Merge pull request #88 from NHSDigital/CCM-10039_addingBackupTagResourcePerm

aidenvaines-cgi · web-flow · commit 7220cd429924 · 2025-06-11T17:20:39.000+01:00
CCM-10039 addingBackupTagResourcePerm
diff --git a/infrastructure/modules/aws-backup-source/README.md b/infrastructure/modules/aws-backup-source/README.md
@@ -62,7 +62,7 @@ No requirements.
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | Default tag map for application to all taggable resources in the module | `map(string)` | `{}` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the environment where AWS Backup is configured. | `string` | n/a | yes |
 | <a name="input_management_ci_role_arn"></a> [management\_ci\_role\_arn](#input\_management\_ci\_role\_arn) | ARN of Terraform role used to deploy to account | `string` | n/a | yes |
-| <a name="input_name"></a> [name](#input\_name) | The variable encapsulating the name of this bucket | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | The variable encapsulating the name of this bucket | `string` | `"backup"` | no |
 | <a name="input_notification_kms_key"></a> [notification\_kms\_key](#input\_notification\_kms\_key) | The ARN of the bootstrap KMS key used for encryption at rest of the SNS topic. | `string` | n/a | yes |
 | <a name="input_notifications_target_email_address"></a> [notifications\_target\_email\_address](#input\_notifications\_target\_email\_address) | The email address to which backup notifications will be sent via SNS. | `string` | `""` | no |
 | <a name="input_principal_org_id"></a> [principal\_org\_id](#input\_principal\_org\_id) | The AWS Org ID (numeric) | `string` | n/a | yes |
diff --git a/infrastructure/modules/aws-backup-source/iam_role_backup.tf b/infrastructure/modules/aws-backup-source/iam_role_backup.tf
@@ -35,3 +35,30 @@ resource "aws_iam_role_policy_attachment" "s3_backup" {
   policy_arn = "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup"
   role       = aws_iam_role.backup.name
 }
+
+
+resource "aws_iam_role_policy_attachment" "backup_additional" {
+  role       = aws_iam_role.backup.name
+  policy_arn = aws_iam_policy.backup_additional.arn
+}
+
+resource "aws_iam_policy" "backup_additional" {
+  name        = "${local.csi}-backup_additional"
+  description = "Additional Backup Actions"
+  policy      = data.aws_iam_policy_document.backup_additional.json
+}
+
+data "aws_iam_policy_document" "backup_additional" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "backup:TagResource",
+    ]
+
+    #trivy:ignore:aws-iam-no-policy-wildcards
+    resources = [
+      "*",
+    ]
+  }
+}
diff --git a/infrastructure/modules/aws-backup-source/variables.tf b/infrastructure/modules/aws-backup-source/variables.tf
@@ -16,6 +16,7 @@ variable "component" {
 variable "name" {
   type        = string
   description = "The variable encapsulating the name of this bucket"
+  default     = "backup"
 }
 
 variable "default_tags" {

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ variable "component" {`
`16`	`16`	`variable "name" {`
`17`	`17`	`type = string`
`18`	`18`	`description = "The variable encapsulating the name of this bucket"`
	`19`	`+ default = "backup"`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`variable "default_tags" {`