From 95a7163e7d0754030f9faecae00078273d131223 Mon Sep 17 00:00:00 2001
From: Kate Bobyn
Date: Mon, 2 Feb 2026 11:05:59 +0000
Subject: [PATCH] NRL-1826 enable compliance mode
---
 .../backup_vault_policy.tf | 24 -------------------
 .../backup-infrastructure/prod/aws-backup.tf | 3 ++-
 2 files changed, 2 insertions(+), 25 deletions(-)
diff --git a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf
index 224904193..88ff64351 100644
--- a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf
+++ b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf
@@ -41,28 +41,4 @@ data "aws_iam_policy_document" "vault_policy" {
 resources = ["*"]
 }
 }
-
- dynamic "statement" {
- for_each = var.enable_vault_protection ? [1] : []
- content {
- sid = "DenyBackupCopyExceptToSourceAccount"
- effect = "Deny"
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.account_id}:root"]
- }
- actions = [
- "backup:CopyFromBackupVault"
- ]
- resources = ["*"]
- condition {
- test = "StringNotEquals"
- variable = "backup:CopyTargets"
- values = [
- "arn:aws:backup:${var.region}:${var.source_account_id}:backup-vault:${var.region}-${var.source_account_id}-backup-vault"
- ]
- }
- }
- }
 }
diff --git a/terraform/backup-infrastructure/prod/aws-backup.tf b/terraform/backup-infrastructure/prod/aws-backup.tf
index 69e4c03d2..6ef64e94a 100644
--- a/terraform/backup-infrastructure/prod/aws-backup.tf
+++ b/terraform/backup-infrastructure/prod/aws-backup.tf
@@ -28,7 +28,8 @@ module "destination" {
 account_id = local.destination_account_id
 source_account_id = local.source_account_id
 kms_key = aws_kms_key.destination_backup_key.arn
- enable_vault_protection = false
+ enable_vault_protection = true
+ vault_lock_type = "compliance"
 }
 ###
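Review bot: `vault_lock_type = "compliance"` on the prod destination module is a one-way door — once the lock's cooling-off window (changeable_for_days) closes, neither the account root nor AWS can remove the lock or lower the minimum retention, so the retention and cooling-off values the module applies (not visible in this diff) should be checked before this is applied to prod, and the line deserves a comment such as `# compliance lock is immutable after the cooling-off period; confirm min/max retention and changeable_for_days before apply`. Separately, the same commit deletes the `DenyBackupCopyExceptToSourceAccount` vault-policy statement from the module, and a compliance lock only prevents recovery points from being deleted; it does not stop `backup:CopyFromBackupVault` copying them to a vault in another account, so if that copy restriction is intentionally dropped the commit message should say why, and if not it should be kept alongside the lock. `enable_vault_protection` is now true while its only use visible in this diff (the `for_each` gate on the deleted statement) is gone — fine if it still gates the lock resource elsewhere in the module, otherwise it is a dead input. The `module "destination"` block begins before this hunk.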