From f20ab1e739c39f2c420a704319009e0e892b631b Mon Sep 17 00:00:00 2001
From: Anjali Trace
Date: Thu, 23 Apr 2026 15:28:32 +0100
Subject: [PATCH 1/4] NRL-2180 Make backup lifecycle duration fit into vault lock retention period range. Proposal
---
 terraform/account-wide-infrastructure/prod/aws-backup.tf | 1 +
 .../modules/aws-backup-destination/backup_vault_lock.tf | 2 +-
 .../modules/aws-backup-destination/backup_vault_policy.tf | 1 -
 .../modules/aws-backup-destination/variables.tf | 6 +++---
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/terraform/account-wide-infrastructure/prod/aws-backup.tf b/terraform/account-wide-infrastructure/prod/aws-backup.tf
index 5b2509b42..98ecff75a 100644
--- a/terraform/account-wide-infrastructure/prod/aws-backup.tf
+++ b/terraform/account-wide-infrastructure/prod/aws-backup.tf
@@ -180,6 +180,7 @@ module "source" {
 "schedule" : "cron(30 0 ? * 4#1)" # first Thursday each month from 00:30
 "copy_action" : [{
 "cold_storage_after" : 35,
+ # do we want this to be 400 for realsies?
 "delete_after" : 400 # ensures 1 from previous restore test
 }],
 "lifecycle" : {
diff --git a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf
index e1a31781e..6ae7e0c4e 100644
--- a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf
+++ b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf
@@ -1,7 +1,7 @@
 resource "aws_backup_vault_lock_configuration" "vault_lock" {
 count = var.enable_vault_protection ? 1 : 0
 backup_vault_name = aws_backup_vault.vault.name
- changeable_for_days = var.vault_lock_type == "compliance" ? var.changeable_for_days : null
+ changeable_for_days = var.vault_lock_type == "compliance" ? var.changeable_for_days : null # must not include this parameter at all UNLESS you want to create the vault lock in compliance mode. null = omitting the arg, yay!
 max_retention_days = var.vault_lock_max_retention_days
 min_retention_days = var.vault_lock_min_retention_days
 }
diff --git a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf
index 88ff64351..19e68a795 100644
--- a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf
+++ b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf
@@ -32,7 +32,6 @@ data "aws_iam_policy_document" "vault_policy" {
 }
 actions = [
 "backup:DeleteRecoveryPoint",
- "backup:PutBackupVaultAccessPolicy",
 "backup:UpdateRecoveryPointLifecycle",
 "backup:DeleteBackupVault",
 "backup:StartRestoreJob",
diff --git a/terraform/backup-infrastructure/modules/aws-backup-destination/variables.tf b/terraform/backup-infrastructure/modules/aws-backup-destination/variables.tf
index 75e620cfa..38fcce3d8 100644
--- a/terraform/backup-infrastructure/modules/aws-backup-destination/variables.tf
+++ b/terraform/backup-infrastructure/modules/aws-backup-destination/variables.tf
@@ -51,17 +51,17 @@ variable "vault_lock_type" {
 variable "vault_lock_min_retention_days" {
 description = "The minimum retention period that the vault retains its recovery points"
 type = number
- default = 365
+ default = 1
 }
 
 variable "vault_lock_max_retention_days" {
 description = "The maximum retention period that the vault retains its recovery points"
 type = number
- default = 365
+ default = 401
 }
 
 variable "changeable_for_days" {
 description = "How long you want the vault lock to be changeable for, only applies to compliance mode. This value is expressed in days no less than 3 and no greater than 36,500; otherwise, an error will return."
 type = number
- default = 14
+ default = 30
 }
From 3c73167d1555e1fd874d9a2c738494ba95e59d31 Mon Sep 17 00:00:00 2001
From: Anjali Trace
Date: Mon, 27 Apr 2026 09:03:06 +0100
Subject: [PATCH 2/4] NRL-2180 Make defaults sensible and define retention period per env
---
 .../account-wide-infrastructure/prod/aws-backup.tf | 1 -
 .../aws-backup-destination/backup_vault_lock.tf | 4 ++--
 .../aws-backup-destination/backup_vault_policy.tf | 1 +
 terraform/backup-infrastructure/prod/aws-backup.tf | 14 ++++++++------
 terraform/backup-infrastructure/test/aws-backup.tf | 13 ++++++++-----
 5 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/terraform/account-wide-infrastructure/prod/aws-backup.tf b/terraform/account-wide-infrastructure/prod/aws-backup.tf
index 98ecff75a..5b2509b42 100644
--- a/terraform/account-wide-infrastructure/prod/aws-backup.tf
+++ b/terraform/account-wide-infrastructure/prod/aws-backup.tf
@@ -180,7 +180,6 @@ module "source" {
 "schedule" : "cron(30 0 ? * 4#1)" # first Thursday each month from 00:30
 "copy_action" : [{
 "cold_storage_after" : 35,
- # do we want this to be 400 for realsies?
 "delete_after" : 400 # ensures 1 from previous restore test
 }],
 "lifecycle" : {
diff --git a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf
index 6ae7e0c4e..56fa3885a 100644
--- a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf
+++ b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf
@@ -1,7 +1,7 @@
 resource "aws_backup_vault_lock_configuration" "vault_lock" {
- count = var.enable_vault_protection ? 1 : 0
+ count = 1
 backup_vault_name = aws_backup_vault.vault.name
- changeable_for_days = var.vault_lock_type == "compliance" ? var.changeable_for_days : null # must not include this parameter at all UNLESS you want to create the vault lock in compliance mode. null = omitting the arg, yay!
+ changeable_for_days = var.vault_lock_type == "compliance" ? var.changeable_for_days : null # providing changeable_for_days === enabling compliance mode
 max_retention_days = var.vault_lock_max_retention_days
 min_retention_days = var.vault_lock_min_retention_days
 }
diff --git a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf
index 19e68a795..88ff64351 100644
--- a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf
+++ b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_policy.tf
@@ -32,6 +32,7 @@ data "aws_iam_policy_document" "vault_policy" {
 }
 actions = [
 "backup:DeleteRecoveryPoint",
+ "backup:PutBackupVaultAccessPolicy",
 "backup:UpdateRecoveryPointLifecycle",
 "backup:DeleteBackupVault",
 "backup:StartRestoreJob",
diff --git a/terraform/backup-infrastructure/prod/aws-backup.tf b/terraform/backup-infrastructure/prod/aws-backup.tf
index 6ef64e94a..08f464ded 100644
--- a/terraform/backup-infrastructure/prod/aws-backup.tf
+++ b/terraform/backup-infrastructure/prod/aws-backup.tf
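Review bot: `count = 1` in the backup_vault_lock.tf hunk makes the `enable_vault_protection` input dead while both callers in this series keep setting it — backup-infrastructure/test/aws-backup.tf passes `enable_vault_protection = false` yet now gets a governance-mode lock with the 4/105-day bounds, and prod's `= true` no longer controls anything. Either keep the conditional or drop the variable from the module and both callers, so nobody reads the flag as meaning the vault is unlocked. The replacement comment is correct as far as it goes; it would help a future reader more if it also named the consequence, e.g. `# compliance mode only when changeable_for_days is set; omitting it (null) gives governance mode`.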
@@ -24,12 +24,14 @@ resource "aws_kms_key" "destination_backup_key" {
 module "destination" {
 source = "../modules/aws-backup-destination"
 
- source_account_name = "prod" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name
- account_id = local.destination_account_id
- source_account_id = local.source_account_id
- kms_key = aws_kms_key.destination_backup_key.arn
- enable_vault_protection = true
- vault_lock_type = "compliance"
+ source_account_name = "prod" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name
+ account_id = local.destination_account_id
+ source_account_id = local.source_account_id
+ kms_key = aws_kms_key.destination_backup_key.arn
+ enable_vault_protection = true
+ vault_lock_type = "compliance"
+ vault_lock_min_retention_days = 28
+ vault_lock_max_retention_days = 400
 }
 
 ###
diff --git a/terraform/backup-infrastructure/test/aws-backup.tf b/terraform/backup-infrastructure/test/aws-backup.tf
index 19ee2e43a..44672a80e 100644
--- a/terraform/backup-infrastructure/test/aws-backup.tf
+++ b/terraform/backup-infrastructure/test/aws-backup.tf
@@ -24,11 +24,14 @@ resource "aws_kms_key" "destination_backup_key" {
 module "destination" {
 source = "../modules/aws-backup-destination"
 
- source_account_name = "test" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name
- account_id = local.destination_account_id
- source_account_id = local.source_account_id
- kms_key = aws_kms_key.destination_backup_key.arn
- enable_vault_protection = false
+ source_account_name = "test" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name
+ account_id = local.destination_account_id
+ source_account_id = local.source_account_id
+ kms_key = aws_kms_key.destination_backup_key.arn
+ enable_vault_protection = false
+ vault_lock_type = "governance"
+ vault_lock_min_retention_days = 4
+ vault_lock_max_retention_days = 105
 }
 
 ###
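Review bot: The 28/400-day bounds on the prod compliance lock stop being editable once the `changeable_for_days` window closes (30 days with the module default set earlier in this series), and from then on every copy job into this vault must carry a lifecycle inside that range or AWS refuses it. The only copy action visible in the series, in account-wide-infrastructure/prod/aws-backup.tf, uses `delete_after : 400` — exactly the ceiling — so a later nudge to either number silently breaks prod copies. Tie the two together where the value is set, e.g. `vault_lock_max_retention_days = 400 # must cover the largest copy_action delete_after in account-wide-infrastructure/prod/aws-backup.tf`, and note on the min line that any recovery point retained for fewer than 28 days will be rejected. `enable_vault_protection = true` no longer has any effect after the module change in this series.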
From 35efd5c36c6a06deee006c60bcec30744df08823 Mon Sep 17 00:00:00 2001
From: Anjali Trace
Date: Mon, 27 Apr 2026 09:13:23 +0100
Subject: [PATCH 3/4] NRL-2180 remove retention defaults
---
 .../modules/aws-backup-destination/variables.tf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/terraform/backup-infrastructure/modules/aws-backup-destination/variables.tf b/terraform/backup-infrastructure/modules/aws-backup-destination/variables.tf
index 38fcce3d8..2433a36f1 100644
--- a/terraform/backup-infrastructure/modules/aws-backup-destination/variables.tf
+++ b/terraform/backup-infrastructure/modules/aws-backup-destination/variables.tf
@@ -51,13 +51,11 @@ variable "vault_lock_type" {
 variable "vault_lock_min_retention_days" {
 description = "The minimum retention period that the vault retains its recovery points"
 type = number
- default = 1
 }
 
 variable "vault_lock_max_retention_days" {
 description = "The maximum retention period that the vault retains its recovery points"
 type = number
- default = 401
 }
 
 variable "changeable_for_days" {
From eae2b38447a229aaf1876372ae2d13a0eedc89ee Mon Sep 17 00:00:00 2001
From: Anjali Trace
Date: Tue, 28 Apr 2026 10:29:46 +0100
Subject: [PATCH 4/4] NRL-2180 remove redundant count line
---
 .../modules/aws-backup-destination/backup_vault_lock.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf
index 56fa3885a..f0ec6708c 100644
--- a/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf
+++ b/terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf
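Review bot: Removing the defaults is the right call for values a compliance lock later freezes, but the variables.tf hunk leaves the now-mandatory numbers unchecked, so a `0`, a negative value or a min above max most likely only surfaces at apply, while the lock configuration is being written. Add a `validation` block to each variable — `condition = var.vault_lock_min_retention_days >= 1` and `condition = var.vault_lock_max_retention_days >= 1`, each with an `error_message` naming the variable — and, if the pinned Terraform version allows cross-variable references in validation (1.9 and later), `condition = var.vault_lock_max_retention_days >= var.vault_lock_min_retention_days`. The descriptions should also spell out the unit and the fact that the bound is enforced, e.g. `description = "Minimum retention period, in days, that the vault lock enforces on every recovery point copied into the vault"`.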
@@ -1,5 +1,4 @@
 resource "aws_backup_vault_lock_configuration" "vault_lock" {
- count = 1
 backup_vault_name = aws_backup_vault.vault.name
 changeable_for_days = var.vault_lock_type == "compliance" ? var.changeable_for_days : null # providing changeable_for_days === enabling compliance mode
 max_retention_days = var.vault_lock_max_retention_days
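Review bot: Dropping `count` changes the resource address from `aws_backup_vault_lock_configuration.vault_lock[0]` to `aws_backup_vault_lock_configuration.vault_lock`, so the next plan will destroy the existing lock configuration and create a new one rather than keep it. For the prod compliance lock that destroy is refused by AWS once the changeable window has closed, and for the test governance lock it leaves the vault without a lock between the two steps. Add `moved { from = aws_backup_vault_lock_configuration.vault_lock[0] to = aws_backup_vault_lock_configuration.vault_lock }` next to the resource, or run `terraform state mv` before applying if the pinned Terraform version predates `moved` blocks. The resource body continues past the end of the hunk.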