feature/PI-407-immutable_backups TEST - all backups permissions

Author: megan-bower4

infrastructure/terraform/modules/aws-backup-source/iam.tf

@@ -35,3 +35,26 @@ resource "aws_iam_role_policy_attachment" "s3_backup" {
   policy_arn = "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup"
   role       = aws_iam_role.backup.name
 }
+
+
+resource "aws_iam_policy" "restore_testing_selection_permissions" {
+  name = "${local.resource_name_prefix}-source-account-backup-permissions"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "backup:*",
+          "cloudformation:*"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "source_account_backup_permissions" {
+  policy_arn = aws_iam_policy.restore_testing_selection_permissions.arn
+  role       = aws_iam_role.backup.name
+}

infrastructure/terraform/per_account/dev/aws-backups.tf

@@ -102,15 +102,4 @@ module "source" {
     ],
     "selection_tag" : "NHSE-Enable-Backup"
   }
-  # # Note here that we need to explicitly disable DynamoDB backups in the source account.
-  # # The default config in the module enables backups for all resource types.
-  # backup_plan_config_dynamodb = {
-  #   "compliance_resource_types" : [
-  #     "DynamoDB"
-  #   ],
-  #   "rules" : [
-  #   ],
-  #   "enable" : false,
-  #   "selection_tag" : "NHSE-Enable-Backup"
-  # }
 }

infrastructure/terraform/per_account/dev/permissions.tf

@@ -36,7 +36,11 @@ resource "aws_iam_policy" "source_account_backup_permissions" {
           "backup:DeleteRestoreTestingPlan",
           "backup:GetRestoreTestingPlan",
           "backup:ListRestoreTestingPlans",
-          "backup:UpdateRestoreTestingPlan"
+          "backup:UpdateRestoreTestingPlan",
+          "backup:CreateRestoreTestingSelection",
+          "backup:DescribeRestoreTestingSelection",
+          "backup:UpdateRestoreTestingSelection",
+          "backup:DeleteRestoreTestingSelection",
         ],
         Resource = "*"
       },
@@ -59,6 +63,24 @@ resource "aws_iam_policy" "source_account_backup_permissions" {
           "kms:TagResource"
         ],
         Resource = "*"
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "secretsmanager:GetSecretValue"
+        ],
+        Resource = [
+          "arn:aws:secretsmanager:*:${var.assume_account}:secret:destination_vault_arn-*",
+          "arn:aws:secretsmanager:*:${var.assume_account}:secret:destination_account_id-*"
+        ]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "backup:*",
+          "cloudformation:*"
+        ],
+        Resource = "*"
       }
     ]
   })

scripts/infrastructure/policies/deployment2-policy.json

@@ -169,9 +169,7 @@
         "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-apigee-credentials-*",
         "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-apigee-cpm-apikey-*",
         "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-apigee-app-key-*",
-        "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-etl-notify-slack-webhook-url-*",
-        "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:destination_vault_arn-*",
-        "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:destination_account_id-*"
+        "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-etl-notify-slack-webhook-url-*"
       ]
     },
     {