Replace homegrown backup policy with AWS managed ones

heerener · heerener · commit a276e05e5629 · 2025-10-23T16:20:38.000+02:00
diff --git a/backups/backup_plan.tf b/backups/backup_plan.tf
@@ -33,77 +33,18 @@ resource "aws_iam_role" "backup_role" {
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
-resource "aws_iam_role_policy" "backup_role_policy" {
-  name = "backup_role_policy"
-  role = aws_iam_role.backup_role.id
+resource "aws_iam_role_policy_attachment" "backup_role_managed_s3_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup"
+  role       = aws_iam_role.backup_role.name
+}
 
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = [
-          "tag:getResources",
-        ]
-        Effect   = "Allow"
-        Resource = "*"
-      },
-      {
-        Action = [
-          "rds:DescribeDBInstances",
-          "rds:DescribeDBClusters",
-          "rds:ListTagsForResource",
-          "rds:CreateDBSnapshot",
-          "rds:DeleteDBSnapshot",
-          "rds:CopyDBSnapshot",
-          "rds:DescribeDBSnapshots",
-          "rds:AddTagsToResource"
-        ]
-        Effect   = "Allow"
-        Resource = "*"
-      },
-      {
-        Action = [
-          "s3:GetBucketNotification",
-          "s3:GetBucketLocation",
-          "s3:ListBucket",
-          "s3:GetBucketTagging",
-          "s3:GetBucketVersioning",
-          "s3:GetBucketPublicAccessBlock",
-          "s3:GetBucketAcl",
-          "s3:GetBucketPolicy",
-          "s3:GetObject",
-          "s3:GetObjectVersion",
-          "s3:GetObjectTagging",
-          "s3:GetObjectAcl",
-          "s3:PutBucketNotification",
-          "s3:ListBucketVersions",
-          "events:ListRules",
-          "events:PutRule",
-          "events:ListTargetsByRule",
-          "events:PutTargets",
-          "events:RemoveTargets",
-          "events:DeleteRule",
-          "cloudwatch:GetMetricData"
-        ]
-        Effect   = "Allow"
-        Resource = "*"
-      },
-      {
-        Action = [
-          "elasticfilesystem:DescribeFileSystems",
-          "elasticfilesystem:DescribeBackupPolicy",
-          "elasticfilesystem:Backup",
-          "elasticfilesystem:DescribeTags"
-        ]
-        Effect   = "Allow"
-        Resource = "*"
-      }
-    ]
-  })
+resource "aws_iam_role_policy_attachment" "backup_role_service_linked_backu" {
+  policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AWSBackupServiceLinkedRolePolicyForBackup"
+  role       = aws_iam_role.backup_role.name
 }
 
-resource "aws_iam_role_policy_attachment" "backup_role_managed_s3_policy" {
-  policy_arn = "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup"
+resource "aws_iam_role_policy_attachment" "backup_role_service_linked_backu" {
+  policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AWSBackupServiceRolePolicyForBackup"
   role       = aws_iam_role.backup_role.name
 }
 
