NHSDigital
diff --git a/‎.tool-versions‎
Lines changed: 1 addition & 1 deletion b/‎.tool-versions‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎infrastructure/modules/aws-backup-source/README.md‎
Lines changed: 42 additions & 0 deletions b/‎infrastructure/modules/aws-backup-source/README.md‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎infrastructure/modules/aws-backup-source/backup_framework.tf‎
Lines changed: 149 additions & 0 deletions b/‎infrastructure/modules/aws-backup-source/backup_framework.tf‎
Lines changed: 149 additions & 0 deletions
diff --git a/‎infrastructure/modules/aws-backup-source/backup_notification.tf‎
Lines changed: 12 additions & 0 deletions b/‎infrastructure/modules/aws-backup-source/backup_notification.tf‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎infrastructure/modules/aws-backup-source/backup_plan.tf‎
Lines changed: 85 additions & 0 deletions b/‎infrastructure/modules/aws-backup-source/backup_plan.tf‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎infrastructure/modules/aws-backup-source/backup_report_plan.tf‎
Lines changed: 72 additions & 0 deletions b/‎infrastructure/modules/aws-backup-source/backup_report_plan.tf‎
Lines changed: 72 additions & 0 deletions
@@ -20,7 +20,7 @@ terraform-docs 0.19.0
 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
 # docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 # SEE: https://hub.docker.com/r/hadolint/hadolint/tags
 # docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5 # SEE: https://hub.docker.com/r/hashicorp/terraform/tags
-# docker/jdkato/vale v2.29.7@sha256:5ccfac574231b006284513ac3e4e9f38833989d83f2a68db149932c09de85149 # SEE: https://hub.docker.com/r/jdkato/vale/tags
+# docker/jdkato/vale v3.6.0@sha256:0ef22c8d537f079633cfff69fc46f69a2196072f69cab1ab232e8a79a388e425 # SEE: https://hub.docker.com/r/jdkato/vale/tags
 # docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
 # docker/mstruebing/editorconfig-checker 2.7.1@sha256:dd3ca9ea50ef4518efe9be018d669ef9cf937f6bb5cfe2ef84ff2a620b5ddc24 # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags
 # docker/sonarsource/sonar-scanner-cli 5.0.1@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags
@@ -0,0 +1,42 @@
+# AWS Backup Module
+
+The AWS Backup Module helps automates the setup of AWS Backup resources in a source account. It streamlines the process of creating, managing, and standardising backup configurations.
+
+<!-- vale off -->
+See [terraform-aws-backup](https://github.com/NHSDigital/terraform-aws-backup.git) for more details.
+<!-- vale on -->
+
+## Inputs
+<!-- vale off -->
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_backup_copy_vault_account_id"></a> [backup\_copy\_vault\_account\_id](#input\_backup\_copy\_vault\_account\_id) | The account id of the destination backup vault for allowing restores back into the source account. | `string` | `""` | no |
+| <a name="input_backup_copy_vault_arn"></a> [backup\_copy\_vault\_arn](#input\_backup\_copy\_vault\_arn) | The ARN of the destination backup vault for cross-account backup copies. | `string` | `""` | no |
+| <a name="input_backup_plan_config"></a> [backup\_plan\_config](#input\_backup\_plan\_config) | Configuration for backup plans | <pre>object({<br>    selection_tag             = string<br>    compliance_resource_types = list(string)<br>    rules = list(object({<br>      name                     = string<br>      schedule                 = string<br>      enable_continuous_backup = optional(bool)<br>      lifecycle = object({<br>        delete_after       = optional(number)<br>        cold_storage_after = optional(number)<br>      })<br>      copy_action = optional(object({<br>        delete_after = optional(number)<br>      }))<br>    }))<br>  })</pre> | <pre>{<br>  "compliance_resource_types": [<br>    "S3"<br>  ],<br>  "rules": [<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "daily_kept_5_weeks",<br>      "schedule": "cron(0 0 * * ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 90<br>      },<br>      "name": "weekly_kept_3_months",<br>      "schedule": "cron(0 1 ? * SUN *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "cold_storage_after": 30,<br>        "delete_after": 2555<br>      },<br>      "name": "monthly_kept_7_years",<br>      "schedule": "cron(0 2 1  * ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "enable_continuous_backup": true,<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "point_in_time_recovery",<br>      "schedule": "cron(0 5 * * ? *)"<br>    }<br>  ],<br>  "selection_tag": "BackupLocal"<br>}</pre> | no |
+| <a name="input_backup_plan_config_dynamodb"></a> [backup\_plan\_config\_dynamodb](#input\_backup\_plan\_config\_dynamodb) | Configuration for backup plans with dynamodb | <pre>object({<br>    enable                    = bool<br>    selection_tag             = string<br>    compliance_resource_types = list(string)<br>    rules = optional(list(object({<br>      name                     = string<br>      schedule                 = string<br>      enable_continuous_backup = optional(bool)<br>      lifecycle = object({<br>        delete_after       = number<br>        cold_storage_after = optional(number)<br>      })<br>      copy_action = optional(object({<br>        delete_after = optional(number)<br>      }))<br>    })))<br>  })</pre> | <pre>{<br>  "compliance_resource_types": [<br>    "DynamoDB"<br>  ],<br>  "enable": true,<br>  "rules": [<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 35<br>      },<br>      "name": "dynamodb_daily_kept_5_weeks",<br>      "schedule": "cron(0 0 * * ? *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "delete_after": 90<br>      },<br>      "name": "dynamodb_weekly_kept_3_months",<br>      "schedule": "cron(0 1 ? * SUN *)"<br>    },<br>    {<br>      "copy_action": {<br>        "delete_after": 365<br>      },<br>      "lifecycle": {<br>        "cold_storage_after": 30,<br>        "delete_after": 2555<br>      },<br>      "name": "dynamodb_monthly_kept_7_years",<br>      "schedule": "cron(0 2 1  * ? *)"<br>    }<br>  ],<br>  "selection_tag": "BackupDynamoDB"<br>}</pre> | no |
+| <a name="input_bootstrap_kms_key_arn"></a> [bootstrap\_kms\_key\_arn](#input\_bootstrap\_kms\_key\_arn) | The ARN of the bootstrap KMS key used for encryption at rest of the SNS topic. | `string` | n/a | yes |
+| <a name="input_environment_name"></a> [environment\_name](#input\_environment\_name) | The name of the environment where AWS Backup is configured. | `string` | n/a | yes |
+| <a name="input_notifications_target_email_address"></a> [notifications\_target\_email\_address](#input\_notifications\_target\_email\_address) | The email address to which backup notifications will be sent via SNS. | `string` | `""` | no |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the project this relates to. | `string` | n/a | yes |
+| <a name="input_reports_bucket"></a> [reports\_bucket](#input\_reports\_bucket) | Bucket to drop backup reports into | `string` | n/a | yes |
+| <a name="input_restore_testing_plan_algorithm"></a> [restore\_testing\_plan\_algorithm](#input\_restore\_testing\_plan\_algorithm) | Algorithm of the Recovery Selection Point | `string` | `"LATEST_WITHIN_WINDOW"` | no |
+| <a name="input_restore_testing_plan_recovery_point_types"></a> [restore\_testing\_plan\_recovery\_point\_types](#input\_restore\_testing\_plan\_recovery\_point\_types) | Recovery Point Types | `list(string)` | <pre>[<br>  "SNAPSHOT"<br>]</pre> | no |
+| <a name="input_restore_testing_plan_scheduled_expression"></a> [restore\_testing\_plan\_scheduled\_expression](#input\_restore\_testing\_plan\_scheduled\_expression) | Scheduled Expression of Recovery Selection Point | `string` | `"cron(0 1 ? * SUN *)"` | no |
+| <a name="input_restore_testing_plan_selection_window_days"></a> [restore\_testing\_plan\_selection\_window\_days](#input\_restore\_testing\_plan\_selection\_window\_days) | Selection window days | `number` | `7` | no |
+| <a name="input_restore_testing_plan_start_window"></a> [restore\_testing\_plan\_start\_window](#input\_restore\_testing\_plan\_start\_window) | Start window from the scheduled time during which the test should start | `number` | `1` | no |
+| <a name="input_terraform_role_arn"></a> [terraform\_role\_arn](#input\_terraform\_role\_arn) | ARN of Terraform role used to deploy to account | `string` | n/a | yes |
+<!-- vale on -->
+
+## Example
+
+```terraform
+module "test_aws_backup" {
+  source = "./modules/aws-backup"
+
+  environment_name      = "environment_name"
+  bootstrap_kms_key_arn = kms_key[0].arn
+  project_name          = "testproject"
+  reports_bucket        = "compliance-reports"
+  terraform_role_arn    = data.aws_iam_role.terraform_role.arn
+}
+```
@@ -0,0 +1,149 @@
+resource "aws_backup_framework" "main" {
+  # must be underscores instead of dashes
+  name        = replace("${local.resource_name_prefix}-framework", "-", "_")
+  description = "${var.project_name} Backup Framework"
+
+  # Evaluates if recovery points are encrypted.
+  control {
+    name = "BACKUP_RECOVERY_POINT_ENCRYPTED"
+
+    scope {
+      tags = {
+        "environment_name" = var.environment_name
+      }
+    }
+  }
+
+  # Evaluates if backup vaults do not allow manual deletion of recovery points with the exception of certain IAM roles.
+  control {
+    name = "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED"
+
+    scope {
+      tags = {
+        "environment_name" = var.environment_name
+      }
+    }
+
+    input_parameter {
+      name  = "principalArnList"
+      value = var.terraform_role_arn
+    }
+  }
+
+  # Evaluates if recovery point retention period is at least 1 month.
+  control {
+    name = "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK"
+
+    scope {
+      tags = {
+        "environment_name" = var.environment_name
+      }
+    }
+
+    input_parameter {
+      name  = "requiredRetentionDays"
+      value = "35"
+    }
+  }
+
+  # Evaluates if backup plan creates backups at least every 1 day and retains them for at least 1 month before deleting them.
+  control {
+    name = "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK"
+
+    scope {
+      tags = {
+        "environment_name" = var.environment_name
+      }
+    }
+
+    input_parameter {
+      name  = "requiredFrequencyUnit"
+      value = "days"
+    }
+
+    input_parameter {
+      name  = "requiredRetentionDays"
+      value = "35"
+    }
+
+    input_parameter {
+      name  = "requiredFrequencyValue"
+      value = "1"
+    }
+  }
+
+  # Evaluates if resources are protected by a backup plan.
+  control {
+    name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
+
+    scope {
+      compliance_resource_types = var.backup_plan_config.compliance_resource_types
+      tags = {
+        (var.backup_plan_config.selection_tag) = "True"
+      }
+    }
+  }
+
+  # Evaluates if resources have at least one recovery point created within the past 1 day.
+  control {
+    name = "BACKUP_LAST_RECOVERY_POINT_CREATED"
+
+    input_parameter {
+      name  = "recoveryPointAgeUnit"
+      value = "days"
+    }
+
+    input_parameter {
+      name  = "recoveryPointAgeValue"
+      value = "1"
+    }
+
+    scope {
+      compliance_resource_types = var.backup_plan_config.compliance_resource_types
+      tags = {
+        (var.backup_plan_config.selection_tag) = "True"
+      }
+    }
+  }
+}
+
+resource "aws_backup_framework" "dynamodb" {
+  count = var.backup_plan_config_dynamodb.enable ? 1 : 0
+  # must be underscores instead of dashes
+  name        = replace("${local.resource_name_prefix}-dynamodb-framework", "-", "_")
+  description = "${var.project_name} DynamoDB Backup Framework"
+
+  # Evaluates if resources are protected by a backup plan.
+  control {
+    name = "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
+
+    scope {
+      compliance_resource_types = var.backup_plan_config_dynamodb.compliance_resource_types
+      tags = {
+        (var.backup_plan_config_dynamodb.selection_tag) = "True"
+      }
+    }
+  }
+
+  # Evaluates if resources have at least one recovery point created within the past 1 day.
+  control {
+    name = "BACKUP_LAST_RECOVERY_POINT_CREATED"
+
+    input_parameter {
+      name  = "recoveryPointAgeUnit"
+      value = "days"
+    }
+
+    input_parameter {
+      name  = "recoveryPointAgeValue"
+      value = "1"
+    }
+
+    scope {
+      compliance_resource_types = var.backup_plan_config_dynamodb.compliance_resource_types
+      tags = {
+        (var.backup_plan_config_dynamodb.selection_tag) = "True"
+      }
+    }
+  }
+}
@@ -0,0 +1,12 @@
+resource "aws_backup_vault_notifications" "backup_notification" {
+  count             = var.notifications_target_email_address != "" ? 1 : 0
+  backup_vault_name = aws_backup_vault.main.name
+  sns_topic_arn     = aws_sns_topic.backup[0].arn
+  backup_vault_events = [
+    "BACKUP_JOB_COMPLETED",
+    "RESTORE_JOB_COMPLETED",
+    "S3_BACKUP_OBJECT_FAILED",
+    "S3_RESTORE_OBJECT_FAILED",
+    "COPY_JOB_FAILED"
+  ]
+}
@@ -0,0 +1,85 @@
+resource "aws_backup_plan" "default" {
+  name = "${local.resource_name_prefix}-plan"
+
+  dynamic "rule" {
+    for_each = var.backup_plan_config.rules
+    content {
+      recovery_point_tags = {
+        backup_rule_name = rule.value.name
+      }
+      rule_name         = rule.value.name
+      target_vault_name = aws_backup_vault.main.name
+      schedule          = rule.value.schedule
+      enable_continuous_backup  = rule.value.enable_continuous_backup != null ? rule.value.enable_continuous_backup : null
+      lifecycle {
+        delete_after       = rule.value.lifecycle.delete_after != null ? rule.value.lifecycle.delete_after : null
+        cold_storage_after = rule.value.lifecycle.cold_storage_after != null ? rule.value.lifecycle.cold_storage_after : null
+      }
+      dynamic "copy_action" {
+        for_each = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" && rule.value.copy_action != null ? rule.value.copy_action : {}
+        content {
+          lifecycle {
+            delete_after = copy_action.value
+          }
+          destination_vault_arn = var.backup_copy_vault_arn
+        }
+      }
+    }
+  }
+}
+
+# this backup plan shouldn't include a continous backup rule as it isn't supported for DynamoDB
+resource "aws_backup_plan" "dynamodb" {
+  count = var.backup_plan_config_dynamodb.enable ? 1 : 0
+  name  = "${local.resource_name_prefix}-dynamodb-plan"
+
+  dynamic "rule" {
+    for_each = var.backup_plan_config_dynamodb.rules
+    content {
+      recovery_point_tags = {
+        backup_rule_name = rule.value.name
+      }
+      rule_name         = rule.value.name
+      target_vault_name = aws_backup_vault.main.name
+      schedule          = rule.value.schedule
+      lifecycle {
+        delete_after       = rule.value.lifecycle.delete_after != null ? rule.value.lifecycle.delete_after : null
+        cold_storage_after = rule.value.lifecycle.cold_storage_after != null ? rule.value.lifecycle.cold_storage_after : null
+      }
+      dynamic "copy_action" {
+        for_each = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" && rule.value.copy_action != null ? rule.value.copy_action : {}
+        content {
+          lifecycle {
+            delete_after = copy_action.value
+          }
+          destination_vault_arn = var.backup_copy_vault_arn
+        }
+      }
+    }
+  }
+}
+
+resource "aws_backup_selection" "default" {
+  iam_role_arn = aws_iam_role.backup.arn
+  name         = "${local.resource_name_prefix}-selection"
+  plan_id      = aws_backup_plan.default.id
+
+  selection_tag {
+    key   = var.backup_plan_config.selection_tag
+    type  = "STRINGEQUALS"
+    value = "True"
+  }
+}
+
+resource "aws_backup_selection" "dynamodb" {
+  count        = var.backup_plan_config_dynamodb.enable ? 1 : 0
+  iam_role_arn = aws_iam_role.backup.arn
+  name         = "${local.resource_name_prefix}-dynamodb-selection"
+  plan_id      = aws_backup_plan.dynamodb[0].id
+
+  selection_tag {
+    key   = var.backup_plan_config_dynamodb.selection_tag
+    type  = "STRINGEQUALS"
+    value = "True"
+  }
+}
@@ -0,0 +1,72 @@
+# Create the reports
+resource "aws_backup_report_plan" "backup_jobs" {
+  name        = "backup_jobs"
+  description = "Report for showing whether backups ran successfully in the last 24 hours"
+
+  report_delivery_channel {
+    formats = [
+      "JSON"
+    ]
+    s3_bucket_name = var.reports_bucket
+    s3_key_prefix  = "backup_jobs"
+  }
+
+  report_setting {
+    report_template = "BACKUP_JOB_REPORT"
+  }
+}
+
+# Create the restore testing completion reports
+resource "aws_backup_report_plan" "backup_restore_testing_jobs" {
+  name        = "backup_restore_testing_jobs"
+  description = "Report for showing whether backup restore test ran successfully in the last 24 hours"
+
+  report_delivery_channel {
+    formats = [
+      "JSON"
+    ]
+    s3_bucket_name = var.reports_bucket
+    s3_key_prefix  = "backup_restore_testing_jobs"
+  }
+
+  report_setting {
+    report_template = "RESTORE_JOB_REPORT"
+  }
+}
+
+resource "aws_backup_report_plan" "resource_compliance" {
+  name        = "resource_compliance"
+  description = "Report for showing whether resources are compliant with the framework"
+
+  report_delivery_channel {
+    formats = [
+      "JSON"
+    ]
+    s3_bucket_name = var.reports_bucket
+    s3_key_prefix  = "resource_compliance"
+  }
+
+  report_setting {
+    framework_arns       = var.backup_plan_config_dynamodb.enable ? [aws_backup_framework.main.arn, aws_backup_framework.dynamodb[0].arn] : [aws_backup_framework.main.arn]
+    number_of_frameworks = 2
+    report_template      = "RESOURCE_COMPLIANCE_REPORT"
+  }
+}
+
+resource "aws_backup_report_plan" "copy_jobs" {
+  count       = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? 1 : 0
+  name        = "copy_jobs"
+  description = "Report for showing whether copies ran successfully in the last 24 hours"
+
+  report_delivery_channel {
+    formats = [
+      "JSON"
+    ]
+    s3_bucket_name = var.reports_bucket
+    s3_key_prefix  = "copy_jobs"
+  }
+
+  report_setting {
+    report_template = "COPY_JOB_REPORT"
+  }
+}