CCM-7890 Update backup template resources, there is no S3 backup needed yet

aidenvaines-cgi · aidenvaines-cgi · commit 7f5d1e6698e6 · 2025-01-27T16:44:53.000Z
diff --git a/infrastructure/terraform/components/app/module_nhse_backup_vault.tf b/infrastructure/terraform/components/app/module_nhse_backup_vault.tf
@@ -1,5 +1,6 @@
 module "nhse_backup_vault" {
-  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/aws-backup-source?ref=v1.0.6"
+  # source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/aws-backup-source?ref=v1.0.6"
+  source = "/Users/aiden.vaines/Clients/NHS/notify/nhs-notify-shared-modules/infrastructure/modules/aws-backup-source"
   count = var.destination_vault_arn != null ? 1:0
 
   project_name     = local.csi
@@ -10,49 +11,28 @@ module "nhse_backup_vault" {
 
   reports_bucket                     = local.acct.s3_buckets["backup_reports"]["bucket"]
   notifications_target_email_address = var.backup_report_recipient
+  notification_kms_key               = module.kms.key_id
 
-  bootstrap_kms_key_arn = module.kms.key_id
-  terraform_role_arn    = local.bootstrap.iam_github_deploy_role["arn"]
+  management_ci_role_arn = local.bootstrap.iam_github_deploy_role["arn"]
 
-  backup_plan_config = {
-                        "compliance_resource_types": [
-                          "S3"
-                        ],
-                        "rules": [
-                          {
-                            "copy_action": {
-                              "delete_after": var.retention_period
-                            },
-                            "lifecycle": {
-                              "delete_after": var.retention_period
-                            },
-                            "name": "${local.csi}-backup-rule",
-                            "schedule": var.backup_schedule_cron
-                          }
-                        ],
-                        "selection_tag": "NHSE-Enable-Backup"
-                      }
-
-  # Note here that we need to explicitly disable DynamoDB backups in the source account.
-  # The default config in the module enables backups for all resource types.
   backup_plan_config_dynamodb = {
                                   "compliance_resource_types": [
                                     "DynamoDB"
                                   ],
                                   "rules": [
                                     {
+                                      "name": "${local.csi}-backup-rule",
+                                      "schedule": var.backup_schedule_cron,
                                       "copy_action": {
                                         "delete_after": var.retention_period
                                       },
                                       "lifecycle": {
                                         "delete_after": var.retention_period
-                                      },
-                                      "name": "${local.csi}-backup-rule",
-                                      "schedule": var.backup_schedule_cron
+                                      }
                                     }
                                   ],
                                   "enable": true,
-                                  "selection_tag": "NHSE-Enable-Backup"
+                                  "selection_tag": "NHSE-Enable-Dynamo-Backup"
                                 }
 }
 
diff --git a/infrastructure/terraform/modules/backend-api/dynamodb_table_templates.tf b/infrastructure/terraform/modules/backend-api/dynamodb_table_templates.tf
@@ -30,6 +30,6 @@ resource "aws_dynamodb_table" "templates" {
     }
 
     tags = {
-      "NHSE-Enable-Backup" = var.enable_backup ? "True": "False"
+      "NHSE-Enable-Dynamo-Backup" = var.enable_backup ? "True": "False"
     }
 }
diff --git a/scripts/terraform/terraform.mk b/scripts/terraform/terraform.mk
@@ -61,7 +61,7 @@ terraform-sec: # TFSEC check against Terraform files - optional: terraform_dir|d
 		--exclude-downloaded-modules \
 		--tfvars-file infrastructure/terraform/etc/global.tfvars \
 		--tfvars-file infrastructure/terraform/etc/env_eu-west-2_main.tfvars \
-		--config-file scripts/config/tfsec.yml
+		--config-file scripts/config/tfsec.yaml
 
 # ==============================================================================
 # Module tests and examples - please DO NOT edit this section!
diff --git a/scripts/terraform/tfsec.sh b/scripts/terraform/tfsec.sh
@@ -39,7 +39,7 @@ function run-tfsec-natively() {
   tfsec \
     --force-all-dirs \
     --exclude-downloaded-modules \
-    --config-file scripts/config/tfsec.yml \
+    --config-file scripts/config/tfsec.yaml \
     --format text \
     "$dir_to_scan"
 

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,6 @@ resource "aws_dynamodb_table" "templates" {`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`tags = {`
`33`		`- "NHSE-Enable-Backup" = var.enable_backup ? "True": "False"`
	`33`	`+ "NHSE-Enable-Dynamo-Backup" = var.enable_backup ? "True": "False"`
`34`	`34`	`}`
`35`	`35`	`}`