Merge pull request #9027 from ministryofjustice/issue/8617-usinglocal

Issue/8617 - Using local environment_management to obtain the local account id.
ministryofjustice · Jan 21, 2025 · 4604f2e · 4604f2e
2 parents 3bca868 + ab9cb1c
commit 4604f2e
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/terraform/environments/bootstrap/single-sign-on/policies.tf b/terraform/environments/bootstrap/single-sign-on/policies.tf
@@ -367,6 +367,19 @@ data "aws_iam_policy_document" "developer_additional" {
     }
   }
 
+  # Additional statement that allows for the creation of on-demand AWS Backups.
+  statement {
+    sid       = "AllowPassRoleForBackup"
+    effect    = "Allow"
+    actions   = ["iam:PassRole"]
+    resources = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/AWSBackup"]
+    condition {
+      test     = "StringEquals"
+      variable = "iam:PassedToService"
+      values   = ["backup.amazonaws.com"]
+    }
+  }
+
 }
 
 # data engineering policy (developer + glue + some athena)