Add storage account for sanitised backups

DFE-Digital · Feb 5, 2025 · cc5464a · cc5464a
1 parent 67bc019
commit cc5464a
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 1 deletion.
diff --git a/terraform/aks/.terraform.lock.hcl b/terraform/aks/.terraform.lock.hcl
diff --git a/terraform/aks/storage.tf b/terraform/aks/storage.tf
@@ -0,0 +1,58 @@
+locals {
+  uploads_default_storage_account_name = "${var.azure_resource_prefix}${var.service_short}dbbkpsan${var.config_short}sa"
+}
+
+
+resource "azurerm_storage_account" "sanitised_uploads" {
+  count                             = var.enable_sanitised_storage ? 1 : 0
+
+  name                              = local.uploads_default_storage_account_name
+  resource_group_name               = "${var.azure_resource_prefix}-${var.service_short}-${var.config_short}-rg"
+  location                          = "UK South"
+  account_replication_type          = "LRS"
+  account_tier                      = "Standard"
+  account_kind                      = "StorageV2"
+  min_tls_version                   = "TLS1_2"
+  infrastructure_encryption_enabled = true
+  allow_nested_items_to_be_public   = false
+  cross_tenant_replication_enabled  = false
+
+  blob_properties {
+
+    container_delete_retention_policy {
+      days = 7
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+
+resource "azurerm_storage_management_policy" "backup" {
+  count = var.enable_sanitised_storage ? 1 : 0
+
+  storage_account_id = azurerm_storage_account.sanitised_uploads[0].id
+
+  rule {
+    name    = "DeleteAfter7Days"
+    enabled = true
+    filters {
+      blob_types = ["blockBlob"]
+    }
+    actions {
+      base_blob {
+        delete_after_days_since_modification_greater_than = 7
+      }
+    }
+  }
+}
+
+
+resource "azurerm_storage_container" "sanitised_uploads" {
+  count                 = var.enable_sanitised_storage ? 1 : 0
+
+  name                  = "database-backup"
+  storage_account_name  = azurerm_storage_account.sanitised_uploads[0].name
+  container_access_type = "private"
+}
diff --git a/terraform/aks/variables.tf b/terraform/aks/variables.tf
@@ -136,3 +136,14 @@ variable "apex_urls" {
   type        = list(string)
   default     = []
 }
+
+variable "enable_sanitised_storage" {
+  description = "Enable sanitised storage account"
+  type        = bool
+  default     = false
+}
+
+variable "uploads_storage_account_name" {
+  type    = string
+  default = null
+}
diff --git a/terraform/aks/workspace_variables/production.tfvars.json b/terraform/aks/workspace_variables/production.tfvars.json
@@ -38,5 +38,6 @@
     "https://find-teacher-training-courses.service.gov.uk",
     "https://find-postgraduate-teacher-training.service.gov.uk",
     "https://publish-teacher-training-courses.service.gov.uk"
-  ]
+  ],
+  "enable_sanitised_storage": true
 }