Modify the backup vault access policies that contain restrictive clauses to prevent their deletion

gsoria · gsoria · commit 2d96dc7eaa09 · 2023-11-09T16:49:46.000-08:00
This commit fixes the following error when trying to delete backup vault access policies for vaults (`aws/efs/automatic-backup-vault`)
automatically created when EFS backup is enabled.

```
time="2023-10-05T15:37:07Z" level=error msg="AccessDeniedException: User: arn:aws:sts::X:assumed-role/XRole/SAAssumedRoleSession is not authorized to perform: backup:DeleteBackupVaultAccessPolicy on resource: arn:aws:backup:us-east-1:X:backup-vault:aws/efs/automatic-backup-vault with an explicit deny in a resource-based policy
```

The module before attempting to delete the backup vault access policy, sets a permissive policy
to ensure the `backup:DeleteBackupVaultAccessPolicy` is allowed.

The operation to put a policy to allow `backup:DeleteBackupVaultAccessPolicy` was silently failing due to an
error:

```
The specified policy cannot be added to the vault due to cross-account sharing restrictions.
Amend the policy or the vault's settings, then retry request
```

This commit updates the policy, to use the default as a template, but excluding delete actions.

Signed-off-by: Gabriela S. Soria &lt;gsoria@oreilly.com&gt;
diff --git a/resources/backup-vaults-access-policies.go b/resources/backup-vaults-access-policies.go
@@ -58,7 +58,7 @@ func ListBackupVaultAccessPolicies(sess *session.Session) ([]Resource, error) {
 }
 
 func (b *BackupVaultAccessPolicy) Remove() error {
-	// Set the policy to a policy that allows deletion before removal.
+	// Set a policy that allows deletion before removal.
 	//
 	// This is required to delete the policy for the automagically created vaults
 	// such as "aws/efs/automatic-backup-vault" from EFS automatic backups
@@ -87,21 +87,31 @@ func (b *BackupVaultAccessPolicy) Remove() error {
 	//     ]
 	// }
 	//
-	// While deletion is Denied, you can update the policy with one that
-	// doesn't deny and then delete at will.
+	// Update the default policy to remove the Deny on Delete* actions
+	// and then delete the policy.
+	//
+	// Why not putting a policy that allows `backup:DeleteBackupVaultAccessPolicy` in the first place?
+	// Because that throws an error:
+	// ' The specified policy cannot be added to the vault due to cross-account sharing restrictions.
+	// Amend the policy or the vault's settings, then retry request'
+	//
 	allowDeletionPolicy := `{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Principal": {
-                "AWS": "*"
-            },
-            "Action": "backup:DeleteBackupVaultAccessPolicy",
-            "Resource": "*"
-        }
-    ]
-}`
+		"Version": "2012-10-17",
+		"Statement": [
+			{
+				"Effect": "Deny",
+				"Principal": {
+					"AWS": "*"
+				},
+				"Action": [
+					"backup:StartCopyJob",
+					"backup:StartRestoreJob",
+					"backup:UpdateRecoveryPointLifecycle"
+				],
+				"Resource": "*"
+			}
+		]
+	}`
 	// Ignore error from if we can't put permissive backup vault policy in for some reason, that's OK.
 	_, _ = b.svc.PutBackupVaultAccessPolicy(&backup.PutBackupVaultAccessPolicyInput{
 		BackupVaultName: &b.backupVaultName,
