Merge pull request #44 from ministryofjustice/backups-read-only

Backups read only
ministryofjustice · Oct 25, 2024 · 0244793 · 0244793
2 parents ffe88a5 + 871adb1
commit 0244793
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -51,6 +51,7 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
 | [aws_iam_policy_document.api_gateway_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.backups_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.bedrock_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudwatch_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cognito_idp_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

diff --git a/aws.tf b/aws.tf
@@ -63,6 +63,7 @@ data "aws_iam_policy_document" "combined_2" {
     data.aws_iam_policy_document.bedrock_for_github.json,
     data.aws_iam_policy_document.mq_for_github.json,
     data.aws_iam_policy_document.ecr_for_github.json,
+    data.aws_iam_policy_document.backups_for_github.json,
   ]
 }
 

diff --git a/backups.tf b/backups.tf
@@ -0,0 +1,31 @@
+data "aws_iam_policy_document" "backups_for_github" {
+  statement {
+    sid    = "AllowBackupsList"
+    effect = "Allow"
+    actions = [
+      "backup:ListBackupVaults",
+      "backup:ListBackupPlans",
+      "backup:ListBackupJobs",
+      "backup:ListRestoreJobs",
+      "backup:ListProtectedResources"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "AllowBackupsGetOwn"
+    effect = "Allow"
+    actions = [
+      "backup:Describe*",
+      "backup:Get*",
+      "backup:List*"
+    ]
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:PrincipalTag/GithubTeam"
+      values   = ["*:$${aws:ResourceTag/GithubTeam}:*"]
+    }
+  }
+}