Merge pull request #1135 from NHSDigital/feature/kabo5-NRL-1826-immutable-backups-compliance-mode

NRL-1826 enable compliance mode

Author: katebobyn-nhs

terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf

@@ -41,28 +41,4 @@ data "aws_iam_policy_document" "vault_policy" {
       resources = ["*"]
     }
   }
-
-  dynamic "statement" {
-    for_each = var.enable_vault_protection ? [1] : []
-    content {
-      sid    = "DenyBackupCopyExceptToSourceAccount"
-      effect = "Deny"
-
-      principals {
-        type        = "AWS"
-        identifiers = ["arn:aws:iam::${var.account_id}:root"]
-      }
-      actions = [
-        "backup:CopyFromBackupVault"
-      ]
-      resources = ["*"]
-      condition {
-        test     = "StringNotEquals"
-        variable = "backup:CopyTargets"
-        values = [
-          "arn:aws:backup:${var.region}:${var.source_account_id}:backup-vault:${var.region}-${var.source_account_id}-backup-vault"
-        ]
-      }
-    }
-  }
 }

terraform/backup-infrastructure/prod/aws-backup.tf

@@ -28,7 +28,8 @@ module "destination" {
   account_id              = local.destination_account_id
   source_account_id       = local.source_account_id
   kms_key                 = aws_kms_key.destination_backup_key.arn
-  enable_vault_protection = false
+  enable_vault_protection = true
+  vault_lock_type         = "compliance"
 }
 
 ###