NRL-2180 Make backup lifecycle duration fit into vault lock retention period range

terraform/backup-infrastructure/modules/aws-backup-destination/backup_vault_lock.tf

@@ -1,7 +1,6 @@
 resource "aws_backup_vault_lock_configuration" "vault_lock" {
-  count               = var.enable_vault_protection ? 1 : 0
   backup_vault_name   = aws_backup_vault.vault.name
-  changeable_for_days = var.vault_lock_type == "compliance" ? var.changeable_for_days : null
+  changeable_for_days = var.vault_lock_type == "compliance" ? var.changeable_for_days : null # providing changeable_for_days === enabling compliance mode
   max_retention_days  = var.vault_lock_max_retention_days
   min_retention_days  = var.vault_lock_min_retention_days
 }

terraform/backup-infrastructure/modules/aws-backup-destination/variables.tf

@@ -51,17 +51,15 @@ variable "vault_lock_type" {
 variable "vault_lock_min_retention_days" {
   description = "The minimum retention period that the vault retains its recovery points"
   type        = number
-  default     = 365
 }
 
 variable "vault_lock_max_retention_days" {
   description = "The maximum retention period that the vault retains its recovery points"
   type        = number
-  default     = 365
 }
 
 variable "changeable_for_days" {
   description = "How long you want the vault lock to be changeable for, only applies to compliance mode. This value is expressed in days no less than 3 and no greater than 36,500; otherwise, an error will return."
   type        = number
-  default     = 14
+  default     = 30
 }

terraform/backup-infrastructure/prod/aws-backup.tf

@@ -24,12 +24,14 @@ resource "aws_kms_key" "destination_backup_key" {
 module "destination" {
   source = "../modules/aws-backup-destination"
 
-  source_account_name     = "prod" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name
-  account_id              = local.destination_account_id
-  source_account_id       = local.source_account_id
-  kms_key                 = aws_kms_key.destination_backup_key.arn
-  enable_vault_protection = true
-  vault_lock_type         = "compliance"
+  source_account_name           = "prod" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name
+  account_id                    = local.destination_account_id
+  source_account_id             = local.source_account_id
+  kms_key                       = aws_kms_key.destination_backup_key.arn
+  enable_vault_protection       = true
+  vault_lock_type               = "compliance"
+  vault_lock_min_retention_days = 28
+  vault_lock_max_retention_days = 400
 }
 
 ###

terraform/backup-infrastructure/test/aws-backup.tf

@@ -24,11 +24,14 @@ resource "aws_kms_key" "destination_backup_key" {
 module "destination" {
   source = "../modules/aws-backup-destination"
 
-  source_account_name     = "test" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name
-  account_id              = local.destination_account_id
-  source_account_id       = local.source_account_id
-  kms_key                 = aws_kms_key.destination_backup_key.arn
-  enable_vault_protection = false
+  source_account_name           = "test" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name
+  account_id                    = local.destination_account_id
+  source_account_id             = local.source_account_id
+  kms_key                       = aws_kms_key.destination_backup_key.arn
+  enable_vault_protection       = false
+  vault_lock_type               = "governance"
+  vault_lock_min_retention_days = 4
+  vault_lock_max_retention_days = 105
 }
 
 ###