From 5b3a1be54c7cfa594bd9146c281e5ef2aa8883e1 Mon Sep 17 00:00:00 2001
From: tom-j-smith
Date: Fri, 25 Oct 2024 16:21:27 +0100
Subject: [PATCH 1/6] Adding read-only to tagged backup resources

---
 backups.tf | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 backups.tf

diff --git a/backups.tf b/backups.tf
new file mode 100644
index 0000000..3097d34
--- /dev/null
+++ b/backups.tf
@@ -0,0 +1,31 @@
+data "aws_iam_policy_document" "backups_for_github" {
+ statement {
+ sid = "AllowCognitoList"
+ effect = "Allow"
+ actions = [
+ "backup:ListBackupVaults",
+ "backup:ListBackupPlans"
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "AllowCognitoGetOwn"
+ effect = "Allow"
+ actions = [
+ "backup:Describe*",
+ "backup:Get*",
+ "backup:List*"
+ ]
+ resources = [
+ "arn:aws:cognito-idp:*:${data.aws_caller_identity.current.account_id}:userpool/*",
+ "arn:aws:wafv2:*:${data.aws_caller_identity.current.account_id}:*/webacl/*/*"
+ ]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:PrincipalTag/GithubTeam"
+ values = ["*:$${aws:ResourceTag/GithubTeam}:*"]
+ }
+ }
+}
From 1acbce7b1729c9c8e30be879b425af26d4b8144d Mon Sep 17 00:00:00 2001
From: tom-j-smith
Date: Fri, 25 Oct 2024 16:25:45 +0100
Subject: [PATCH 2/6] Adding ability to list the jobs and protected resources

---
 backups.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/backups.tf b/backups.tf
index 3097d34..b26e850 100644
--- a/backups.tf
+++ b/backups.tf
@@ -4,7 +4,10 @@ data "aws_iam_policy_document" "backups_for_github" {
 effect = "Allow"
 actions = [
 "backup:ListBackupVaults",
- "backup:ListBackupPlans"
+ "backup:ListBackupPlans",
+ "backup:ListBackupJobs",
+ "backup:ListRestoreJobs",
+ "backup:ListProtectedResources"
 ]
 resources = ["*"]
 }
From 096b3a401e0346a0bb6750883a3ca551f09845f9 Mon Sep 17 00:00:00 2001
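Review bot: The `AllowCognitoGetOwn` statement scopes `backup:Describe*`/`Get*`/`List*` to `cognito-idp` user-pool and `wafv2` web-ACL ARNs, which no AWS Backup action operates on, so the statement matches nothing and the `aws:ResourceTag/GithubTeam` condition is never exercised — the sids and ARNs look copied from the Cognito policy document. The resources should be Backup ARNs in this account, e.g. `"arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*"` and `"arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*"`, so the tag match applies to the team's own vaults and plans. It is worth checking in the service authorization reference which of the wildcarded actions actually support `aws:ResourceTag`; any that do not should end up not matching this statement rather than being widened, which is the safe direction but may surprise callers expecting them to work. The `$${...}` escaping of the policy variable is correct as written.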
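Review bot: The three new list actions join the `resources = ["*"]` statement, so unlike the tag-conditioned statement below them they return backup-job, restore-job and protected-resource metadata for every team in the account, not only the caller's `GithubTeam`. That is probably unavoidable for account-level list calls, but it is a disclosure decision and should be recorded on the statement, e.g. `# Account-wide list calls are not resource-tag scoped: these expose job and resource names across all teams.` If that cross-team visibility is not intended, these actions should not be granted here at all. The enclosing `data` block starts and ends outside this hunk.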
From: "github-actions[bot]"
Date: Fri, 25 Oct 2024 15:28:10 +0000
Subject: [PATCH 3/6] terraform-docs: automated action

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index cdcda2c..9d0e21a 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,7 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
 | [aws_iam_policy_document.api_gateway_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.backups_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.bedrock_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudwatch_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cognito_idp_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
From 071144c384be8b2783f22fe6c72d705a06ce5405 Mon Sep 17 00:00:00 2001
From: tom-j-smith
Date: Fri, 25 Oct 2024 16:38:29 +0100
Subject: [PATCH 4/6] Fixing the resources typo

---
 backups.tf | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/backups.tf b/backups.tf
index b26e850..edaf748 100644
--- a/backups.tf
+++ b/backups.tf
@@ -20,10 +20,7 @@ data "aws_iam_policy_document" "backups_for_github" {
 "backup:Get*",
 "backup:List*"
 ]
- resources = [
- "arn:aws:cognito-idp:*:${data.aws_caller_identity.current.account_id}:userpool/*",
- "arn:aws:wafv2:*:${data.aws_caller_identity.current.account_id}:*/webacl/*/*"
- ]
+ resources = ["*"]

 condition {
 test = "StringLike"
From 2edb6426d42cc2703609f54b55f533df801d6b2f Mon Sep 17 00:00:00 2001
From: tom-j-smith
Date: Fri, 25 Oct 2024 16:39:24 +0100
Subject: [PATCH 5/6] Fixing sid typo

---
 backups.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backups.tf b/backups.tf
index edaf748..830a7f6 100644
--- a/backups.tf
+++ b/backups.tf
@@ -1,6 +1,6 @@
 data "aws_iam_policy_document" "backups_for_github" {
 statement {
- sid = "AllowCognitoList"
+ sid = "AllowBackupsList"
 effect = "Allow"
 actions = [
 "backup:ListBackupVaults",
@@ -13,7 +13,7 @@ data "aws_iam_policy_document" "backups_for_github" {
 }

 statement {
- sid = "AllowCognitoGetOwn"
+ sid = "AllowBackupsGetOwn"
 effect = "Allow"
 actions = [
 "backup:Describe*",
From 871adb11f196723e95ec43167a1b7bc8623a70b6 Mon Sep 17 00:00:00 2001
From: tom-j-smith
Date: Fri, 25 Oct 2024 16:40:13 +0100
Subject: [PATCH 6/6] including backup role in policy document

---
 aws.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/aws.tf b/aws.tf
index 49d8db4..d829be8 100644
--- a/aws.tf
+++ b/aws.tf
@@ -63,6 +63,7 @@ data "aws_iam_policy_document" "combined_2" {
 data.aws_iam_policy_document.bedrock_for_github.json,
 data.aws_iam_policy_document.mq_for_github.json,
 data.aws_iam_policy_document.ecr_for_github.json,
+ data.aws_iam_policy_document.backups_for_github.json,
 ]
 }
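Review bot: Replacing the two Cognito/WAF ARNs with `resources = ["*"]` fixes the wrong service but over-corrects: `backup:Describe*`/`Get*`/`List*` is now allowed on any resource, in this account or shared from another, with only the `aws:ResourceTag/GithubTeam` condition left to scope it. Keeping the account scope and pointing at the right service is the smaller fix, `resources = ["arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:*"]`, or the specific `backup-vault:*` / `backup-plan:*` / `recovery-point:*` forms if only those are meant to be readable. A one-line comment such as `# Backup ARNs only; the earlier Cognito/WAF ARNs were a copy-paste error` would stop the wrong ARNs from being reintroduced, since the commit message calls this a typo. The enclosing `statement` block starts and ends outside this hunk.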
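Review bot: Appending `backups_for_github` to `combined_2` should be checked against the 6,144-character managed-policy size limit, since the `_2` suffix suggests the combined document was already split for that reason and the new document adds two statements including a `StringLike` condition. If this list is `source_policy_documents` (the argument name is above the hunk, so this is presumed), Terraform also requires the `Sid`s across all merged documents to be unique, so confirm `AllowBackupsList` and `AllowBackupsGetOwn` do not collide with sids in the other `*_for_github` documents. A brief comment on the data block recording why documents are grouped into `combined_2` would help future additions land in the right place. The enclosing `data "aws_iam_policy_document" "combined_2"` block starts outside this hunk.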