Merge pull request #127 from NHSDigital/feature/CCM-12082_backup_retention

CCM-12082: Set backup retention and vault lock policy

Author: sidnhs

infrastructure/modules/aws-backup-source/README.md

@@ -73,6 +73,8 @@ No requirements.
 | <a name="input_restore_testing_plan_scheduled_expression"></a> [restore\_testing\_plan\_scheduled\_expression](#input\_restore\_testing\_plan\_scheduled\_expression) | Scheduled Expression of Recovery Selection Point | `string` | `"cron(0 1 ? * SUN *)"` | no |
 | <a name="input_restore_testing_plan_selection_window_days"></a> [restore\_testing\_plan\_selection\_window\_days](#input\_restore\_testing\_plan\_selection\_window\_days) | Selection window days | `number` | `7` | no |
 | <a name="input_restore_testing_plan_start_window"></a> [restore\_testing\_plan\_start\_window](#input\_restore\_testing\_plan\_start\_window) | Start window from the scheduled time during which the test should start | `number` | `1` | no |
+| <a name="input_vault_max_retention_days"></a> [vault\_max\_retention\_days](#input\_vault\_max\_retention\_days) | Maximum retention days for the vault lock | `number` | `35` | no |
+| <a name="input_vault_min_retention_days"></a> [vault\_min\_retention\_days](#input\_vault\_min\_retention\_days) | Minimum retention days for the vault lock | `number` | `7` | no |
 ## Modules
 
 No modules.

infrastructure/modules/aws-backup-source/backup_framework_dynamodb.tf

@@ -44,7 +44,7 @@ resource "aws_backup_framework" "dynamodb" {
 
     input_parameter {
       name  = "requiredRetentionDays"
-      value = "35"
+      value = "31"
     }
   }
 
@@ -65,7 +65,7 @@ resource "aws_backup_framework" "dynamodb" {
 
     input_parameter {
       name  = "requiredRetentionDays"
-      value = "35"
+      value = "31"
     }
 
     input_parameter {

infrastructure/modules/aws-backup-source/backup_framework_s3.tf

@@ -44,7 +44,7 @@ resource "aws_backup_framework" "s3" {
 
     input_parameter {
       name  = "requiredRetentionDays"
-      value = "35"
+      value = "31"
     }
   }
 
@@ -65,7 +65,7 @@ resource "aws_backup_framework" "s3" {
 
     input_parameter {
       name  = "requiredRetentionDays"
-      value = "35"
+      value = "31"
     }
 
     input_parameter {

infrastructure/modules/aws-backup-source/backup_vault_lock_configuration.tf

@@ -0,0 +1,6 @@
+resource "aws_backup_vault_lock_configuration" "main" {
+  backup_vault_name   = aws_backup_vault.main.name
+  changeable_for_days = 30
+  max_retention_days  = var.vault_max_retention_days
+  min_retention_days  = var.vault_min_retention_days
+}

infrastructure/modules/aws-backup-source/variables.tf

@@ -221,3 +221,15 @@ variable "backup_plan_config_dynamodb" {
     ]
   }
 }
+
+variable "vault_max_retention_days" {
+  type        = number
+  description = "Maximum retention days for the vault lock"
+  default     = 35
+}
+
+variable "vault_min_retention_days" {
+  type        = number
+  description = "Minimum retention days for the vault lock"
+  default     = 7
+}