From e158cd55c071e419fb618637e52c069a3c91b8c4 Mon Sep 17 00:00:00 2001
From: Tom Gowland
Date: Fri, 27 Jun 2025 14:36:25 +0000
Subject: [PATCH] SPINECORE-6443: add copy_target_arn_list which is a list of arns

---
 modules/aws-backup-destination/README.md | 1 +
 modules/aws-backup-destination/backup_vault_policy.tf | 6 ++----
 modules/aws-backup-destination/locals.tf | 6 ++++++
 modules/aws-backup-destination/variables.tf | 6 ++++++
 4 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 modules/aws-backup-destination/locals.tf

diff --git a/modules/aws-backup-destination/README.md b/modules/aws-backup-destination/README.md
index 34d9c90..4d1cd28 100644
--- a/modules/aws-backup-destination/README.md
+++ b/modules/aws-backup-destination/README.md
@@ -16,6 +16,7 @@ The AWS Backup Module helps automates the setup of AWS Backup resources in a des
 | [vault\_lock\_max\_retention\_days](#input\_vault\_lock\_max\_retention\_days) | The maximum retention period that the vault retains its recovery points | `number` | `365` | no |
 | [vault\_lock\_min\_retention\_days](#input\_vault\_lock\_min\_retention\_days) | The minimum retention period that the vault retains its recovery points | `number` | `365` | no |
 | [vault\_lock\_type](#input\_vault\_lock\_type) | The type of lock that the vault should be, will default to governance | `string` | `"governance"` | no |
+| [copy\_target\_arn\_list](#input\_copy\_target\_arn\_list) | A list of target ARNs to which restore points are allowed to be copied | `list(string)` | `null` | no |
 
 ## Example
 
diff --git a/modules/aws-backup-destination/backup_vault_policy.tf b/modules/aws-backup-destination/backup_vault_policy.tf
index 2249041..d267993 100644
--- a/modules/aws-backup-destination/backup_vault_policy.tf
+++ b/modules/aws-backup-destination/backup_vault_policy.tf
@@ -57,11 +57,9 @@ data "aws_iam_policy_document" "vault_policy" {
 ]
 resources = ["*"]
 condition {
-test = "StringNotEquals"
+test = "ArnNotEquals"
 variable = "backup:CopyTargets"
-values = [
-"arn:aws:backup:${var.region}:${var.source_account_id}:backup-vault:${var.region}-${var.source_account_id}-backup-vault"
-]
+values = local.copy_targets
 }
 }
 }
diff --git a/modules/aws-backup-destination/locals.tf b/modules/aws-backup-destination/locals.tf
new file mode 100644
index 0000000..3b8df21
--- /dev/null
+++ b/modules/aws-backup-destination/locals.tf
@@ -0,0 +1,6 @@
+locals {
+copy_targets = coalescelist(
+var.copy_target_arn_list,
+["arn:aws:backup:${var.region}:${var.source_account_id}:backup-vault:${var.region}-${var.source_account_id}-backup-vault"]
+)
+}
\ No newline at end of file
diff --git a/modules/aws-backup-destination/variables.tf b/modules/aws-backup-destination/variables.tf
index 5957f23..d230a43 100644
--- a/modules/aws-backup-destination/variables.tf
+++ b/modules/aws-backup-destination/variables.tf
@@ -65,3 +65,9 @@ variable "changeable_for_days" {
 type = number
 default = 14
 }
+
+variable "copy_target_arn_list" {
+description = "A list of target ARNs to which restore points are allowed to be copied"
+type = list(string)
+default = null
+}
\ No newline at end of file
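Review bot: The condition now tests `backup:CopyTargets` with a plain `ArnNotEquals`, but AWS's vault-policy examples for restricting copy destinations use the set form `ForAnyValue:ArnNotEquals`, since that key can carry more than one target ARN per request; please confirm against the current IAM condition-key documentation and, if so, change the line to `test = "ForAnyValue:ArnNotEquals"` so the deny is evaluated against every target. Separately, ARN condition operators honour `*` and `?` wildcards in the policy values, so a wildcard entry reaching `local.copy_targets` would stop this statement from ever matching; the list therefore needs to hold concrete vault ARNs only. The enclosing `data "aws_iam_policy_document"` statement, including its effect, begins outside the hunk, so the above assumes the statement is a Deny.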
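Review bot: `coalescelist` returns the first non-empty list, so an explicit `copy_target_arn_list = []` is treated exactly like `null` and silently yields the source-account vault ARN as an allowed copy target, which a caller who passed an empty "allowed targets" list may not expect. If that is the intended contract, say so next to the call, e.g. `# null and [] both fall back to the source-account vault ARN`; if not, distinguish the two with `var.copy_target_arn_list != null ? var.copy_target_arn_list : [...]` and decide explicitly what an empty list should produce in the policy. The fallback entry is built from `var.region` and `var.source_account_id`, which are declared outside this patch. The new file also ends without a trailing newline.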
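Review bot: `copy_target_arn_list` feeds an IAM condition directly but has no `validation` block, so a malformed entry, an ARN for a different service, or a wildcard (`*`/`?`, which ARN condition operators honour) would be accepted and could widen the set of vaults a recovery point may be copied to without any plan-time error. A validation restricting each entry to a fully qualified AWS Backup vault ARN keeps the policy's intent enforceable; the conditional guards the `null` default so the `for` never iterates a null value. The file also ends without a trailing newline.
```hcl
variable "copy_target_arn_list" {
  description = "A list of target ARNs to which restore points are allowed to be copied"
  type        = list(string)
  default     = null

  validation {
    condition = alltrue([
      for arn in(var.copy_target_arn_list != null ? var.copy_target_arn_list : []) :
      can(regex("^arn:aws[a-z-]*:backup:[a-z0-9-]+:[0-9]{12}:backup-vault:[A-Za-z0-9._-]+$", arn))
    ])
    error_message = "Each entry in copy_target_arn_list must be a fully qualified AWS Backup vault ARN with no wildcards."
  }
}
```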