = "Allow"
+#         Principal = {
+#           Service = "sns.amazonaws.com"
+#         }
+#         Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+#         Resource = "*"
+#       },
+#     ]
+#   })
+# }
+
+# # Now we can deploy the source and destination modules, referencing the resources we've created above.
+
+# module "source" {
+#   source = "../../modules/aws-backup-source"
+
+#   backup_copy_vault_account_id = data.aws_secretsmanager_secret_version.destination_account_id.secret_string
+#   backup_copy_vault_arn        = data.aws_secretsmanager_secret_version.destination_vault_arn.secret_string
+#   environment_name             = var.environment
+#   bootstrap_kms_key_arn        = aws_kms_key.backup_notifications.arn
+#   project_name                 = local.project
+#   reports_bucket               = aws_s3_bucket.backup_reports.bucket
+#   terraform_role_arn           = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+
+#   backup_plan_config = {
+#     "compliance_resource_types" : [
+#       "S3"
+#     ],
+#     "rules" : [
+#       {
+#         "copy_action" : {
+#           "delete_after" : 4
+#         },
+#         "lifecycle" : {
+#           "delete_after" : 2
+#         },
+#         "name" : "daily_kept_for_2_days",
+#         "schedule" : "cron(0 0 * * ? *)"
+#       }
+#     ],
+#     "selection_tag" : "NHSE-Enable-Backup"
+#   }
+
+#   backup_plan_config_dynamodb = {
+#     "enable" : true,
+#     "compliance_resource_types" : [
+#       "DynamoDB"
+#     ],
+#     "rules" : [
+#       {
+#         "copy_action" : {
+#           "delete_after" : 4
+#         },
+#         "lifecycle" : {
+#           "delete_after" : 2
+#         },
+#         "name" : "daily_kept_for_2_days",
+#         "schedule" : "cron(0 0 * * ? *)"
+#       }
+#     ],
+#     "selection_tag" : "NHSE-Enable-Backup"
+#   }
+# }
