Merge pull request #43 from NHSDigital/CCM-7890_BackupModuleRefactor

aidenvaines-cgi · web-flow · commit c22b48ef6ee5 · 2025-01-29T09:54:35.000Z
CCM-7890 Backup Module Refactor
diff --git a/infrastructure/modules/aws-backup-source/README.md b/infrastructure/modules/aws-backup-source/README.md
@@ -7,15 +7,16 @@ See [terraform-aws-backup](https://github.com/NHSDigital/terraform-aws-backup.gi
 <!-- vale on -->
 
 ## Inputs
+<!-- markdownlint-disable MD051 -->
 <!-- vale off -->
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_backup_copy_vault_account_id"></a> [backup\_copy\_vault\_account\_id](#input\_backup\_copy\_vault\_account\_id) | The account id of the destination backup vault for allowing restores back into the source account. | `string` | `""` | no |
 | <a name="input_backup_copy_vault_arn"></a> [backup\_copy\_vault\_arn](#input\_backup\_copy\_vault\_arn) | The ARN of the destination backup vault for cross-account backup copies. | `string` | `""` | no |
-| <a name="input_backup_plan_config"></a> [backup\_plan\_config](#input\_backup\_plan\_config) | Configuration for backup plans | <pre>object({<br>    selection_tag             = string<br>    compliance_resource_types = list(string)<br>    rules = list(object({<br>      name                     = string<br>      schedule                 = string<br>      enable_continuous_backup = optional(bool)<br>      lifecycle = object({<br>        delete_after       = optional(number)<br>        cold_storage_after = optional(number)<br>      })<br>      copy_action = optional(object({<br>        delete_after = optional(number)<br>      }))<br>    }))<br>  })</pre> | <pre>{<br>  "compliance_resource_types": [<br>    "S3"<br>  ],<br>  "rules": [<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "daily_kept_5_weeks",<br>      "schedule": "cron(0 0 * * ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 90<br>      },<br>      "name": "weekly_kept_3_months",<br>      "schedule": "cron(0 1 ? * SUN *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "cold_storage_after": 30,<br>        "delete_after": 2555<br>      },<br>      "name": "monthly_kept_7_years",<br>      "schedule": "cron(0 2 1  * ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "enable_continuous_backup": true,<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "point_in_time_recovery",<br>      "schedule": "cron(0 5 * * ? *)"<br>    }<br>  ],<br>  "selection_tag": "BackupLocal"<br>}</pre> | no |
-| <a name="input_backup_plan_config_dynamodb"></a> [backup\_plan\_config\_dynamodb](#input\_backup\_plan\_config\_dynamodb) | Configuration for backup plans with dynamodb | <pre>object({<br>    enable                    = bool<br>    selection_tag             = string<br>    compliance_resource_types = list(string)<br>    rules = optional(list(object({<br>      name                     = string<br>      schedule                 = string<br>      enable_continuous_backup = optional(bool)<br>      lifecycle = object({<br>        delete_after       = number<br>        cold_storage_after = optional(number)<br>      })<br>      copy_action = optional(object({<br>        delete_after = optional(number)<br>      }))<br>    })))<br>  })</pre> | <pre>{<br>  "compliance_resource_types": [<br>    "DynamoDB"<br>  ],<br>  "enable": true,<br>  "rules": [<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "dynamodb_daily_kept_5_weeks",<br>      "schedule": "cron(0 0 * * ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 90<br>      },<br>      "name": "dynamodb_weekly_kept_3_months",<br>      "schedule": "cron(0 1 ? * SUN *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "cold_storage_after": 30,<br>        "delete_after": 2555<br>      },<br>      "name": "dynamodb_monthly_kept_7_years",<br>      "schedule": "cron(0 2 1  * ? *)"<br>    }<br>  ],<br>  "selection_tag": "BackupDynamoDB"<br>}</pre> | no |
+| <a name="input_backup_plan_config"></a> [backup\_plan\_config](#input\_backup\_plan\_config) | Configuration for backup plans | <pre>object({<br>    selection_tag             = string<br>    compliance_resource_types = list(string)<br>    rules = list(object({<br>      name                     = string<br>      schedule                 = string<br>      enable_continuous_backup = optional(bool)<br>      lifecycle = object({<br>        delete_after       = optional(number)<br>        cold_storage_after = optional(number)<br>      })<br>      copy_action = optional(object({<br>        delete_after = optional(number)<br>      }))<br>    }))<br>  })</pre> | <pre>{<br>  "compliance_resource_types": [<br>    "S3"<br>  ],<br>  "rules": [<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "daily_kept_5_weeks",<br>      "schedule": "cron(0 0 ** ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 90<br>      },<br>      "name": "weekly_kept_3_months",<br>      "schedule": "cron(0 1 ?* SUN *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "cold_storage_after": 30,<br>        "delete_after": 2555<br>      },<br>      "name": "monthly_kept_7_years",<br>      "schedule": "cron(0 2 1* ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "enable_continuous_backup": true,<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "point_in_time_recovery",<br>      "schedule": "cron(0 5* *?*)"<br>    }<br>  ],<br>  "selection_tag": "BackupLocal"<br>}</pre> | no |
+| <a name="input_backup_plan_config_dynamodb"></a> [backup\_plan\_config\_dynamodb](#input\_backup\_plan\_config\_dynamodb) | Configuration for backup plans with dynamodb | <pre>object({<br>    enable                    = bool<br>    selection_tag             = string<br>    compliance_resource_types = list(string)<br>    rules = optional(list(object({<br>      name                     = string<br>      schedule                 = string<br>      enable_continuous_backup = optional(bool)<br>      lifecycle = object({<br>        delete_after       = number<br>        cold_storage_after = optional(number)<br>      })<br>      copy_action = optional(object({<br>        delete_after = optional(number)<br>      }))<br>    })))<br>  })</pre> | <pre>{<br>  "compliance_resource_types": [<br>    "DynamoDB"<br>  ],<br>  "enable": true,<br>  "rules": [<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "dynamodb_daily_kept_5_weeks",<br>      "schedule": "cron(0 0 ** ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 90<br>      },<br>      "name": "dynamodb_weekly_kept_3_months",<br>      "schedule": "cron(0 1 ?* SUN *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "cold_storage_after": 30,<br>        "delete_after": 2555<br>      },<br>      "name": "dynamodb_monthly_kept_7_years",<br>      "schedule": "cron(0 2 1* ? *)"<br>    }<br>  ],<br>  "selection_tag": "BackupDynamoDB"<br>}</pre> | no |
 | <a name="input_notification_kms_key"></a> [bootstrap\_kms\_key\_arn](#input\_bootstrap\_kms\_key\_arn) | The ARN of the bootstrap KMS key used for encryption at rest of the SNS topic. | `string` | n/a | yes |
-| <a name="input_environment_name"></a> [environment\_name](#input\_environment\_name) | The name of the environment where AWS Backup is configured. | `string` | n/a | yes |
+| <a name="input_environment"></a> [environment\_name](#input\_environment\_name) | The name of the environment where AWS Backup is configured. | `string` | n/a | yes |
 | <a name="input_notifications_target_email_address"></a> [notifications\_target\_email\_address](#input\_notifications\_target\_email\_address) | The email address to which backup notifications will be sent via SNS. | `string` | `""` | no |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the project this relates to. | `string` | n/a | yes |
 | <a name="input_reports_bucket"></a> [reports\_bucket](#input\_reports\_bucket) | Bucket to drop backup reports into | `string` | n/a | yes |
@@ -26,14 +27,15 @@ See [terraform-aws-backup](https://github.com/NHSDigital/terraform-aws-backup.gi
 | <a name="input_restore_testing_plan_start_window"></a> [restore\_testing\_plan\_start\_window](#input\_restore\_testing\_plan\_start\_window) | Start window from the scheduled time during which the test should start | `number` | `1` | no |
 | <a name="input_management_ci_role_arn"></a> [terraform\_role\_arn](#input\_terraform\_role\_arn) | ARN of Terraform role used to deploy to account | `string` | n/a | yes |
 <!-- vale on -->
+<!-- markdownlint-enable MD051 -->
 
 ## Example
 
 ```terraform
 module "test_aws_backup" {
   source = "./modules/aws-backup"
 
-  environment_name      = "environment_name"
+  environment      = "environment"
   notification_kms_key = kms_key[0].arn
   project_name          = "testproject"
   reports_bucket        = "compliance-reports"
diff --git a/infrastructure/modules/aws-backup-source/backup_framework_dynamodb.tf b/infrastructure/modules/aws-backup-source/backup_framework_dynamodb.tf
@@ -2,16 +2,16 @@ resource "aws_backup_framework" "dynamodb" {
   count = var.backup_plan_config_dynamodb.enable ? 1 : 0
 
   # must be underscores instead of dashes
-  name        = replace("${local.resource_name_prefix}-dynamodb-framework", "-", "_")
-  description = "${var.project_name} DynamoDB Backup Framework"
+  name        = replace("${local.csi}-dynamodb-framework", "-", "_")
+  description = "${var.project} DynamoDB Backup Framework"
 
   # Evaluates if recovery points are encrypted.
   control {
     name = "BACKUP_RECOVERY_POINT_ENCRYPTED"
 
     scope {
       tags = {
-        Environment = var.environment_name
+        Environment = var.environment
       }
     }
   }
@@ -22,7 +22,7 @@ resource "aws_backup_framework" "dynamodb" {
 
     scope {
       tags = {
-        Environment = var.environment_name
+        Environment = var.environment
       }
     }
 
@@ -38,7 +38,7 @@ resource "aws_backup_framework" "dynamodb" {
 
     scope {
       tags = {
-        Environment = var.environment_name
+        Environment = var.environment
       }
     }
 
@@ -54,7 +54,7 @@ resource "aws_backup_framework" "dynamodb" {
 
     scope {
       tags = {
-        Environment = var.environment_name
+        Environment = var.environment
       }
     }
 
diff --git a/infrastructure/modules/aws-backup-source/backup_framework_s3.tf b/infrastructure/modules/aws-backup-source/backup_framework_s3.tf
@@ -2,16 +2,16 @@ resource "aws_backup_framework" "s3" {
   count = var.backup_plan_config_s3.enable ? 1 : 0
 
   # must be underscores instead of dashes
-  name        = replace("${local.resource_name_prefix}-framework", "-", "_")
-  description = "${var.project_name} Backup Framework"
+  name        = replace("${local.csi}-framework", "-", "_")
+  description = "${var.project} Backup Framework"
 
   # Evaluates if recovery points are encrypted.
   control {
     name = "BACKUP_RECOVERY_POINT_ENCRYPTED"
 
     scope {
       tags = {
-        Environment = var.environment_name
+        Environment = var.environment
       }
     }
   }
@@ -22,7 +22,7 @@ resource "aws_backup_framework" "s3" {
 
     scope {
       tags = {
-        Environment = var.environment_name
+        Environment = var.environment
       }
     }
 
@@ -38,7 +38,7 @@ resource "aws_backup_framework" "s3" {
 
     scope {
       tags = {
-        Environment = var.environment_name
+        Environment = var.environment
       }
     }
 
@@ -54,7 +54,7 @@ resource "aws_backup_framework" "s3" {
 
     scope {
       tags = {
-        Environment = var.environment_name
+        Environment = var.environment
       }
     }
 
diff --git a/infrastructure/modules/aws-backup-source/backup_plan_dynamodb.tf b/infrastructure/modules/aws-backup-source/backup_plan_dynamodb.tf
@@ -2,7 +2,7 @@
 resource "aws_backup_plan" "dynamodb" {
   count = var.backup_plan_config_dynamodb.enable ? 1 : 0
 
-  name  = "${local.resource_name_prefix}-dynamodb-plan"
+  name  = "${local.csi}-dynamodb"
 
   dynamic "rule" {
     for_each = var.backup_plan_config_dynamodb.rules
diff --git a/infrastructure/modules/aws-backup-source/backup_plan_s3.tf b/infrastructure/modules/aws-backup-source/backup_plan_s3.tf
@@ -1,7 +1,7 @@
 resource "aws_backup_plan" "s3" {
   count = var.backup_plan_config_s3.enable ? 1 : 0
 
-  name = "${local.resource_name_prefix}-plan"
+  name = "${local.csi}-s3"
 
   dynamic "rule" {
     for_each = var.backup_plan_config_s3.rules
diff --git a/infrastructure/modules/aws-backup-source/backup_report_plan_backup_jobs.tf b/infrastructure/modules/aws-backup-source/backup_report_plan_backup_jobs.tf
@@ -1,6 +1,6 @@
 # Create the reports
 resource "aws_backup_report_plan" "backup_jobs" {
-  name        = "backup_jobs"
+  name        = "${local.csi_underscore}_backup_jobs"
   description = "Report for showing whether backups ran successfully in the last 24 hours"
 
   report_delivery_channel {
diff --git a/infrastructure/modules/aws-backup-source/backup_report_plan_backup_restore_testing_jobs.tf b/infrastructure/modules/aws-backup-source/backup_report_plan_backup_restore_testing_jobs.tf
@@ -1,6 +1,6 @@
 # Create the restore testing completion reports
 resource "aws_backup_report_plan" "backup_restore_testing_jobs" {
-  name        = "backup_restore_testing_jobs"
+  name        = "${local.csi_underscore}_backup_restore_testing_jobs"
   description = "Report for showing whether backup restore test ran successfully in the last 24 hours"
 
   report_delivery_channel {
diff --git a/infrastructure/modules/aws-backup-source/backup_report_plan_copy_jobs.tf b/infrastructure/modules/aws-backup-source/backup_report_plan_copy_jobs.tf
@@ -1,7 +1,7 @@
 resource "aws_backup_report_plan" "copy_jobs" {
   count       = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? 1 : 0
 
-  name        = "copy_jobs"
+  name        = "${local.csi_underscore}_copy_jobs"
   description = "Report for showing whether copies ran successfully in the last 24 hours"
 
   report_delivery_channel {
diff --git a/infrastructure/modules/aws-backup-source/backup_report_plan_resource_compliance.tf b/infrastructure/modules/aws-backup-source/backup_report_plan_resource_compliance.tf
@@ -1,5 +1,5 @@
 resource "aws_backup_report_plan" "resource_compliance" {
-  name        = "resource_compliance"
+  name        = "${local.csi_underscore}_resource_compliance"
   description = "Report for showing whether resources are compliant with the framework"
 
   report_delivery_channel {
diff --git a/infrastructure/modules/aws-backup-source/backup_restore_testing_plan.tf b/infrastructure/modules/aws-backup-source/backup_restore_testing_plan.tf
@@ -1,5 +1,5 @@
 resource "awscc_backup_restore_testing_plan" "main" {
-  restore_testing_plan_name = local.resource_name_prefix
+  restore_testing_plan_name = local.csi_underscore
   schedule_expression       = var.restore_testing_plan_scheduled_expression
   start_window_hours        = var.restore_testing_plan_start_window
   recovery_point_selection = {
diff --git a/infrastructure/modules/aws-backup-source/backup_selection_dynamodb.tf b/infrastructure/modules/aws-backup-source/backup_selection_dynamodb.tf
@@ -2,13 +2,13 @@ resource "aws_backup_selection" "dynamodb" {
   count = var.backup_plan_config_dynamodb.enable ? 1 : 0
 
   iam_role_arn = aws_iam_role.backup.arn
-  name         = "${local.resource_name_prefix}-dynamodb-selection"
+  name         = "${local.csi}-dynamodb"
   plan_id      = aws_backup_plan.dynamodb[0].id
 
   selection_tag {
     key   = "Envrionment"
     type  = "STRINGEQUALS"
-    value = var.environment_name
+    value = var.environment
   }
 
   selection_tag {
diff --git a/infrastructure/modules/aws-backup-source/backup_selection_s3.tf b/infrastructure/modules/aws-backup-source/backup_selection_s3.tf
@@ -2,13 +2,13 @@ resource "aws_backup_selection" "s3" {
   count = var.backup_plan_config_s3.enable ? 1 : 0
 
   iam_role_arn = aws_iam_role.backup.arn
-  name         = "${local.resource_name_prefix}-s3-selection"
+  name         = "${local.csi}-s3"
   plan_id      = aws_backup_plan.s3[0].id
 
   selection_tag {
     key   = "Envrionment"
     type  = "STRINGEQUALS"
-    value = var.environment_name
+    value = var.environment
   }
 
   selection_tag {
diff --git a/infrastructure/modules/aws-backup-source/backup_vault.tf b/infrastructure/modules/aws-backup-source/backup_vault.tf
@@ -1,4 +1,4 @@
 resource "aws_backup_vault" "main" {
-  name        = "${local.resource_name_prefix}-vault"
+  name        = "${local.csi}-vault"
   kms_key_arn = aws_kms_key.aws_backup_key.arn
 }
diff --git a/infrastructure/modules/aws-backup-source/backup_vault_policy.tf b/infrastructure/modules/aws-backup-source/backup_vault_policy.tf
@@ -28,6 +28,30 @@ data "aws_iam_policy_document" "vault_policy" {
     resources = ["*"]
   }
 
+
+  # Allow Org to copy to vault as cross-account sharing directly is now restricted by SCP
+  statement {
+    sid    = "BackupVaultAccess"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "backup:CopyIntoBackupVault"
+    ]
+
+    resources = [aws_backup_vault.main.arn]
+    condition {
+      test     = "StringEquals"
+      values   = [var.principal_org_id]
+      variable = "aws:PrincipalOrgID"
+    }
+  }
+
+
   dynamic "statement" {
     for_each = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? [1] : []
     content {
diff --git a/infrastructure/modules/aws-backup-source/iam_role_backup.tf b/infrastructure/modules/aws-backup-source/iam_role_backup.tf
@@ -1,5 +1,5 @@
 resource "aws_iam_role" "backup" {
-  name               = "${var.project_name}BackupRole"
+  name               = "${local.csi}"
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
diff --git a/infrastructure/modules/aws-backup-source/kms.tf b/infrastructure/modules/aws-backup-source/kms.tf
@@ -6,7 +6,7 @@ resource "aws_kms_key" "aws_backup_key" {
 }
 
 resource "aws_kms_alias" "backup_key" {
-  name          = "alias/${var.environment_name}/backup-key"
+  name          = "alias/${local.csi}/backup-key"
   target_key_id = aws_kms_key.aws_backup_key.key_id
 }
 
diff --git a/infrastructure/modules/aws-backup-source/locals.tf b/infrastructure/modules/aws-backup-source/locals.tf
@@ -1,3 +1,18 @@
 locals {
-  resource_name_prefix = "${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}-backup"
+  csi = format(
+    "%s-%s-%s-%s",
+    var.project,
+    var.environment,
+    var.component,
+    "backup"
+  )
+
+  csi_underscore = replace(local.csi,"-","_")
+
+  default_tags = merge(
+    var.default_tags,
+    {
+      Name = local.csi
+    },
+  )
 }
diff --git a/infrastructure/modules/aws-backup-source/sns.tf b/infrastructure/modules/aws-backup-source/sns.tf
@@ -1,6 +1,6 @@
 resource "aws_sns_topic" "backup" {
   count             = var.notifications_target_email_address != "" ? 1 : 0
-  name              = "${local.resource_name_prefix}-notifications"
+  name              = "${local.csi}-notifications"
   kms_master_key_id = var.notification_kms_key
   policy            = data.aws_iam_policy_document.allow_backup_to_sns.json
 }
diff --git a/infrastructure/modules/aws-backup-source/variables.tf b/infrastructure/modules/aws-backup-source/variables.tf
@@ -1,13 +1,24 @@
-variable "project_name" {
+variable "project" {
   description = "The name of the project this relates to."
   type        = string
 }
 
-variable "environment_name" {
+variable "environment" {
   description = "The name of the environment where AWS Backup is configured."
   type        = string
 }
 
+variable "component" {
+  type        = string
+  description = "The name of the tfscaffold component"
+}
+
+variable "default_tags" {
+  type        = map(string)
+  description = "Default tag map for application to all taggable resources in the module"
+  default     = {}
+}
+
 variable "notifications_target_email_address" {
   description = "The email address to which backup notifications will be sent via SNS."
   type        = string
@@ -24,6 +35,11 @@ variable "reports_bucket" {
   type        = string
 }
 
+variable "principal_org_id" {
+  type        = string
+  description = "The AWS Org ID (numeric)"
+}
+
 variable "management_ci_role_arn" {
   description = "ARN of Terraform role used to deploy to account"
   type        = string

Original file line number	Diff line number	Diff line change
`@@ -2,16 +2,16 @@ resource "aws_backup_framework" "dynamodb" {`
`2`	`2`	`count = var.backup_plan_config_dynamodb.enable ? 1 : 0`
`3`	`3`
`4`	`4`	`# must be underscores instead of dashes`
`5`		`- name = replace("${local.resource_name_prefix}-dynamodb-framework", "-", "_")`
`6`		`- description = "${var.project_name} DynamoDB Backup Framework"`
	`5`	`+ name = replace("${local.csi}-dynamodb-framework", "-", "_")`
	`6`	`+ description = "${var.project} DynamoDB Backup Framework"`
`7`	`7`
`8`	`8`	`# Evaluates if recovery points are encrypted.`
`9`	`9`	`control {`
`10`	`10`	`name = "BACKUP_RECOVERY_POINT_ENCRYPTED"`
`11`	`11`
`12`	`12`	`scope {`
`13`	`13`	`tags = {`
`14`		`- Environment = var.environment_name`
	`14`	`+ Environment = var.environment`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`	`}`
`@@ -22,7 +22,7 @@ resource "aws_backup_framework" "dynamodb" {`
`22`	`22`
`23`	`23`	`scope {`
`24`	`24`	`tags = {`
`25`		`- Environment = var.environment_name`
	`25`	`+ Environment = var.environment`
`26`	`26`	`}`
`27`	`27`	`}`
`28`	`28`
`@@ -38,7 +38,7 @@ resource "aws_backup_framework" "dynamodb" {`
`38`	`38`
`39`	`39`	`scope {`
`40`	`40`	`tags = {`
`41`		`- Environment = var.environment_name`
	`41`	`+ Environment = var.environment`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`
`@@ -54,7 +54,7 @@ resource "aws_backup_framework" "dynamodb" {`
`54`	`54`
`55`	`55`	`scope {`
`56`	`56`	`tags = {`
`57`		`- Environment = var.environment_name`
	`57`	`+ Environment = var.environment`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`
Original file line number	Diff line number	Diff line change
`@@ -2,16 +2,16 @@ resource "aws_backup_framework" "s3" {`
`2`	`2`	`count = var.backup_plan_config_s3.enable ? 1 : 0`
`3`	`3`
`4`	`4`	`# must be underscores instead of dashes`
`5`		`- name = replace("${local.resource_name_prefix}-framework", "-", "_")`
`6`		`- description = "${var.project_name} Backup Framework"`
	`5`	`+ name = replace("${local.csi}-framework", "-", "_")`
	`6`	`+ description = "${var.project} Backup Framework"`
`7`	`7`
`8`	`8`	`# Evaluates if recovery points are encrypted.`
`9`	`9`	`control {`
`10`	`10`	`name = "BACKUP_RECOVERY_POINT_ENCRYPTED"`
`11`	`11`
`12`	`12`	`scope {`
`13`	`13`	`tags = {`
`14`		`- Environment = var.environment_name`
	`14`	`+ Environment = var.environment`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`	`}`
`@@ -22,7 +22,7 @@ resource "aws_backup_framework" "s3" {`
`22`	`22`
`23`	`23`	`scope {`
`24`	`24`	`tags = {`
`25`		`- Environment = var.environment_name`
	`25`	`+ Environment = var.environment`
`26`	`26`	`}`
`27`	`27`	`}`
`28`	`28`
`@@ -38,7 +38,7 @@ resource "aws_backup_framework" "s3" {`
`38`	`38`
`39`	`39`	`scope {`
`40`	`40`	`tags = {`
`41`		`- Environment = var.environment_name`
	`41`	`+ Environment = var.environment`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`
`@@ -54,7 +54,7 @@ resource "aws_backup_framework" "s3" {`
`54`	`54`
`55`	`55`	`scope {`
`56`	`56`	`tags = {`
`57`		`- Environment = var.environment_name`
	`57`	`+ Environment = var.environment`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`