From 28f6f9e4c4cfb83b062aa286debff3bd8ddcfc86 Mon Sep 17 00:00:00 2001
From: Vladimirs Kovalovs
Date: Fri, 5 Jul 2024 16:57:24 +0100
Subject: [PATCH] [LAWS-3906] Added vault backout policy

---
 .../contract-work-administration/backups.tf | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/terraform/environments/contract-work-administration/backups.tf b/terraform/environments/contract-work-administration/backups.tf
index 519aeb70ab0..f2d0a557999 100644
--- a/terraform/environments/contract-work-administration/backups.tf
+++ b/terraform/environments/contract-work-administration/backups.tf
@@ -52,4 +52,49 @@ resource "aws_backup_selection" "cwa" {
 value = "yes"
 }
 }
+}
+
+data "aws_iam_policy_document" "cwa_vault" {
+ statement {
+ sid = "Allow local account basic permissions to the vault"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:root"]
+ }
+
+ actions = [
+ "backup:DescribeBackupVault",
+ "backup:PutBackupVaultAccessPolicy",
+ "backup:DeleteBackupVaultAccessPolicy",
+ "backup:GetBackupVaultAccessPolicy",
+ "backup:StartBackupJob",
+ "backup:GetBackupVaultNotifications",
+ "backup:PutBackupVaultNotifications",
+ "backup:StartRestoreJob"
+ ]
+
+ resources = [aws_backup_vault.cwa.arn]
+ }
+ statement {
+ sid = "Allow copying of recovery points from Landing Zone"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::411213865113:root"]
+ }
+
+ actions = [
+ "backup:CopyIntoBackupVault"
+ ]
+
+ resources = [aws_backup_vault.cwa.arn]
+ }
+}
+
+resource "aws_backup_vault_policy" "cwa" {
+ backup_vault_name = aws_backup_vault.cwa.name
+ policy = data.aws_iam_policy_document.cwa_vault.json
 }
\ No newline at end of file
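Review bot: The cross-account trust in the second statement hard-codes the principal as `"arn:aws:iam::411213865113:root"` with nothing in the code saying which account that is, whereas the first statement resolves its account through `local.environment_management.account_ids`; a trust relationship that lets another account write recovery points into this vault should be auditable from the code, so the ID belongs in a named local (or the existing account map, if it has an entry for the landing zone) with a comment, e.g. `identifiers = ["arn:aws:iam::${local.landing_zone_account_id}:root"] # Landing Zone: source of cross-account recovery point copies`. Note also that `backup:CopyIntoBackupVault` is granted to the whole remote account, so any role in it that has the matching IAM permission can copy into this vault; if the copy is driven by a single role, naming that role ARN instead of `:root` would narrow it. Separately, this policy only grants: if the vault is meant to resist tampering, the usual complement is an explicit `Deny` on `backup:DeleteRecoveryPoint` and `backup:UpdateRecoveryPointLifecycle` for everything except a break-glass role, though that may be outside the scope of this ticket and is worth confirming with the owners. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows.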