Few changes

NHSDigital · Jan 15, 2025 · 7474010 · 7474010
1 parent 2f68938
commit 7474010
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 27 deletions.
diff --git a/terraform_aws_backup/aws-backup-destination/modules/aws_config/backup_vault_policy.tf b/terraform_aws_backup/aws-backup-destination/modules/aws_config/backup_vault_policy.tf
@@ -20,26 +20,26 @@ data "aws_iam_policy_document" "vault_policy" {
     resources = ["*"]
   }
 
-  # dynamic "statement" {
-  #   for_each = var.enable_vault_protection ? [1] : []
-  #   content {
-  #     sid    = "DenyBackupVaultAccess"
-  #     effect = "Deny"
+  dynamic "statement" {
+    for_each = var.enable_vault_protection ? [1] : []
+    content {
+      sid    = "DenyBackupVaultAccess"
+      effect = "Deny"
 
-  #     principals {
-  #       type        = "AWS"
-  #       identifiers = ["*"]
-  #     }
-  #     actions = [
-  #       "backup:DeleteRecoveryPoint",
-  #       "backup:UpdateRecoveryPointLifecycle",
-  #       "backup:DeleteBackupVault",
-  #       "backup:StartRestoreJob",
-  #       "backup:DeleteBackupVaultLockConfiguration",
-  #     ]
-  #     resources = ["*"]
-  #   }
-  # }
+      principals {
+        type        = "AWS"
+        identifiers = ["*"]
+      }
+      actions = [
+        "backup:DeleteRecoveryPoint",
+        "backup:UpdateRecoveryPointLifecycle",
+        "backup:DeleteBackupVault",
+        "backup:StartRestoreJob",
+        "backup:DeleteBackupVaultLockConfiguration",
+      ]
+      resources = ["*"]
+    }
+  }
 
   dynamic "statement" {
     for_each = var.enable_vault_protection ? [1] : []

diff --git a/terraform_aws_backup/aws-backup-destination/modules/aws_config/kms_key.tf b/terraform_aws_backup/aws-backup-destination/modules/aws_config/kms_key.tf
@@ -19,6 +19,6 @@ resource "aws_kms_key" "destination_backup_key" {
 }
 
 resource "aws_kms_alias" "destination_backup_key" {
-  name          = "alias/imms-bkp-encryption"
+  name          = "alias/imms-bkp-prod-encryption"
   target_key_id = aws_kms_key.destination_backup_key.key_id
 }
diff --git a/terraform_aws_backup/aws-backup-destination/modules/aws_config/variables.tf b/terraform_aws_backup/aws-backup-destination/modules/aws_config/variables.tf
@@ -36,7 +36,7 @@ variable "enable_vault_protection" {
   # have its policy changed. The minimum and maximum retention periods are also set only if this is true.
   description = "Flag which controls if the vault lock is enabled"
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "vault_lock_type" {
@@ -45,7 +45,7 @@ variable "vault_lock_type" {
   # See toplevel README.md:
   #   DO NOT SET THIS TO compliance UNTIL YOU ARE SURE THAT YOU WANT TO LOCK THE VAULT PERMANENTLY
   # When you do, you will also need to set "enable_vault_protection" to true for it to take effect.
-  default     = "governance"
+  default     = "compliance"
 }
 
 variable "vault_lock_min_retention_days" {
@@ -63,5 +63,5 @@ variable "vault_lock_max_retention_days" {
 variable "changeable_for_days" {
   description = "How long you want the vault lock to be changeable for, only applies to compliance mode. This value is expressed in days no less than 3 and no greater than 36,500; otherwise, an error will return."
   type        = number
-  default     = 36500
+  default     = 30
 }
diff --git a/terraform_aws_backup/aws-backup-source/main.tf b/terraform_aws_backup/aws-backup-source/main.tf
@@ -70,7 +70,7 @@ module "source" {
           "delete_after" : 2
         },
         "name" : "daily_kept_for_2_days",
-        "schedule" : "cron(40 15 * * ? *)"
+        "schedule" : "cron(00 20 * * ? *)"
       }
     ],
     "selection_tag" : "NHSE-Enable-S3-Backup"
@@ -90,7 +90,7 @@ module "source" {
           "delete_after" : 2
         },
         "name" : "daily_kept_for_2_days",
-        "schedule" : "cron(40 15 * * ? *)"
+        "schedule" : "cron(00 20 * * ? *)"
       }
     ],
     "selection_tag" : "NHSE-Enable-Dynamo-Backup"

diff --git a/terraform_aws_backup/aws-backup-source/modules/aws_config/s3_report_config.tf b/terraform_aws_backup/aws-backup-source/modules/aws_config/s3_report_config.tf
@@ -1,6 +1,6 @@
 # First, we create an S3 bucket for compliance reports.
 resource "aws_s3_bucket" "backup_reports" {
-  bucket = "${var.project_name}backup-reports"
+  bucket = "${var.project_name}-prod-backup-reports"
 }
 
 resource "aws_s3_bucket_public_access_block" "backup_reports" {

diff --git a/terraform_aws_backup/aws-backup-source/modules/aws_config/variables.tf b/terraform_aws_backup/aws-backup-source/modules/aws_config/variables.tf
@@ -38,7 +38,7 @@ variable "restore_testing_plan_start_window" {
 variable "restore_testing_plan_scheduled_expression" {
   description = "Scheduled Expression of Recovery Selection Point"
   type        = string
-  default     = "cron(0 1 ? * SUN *)"
+  default     = "cron(30 1 ? * SUN *)"
 }
 
 variable "restore_testing_plan_recovery_point_types" {