feature/PI-407-immutable_backups Add backups account iac and test backup in dev

Author: megan-bower4

.github/workflows/_deploy.yml

@@ -167,7 +167,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
-      - if: ${{ env.ACCOUNT != 'mgmt'}}
+      - if: ${{ env.ACCOUNT != 'mgmt' && env.ACCOUNT != 'backups' }}
         uses: ./.github/actions/make/
         with:
           command: test--smoke WORKSPACE="${{ env.WORKSPACE }}" ACCOUNT="${{ env.ACCOUNT }}"

.github/workflows/_deploy_backups.yml

@@ -0,0 +1,162 @@
+on:
+  workflow_call:
+    inputs:
+      account:
+        description: The AWS account being deployed
+        type: string
+        required: true
+      workspace:
+        description: The Terraform workspace being deployed
+        type: string
+        required: true
+      scope:
+        description: The Terraform scope being deployed
+        type: string
+        required: true
+
+permissions:
+  id-token: write
+  contents: read
+  actions: write
+
+env:
+  ACCOUNT: ${{ inputs.account }}
+  WORKSPACE: ${{ inputs.workspace }}
+  CACHE_NAME: ${{ inputs.workspace }}-${{ inputs.account }}-${{ inputs.scope }}
+  SCOPE: ${{ inputs.scope }}
+  CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }}
+
+jobs:
+  parse-secrets:
+    runs-on: [self-hosted, ci]
+    steps:
+      - id: parse-secrets
+        run: |
+          echo "::add-mask::${{ secrets.CI_ROLE_NAME }}"
+
+  get-branch-from-workflow-file:
+    runs-on: [self-hosted, ci]
+    needs: [parse-secrets]
+    outputs:
+      branch_name: ${{ steps.get_branch.outputs.branch_name }}
+    steps:
+      - id: get_branch
+        run: |
+          workflow_ref=${{ github.workflow_ref }}
+          branch_name=${workflow_ref#*refs/heads/}
+          branch_name=${branch_name#*refs/tags/}
+          echo "branch_name=${branch_name}" >> $GITHUB_OUTPUT
+
+  build:
+    runs-on: [self-hosted, ci]
+    needs: get-branch-from-workflow-file
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - if: ${{ env.SCOPE == 'per_workspace'}}
+        uses: ./.github/actions/make/
+        with:
+          command: build
+          save-to-cache: "true"
+          restore-from-cache: "false"
+          cache-suffix: ${{ env.CACHE_NAME }}
+      - if: ${{ env.SCOPE != 'per_workspace'}}
+        uses: ./.github/actions/make/
+        with:
+          command: poetry--update
+          save-to-cache: "true"
+          restore-from-cache: "false"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  terraform--init:
+    needs: [get-branch-from-workflow-file, build]
+    runs-on: [self-hosted, ci]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - uses: ./.github/actions/terraform/
+        with:
+          command: init
+          account: ${{ env.ACCOUNT }}
+          workspace: ${{ env.WORKSPACE }}
+          scope: ${{ env.SCOPE }}
+          restore-from-cache: "true"
+          save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  terraform--plan:
+    needs: [get-branch-from-workflow-file, terraform--init]
+    runs-on: [self-hosted, ci]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - uses: ./.github/actions/terraform/
+        with:
+          command: plan
+          account: ${{ env.ACCOUNT }}
+          workspace: ${{ env.WORKSPACE }}
+          scope: ${{ env.SCOPE }}
+          restore-from-cache: "true"
+          save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  terraform--apply:
+    needs: [get-branch-from-workflow-file, terraform--plan]
+    environment: ${{ inputs.account }}
+    runs-on: [self-hosted, ci]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - uses: ./.github/actions/terraform/
+        with:
+          command: apply
+          account: ${{ env.ACCOUNT }}
+          workspace: ${{ env.WORKSPACE }}
+          scope: ${{ env.SCOPE }}
+          restore-from-cache: "true"
+          save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  set-success:
+    name: Set Success
+    needs: [test--smoke, apigee--deploy]
+    runs-on: [self-hosted, ci]
+    steps:
+      - name: Set success env var
+        run: echo "success"
+    outputs:
+      success: "succeeded"
+
+  message-slack:
+    name: Notify slack of deployment
+    needs: [get-branch-from-workflow-file, set-success]
+    if: always()
+    runs-on: [self-hosted, ci]
+
+    steps:
+      - name: Catch failed steps
+        id: catch-failed-step
+        uses: ./.github/actions/catch-failed-step
+      - name: Send job result to slack
+        id: slack
+        uses: slackapi/[email protected]
+        with:
+          webhook-type: webhook-trigger
+          payload: |
+            {
+              "action_url": "${{ format('{0}/{1}/actions/runs/{2}/attempts/{3}', github.server_url, github.repository, github.run_id, github.run_attempt) }}",
+              "attempt": ${{ github.run_attempt }},
+              "account": "${{ env.ACCOUNT }}",
+              "workspace": "${{ env.WORKSPACE }}",
+              "caller": "${{ github.triggering_actor }}",
+              "scope": "${{ env.SCOPE }}",
+              "branch": "${{ needs.get-branch-from-workflow-file.outputs.branch_name }}",
+              "result":  "${{ needs.set-success.outputs.success && needs.set-success.outputs.success || 'failed' }}",
+              "result_detail": "${{ needs.set-success.outputs.success && 'None' || steps.catch-failed-step.outputs.failed-step-name }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }}

.github/workflows/deploy-backups-account-wide-resources.yml

@@ -0,0 +1,19 @@
+name: "Deploy: Account Wide - Backups"
+
+on:
+  workflow_dispatch:
+    inputs:
+      account:
+        description: Account to deploy
+        required: true
+        default: backups
+jobs:
+  deploy:
+    uses: ./.github/workflows/_deploy_backups.yml
+    with:
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}
+      scope: "per_account/${{ inputs.account }}"
+    secrets: inherit # pragma: allowlist secret
+
+run-name: Deploying account wide to nonprod workspace - ${{ inputs.account }}

.github/workflows/deploy-parameters-backups.yml

@@ -0,0 +1,20 @@
+name: "Deploy: Parameters - Backups"
+
+on:
+  workflow_dispatch:
+    inputs:
+      account:
+        description: Account to deploy
+        required: true
+        default: backups
+
+jobs:
+  deploy:
+    uses: ./.github/workflows/_deploy_backups.yml
+    with:
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}
+      scope: "per_account/${{ inputs.account }}/parameters"
+    secrets: inherit # pragma: allowlist secret
+
+run-name: Deploying parameters to nonprod workspace - ${{ inputs.account }}

infrastructure/terraform/etc/backups.tfvars

@@ -0,0 +1,2 @@
+account_name = "backups"
+environment  = "backups"

infrastructure/terraform/modules/aws-backup-destination/README.md

@@ -0,0 +1,31 @@
+# AWS Backup Module
+
+The AWS Backup Module helps automates the setup of AWS Backup resources in a destination account. It streamlines the process of creating, managing, and standardising backup configurations.
+
+## Inputs
+
+| Name                                                                                                                     | Description                                                                                                                                                                                         | Type     | Default        | Required |
+| ------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------------- | :------: |
+| <a name="input_account_id"></a> [account_id](#input_account_id)                                                          | The id of the account that the vault will be in                                                                                                                                                     | `string` | n/a            |   yes    |
+| <a name="input_changeable_for_days"></a> [changeable_for_days](#input_changeable_for_days)                               | How long you want the vault lock to be changeable for, only applies to compliance mode. This value is expressed in days no less than 3 and no greater than 36,500; otherwise, an error will return. | `number` | `14`           |    no    |
+| <a name="input_enable_vault_protection"></a> [enable_vault_protection](#input_enable_vault_protection)                   | Flag which controls if the vault lock is enabled                                                                                                                                                    | `bool`   | `false`        |    no    |
+| <a name="input_kms_key"></a> [kms_key](#input_kms_key)                                                                   | The KMS key used to secure the vault                                                                                                                                                                | `string` | n/a            |   yes    |
+| <a name="input_region"></a> [region](#input_region)                                                                      | The region we should be operating in                                                                                                                                                                | `string` | `"eu-west-2"`  |    no    |
+| <a name="input_source_account_id"></a> [source_account_id](#input_source_account_id)                                     | The id of the account that backups will come from                                                                                                                                                   | `string` | n/a            |   yes    |
+| <a name="input_source_account_name"></a> [source_account_name](#input_source_account_name)                               | The name of the account that backups will come from                                                                                                                                                 | `string` | n/a            |   yes    |
+| <a name="input_vault_lock_max_retention_days"></a> [vault_lock_max_retention_days](#input_vault_lock_max_retention_days) | The maximum retention period that the vault retains its recovery points                                                                                                                             | `number` | `365`          |    no    |
+| <a name="input_vault_lock_min_retention_days"></a> [vault_lock_min_retention_days](#input_vault_lock_min_retention_days) | The minimum retention period that the vault retains its recovery points                                                                                                                             | `number` | `365`          |    no    |
+| <a name="input_vault_lock_type"></a> [vault_lock_type](#input_vault_lock_type)                                           | The type of lock that the vault should be, will default to governance                                                                                                                               | `string` | `"governance"` |    no    |
+
+## Example
+
+```terraform
+module "test_backup_vault" {
+  source                  = "./modules/aws_backup"
+  source_account_name     = "test"
+  account_id              = local.aws_accounts_ids["backup"]
+  source_account_id       = local.aws_accounts_ids["test"]
+  kms_key                 = aws_kms_key.backup_key.arn
+  enable_vault_protection = true
+}
+```

infrastructure/terraform/modules/aws-backup-destination/backup.tf

@@ -0,0 +1,8 @@
+resource "aws_backup_vault" "vault" {
+  name        = "${var.source_account_name}-backup-vault"
+  kms_key_arn = var.kms_key
+}
+
+output "vault_arn" {
+  value = aws_backup_vault.vault.arn
+}

infrastructure/terraform/modules/aws-backup-destination/backup_vault_lock.tf

@@ -0,0 +1,7 @@
+resource "aws_backup_vault_lock_configuration" "vault_lock" {
+  count               = var.enable_vault_protection ? 1 : 0
+  backup_vault_name   = aws_backup_vault.vault.name
+  changeable_for_days = var.vault_lock_type == "compliance" ? var.changeable_for_days : null
+  max_retention_days  = var.vault_lock_max_retention_days
+  min_retention_days  = var.vault_lock_min_retention_days
+}

infrastructure/terraform/modules/aws-backup-destination/backup_vault_policy.tf

@@ -0,0 +1,68 @@
+resource "aws_backup_vault_policy" "vault_policy" {
+  backup_vault_name = aws_backup_vault.vault.name
+  policy            = data.aws_iam_policy_document.vault_policy.json
+}
+
+data "aws_iam_policy_document" "vault_policy" {
+
+  statement {
+    sid    = "AllowCopyToVault"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+    }
+
+    actions = [
+      "backup:CopyIntoBackupVault"
+    ]
+    resources = ["*"]
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_vault_protection ? [1] : []
+    content {
+      sid    = "DenyBackupVaultAccess"
+      effect = "Deny"
+
+      principals {
+        type        = "AWS"
+        identifiers = ["*"]
+      }
+      actions = [
+        "backup:DeleteRecoveryPoint",
+        "backup:PutBackupVaultAccessPolicy",
+        "backup:UpdateRecoveryPointLifecycle",
+        "backup:DeleteBackupVault",
+        "backup:StartRestoreJob",
+        "backup:DeleteBackupVaultLockConfiguration",
+      ]
+      resources = ["*"]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.enable_vault_protection ? [1] : []
+    content {
+      sid    = "DenyBackupCopyExceptToSourceAccount"
+      effect = "Deny"
+
+      principals {
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${var.account_id}:root"]
+      }
+      actions = [
+        "backup:CopyFromBackupVault"
+      ]
+      resources = ["*"]
+      condition {
+        test     = "StringNotEquals"
+        variable = "backup:CopyTargets"
+        values = [
+          "arn:aws:backup:${var.region}:${var.source_account_id}:backup-vault:${var.region}-${var.source_account_id}-backup-vault"
+        ]
+      }
+    }
+  }
+}