Merge pull request #1536 from ministryofjustice/MLPAB-2539-resources-…

…appear-to-be-shared-between-ur-2-and-test MLPAB-2539 - Make AWS backup vault resoources a regional module
ministryofjustice · Oct 8, 2024 · 41a1c15 · 41a1c15
2 parents 9b9fa10 + 6eda27f
commit 41a1c15
Show file tree

Hide file tree

Showing 8 changed files with 106 additions and 81 deletions.
diff --git a/terraform/account/backup_vaults.tf b/terraform/account/backup_vaults.tf
diff --git a/terraform/account/refactoring.tf b/terraform/account/refactoring.tf
@@ -169,3 +169,8 @@ moved {
   from = aws_kms_alias.sqs_alias_eu_west_2
   to   = module.sqs_kms.aws_kms_alias.main_eu_west_2
 }
+
+moved {
+  from = aws_backup_vault.eu_west_1
+  to   = module.eu_west_1[0].module.aws_backup_vaults.aws_backup_vault.main
+}
diff --git a/terraform/account/region/backup_vaults.tf b/terraform/account/region/backup_vaults.tf
@@ -0,0 +1,7 @@
+module "aws_backup_vaults" {
+  source = "./modules/aws_backup_vault"
+  providers = {
+    aws.region = aws.region
+    aws.global = aws.global
+  }
+}
diff --git a/terraform/account/region/modules/aws_backup_vault/data_sources.tf b/terraform/account/region/modules/aws_backup_vault/data_sources.tf
@@ -0,0 +1,22 @@
+data "aws_region" "current" {
+  provider = aws.region
+}
+
+data "aws_default_tags" "current" {
+  provider = aws.region
+}
+
+data "aws_kms_alias" "sns_encryption_key" {
+  name     = "alias/${data.aws_default_tags.current.tags.application}_sns_secret_encryption_key"
+  provider = aws.region
+}
+
+data "aws_iam_role" "sns_success_feedback" {
+  name     = "SNSSuccessFeedback"
+  provider = aws.global
+}
+
+data "aws_iam_role" "sns_failure_feedback" {
+  provider = aws.global
+  name     = "SNSFailureFeedback"
+}
diff --git a/terraform/account/region/modules/aws_backup_vault/main.tf b/terraform/account/region/modules/aws_backup_vault/main.tf
@@ -0,0 +1,58 @@
+resource "aws_backup_vault" "main" {
+  name     = "${data.aws_region.current.name}-${data.aws_default_tags.current.tags.account-name}-backup-vault"
+  provider = aws.region
+}
+
+resource "aws_sns_topic" "aws_backup_failure_events" {
+  name                                     = "${data.aws_default_tags.current.tags.account-name}-backup-vault-failure-events"
+  kms_master_key_id                        = data.aws_kms_alias.sns_encryption_key.target_key_arn
+  application_failure_feedback_role_arn    = data.aws_iam_role.sns_failure_feedback.arn
+  application_success_feedback_role_arn    = data.aws_iam_role.sns_success_feedback.arn
+  application_success_feedback_sample_rate = 100
+  firehose_failure_feedback_role_arn       = data.aws_iam_role.sns_failure_feedback.arn
+  firehose_success_feedback_role_arn       = data.aws_iam_role.sns_success_feedback.arn
+  firehose_success_feedback_sample_rate    = 100
+  http_failure_feedback_role_arn           = data.aws_iam_role.sns_failure_feedback.arn
+  http_success_feedback_role_arn           = data.aws_iam_role.sns_success_feedback.arn
+  http_success_feedback_sample_rate        = 100
+  lambda_failure_feedback_role_arn         = data.aws_iam_role.sns_failure_feedback.arn
+  lambda_success_feedback_role_arn         = data.aws_iam_role.sns_success_feedback.arn
+  lambda_success_feedback_sample_rate      = 100
+  sqs_failure_feedback_role_arn            = data.aws_iam_role.sns_failure_feedback.arn
+  sqs_success_feedback_role_arn            = data.aws_iam_role.sns_success_feedback.arn
+  sqs_success_feedback_sample_rate         = 100
+  provider                                 = aws.region
+}
+
+data "aws_iam_policy_document" "aws_backup_sns" {
+  statement {
+    actions = [
+      "SNS:Publish",
+    ]
+
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["backup.amazonaws.com"]
+    }
+
+    resources = [
+      aws_sns_topic.aws_backup_failure_events.arn,
+    ]
+  }
+  provider = aws.region
+}
+
+resource "aws_sns_topic_policy" "aws_backup_failure_events" {
+  arn      = aws_sns_topic.aws_backup_failure_events.arn
+  policy   = data.aws_iam_policy_document.aws_backup_sns.json
+  provider = aws.region
+}
+
+resource "aws_backup_vault_notifications" "aws_backup_failure_events" {
+  backup_vault_name   = aws_backup_vault.main.name
+  sns_topic_arn       = aws_sns_topic.aws_backup_failure_events.arn
+  backup_vault_events = ["BACKUP_JOB_FAILED", "COPY_JOB_FAILED"]
+  provider            = aws.region
+}
diff --git a/terraform/account/region/modules/aws_backup_vault/versions.tf b/terraform/account/region/modules/aws_backup_vault/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.5.2"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.70.0"
+      configuration_aliases = [
+        aws.region,
+        aws.global
+      ]
+    }
+  }
+}
diff --git a/terraform/environment/backup_plan.tf b/terraform/environment/backup_plan.tf
@@ -70,66 +70,3 @@ resource "aws_backup_selection" "main" {
   ]
   provider = aws.eu_west_1
 }
-
-data "aws_kms_alias" "sns_encryption_key_eu_west_1" {
-  name     = "alias/${local.default_tags.application}_sns_secret_encryption_key"
-  provider = aws.eu_west_1
-}
-
-resource "aws_sns_topic" "aws_backup_failure_events" {
-  count                                    = local.environment.backups.backup_plan_enabled ? 1 : 0
-  name                                     = "${local.environment_name}-backup-vault-failure-events"
-  kms_master_key_id                        = data.aws_kms_alias.sns_encryption_key_eu_west_1.target_key_arn
-  application_failure_feedback_role_arn    = data.aws_iam_role.sns_failure_feedback.arn
-  application_success_feedback_role_arn    = data.aws_iam_role.sns_success_feedback.arn
-  application_success_feedback_sample_rate = 100
-  firehose_failure_feedback_role_arn       = data.aws_iam_role.sns_failure_feedback.arn
-  firehose_success_feedback_role_arn       = data.aws_iam_role.sns_success_feedback.arn
-  firehose_success_feedback_sample_rate    = 100
-  http_failure_feedback_role_arn           = data.aws_iam_role.sns_failure_feedback.arn
-  http_success_feedback_role_arn           = data.aws_iam_role.sns_success_feedback.arn
-  http_success_feedback_sample_rate        = 100
-  lambda_failure_feedback_role_arn         = data.aws_iam_role.sns_failure_feedback.arn
-  lambda_success_feedback_role_arn         = data.aws_iam_role.sns_success_feedback.arn
-  lambda_success_feedback_sample_rate      = 100
-  sqs_failure_feedback_role_arn            = data.aws_iam_role.sns_failure_feedback.arn
-  sqs_success_feedback_role_arn            = data.aws_iam_role.sns_success_feedback.arn
-  sqs_success_feedback_sample_rate         = 100
-  provider                                 = aws.eu_west_1
-}
-
-data "aws_iam_policy_document" "aws_backup_sns" {
-  count = local.environment.backups.backup_plan_enabled ? 1 : 0
-  statement {
-    actions = [
-      "SNS:Publish",
-    ]
-
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["backup.amazonaws.com"]
-    }
-
-    resources = [
-      aws_sns_topic.aws_backup_failure_events[0].arn,
-    ]
-  }
-  provider = aws.eu_west_1
-}
-
-resource "aws_sns_topic_policy" "aws_backup_failure_events" {
-  count    = local.environment.backups.backup_plan_enabled ? 1 : 0
-  arn      = aws_sns_topic.aws_backup_failure_events[0].arn
-  policy   = data.aws_iam_policy_document.aws_backup_sns[0].json
-  provider = aws.eu_west_1
-}
-
-resource "aws_backup_vault_notifications" "aws_backup_failure_events" {
-  count               = local.environment.backups.backup_plan_enabled ? 1 : 0
-  backup_vault_name   = data.aws_backup_vault.eu_west_1.name
-  sns_topic_arn       = aws_sns_topic.aws_backup_failure_events[0].arn
-  backup_vault_events = ["BACKUP_JOB_FAILED", "COPY_JOB_FAILED"]
-  provider            = aws.eu_west_1
-}
diff --git a/terraform/environment/iam_sns_feedback_role.tf b/terraform/environment/iam_sns_feedback_role.tf