Merge pull request #397 from ministryofjustice/fix/address-sca

Allow customer managed KMS key for backup SNS topic
ministryofjustice · Feb 26, 2024 · 757dfd9 · 757dfd9
2 parents ef3a3b4 + 6f4956a
commit 757dfd9
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/modules/backup/main.tf b/modules/backup/main.tf
@@ -115,8 +115,9 @@ resource "aws_backup_selection" "non_production" {
 }
 
 # SNS topic
+#trivy:ignore:avd-aws-0136
 resource "aws_sns_topic" "backup_failure_topic" {
-  kms_master_key_id = "alias/aws/sns"
+  kms_master_key_id = var.sns_backup_topic_key
   name              = "backup_failure_topic"
   tags = merge(var.tags, {
     Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"

diff --git a/modules/backup/variables.tf b/modules/backup/variables.tf
@@ -3,6 +3,12 @@ variable "iam_role_arn" {
   description = "IAM role ARN for the AWS Backup service role"
 }
 
+variable "sns_backup_topic_key" {
+  type        = string
+  default     = "alias/aws/sns"
+  description = "KMS key used to encrypt backup failure SNS topic"
+}
+
 variable "tags" {
   default     = {}
   description = "Tags to apply to resources, where applicable"