Merge pull request #9006 from ministryofjustice/issue/8617

Issue/8617
ministryofjustice · Jan 20, 2025 · f3afe9f · f3afe9f
2 parents abe8932 + 93b6fa6
commit f3afe9f
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/source/concepts/environments/backups.html.md.erb b/source/concepts/environments/backups.html.md.erb
@@ -57,6 +57,12 @@ Backups are retained for 30 days.
 
 If the above built in backup plans are not suitable, you can create your own backup plans via code in the modernisation-platform-environments repository, however we will not be responsible for your lifecycle rules, backups can be costly if not removed.
 
+## On-Demand backups
+
+We had added, to the developer role, the ability to take on-demand backups of resources for those occasions where a one-off backup required.  This can be done via the AWS Backup console or via the AWS CLI. As with other backups, these can be costly if long rention periods are used.
+
+Note that when using this feature, the backup IAM role AWSBackup must be selected. 
+
 ## How to find your backups
 
 You can view your backups my navigating to AWS Backup in the AWS console and clicking "Backup vaults".

diff --git a/terraform/environments/bootstrap/single-sign-on/data.tf b/terraform/environments/bootstrap/single-sign-on/data.tf
@@ -6,4 +6,10 @@ data "aws_s3_bucket" "mod_platform_artefact" {
 # To Get Modernisation Platform Account Number
 data "aws_ssm_parameter" "modernisation_platform_account_id" {
   name = "modernisation_platform_account_id"
-}
+}
+
+# Allows access to the current account ID
+data "aws_caller_identity" "current" {}
+output "account_id" {
+  value = data.aws_caller_identity.current.account_id
+}
diff --git a/terraform/environments/bootstrap/single-sign-on/policies.tf b/terraform/environments/bootstrap/single-sign-on/policies.tf
@@ -192,6 +192,7 @@ data "aws_iam_policy_document" "developer_additional" {
       "athena:List*",
       "athena:St*",
       "aws-marketplace:ViewSubscriptions",
+      "backup:StartBackupJob",
       "cloudwatch:DisableAlarmActions",
       "cloudwatch:EnableAlarmActions",
       "cloudwatch:PutDashboard",
@@ -364,6 +365,20 @@ data "aws_iam_policy_document" "developer_additional" {
       values   = ["true"]
     }
   }
+
+  # Additional statement that allows for the creation of on-demand AWS Backups.
+  statement {
+    sid    = "AllowPassRoleForBackup"
+    effect = "Allow"
+    actions = ["iam:PassRole"]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/AWSBackup"]
+    condition {
+      test     = "StringEquals"
+      variable = "iam:PassedToService"
+      values   = ["backup.amazonaws.com"]
+    }
+  }
+
 }
 
 # data engineering policy (developer + glue + some athena)