Merge branch 'develop' into feature/kabo5-NRL-856-SDLC1

Author: katebobyn-nhs

terraform/account-wide-infrastructure/dev/ec2.tf

@@ -19,6 +19,8 @@ module "powerbi_gw_instance" {
   glue_kms_key_arn   = module.dev-glue.aws_kms_key_arn
   athena_kms_key_arn = module.dev-athena[0].kms_key_arn
   athena_bucket_arn  = module.dev-athena[0].bucket_arn
+  root_volume_size   = var.powerbi_gw_root_volume_size
+  root_volume_iops   = var.powerbi_gw_root_volume_iops
 
   subnet_id       = module.vpc[0].private_subnet_id
   security_groups = [module.vpc[0].powerbi_gw_security_group_id]

terraform/account-wide-infrastructure/dev/vars.tf

@@ -67,3 +67,15 @@ variable "use_powerbi_gw_custom_ami" {
   description = "Use custom image for PowerBI GW instance"
   default     = true
 }
+
+variable "powerbi_gw_root_volume_size" {
+  type        = number
+  description = "Size of the root EBS volume in GB"
+  default     = 40
+}
+
+variable "powerbi_gw_root_volume_iops" {
+  type        = number
+  description = "IOPS for the root EBS volume"
+  default     = 3000
+}

terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf

@@ -8,8 +8,9 @@ resource "aws_instance" "powerbi_gw" {
   vpc_security_group_ids      = var.security_groups
 
   root_block_device {
-    volume_size = 40
-    volume_type = "gp2"
+    volume_size = var.root_volume_size
+    volume_type = "gp3"
+    iops        = var.root_volume_iops
   }
 
   user_data = file("${path.module}/scripts/user_data.tpl")

terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/vars.tf

@@ -7,3 +7,13 @@ variable "athena_kms_key_arn" {}
 variable "target_bucket_arn" {}
 variable "athena_bucket_arn" {}
 variable "use_custom_ami" {}
+variable "root_volume_size" {
+  type        = number
+  description = "Size of the root EBS volume in GB"
+  default     = 40
+}
+variable "root_volume_iops" {
+  type        = number
+  description = "IOPS for the root EBS volume if using io1 or gp3 volume type"
+  default     = 3000
+}

terraform/account-wide-infrastructure/prod/ec2.tf

@@ -19,6 +19,8 @@ module "powerbi_gw_instance" {
   glue_kms_key_arn   = module.prod-glue.aws_kms_key_arn
   athena_kms_key_arn = module.prod-athena[0].kms_key_arn
   athena_bucket_arn  = module.prod-athena[0].bucket_arn
+  root_volume_size   = var.powerbi_gw_root_volume_size
+  root_volume_iops   = var.powerbi_gw_root_volume_iops
 
   subnet_id       = module.vpc[0].private_subnet_id
   security_groups = [module.vpc[0].powerbi_gw_security_group_id]

terraform/account-wide-infrastructure/prod/vars.tf

@@ -68,3 +68,15 @@ variable "use_powerbi_gw_custom_ami" {
   description = "Use custom image for PowerBI GW instance"
   default     = true
 }
+
+variable "powerbi_gw_root_volume_size" {
+  type        = number
+  description = "Size of the root EBS volume in GB"
+  default     = 256
+}
+
+variable "powerbi_gw_root_volume_iops" {
+  type        = number
+  description = "IOPS for the root EBS volume"
+  default     = 3000
+}

terraform/account-wide-infrastructure/test/ec2.tf

@@ -19,6 +19,8 @@ module "powerbi_gw_instance" {
   glue_kms_key_arn   = module.test-glue.aws_kms_key_arn
   athena_kms_key_arn = module.test-athena[0].kms_key_arn
   athena_bucket_arn  = module.test-athena[0].bucket_arn
+  root_volume_size   = var.powerbi_gw_root_volume_size
+  root_volume_iops   = var.powerbi_gw_root_volume_iops
 
   subnet_id       = module.vpc[0].private_subnet_id
   security_groups = [module.vpc[0].powerbi_gw_security_group_id]

terraform/account-wide-infrastructure/test/vars.tf

@@ -87,3 +87,15 @@ variable "use_powerbi_gw_custom_ami" {
   description = "Use custom image for PowerBI GW instance"
   default     = true
 }
+
+variable "powerbi_gw_root_volume_size" {
+  type        = number
+  description = "Size of the root EBS volume in GB"
+  default     = 40
+}
+
+variable "powerbi_gw_root_volume_iops" {
+  type        = number
+  description = "IOPS for the root EBS volume"
+  default     = 3000
+}

terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf

@@ -41,28 +41,4 @@ data "aws_iam_policy_document" "vault_policy" {
       resources = ["*"]
     }
   }
-
-  dynamic "statement" {
-    for_each = var.enable_vault_protection ? [1] : []
-    content {
-      sid    = "DenyBackupCopyExceptToSourceAccount"
-      effect = "Deny"
-
-      principals {
-        type        = "AWS"
-        identifiers = ["arn:aws:iam::${var.account_id}:root"]
-      }
-      actions = [
-        "backup:CopyFromBackupVault"
-      ]
-      resources = ["*"]
-      condition {
-        test     = "StringNotEquals"
-        variable = "backup:CopyTargets"
-        values = [
-          "arn:aws:backup:${var.region}:${var.source_account_id}:backup-vault:${var.region}-${var.source_account_id}-backup-vault"
-        ]
-      }
-    }
-  }
 }

terraform/backup-infrastructure/prod/aws-backup.tf

@@ -28,7 +28,8 @@ module "destination" {
   account_id              = local.destination_account_id
   source_account_id       = local.source_account_id
   kms_key                 = aws_kms_key.destination_backup_key.arn
-  enable_vault_protection = false
+  enable_vault_protection = true
+  vault_lock_type         = "compliance"
 }
 
 ###