LZVS-2638: Add support for Logically Air-Gapped Vault

[michelfasen-nhs]

Description

This PR adds support for the Logically Air-gapped Vault. It's an extension to the existing Backup Vault and as such the changes required to the template are minimal. The table below details how the resources supported by this template are backed up with Logically Air-gapped Vault enabled.

Resource	Fully managed	Air-gapped support	Vault destination
S3	Yes	Yes	Logically Air-Gapped Vault
DynamoDB	Yes	Yes	Logically Air-Gapped Vault
EBS	No	Yes	Backup Vault -> Logically Air-Gapped Vault
Aurora	No	Yes	Backup Vault -> Logically Air-Gapped Vault
RDS	No	No	Backup Vault

• Unsupported resources only back up to the Backup Vault
• Supported fully managed resources back up directly to Logically Air-Gapped Vault
• Other supported resources create a temporary (billable) snapshot in Backup Vault, then copy it to Logically Air-Gapped Vault

Context

Add support for Logically Air-Gapped Vault.

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

[TurboNHS]

I'm interested in this PR as well, so I've merge in main and resolved the conflicts.

I will test this out and see how it works shortly.

[TurboNHS]

@michelfasen-nhs, what's the purpose of calling it ...-vault-lag?

Wouldn't it be better to call it ...-air-gapped or something? To make it .. "more" clear?

[michelfasen-nhs]

@michelfasen-nhs, what's the purpose of calling it ...-vault-lag?

Wouldn't it be better to call it ...-air-gapped or something? To make it .. "more" clear?

No specific reason, we just happen to call the logically air-gapped vault 'lag'. It's what we're currently using in our deployments and it's not trivial to change Vault names.

[TurboNHS]

Ok, fair enough. Thanx.

So another question then, why is it still a DRAFT? Something missing?

[michelfasen-nhs]

It's in draft because we only just concluded the deployment in dev, we're only starting now to deploy it in prod. I actually just pushed another (small) change but don't expect anything else to come up. Our deployment also depends on PR#109 so haven't been able to test this PR on its own.

Happy to have a catch up to see how we're doing it and the pitfalls we encountered.

[TurboNHS]

I have my own PRs that I'm applying this on top, some of it does roughly the same as what you're doing in PR#109.

• Allow backup plans to be unset. #116
• Allow for the name prefix to have dashes. #117
• Allow to include environment name in resource names. #118
• Allow creating resources for multiple environments in the same account. #120

So can't really comment on this as a completely stand alone PR :). However, it does seem to apply perfectly fine.

[TurboNHS]

One question popped up in my head while I was applying it for my dev environment:

Because I create everything in ONE account, with several environments, all separated by environment (I do have prod and backup account separate as is required), should that/those air-gapped vault(s) be created one per environment, OR one per account?

I only want/need ONE backup vault (for the immutable backups), I don't really care if that account is destroyed, we have the data "elsewhere" and can fairly easily and quickly rebuild it from IaC. So they all (vaults for all the envs) copy into that one backup vault..

What exactly is the air-gapped vault used for!?

[michelfasen-nhs]

So you only backup Aurora (as RDS is not supported by the air-gapped vault and you seem to want to disable all other resource types)?

If you only backup Aurora then there's no need for a backup account as you can share the air-gapped vault with other accounts (via multi party approval). Air-gapped vaults are hosted in AWS managed accounts so even if your account got deleted or compromised, you can still access the backups. In theory that also means you don't need a backup account and thus reducing cost. But this all depends on the resource types you want to backup.

I created a document for our team about air-gapped vaults: https://nhsd-confluence.digital.nhs.uk/spaces/CCE/pages/1307479567/Logically+air-gapped+vault (should be public).

[TurboNHS]

That (account, backup, and immutable storage separation) is what I'm doing for prod (which copies it over to the backup account), but for non-prod, I don't care :).

MY (!) view is that this IaC is just as important to check, validate and verify as any other IaC, where we (everyone I hope!! :) have separation between environments. So getting this to work in "one account, many envs" is what I'm doing in my PRs.

Getting new account(s) is a lengthy process, and those before me choose to put all non-prod envs in one account. Which I'm not completely against, although I've always treated "account = environment" - accounts cost nothing, so why not do the separation if/when you have the chance.

However, I'm now stuck with multiple envs in my "dev" (i.e. "non-prod") account, and I don't really feel like separating them at this point. This kind'a works, so.. :).

So my question was more like, how should I do this in this (non-prod) case? It makes sense both ways, one shared air-gapped, but also individual air-gapped vaults.. So not sure how I should proceed.. Any toughts?

PS. This have technically nothing to do with this/your PR, but you seem to have a better understanding about this than me..