Changes to backups

Valswyn-NHS · Valswyn-NHS · commit e40edd39874f · 2025-03-25T10:30:06.000Z
diff --git a/terraform_aws_backup/aws-backup-source/modules/aws_config/kms.tf b/terraform_aws_backup/aws-backup-source/modules/aws_config/kms.tf
@@ -31,13 +31,4 @@ data "aws_iam_policy_document" "backup_key_policy" {
     actions   = ["kms:*"]
     resources = ["*"]
   }
-  statement {
-    sid = "AllowBackupUseOfKey"
-    principals {
-      type        = "Service"
-      identifiers = ["sns.amazonaws.com"]
-    }
-    actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
-    resources = ["*"]
-  }
 }
diff --git a/terraform_aws_backup/aws-backup-source/modules/aws_config/sns.tf b/terraform_aws_backup/aws-backup-source/modules/aws_config/sns.tf
@@ -58,6 +58,14 @@ resource "aws_kms_key" "sns_encrypt_key" {
         Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
         Resource = "*"
       },
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "backup.amazonaws.com"
+        }
+        Action   = ["kms:GenerateDataKey*", "kms:Decrypt"]
+        Resource = "*"
+      },
     ]
   })
 }

Original file line number	Diff line number	Diff line change
`@@ -31,13 +31,4 @@ data "aws_iam_policy_document" "backup_key_policy" {`
`31`	`31`	`actions = ["kms:*"]`
`32`	`32`	`resources = ["*"]`
`33`	`33`	`}`
`34`		`- statement {`
`35`		`- sid = "AllowBackupUseOfKey"`
`36`		`- principals {`
`37`		`- type = "Service"`
`38`		`- identifiers = ["sns.amazonaws.com"]`
`39`		`- }`
`40`		`- actions = ["kms:GenerateDataKey", "kms:Decrypt"]`
`41`		`- resources = ["*"]`
`42`		`- }`
`43`	`34`	`}`