Merge pull request #41 from NHSDigital/CCM-7890_ExpandBackupModule

CCM-7890 expand backup module

Author: aidenvaines-cgi

.github/actions/tfsec/action.yaml

@@ -6,12 +6,11 @@ runs:
     - name: "TFSec Scan - Components"
       shell: bash
       run: |
-        for component in $(find infrastructure/terraform/components -mindepth 1 -type d); do
-          scripts/terraform/tfsec.sh $component
-        done
-    - name: "TFSec Scan - Modules"
-      shell: bash
-      run: |
-        for module in $(find infrastructure/terraform/modules -mindepth 1 -type d); do
-          scripts/terraform/tfsec.sh $module
-        done
+        modules_exit_code=0
+
+        ./scripts/terraform/tfsec.sh ./infrastructure/modules || modules_exit_code=$?
+
+        if [ $modules_exit_code -ne 0 ]; then
+          echo "One or more TFSec scans failed."
+          exit 1
+        fi

infrastructure/modules/aws-backup-source/README.md

@@ -14,7 +14,7 @@ See [terraform-aws-backup](https://github.com/NHSDigital/terraform-aws-backup.gi
 | <a name="input_backup_copy_vault_arn"></a> [backup\_copy\_vault\_arn](#input\_backup\_copy\_vault\_arn) | The ARN of the destination backup vault for cross-account backup copies. | `string` | `""` | no |
 | <a name="input_backup_plan_config"></a> [backup\_plan\_config](#input\_backup\_plan\_config) | Configuration for backup plans | <pre>object({<br>    selection_tag             = string<br>    compliance_resource_types = list(string)<br>    rules = list(object({<br>      name                     = string<br>      schedule                 = string<br>      enable_continuous_backup = optional(bool)<br>      lifecycle = object({<br>        delete_after       = optional(number)<br>        cold_storage_after = optional(number)<br>      })<br>      copy_action = optional(object({<br>        delete_after = optional(number)<br>      }))<br>    }))<br>  })</pre> | <pre>{<br>  "compliance_resource_types": [<br>    "S3"<br>  ],<br>  "rules": [<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "daily_kept_5_weeks",<br>      "schedule": "cron(0 0 * * ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 90<br>      },<br>      "name": "weekly_kept_3_months",<br>      "schedule": "cron(0 1 ? * SUN *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "cold_storage_after": 30,<br>        "delete_after": 2555<br>      },<br>      "name": "monthly_kept_7_years",<br>      "schedule": "cron(0 2 1  * ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "enable_continuous_backup": true,<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "point_in_time_recovery",<br>      "schedule": "cron(0 5 * * ? *)"<br>    }<br>  ],<br>  "selection_tag": "BackupLocal"<br>}</pre> | no |
 | <a name="input_backup_plan_config_dynamodb"></a> [backup\_plan\_config\_dynamodb](#input\_backup\_plan\_config\_dynamodb) | Configuration for backup plans with dynamodb | <pre>object({<br>    enable                    = bool<br>    selection_tag             = string<br>    compliance_resource_types = list(string)<br>    rules = optional(list(object({<br>      name                     = string<br>      schedule                 = string<br>      enable_continuous_backup = optional(bool)<br>      lifecycle = object({<br>        delete_after       = number<br>        cold_storage_after = optional(number)<br>      })<br>      copy_action = optional(object({<br>        delete_after = optional(number)<br>      }))<br>    })))<br>  })</pre> | <pre>{<br>  "compliance_resource_types": [<br>    "DynamoDB"<br>  ],<br>  "enable": true,<br>  "rules": [<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "dynamodb_daily_kept_5_weeks",<br>      "schedule": "cron(0 0 * * ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 90<br>      },<br>      "name": "dynamodb_weekly_kept_3_months",<br>      "schedule": "cron(0 1 ? * SUN *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "cold_storage_after": 30,<br>        "delete_after": 2555<br>      },<br>      "name": "dynamodb_monthly_kept_7_years",<br>      "schedule": "cron(0 2 1  * ? *)"<br>    }<br>  ],<br>  "selection_tag": "BackupDynamoDB"<br>}</pre> | no |
-| <a name="input_bootstrap_kms_key_arn"></a> [bootstrap\_kms\_key\_arn](#input\_bootstrap\_kms\_key\_arn) | The ARN of the bootstrap KMS key used for encryption at rest of the SNS topic. | `string` | n/a | yes |
+| <a name="input_notification_kms_key"></a> [bootstrap\_kms\_key\_arn](#input\_bootstrap\_kms\_key\_arn) | The ARN of the bootstrap KMS key used for encryption at rest of the SNS topic. | `string` | n/a | yes |
 | <a name="input_environment_name"></a> [environment\_name](#input\_environment\_name) | The name of the environment where AWS Backup is configured. | `string` | n/a | yes |
 | <a name="input_notifications_target_email_address"></a> [notifications\_target\_email\_address](#input\_notifications\_target\_email\_address) | The email address to which backup notifications will be sent via SNS. | `string` | `""` | no |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the project this relates to. | `string` | n/a | yes |
@@ -24,7 +24,7 @@ See [terraform-aws-backup](https://github.com/NHSDigital/terraform-aws-backup.gi
 | <a name="input_restore_testing_plan_scheduled_expression"></a> [restore\_testing\_plan\_scheduled\_expression](#input\_restore\_testing\_plan\_scheduled\_expression) | Scheduled Expression of Recovery Selection Point | `string` | `"cron(0 1 ? * SUN *)"` | no |
 | <a name="input_restore_testing_plan_selection_window_days"></a> [restore\_testing\_plan\_selection\_window\_days](#input\_restore\_testing\_plan\_selection\_window\_days) | Selection window days | `number` | `7` | no |
 | <a name="input_restore_testing_plan_start_window"></a> [restore\_testing\_plan\_start\_window](#input\_restore\_testing\_plan\_start\_window) | Start window from the scheduled time during which the test should start | `number` | `1` | no |
-| <a name="input_terraform_role_arn"></a> [terraform\_role\_arn](#input\_terraform\_role\_arn) | ARN of Terraform role used to deploy to account | `string` | n/a | yes |
+| <a name="input_management_ci_role_arn"></a> [terraform\_role\_arn](#input\_terraform\_role\_arn) | ARN of Terraform role used to deploy to account | `string` | n/a | yes |
 <!-- vale on -->
 
 ## Example
@@ -34,9 +34,9 @@ module "test_aws_backup" {
   source = "./modules/aws-backup"
 
   environment_name      = "environment_name"
-  bootstrap_kms_key_arn = kms_key[0].arn
+  notification_kms_key = kms_key[0].arn
   project_name          = "testproject"
   reports_bucket        = "compliance-reports"
-  terraform_role_arn    = data.aws_iam_role.terraform_role.arn
+  management_ci_role_arn    = data.aws_iam_role.terraform_role.arn
 }
 ```

…es/aws-backup-source/backup_framework.tf …ckup-source/backup_framework_dynamodb.tfinfrastructure/modules/aws-backup-source/backup_framework.tf renamed to infrastructure/modules/aws-backup-source/backup_framework_dynamodb.tf infrastructure/modules/aws-backup-source/backup_framework.tf renamed to infrastructure/modules/aws-backup-source/backup_framework_dynamodb.tf

@@ -1,15 +1,17 @@
-resource "aws_backup_framework" "main" {
+resource "aws_backup_framework" "dynamodb" {
+  count = var.backup_plan_config_dynamodb.enable ? 1 : 0
+
   # must be underscores instead of dashes
-  name        = replace("${local.resource_name_prefix}-framework", "-", "_")
-  description = "${var.project_name} Backup Framework"
+  name        = replace("${local.resource_name_prefix}-dynamodb-framework", "-", "_")
+  description = "${var.project_name} DynamoDB Backup Framework"
 
   # Evaluates if recovery points are encrypted.
   control {
     name = "BACKUP_RECOVERY_POINT_ENCRYPTED"
 
     scope {
       tags = {
-        "environment_name" = var.environment_name
+        Environment = var.environment_name
       }
     }
   }
@@ -20,13 +22,13 @@ resource "aws_backup_framework" "main" {
 
     scope {
       tags = {
-        "environment_name" = var.environment_name
+        Environment = var.environment_name
       }
     }
 
     input_parameter {
       name  = "principalArnList"
-      value = var.terraform_role_arn
+      value = var.management_ci_role_arn
     }
   }
 
@@ -36,7 +38,7 @@ resource "aws_backup_framework" "main" {
 
     scope {
       tags = {
-        "environment_name" = var.environment_name
+        Environment = var.environment_name
       }
     }
 
@@ -52,7 +54,7 @@ resource "aws_backup_framework" "main" {
 
     scope {
       tags = {
-        "environment_name" = var.environment_name
+        Environment = var.environment_name
       }
     }
 
@@ -72,47 +74,6 @@ resource "aws_backup_framework" "main" {
     }
   }
 
-  # Evaluates if resources are protected by a backup plan.
-  control {
-    name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
-
-    scope {
-      compliance_resource_types = var.backup_plan_config.compliance_resource_types
-      tags = {
-        (var.backup_plan_config.selection_tag) = "True"
-      }
-    }
-  }
-
-  # Evaluates if resources have at least one recovery point created within the past 1 day.
-  control {
-    name = "BACKUP_LAST_RECOVERY_POINT_CREATED"
-
-    input_parameter {
-      name  = "recoveryPointAgeUnit"
-      value = "days"
-    }
-
-    input_parameter {
-      name  = "recoveryPointAgeValue"
-      value = "1"
-    }
-
-    scope {
-      compliance_resource_types = var.backup_plan_config.compliance_resource_types
-      tags = {
-        (var.backup_plan_config.selection_tag) = "True"
-      }
-    }
-  }
-}
-
-resource "aws_backup_framework" "dynamodb" {
-  count = var.backup_plan_config_dynamodb.enable ? 1 : 0
-  # must be underscores instead of dashes
-  name        = replace("${local.resource_name_prefix}-dynamodb-framework", "-", "_")
-  description = "${var.project_name} DynamoDB Backup Framework"
-
   # Evaluates if resources are protected by a backup plan.
   control {
     name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"

infrastructure/modules/aws-backup-source/backup_framework_s3.tf

@@ -0,0 +1,110 @@
+resource "aws_backup_framework" "s3" {
+  count = var.backup_plan_config_s3.enable ? 1 : 0
+
+  # must be underscores instead of dashes
+  name        = replace("${local.resource_name_prefix}-framework", "-", "_")
+  description = "${var.project_name} Backup Framework"
+
+  # Evaluates if recovery points are encrypted.
+  control {
+    name = "BACKUP_RECOVERY_POINT_ENCRYPTED"
+
+    scope {
+      tags = {
+        Environment = var.environment_name
+      }
+    }
+  }
+
+  # Evaluates if backup vaults do not allow manual deletion of recovery points with the exception of certain IAM roles.
+  control {
+    name = "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED"
+
+    scope {
+      tags = {
+        Environment = var.environment_name
+      }
+    }
+
+    input_parameter {
+      name  = "principalArnList"
+      value = var.management_ci_role_arn
+    }
+  }
+
+  # Evaluates if recovery point retention period is at least 1 month.
+  control {
+    name = "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK"
+
+    scope {
+      tags = {
+        Environment = var.environment_name
+      }
+    }
+
+    input_parameter {
+      name  = "requiredRetentionDays"
+      value = "35"
+    }
+  }
+
+  # Evaluates if backup plan creates backups at least every 1 day and retains them for at least 1 month before deleting them.
+  control {
+    name = "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK"
+
+    scope {
+      tags = {
+        Environment = var.environment_name
+      }
+    }
+
+    input_parameter {
+      name  = "requiredFrequencyUnit"
+      value = "days"
+    }
+
+    input_parameter {
+      name  = "requiredRetentionDays"
+      value = "35"
+    }
+
+    input_parameter {
+      name  = "requiredFrequencyValue"
+      value = "1"
+    }
+  }
+
+  # Evaluates if resources are protected by a backup plan.
+  control {
+    name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
+
+    scope {
+      compliance_resource_types = var.backup_plan_config_s3.compliance_resource_types
+      tags = {
+        (var.backup_plan_config_s3.selection_tag) = "True"
+      }
+    }
+  }
+
+  # Evaluates if resources have at least one recovery point created within the past 1 day.
+  control {
+    name = "BACKUP_LAST_RECOVERY_POINT_CREATED"
+
+    input_parameter {
+      name  = "recoveryPointAgeUnit"
+      value = "days"
+    }
+
+    input_parameter {
+      name  = "recoveryPointAgeValue"
+      value = "1"
+    }
+
+    scope {
+      compliance_resource_types = var.backup_plan_config_s3.compliance_resource_types
+      tags = {
+        (var.backup_plan_config_s3.selection_tag) = "True"
+      }
+    }
+  }
+}

infrastructure/modules/aws-backup-source/backup_plan.tf

@@ -0,0 +1,31 @@
+# this backup plan shouldn't include a continous backup rule as it isn't supported for DynamoDB
+resource "aws_backup_plan" "dynamodb" {
+  count = var.backup_plan_config_dynamodb.enable ? 1 : 0
+
+  name  = "${local.resource_name_prefix}-dynamodb-plan"
+
+  dynamic "rule" {
+    for_each = var.backup_plan_config_dynamodb.rules
+    content {
+      recovery_point_tags = {
+        backup_rule_name = rule.value.name
+      }
+      rule_name         = rule.value.name
+      target_vault_name = aws_backup_vault.main.name
+      schedule          = rule.value.schedule
+      lifecycle {
+        delete_after       = rule.value.lifecycle.delete_after != null ? rule.value.lifecycle.delete_after : null
+        cold_storage_after = rule.value.lifecycle.cold_storage_after != null ? rule.value.lifecycle.cold_storage_after : null
+      }
+      dynamic "copy_action" {
+        for_each = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" && rule.value.copy_action != null ? rule.value.copy_action : {}
+        content {
+          lifecycle {
+            delete_after = copy_action.value
+          }
+          destination_vault_arn = var.backup_copy_vault_arn
+        }
+      }
+    }
+  }
+}