This adds permissions to allow the developer policy to create on-dema…

…nd AWS Backups.
ministryofjustice · Jan 17, 2025 · 1536f26 · 1536f26
1 parent e25ff36
commit 1536f26
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/terraform/environments/bootstrap/single-sign-on/data.tf b/terraform/environments/bootstrap/single-sign-on/data.tf
@@ -6,4 +6,11 @@ data "aws_s3_bucket" "mod_platform_artefact" {
 # To Get Modernisation Platform Account Number
 data "aws_ssm_parameter" "modernisation_platform_account_id" {
   name = "modernisation_platform_account_id"
+}
+
+# Allows access to the current account ID
+data "aws_caller_identity" "current" {}
+
+output "account_id" {
+  value = data.aws_caller_identity.current.account_id
 }
diff --git a/terraform/environments/bootstrap/single-sign-on/policies.tf b/terraform/environments/bootstrap/single-sign-on/policies.tf
@@ -361,6 +361,20 @@ data "aws_iam_policy_document" "developer_additional" {
       values   = ["true"]
     }
   }
+
+  # Additional statement that allows for the creation of on-demand AWS Backups.
+  statement {
+    sid    = "AllowPassRoleForBackup"
+    effect = "Allow"
+    actions = ["iam:PassRole"]
+    resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/AWSBackup"]
+    condition {
+      test     = "StringEquals"
+      variable = "iam:PassedToService"
+      values   = ["backup.amazonaws.com"]
+    }
+  }
+
 }
 
 # data engineering policy (developer + glue + some athena)