From 0cc50720812133f952010363fd97ae6a2c579684 Mon Sep 17 00:00:00 2001
From: neil-sproston
Date: Tue, 25 Jun 2024 22:22:07 +0100
Subject: [PATCH] Backup remote vault initial commit

---
 modules/vault/README.md | 36 +++++++++++++++
 modules/vault/data.tf | 6 +++
 modules/vault/main.tf | 92 ++++++++++++++++++++++++++++++++++++++
 modules/vault/outputs.tf | 6 +++
 modules/vault/variables.tf | 17 +++++++
 5 files changed, 157 insertions(+)
 create mode 100644 modules/vault/README.md
 create mode 100644 modules/vault/data.tf
 create mode 100644 modules/vault/main.tf
 create mode 100644 modules/vault/outputs.tf
 create mode 100644 modules/vault/variables.tf

diff --git a/modules/vault/README.md b/modules/vault/README.md
new file mode 100644
index 0000000..bb7fe0d
--- /dev/null
+++ b/modules/vault/README.md
@@ -0,0 +1,36 @@
+# Terraform module: vault
+
+## Description
+
+This is a simple module to create a AWS Backup vault set up to act as a destination for
+remote off-account AWS backup copy jobs. The vault can be "locked" which prevents
+pre-mature backup snapshot deletion.
+
+The vault should be located in an isolated AWS account
+
+**WARNING** Once a vault is locked you have 8 days to reverse the setting. Once this
+cool-off period has been passed vault locking can not be removed.
+
+## Module parameters
+
+|Name|Description|Type|Default setting|
+|client_name|The name of the client being served|string|-|
+|client_account|The AWS Account ID number being served|string|-|
+|lock_vault|Whether to lock the vault|bool|false|
+
+## Sample usage
+
+This snippet creates a locked vault for RSS prod backup called rss-prod. The AWS account
+number "123456789012" is the only account which can copy backup snapshots into this
+vault. (Only one account is allowed to copy into each vault so as to ensure data
+segregation).
+
+```
+module "rss_prod_prod_backup_vault" {
+ source = "../modules/vault"
+
+ client_name = "rss-prod"
+ client_account = "123456789012"
+ lock_vault = true
+}
+```
diff --git a/modules/vault/data.tf b/modules/vault/data.tf
new file mode 100644
index 0000000..cf60175
--- /dev/null
+++ b/modules/vault/data.tf
@@ -0,0 +1,6 @@
+data "aws_caller_identity" "current" {
+}
+
+locals {
+ service_account = data.aws_caller_identity.current.account_id
+}
diff --git a/modules/vault/main.tf b/modules/vault/main.tf
new file mode 100644
index 0000000..b37179f
--- /dev/null
+++ b/modules/vault/main.tf
@@ -0,0 +1,92 @@
+resource "aws_backup_vault" "backup" {
+ name = "${replace(var.client_name, "-", "_")}_backup"
+ kms_key_arn = aws_kms_key.backup.arn
+}
+
+resource "aws_backup_vault_lock_configuration" "backup" {
+ count = var.lock_vault ? 1 : 0
+ backup_vault_name = aws_backup_vault.backup.name
+ changeable_for_days = 8
+}
+
+resource "aws_backup_vault_policy" "backup" {
+ backup_vault_name = aws_backup_vault.backup.name
+
+ policy = <
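Review bot: `local.service_account` in the data.tf hunk is declared with no comment saying which account it denotes, and its name reads as if it could be the served client rather than the account the module is deployed into, which the README describes as an isolated backup account distinct from `var.client_account`. A one-line comment on the local would remove that ambiguity: `# Account this module is deployed into (the isolated backup account); not var.client_account`. Its consumer is presumably the vault policy in main.tf, but that hunk is cut off in this chunk, so the intended use cannot be confirmed here.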