[PRM-600] Backup vault terraform | Add AdministratorRestriction IAM policy & update aws provider to v6 (#489)

Author: chrisbloe

backup-vault/teraform/README.md

@@ -1,33 +1,23 @@
-## Requirements
+# AWS Backup Vault Terraform Configuration
 
-| Name | Version |
-|------|---------|
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
+To create or update the AWS config, Terraform must be run from a local machine, as there is currently no GitHub Action set up for this.
 
-## Providers
+The following commands should be used as a suggestion for the process:
 
-| Name | Version |
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+```shell
+aws sso login --sso-session PRM
 
-## Modules
+export AWS_PROFILE=NDR-Pre-Prod-Backup-RW
+terraform init -backend-config=pre-prod.s3.tfbackend -upgrade -reconfigure
+terraform workspace list
+terraform workspace select pre-prod
+terraform plan
+terraform apply
 
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_backup_vault.backup_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
-| [aws_backup_vault_policy.backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
-| [aws_kms_alias.encryption_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
-| [aws_kms_key.encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_ssm_parameter.backup-source-account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
-
-## Inputs
-
-No inputs.
-
-## Outputs
-
-No outputs.
+export AWS_PROFILE=NDR-Prod-Backup-RW
+terraform init -backend-config=prod.s3.tfbackend -upgrade -reconfigure
+terraform workspace list
+terraform workspace select prod-backup
+terraform plan
+terraform apply
+```

backup-vault/teraform/backup-vault.tf

@@ -12,7 +12,6 @@ resource "aws_kms_alias" "encryption_key_alias" {
   target_key_id = aws_kms_key.encryption_key.id
 }
 
-
 resource "aws_backup_vault_policy" "backup_policy" {
   backup_vault_name = aws_backup_vault.backup_vault.name
 
@@ -21,10 +20,10 @@ resource "aws_backup_vault_policy" "backup_policy" {
       "Version" : "2012-10-17",
       "Statement" : [
         {
-          "Sid" : "Allow ${data.aws_ssm_parameter.backup-source-account.value} to copy into pre-prod_backup_vault",
+          "Sid" : "Allow ${data.aws_ssm_parameter.backup_source_account.value} to copy into pre-prod_backup_vault",
           "Effect" : "Allow",
           "Principal" : {
-            "AWS" : "arn:aws:iam::${data.aws_ssm_parameter.backup-source-account.value}:root"
+            "AWS" : "arn:aws:iam::${data.aws_ssm_parameter.backup_source_account.value}:root"
           },
           "Action" : "backup:CopyIntoBackupVault",
           "Resource" : "*"
@@ -34,7 +33,6 @@ resource "aws_backup_vault_policy" "backup_policy" {
   )
 }
 
-data "aws_ssm_parameter" "backup-source-account" {
+data "aws_ssm_parameter" "backup_source_account" {
   name = "backup-source-account"
 }
-

backup-vault/teraform/iam.tf

@@ -0,0 +1,25 @@
+resource "aws_iam_policy" "administrator_permission_restrictions" {
+  name = "AdministratorRestriction"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Deny",
+        Action = [
+          "s3:DeleteObject",
+          "s3:DeleteObjectVersion",
+          "s3:PutLifecycleConfiguration",
+          "s3:PutObject",
+          "s3:RestoreObject"
+        ],
+        Resource = [
+          "arn:aws:s3:::*/*.tfstate"
+        ]
+      }
+    ]
+  })
+  tags = {
+    Name      = "AdministratorRestriction"
+    Workspace = "core"
+  }
+}

backup-vault/teraform/main.tf

@@ -2,16 +2,18 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0"
+      version = "~> 6.0"
     }
   }
+
   backend "s3" {
     use_lockfile = true
     region       = "eu-west-2"
     key          = "ndr/terraform.tfstate"
     encrypt      = true
   }
 }
+
 provider "aws" {
   region = "eu-west-2"
 }

backup-vault/teraform/pre-prod.s3.tfbackend

@@ -1,5 +1,4 @@
 bucket          = "ndr-backup-terraform-state"
-dynamodb_table  = "ndr-backup-terraform-lock"
 region          = "eu-west-2"
 key             = "backup/terraform.tfstate"
 encrypt         = true

backup-vault/teraform/prod.s3.tfbackend

@@ -1,5 +1,4 @@
-bucket          = "ndr-backup-terraform-state"
-dynamodb_table  = "ndr-backup-terraform-lock"
+bucket          = "ndr-prod-backup-terraform-state"
 region          = "eu-west-2"
-key             = "backup/terraform.tfstate"
+key             = "ndr/terraform.tfstate"
 encrypt         = true