From 299956b4876ecbfdea83abbd9f280a3837a7e53a Mon Sep 17 00:00:00 2001
From: TurboNHS <turbo.fredriksson1@nhs.net>
Date: Wed, 22 Apr 2026 15:24:10 +0100
Subject: [PATCH] Allow to include environment name in resource names.

If we're going to be able to have all resources for multiple environments
in one account (PR pending), we must make sure that all resources have the
environment name in them, so they can be separated.
---
 modules/aws-backup-source/backup_report_plan.tf     | 8 ++++----
 modules/aws-backup-source/backup_restore_testing.tf | 2 +-
 modules/aws-backup-source/iam.tf                    | 2 +-
 modules/aws-backup-source/kms.tf                    | 2 +-
 modules/aws-backup-source/locals.tf                 | 2 +-
 modules/aws-backup-source/variables.tf              | 6 ++++++
 6 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/modules/aws-backup-source/backup_report_plan.tf b/modules/aws-backup-source/backup_report_plan.tf
index cdb1d1c..a736884 100644
--- a/modules/aws-backup-source/backup_report_plan.tf
+++ b/modules/aws-backup-source/backup_report_plan.tf
@@ -1,6 +1,6 @@
 # Create the reports
 resource "aws_backup_report_plan" "backup_jobs" {
-  name        = var.name_prefix != null ? "${var.name_prefix}_backup_jobs" : "backup_jobs"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_jobs" : "backup_jobs"
   description = "Report for showing whether backups ran successfully in the last 24 hours"
 
   report_delivery_channel {
@@ -18,7 +18,7 @@ resource "aws_backup_report_plan" "backup_jobs" {
 
 # Create the restore testing completion reports
 resource "aws_backup_report_plan" "backup_restore_testing_jobs" {
-  name        = var.name_prefix != null ? "${var.name_prefix}_backup_restore_testing_jobs" : "backup_restore_testing_jobs"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_restore_testing_jobs" : "backup_restore_testing_jobs"
   description = "Report for showing whether backup restore test ran successfully in the last 24 hours"
 
   report_delivery_channel {
@@ -35,7 +35,7 @@ resource "aws_backup_report_plan" "backup_restore_testing_jobs" {
 }
 
 resource "aws_backup_report_plan" "resource_compliance" {
-  name        = var.name_prefix != null ? "${var.name_prefix}_resource_compliance" : "resource_compliance"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_resource_compliance" : "resource_compliance"
   description = "Report for showing whether resources are compliant with the framework"
 
   report_delivery_channel {
@@ -55,7 +55,7 @@ resource "aws_backup_report_plan" "resource_compliance" {
 
 resource "aws_backup_report_plan" "copy_jobs" {
   count       = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? 1 : 0
-  name        = var.name_prefix != null ? "${var.name_prefix}_copy_jobs" : "copy_jobs"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_copy_jobs" : "copy_jobs"
   description = "Report for showing whether copies ran successfully in the last 24 hours"
 
   report_delivery_channel {
diff --git a/modules/aws-backup-source/backup_restore_testing.tf b/modules/aws-backup-source/backup_restore_testing.tf
index b6389fc..0c64c08 100644
--- a/modules/aws-backup-source/backup_restore_testing.tf
+++ b/modules/aws-backup-source/backup_restore_testing.tf
@@ -1,5 +1,5 @@
 resource "awscc_backup_restore_testing_plan" "backup_restore_testing_plan" {
-  restore_testing_plan_name = var.name_prefix != null ? "${var.name_prefix}_backup_restore_testing_plan" : "backup_restore_testing_plan"
+  restore_testing_plan_name = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_restore_testing_plan" : "backup_restore_testing_plan"
   schedule_expression       = var.restore_testing_plan_scheduled_expression
   start_window_hours        = var.restore_testing_plan_start_window
   recovery_point_selection = {
diff --git a/modules/aws-backup-source/iam.tf b/modules/aws-backup-source/iam.tf
index 3b81513..384f746 100644
--- a/modules/aws-backup-source/iam.tf
+++ b/modules/aws-backup-source/iam.tf
@@ -12,7 +12,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 resource "aws_iam_role" "backup" {
-  name                 = "${var.project_name}BackupRole"
+  name                 = "${var.include_environment_in_resource_names ? "${var.project_name}-${var.environment_name}" : var.project_name}BackupRole"
   assume_role_policy   = data.aws_iam_policy_document.assume_role.json
   permissions_boundary = length(var.iam_role_permissions_boundary) > 0 ? var.iam_role_permissions_boundary : null
 }
diff --git a/modules/aws-backup-source/kms.tf b/modules/aws-backup-source/kms.tf
index e8a07a2..a36e37a 100644
--- a/modules/aws-backup-source/kms.tf
+++ b/modules/aws-backup-source/kms.tf
@@ -6,7 +6,7 @@ resource "aws_kms_key" "aws_backup_key" {
 }
 
 resource "aws_kms_alias" "backup_key" {
-  name          = var.name_prefix != null ? "alias/${var.name_prefix}/backup-key" : "alias/${var.environment_name}/backup-key"
+  name          = var.name_prefix != null ? "alias/${var.include_environment_in_resource_names ? "${local.resource_name_prefix}" : var.name_prefix}/backup-key" : "alias/${var.environment_name}/backup-key"
   target_key_id = aws_kms_key.aws_backup_key.key_id
 }
 
diff --git a/modules/aws-backup-source/locals.tf b/modules/aws-backup-source/locals.tf
index 39d37d0..a55be65 100644
--- a/modules/aws-backup-source/locals.tf
+++ b/modules/aws-backup-source/locals.tf
@@ -1,5 +1,5 @@
 locals {
-  resource_name_prefix                             = var.name_prefix != null ? var.name_prefix : "${data.aws_region.current.id}-${data.aws_caller_identity.current.account_id}-backup"
+  resource_name_prefix                             = var.name_prefix != null ? (var.include_environment_in_resource_names ? "${var.name_prefix}-${var.environment_name}" : var.name_prefix) : (var.include_environment_in_resource_names ? "${data.aws_region.current.id}-${data.aws_caller_identity.current.account_id}-${var.environment_name}-backup" : "${data.aws_region.current.id}-${data.aws_caller_identity.current.account_id}-backup")
   selection_tag_value_null_checked                 = (var.backup_plan_config.selection_tag_value == null) ? "True" : var.backup_plan_config.selection_tag_value
   selection_tag_value_dynamodb_null_checked        = (var.backup_plan_config_dynamodb.selection_tag_value == null) ? "True" : var.backup_plan_config_dynamodb.selection_tag_value
   selection_tags_null_checked                      = (var.backup_plan_config.selection_tags == null) ? [{ "key" : var.backup_plan_config.selection_tag, "value" : local.selection_tag_value_null_checked }] : var.backup_plan_config.selection_tags
diff --git a/modules/aws-backup-source/variables.tf b/modules/aws-backup-source/variables.tf
index d99aa10..7b0fba0 100644
--- a/modules/aws-backup-source/variables.tf
+++ b/modules/aws-backup-source/variables.tf
@@ -520,3 +520,9 @@ variable "lambda_restore_to_s3_max_wait_minutes" {
   type        = number
   default     = 5
 }
+
+variable "include_environment_in_resource_names" {
+  description = "Should the environment name be included in resource names. Required for 'all resources in the same account'"
+  type        = bool
+  default     = false
+}