Modify the backup vault access policies that contain restrictive clauses to prevent their deletion

This commit fixes the following error when trying to delete backup vault access policies for vaults (`aws/efs/automatic-backup-vault`)
automatically created when EFS backup is enabled.

```
time="2023-10-05T15:37:07Z" level=error msg="AccessDeniedException: User: arn:aws:sts::X:assumed-role/XRole/SAAssumedRoleSession is not authorized to perform: backup:DeleteBackupVaultAccessPolicy on resource: arn:aws:backup:us-east-1:X:backup-vault:aws/efs/automatic-backup-vault with an explicit deny in a resource-based policy
```

The module, before attempting to delete the backup vault access policy, sets a permissive policy
to ensure `backup:DeleteBackupVaultAccessPolicy` is allowed.

The operation to put a policy to allow `backup:DeleteBackupVaultAccessPolicy` was silently failing due to an
error:

```
The specified policy cannot be added to the vault due to cross-account sharing restrictions.
Amend the policy or the vault's settings, then retry request
```

This commit updates the policy to use the default as a template, excluding delete actions.

Signed-off-by: Gabriela S. Soria <gsoria@oreilly.com>
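As an added example (not part of this commit or of the project the file belongs to), the Go helper below generalises the commit's approach: rather than hard-coding a copy of the default policy, it takes a vault's current access policy and removes `backup:Delete*` actions from its Deny statements, keeping the Deny-based shape that the commit found the service accepts. `StripDeniedDeletes` and `SampleDefaultPolicy` are hypothetical names, and the sample policy is constructed from the actions named in the diff, not a verbatim copy of the real default.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SampleDefaultPolicy is a constructed stand-in for the default vault policy, not a verbatim copy.
const SampleDefaultPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Principal":{"AWS":"*"},
"Action":["backup:DeleteBackupVaultAccessPolicy","backup:DeleteRecoveryPoint","backup:StartCopyJob",
"backup:StartRestoreJob","backup:UpdateRecoveryPointLifecycle"],"Resource":"*"}]}`

// StripDeniedDeletes (hypothetical helper, not the project's code) removes every backup:Delete*
// action from the Deny statements of doc and drops a Deny left with no actions. Allow and
// NotAction statements and unknown keys pass through; wildcards like "backup:*" are not expanded.
func StripDeniedDeletes(doc string) (string, error) {
	var pol map[string]interface{}
	err := json.Unmarshal([]byte(doc), &pol)
	stmts, ok := pol["Statement"].([]interface{})
	if err != nil || !ok {
		return "", fmt.Errorf("not a policy document with a Statement array: %v", err)
	}
	kept := make([]interface{}, 0, len(stmts))
	for _, raw := range stmts {
		st, isObj := raw.(map[string]interface{})
		if !isObj || st["Effect"] != "Deny" || st["Action"] == nil {
			kept = append(kept, raw) // only a Deny on Action can block the delete call
			continue
		}
		actions, _ := st["Action"].([]interface{})
		if s, isStr := st["Action"].(string); isStr {
			actions = []interface{}{s} // "Action" may be a bare string
		}
		filtered := make([]interface{}, 0, len(actions))
		for _, a := range actions {
			if s, _ := a.(string); !strings.HasPrefix(s, "backup:Delete") {
				filtered = append(filtered, a)
			}
		}
		if len(filtered) == 0 {
			continue // nothing left to deny, drop the whole statement
		}
		st["Action"] = filtered
		kept = append(kept, st)
	}
	pol["Statement"] = kept
	out, err := json.Marshal(pol)
	return string(out), err
}
```

Feed the output to `PutBackupVaultAccessPolicy` before calling `DeleteBackupVaultAccessPolicy`; a Deny that uses `backup:*` is left untouched and still needs a manual look.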
gsoria committed Nov 10, 2023
1 parent 04688f8 commit 2d96dc7
Showing 1 changed file with 25 additions and 15 deletions.
40 changes: 25 additions & 15 deletions resources/backup-vaults-access-policies.go
Expand Up @@ -58,7 +58,7 @@ func ListBackupVaultAccessPolicies(sess *session.Session) ([]Resource, error) {
}

func (b *BackupVaultAccessPolicy) Remove() error {
// Set the policy to a policy that allows deletion before removal.
// Set a policy that allows deletion before removal.
//
// This is required to delete the policy for the automagically created vaults
// such as "aws/efs/automatic-backup-vault" from EFS automatic backups
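Review bot: The new comment "Set a policy that allows deletion before removal" overstates what the replacement policy does; the second hunk replaces the Allow on `backup:DeleteBackupVaultAccessPolicy` with a Deny statement that simply omits the Delete* actions, so wording such as "Set a policy that no longer denies deletion before removal" would match the code. The retained "automagically created vaults" line could also read "automatically created vaults".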
Expand Down Expand Up @@ -87,21 +87,31 @@ func (b *BackupVaultAccessPolicy) Remove() error {
// ]
// }
//
// While deletion is Denied, you can update the policy with one that
// doesn't deny and then delete at will.
// Update the default policy to remove the Deny on Delete* actions
// and then delete the policy.
//
// Why not putting a policy that allows `backup:DeleteBackupVaultAccessPolicy` in the first place?
// Because that throws an error:
// ' The specified policy cannot be added to the vault due to cross-account sharing restrictions.
// Amend the policy or the vault's settings, then retry request'
//
allowDeletionPolicy := `{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "backup:DeleteBackupVaultAccessPolicy",
"Resource": "*"
}
]
}`
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": [
"backup:StartCopyJob",
"backup:StartRestoreJob",
"backup:UpdateRecoveryPointLifecycle"
],
"Resource": "*"
}
]
}`
// Ignore error from if we can't put permissive backup vault policy in for some reason, that's OK.
_, _ = b.svc.PutBackupVaultAccessPolicy(&backup.PutBackupVaultAccessPolicyInput{
BackupVaultName: &b.backupVaultName,
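Review bot: The return value of `PutBackupVaultAccessPolicy` is still discarded (`_, _ = b.svc.PutBackupVaultAccessPolicy(...)` under "Ignore error from if we can't put permissive backup vault policy in for some reason, that's OK"), which is the same silent failure that hid the cross-account sharing rejection described in the commit message; capture the error and log it, at least at debug level, so the next rejected policy document is visible instead of surfacing only as a later AccessDeniedException. The variable `allowDeletionPolicy` now holds a Deny statement that merely leaves out Delete* actions, so a name such as `nonDenyDeletePolicy` would match the new comment "Update the default policy to remove the Deny on Delete* actions", and the quoted error text in the comment carries a stray space after the opening quote (`' The specified policy`).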
