ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

Enable AWS Backup Vault lock #7265

Closed davidkelliott closed 9 hours ago

davidkelliott commented 2 weeks ago

User Story

As an MP engineer
I want to be able to lock backups
So they can't be deleted in a malicious scenario

Value / Purpose

Ensure we can restore the platform

Useful Contacts

No response

Additional Information

https://docs.google.com/document/d/1b-YnoUE7ecC0qFd2bFpe86KO_VVJT0VVVX2RzbX_LpQ/edit

Resolves Principal 1

Proposal / Unknowns

Hypothesis If we... [do a thing] Then... [this will happ]

Proposal A proposal that is something testable, don't worry whether it works or not, it's a place for ideas.

Unknowns Potential pitfalls that could cause the story to expand beyond its original scope. Ideally this section will remain blank.

Definition of Done

ep-93 commented 1 week ago

Tested in cooker

# Locks backups
resource "aws_backup_vault_lock_configuration" "default" {
  backup_vault_name = aws_backup_vault.default.name
  changeable_for_days = 3
  min_retention_days = 30
  max_retention_days = 30
}

I could make them variables, but we don't want differences, will push up a PR
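
An added check, not part of the original comment or the project's code: it classifies a vault's lock state from the JSON that `aws backup describe-backup-vault` returns, to confirm that the 3-day `changeable_for_days` window has passed and the 30-day retention bounds are in force. The sample JSON, the vault name and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample, shaped like `aws backup describe-backup-vault` output.
SAMPLE = """{
  "BackupVaultName": "example-vault",
  "Locked": true,
  "MinRetentionDays": 30,
  "MaxRetentionDays": 30,
  "LockDate": "2024-06-13T10:00:00+00:00"
}"""


def lock_state(vault, now):
    """Return unlocked, governance, compliance-cooling-off or compliance-immutable."""
    if not vault.get("Locked"):
        return "unlocked"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        # No lock date: the lock can be changed or deleted at any time.
        return "governance"
    when = datetime.fromisoformat(str(lock_date).replace("Z", "+00:00"))
    return "compliance-cooling-off" if now < when else "compliance-immutable"


def findings(vault, now, want_min=30, want_max=30):
    """List deviations from the configuration in the comment above."""
    out = []
    state = lock_state(vault, now)
    if state != "compliance-immutable":
        out.append(f"lock can still be changed or removed (state: {state})")
    for key, want in (("MinRetentionDays", want_min), ("MaxRetentionDays", want_max)):
        if vault.get(key) != want:
            out.append(f"{key} is {vault.get(key)}, expected {want}")
    return out


def retention_accepted(vault, delete_after_days):
    """True if a job with this retention falls inside the vault's lock bounds."""
    lo, hi = vault.get("MinRetentionDays"), vault.get("MaxRetentionDays")
    return (lo is None or delete_after_days >= lo) and (hi is None or delete_after_days <= hi)


if __name__ == "__main__":
    vault = json.loads(SAMPLE)
    now = datetime(2024, 6, 11, tzinfo=timezone.utc)  # inside the 3-day window
    print(lock_state(vault, now), findings(vault, now))
    print("7-day retention accepted:", retention_accepted(vault, 7))
```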