Add extra managed policy dedicated to S3 backups

[GregoryVds]

what

AWS Backup for S3 buckets has reached GA recently (Feb 18 2022).

It seems AWS created a separate dedicated managed policy with the
permissions required to backup S3.

why

I am not sure if my fix is the correct way to address this, but for some reason that I ignore the managed policy of the backup service-linked role does not include the necessary S3 permissions and my backup fail (note that I did enable S3 for Backup in the Backup options via the Web Console).

references

• https://aws.amazon.com/about-aws/whats-new/2022/02/general-availability-aws-backup-amazon-s3/
• https://docs.aws.amazon.com/aws-backup/latest/devguide/security-iam-awsmanpol.html#aws-managed-policies

[GregoryVds]

Hello everyone,
Anyone to have a look and hopefully help me merge this patch? 🙏

[nitrocode]

Thanks for the PR @GregoryVds . I'm unsure if this is the correct way to fix this.

You can use the existing iam role functionality and attach this policy from outside the module. See iam_role_enabled = false and then give the module the role name created outside of the module using iam_role_name.

https://github.com/cloudposse/terraform-aws-iam-role#input_managed_policy_arns

module "iam_role" {
  source = "cloudposse/iam-role/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"

  # ... your inputs

  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup",
  ]
}

module "backup" {
  source = "cloudposse/backup/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"

  iam_role_enabled = false
  iam_role_name    = module.iam_role.name
}

---

It may be better to expose the iam role name as an output and then you can create the attachment from outside of the module

module "backup" {
  source = "cloudposse/backup/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"

  # ... your inputs
}

resource "aws_iam_role_policy_attachment" "s3" {
  policy_arn = "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup"
  role       = module.backup.iam_role_name
}

See PR #40

What do you think ?

[GregoryVds]

@nitrocode Thanks for reviewing and answering.

Yes, I could definitely create the attachment from outside of the module like you suggest.

Do you have a specific reason to treat the attachment of the generic AWSBackupServiceRolePolicyForBackup policy differently from the attachment of the S3 policy AWSBackupServiceRolePolicyForS3Backup?

Right now the module encapsulates nicely the policy attachment if you ask it to create the IAM role. This would be convenient for the user as I don't even need to know about this obscure new S3 policy.