From 6e81c8b83849b9b7188bbd383d43ecb9e35005f5 Mon Sep 17 00:00:00 2001
From: Sandy Forrester
Date: Thu, 6 Nov 2025 17:15:31 +0000
Subject: [PATCH] NRL-1582 Update KMS policy with backup perms
---
 terraform/account-wide-infrastructure/dev/aws-backup.tf | 8 ++++++++
 terraform/account-wide-infrastructure/prod/aws-backup.tf | 8 ++++++++
 terraform/account-wide-infrastructure/test/aws-backup.tf | 8 ++++++++
 3 files changed, 24 insertions(+)
diff --git a/terraform/account-wide-infrastructure/dev/aws-backup.tf b/terraform/account-wide-infrastructure/dev/aws-backup.tf
index 8fe8ace39..b4e9b27a1 100644
--- a/terraform/account-wide-infrastructure/dev/aws-backup.tf
+++ b/terraform/account-wide-infrastructure/dev/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
 Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
 Resource = "*"
 },
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "backup.amazonaws.com"
+ }
+ Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
+ Resource = "*"
+ },
 ]
 })
 }
diff --git a/terraform/account-wide-infrastructure/prod/aws-backup.tf b/terraform/account-wide-infrastructure/prod/aws-backup.tf
index 05cd010fd..e86fed016 100644
--- a/terraform/account-wide-infrastructure/prod/aws-backup.tf
+++ b/terraform/account-wide-infrastructure/prod/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
 Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
 Resource = "*"
 },
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "backup.amazonaws.com"
+ }
+ Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
+ Resource = "*"
+ },
 ]
 })
 }
diff --git a/terraform/account-wide-infrastructure/test/aws-backup.tf b/terraform/account-wide-infrastructure/test/aws-backup.tf
index f4aec0652..7bd80f364 100644
--- a/terraform/account-wide-infrastructure/test/aws-backup.tf
+++ b/terraform/account-wide-infrastructure/test/aws-backup.tf
@@ -103,6 +103,14 @@ resource "aws_kms_key" "backup_notifications" {
 Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
 Resource = "*"
 },
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "backup.amazonaws.com"
+ }
+ Action = ["kms:GenerateDataKey*", "kms:Decrypt"]
+ Resource = "*"
+ },
 ]
 })
 }
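Review bot: The statement added to the `backup_notifications` key policy lets the `backup.amazonaws.com` service principal call `kms:GenerateDataKey*` and `kms:Decrypt` with no `Condition`, so nothing in the policy ties the grant to this account; the identical statements added to the dev and prod `aws-backup.tf` share the gap. A confused-deputy guard would scope it, e.g. `Condition = { StringEquals = { "aws:SourceAccount" = "<ACCOUNT_ID>" } }` (placeholder value), provided AWS Backup supplies that key on these KMS calls, which is worth confirming in dev before prod. The statement directly above carries the same two actions but its principal lies outside the hunk; a one-line comment on each statement saying which service needs the key, and for what, would make the policy easier to audit.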