From 22d50571fcfa03967a925ca82ac94e358fcfcc6c Mon Sep 17 00:00:00 2001
From: aidenvaines-bjss
Date: Wed, 11 Jun 2025 16:35:29 +0100
Subject: [PATCH 1/4] CCM-10039 addingBackupTagResourcePerm

---
 .../aws-backup-source/iam_role_backup.tf | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/infrastructure/modules/aws-backup-source/iam_role_backup.tf b/infrastructure/modules/aws-backup-source/iam_role_backup.tf
index fc71743..dccf737 100644
--- a/infrastructure/modules/aws-backup-source/iam_role_backup.tf
+++ b/infrastructure/modules/aws-backup-source/iam_role_backup.tf
@@ -35,3 +35,30 @@ resource "aws_iam_role_policy_attachment" "s3_backup" {
 policy_arn = "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup"
 role = aws_iam_role.backup.name
 }
+
+
+resource "aws_iam_role_policy_attachment" "backup_additional" {
+ role = aws_iam_role.backup.name
+ policy_arn = aws_iam_policy.backup_additional.arn
+}
+
+resource "aws_iam_policy" "backup_additional" {
+ name = "${local.csi}-backup_additional"
+ description = "Amplify "
+ policy = data.aws_iam_policy_document.backup_additional.json
+}
+
+data "aws_iam_policy_document" "backup_additional" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "backup:TagResource",
+ ]
+
+ #trivy:ignore:aws-iam-no-policy-wildcards
+ resources = [
+ "*",
+ ]
+ }
+}

From 27d13724bf5cc8b242da87f1da2c95d54e35e8d0 Mon Sep 17 00:00:00 2001
From: aidenvaines-bjss
Date: Wed, 11 Jun 2025 16:49:48 +0100
Subject: [PATCH 2/4] CCM-10039 addingBackupTagResourcePerm

---
 infrastructure/modules/aws-backup-source/variables.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/infrastructure/modules/aws-backup-source/variables.tf b/infrastructure/modules/aws-backup-source/variables.tf
index 8922fd9..9a6f8a1 100644
--- a/infrastructure/modules/aws-backup-source/variables.tf
+++ b/infrastructure/modules/aws-backup-source/variables.tf
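Review bot: The new `backup_additional` policy document grants `backup:TagResource` on `resources = ["*"]` and silences the scanner with `#trivy:ignore:aws-iam-no-policy-wildcards` instead of scoping the statement. AWS Backup supports resource-level permissions for tagging, so the statement could be restricted to the ARNs this module manages — at minimum the backup vault(s) it creates (placeholder `aws_backup_vault.<vault>.arn`) — which keeps the role from tagging vaults, plans or recovery points it does not own. If resource-level scoping is genuinely impractical here, the suppression should carry its reasoning so it survives audit, e.g. `#trivy:ignore:aws-iam-no-policy-wildcards <JUSTIFICATION: why the target ARNs cannot be enumerated in this module>`. Note that `aws_iam_role.backup` and `local.csi` are referenced from outside this hunk.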
@@ -16,6 +16,7 @@ variable "component" {
 variable "name" {
 type = string
 description = "The variable encapsulating the name of this bucket"
+ default = "backup"
 }
 
 variable "default_tags" {

From 435dfe74fc246acff80585cdb1b374c46c244897 Mon Sep 17 00:00:00 2001
From: aidenvaines-bjss
Date: Wed, 11 Jun 2025 16:53:40 +0100
Subject: [PATCH 3/4] CCM-10039 addingBackupTagResourcePerm

---
 infrastructure/modules/aws-backup-source/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/modules/aws-backup-source/README.md b/infrastructure/modules/aws-backup-source/README.md
index 98ff410..1b30063 100644
--- a/infrastructure/modules/aws-backup-source/README.md
+++ b/infrastructure/modules/aws-backup-source/README.md
@@ -62,7 +62,7 @@ No requirements.
 | [default\_tags](#input\_default\_tags) | Default tag map for application to all taggable resources in the module | `map(string)` | `{}` | no |
 | [environment](#input\_environment) | The name of the environment where AWS Backup is configured. | `string` | n/a | yes |
 | [management\_ci\_role\_arn](#input\_management\_ci\_role\_arn) | ARN of Terraform role used to deploy to account | `string` | n/a | yes |
-| [name](#input\_name) | The variable encapsulating the name of this bucket | `string` | n/a | yes |
+| [name](#input\_name) | The variable encapsulating the name of this bucket | `string` | `"backup"` | no |
 | [notification\_kms\_key](#input\_notification\_kms\_key) | The ARN of the bootstrap KMS key used for encryption at rest of the SNS topic. | `string` | n/a | yes |
 | [notifications\_target\_email\_address](#input\_notifications\_target\_email\_address) | The email address to which backup notifications will be sent via SNS. | `string` | `""` | no |
 | [principal\_org\_id](#input\_principal\_org\_id) | The AWS Org ID (numeric) | `string` | n/a | yes |

From 161c6d0c42afa593326a3319742f121ee824507e Mon Sep 17 00:00:00 2001
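Review bot: Adding `default = "backup"` to `variable "name"` turns a required input into an optional one, which changes the module contract for every caller without a compensating guard. If `local.csi` incorporates `var.name` (not visible in this series), the IAM policy name `${local.csi}-backup_additional` introduced in the first patch is derived from it, so two instances of the module in one account would now collide on that name unless callers still pass distinct values; IAM policy names are unique per account. If the default is intended, a `validation` block on the variable that rejects an empty string would keep the derived names well-formed, and the description — still `"The variable encapsulating the name of this bucket"` and copied verbatim into the README in the next hunk — should say what the value actually names in this module.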
From: aidenvaines-bjss
Date: Wed, 11 Jun 2025 17:03:27 +0100
Subject: [PATCH 4/4] CCM-10039 addingBackupTagResourcePerm

---
 infrastructure/modules/aws-backup-source/iam_role_backup.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/modules/aws-backup-source/iam_role_backup.tf b/infrastructure/modules/aws-backup-source/iam_role_backup.tf
index dccf737..fe8d00a 100644
--- a/infrastructure/modules/aws-backup-source/iam_role_backup.tf
+++ b/infrastructure/modules/aws-backup-source/iam_role_backup.tf
@@ -44,7 +44,7 @@ resource "aws_iam_role_policy_attachment" "backup_additional" {
 
 resource "aws_iam_policy" "backup_additional" {
 name = "${local.csi}-backup_additional"
- description = "Amplify "
+ description = "Additional Backup Actions"
 policy = data.aws_iam_policy_document.backup_additional.json
 }
 