From dddb9da91a962e52caed8d91b19f5460ed3cd15a Mon Sep 17 00:00:00 2001
From: mikereiddigital <mike.reid@justice.gov.uk>
Date: Mon, 20 Jan 2025 09:27:44 +0000
Subject: [PATCH 1/4] Adds permissions to support creation of on-demand backup
 plans to developer_policy.

---
 .../environments/bootstrap/single-sign-on/data.tf |  8 +++++++-
 .../bootstrap/single-sign-on/policies.tf          | 15 +++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/terraform/environments/bootstrap/single-sign-on/data.tf b/terraform/environments/bootstrap/single-sign-on/data.tf
index e1f7fc6c7..1c967f1a0 100644
--- a/terraform/environments/bootstrap/single-sign-on/data.tf
+++ b/terraform/environments/bootstrap/single-sign-on/data.tf
@@ -6,4 +6,10 @@ data "aws_s3_bucket" "mod_platform_artefact" {
 # To Get Modernisation Platform Account Number
 data "aws_ssm_parameter" "modernisation_platform_account_id" {
   name = "modernisation_platform_account_id"
-}
\ No newline at end of file
+}
+
+# Allows access to the current account ID
+data "aws_caller_identity" "current" {}
+output "account_id" {
+  value = data.aws_caller_identity.current.account_id
+}
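Review bot: The new `output "account_id"` is not consumed by anything in this patch — the PassRole statement in policies.tf reads `data.aws_caller_identity.current.account_id` directly — so it only surfaces the account id in `terraform output` and state with no visible consumer. If it exists for debugging, drop it; if something downstream reads it, say so in a comment such as `# Exposed for <consumer — confirm>`. The comment on the data source would also be more useful if it named the reason it was added, e.g. `# Resolves the account this stack is applied in; used to build the AWSBackup role ARN in policies.tf`.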
diff --git a/terraform/environments/bootstrap/single-sign-on/policies.tf b/terraform/environments/bootstrap/single-sign-on/policies.tf
index a71d8b42b..65945317f 100644
--- a/terraform/environments/bootstrap/single-sign-on/policies.tf
+++ b/terraform/environments/bootstrap/single-sign-on/policies.tf
@@ -192,6 +192,7 @@ data "aws_iam_policy_document" "developer_additional" {
       "athena:List*",
       "athena:St*",
       "aws-marketplace:ViewSubscriptions",
+      "backup:StartBackupJob",
       "cloudwatch:DisableAlarmActions",
       "cloudwatch:EnableAlarmActions",
       "cloudwatch:PutDashboard",
@@ -364,6 +365,20 @@ data "aws_iam_policy_document" "developer_additional" {
       values   = ["true"]
     }
   }
+
+  # Additional statement that allows for the creation of on-demand AWS Backups.
+  statement {
+    sid    = "AllowPassRoleForBackup"
+    effect = "Allow"
+    actions = ["iam:PassRole"]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/AWSBackup"]
+    condition {
+      test     = "StringEquals"
+      variable = "iam:PassedToService"
+      values   = ["backup.amazonaws.com"]
+    }
+  }
+
 }
 
 # data engineering policy (developer + glue + some athena)
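Review bot: The PassRole grant is correctly narrowed to the `AWSBackup` role and to `backup.amazonaws.com` via `iam:PassedToService`, but the hunk cannot show whether the `AWSBackup` role exists in every account this policy is applied to, nor whether that role's own trust policy is limited to the backup service — the condition constrains who may pass the role, not what the role trusts, so that should be confirmed separately. The ARN hard-codes the `aws` partition; if the file uses `data.aws_partition` elsewhere it should be used here too for consistency (not visible in the hunk). The existing comment would read better if it stated why PassRole is required: `# AWS Backup assumes the AWSBackup role to access the resource, so callers of StartBackupJob must be allowed to pass it to backup.amazonaws.com.` The stray blank line before the closing brace of the policy document is a minor style nit; the enclosing `developer_additional` document starts outside the hunk.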

From 9e8834e1d9292f7fa5d8ee8e704d972cdb329ac3 Mon Sep 17 00:00:00 2001
From: mikereiddigital <mike.reid@justice.gov.uk>
Date: Mon, 20 Jan 2025 09:51:19 +0000
Subject: [PATCH 2/4] Updated the backup concepts guide to include a reference
 to on-demand backups.

---
 source/concepts/environments/backups.html.md.erb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source/concepts/environments/backups.html.md.erb b/source/concepts/environments/backups.html.md.erb
index 91f792291..2fff11f39 100644
--- a/source/concepts/environments/backups.html.md.erb
+++ b/source/concepts/environments/backups.html.md.erb
@@ -57,6 +57,12 @@ Backups are retained for 30 days.
 
 If the above built in backup plans are not suitable, you can create your own backup plans via code in the modernisation-platform-environments repository, however we will not be responsible for your lifecycle rules, backups can be costly if not removed.
 
+## On-Demand backups
+
+We had added, to the developer role, the ability to take on-demand backups of resources for those occasions where a one-off backup required.  This can be done via the AWS Backup console or via the AWS CLI. A retention period of up to 30 days can be selected.
+
+Note that when using this feature, the AWSBackup role must be selected. 
+
 ## How to find your backups
 
 You can view your backups my navigating to AWS Backup in the AWS console and clicking "Backup vaults".

From 547c7491e10d9399a2c5e92623ca5500a55af8bb Mon Sep 17 00:00:00 2001
From: mikereiddigital <mike.reid@justice.gov.uk>
Date: Mon, 20 Jan 2025 09:58:04 +0000
Subject: [PATCH 3/4] Minor amendment

---
 source/concepts/environments/backups.html.md.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/concepts/environments/backups.html.md.erb b/source/concepts/environments/backups.html.md.erb
index 2fff11f39..79643abe2 100644
--- a/source/concepts/environments/backups.html.md.erb
+++ b/source/concepts/environments/backups.html.md.erb
@@ -59,7 +59,7 @@ If the above built in backup plans are not suitable, you can create your own bac
 
 ## On-Demand backups
 
-We had added, to the developer role, the ability to take on-demand backups of resources for those occasions where a one-off backup required.  This can be done via the AWS Backup console or via the AWS CLI. A retention period of up to 30 days can be selected.
+We had added, to the developer role, the ability to take on-demand backups of resources for those occasions where a one-off backup required.  This can be done via the AWS Backup console or via the AWS CLI. As with other backups, these can be costly if long rention periods are used.
 
 Note that when using this feature, the AWSBackup role must be selected. 
 

From 930d33f62cf8fc4be60090fd3fe3ddf315df07ef Mon Sep 17 00:00:00 2001
From: mikereiddigital <mike.reid@justice.gov.uk>
Date: Mon, 20 Jan 2025 10:07:56 +0000
Subject: [PATCH 4/4] Minor doc change.

---
 source/concepts/environments/backups.html.md.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/concepts/environments/backups.html.md.erb b/source/concepts/environments/backups.html.md.erb
index 79643abe2..3a94657ac 100644
--- a/source/concepts/environments/backups.html.md.erb
+++ b/source/concepts/environments/backups.html.md.erb
@@ -61,7 +61,7 @@ If the above built in backup plans are not suitable, you can create your own bac
 
 We had added, to the developer role, the ability to take on-demand backups of resources for those occasions where a one-off backup required.  This can be done via the AWS Backup console or via the AWS CLI. As with other backups, these can be costly if long rention periods are used.
 
-Note that when using this feature, the AWSBackup role must be selected. 
+Note that when using this feature, the backup IAM role AWSBackup must be selected. 
 
 ## How to find your backups