NHSDigital · TurboNHS · Apr 22, 2026 · Apr 23, 2026 · Apr 23, 2026 · Apr 24, 2026
diff --git a/modules/aws-backup-destination/backup.tf b/modules/aws-backup-destination/backup.tf
@@ -1,13 +1,22 @@
 resource "aws_backup_vault" "vault" {
+  count = var.resources_in_same_account ? 1 : 0
+
   name        = var.name_prefix != null ? "${var.name_prefix}-backup-vault" : "${var.source_account_name}-backup-vault"
   kms_key_arn = var.kms_key
 }
 
 output "vault_arn" {
-  value = aws_backup_vault.vault.arn
+  value = var.resources_in_same_account ? aws_backup_vault.vault[0].arn : null
 }
 
 output "vault_name" {
   description = "The name of the backup vault."
-  value       = aws_backup_vault.vault.name
+  value       = var.resources_in_same_account ? aws_backup_vault.vault[0].name : null
+}
+
+# -----
+
+moved {
+  from = aws_backup_vault.vault
+  to   = aws_backup_vault.vault[0]
 }
diff --git a/modules/aws-backup-destination/backup_vault_lock.tf b/modules/aws-backup-destination/backup_vault_lock.tf
@@ -1,6 +1,7 @@
 resource "aws_backup_vault_lock_configuration" "vault_lock" {
-  count               = var.enable_vault_protection ? 1 : 0
-  backup_vault_name   = aws_backup_vault.vault.name
+  count = var.enable_vault_protection && var.resources_in_same_account ? 1 : 0
+
+  backup_vault_name   = aws_backup_vault.vault[0].name
   changeable_for_days = var.vault_lock_type == "compliance" ? var.changeable_for_days : null
   max_retention_days  = var.vault_lock_max_retention_days
   min_retention_days  = var.vault_lock_min_retention_days

diff --git a/modules/aws-backup-destination/backup_vault_policy.tf b/modules/aws-backup-destination/backup_vault_policy.tf
@@ -1,9 +1,12 @@
 resource "aws_backup_vault_policy" "vault_policy" {
-  backup_vault_name = aws_backup_vault.vault.name
-  policy            = data.aws_iam_policy_document.vault_policy.json
+  count = var.resources_in_same_account ? 1 : 0
+
+  backup_vault_name = aws_backup_vault.vault[0].name
+  policy            = data.aws_iam_policy_document.vault_policy[0].json
 }
 
 data "aws_iam_policy_document" "vault_policy" {
+  count = var.resources_in_same_account ? 1 : 0
 
   statement {
     sid    = "AllowCopyToVault"
@@ -66,3 +69,15 @@ data "aws_iam_policy_document" "vault_policy" {
     }
   }
 }
+
+# -----
+
+moved {
+  from = aws_backup_vault_policy.vault_policy
+  to   = aws_backup_vault_policy.vault_policy[0]
+}
+
+moved {
+  from = data.aws_iam_policy_document.vault_policy
+  to   = data.aws_iam_policy_document.vault_policy[0]
+}
diff --git a/modules/aws-backup-destination/iam.tf b/modules/aws-backup-destination/iam.tf
@@ -42,7 +42,7 @@ resource "aws_iam_role" "copy_recovery_point" {
 }
 
 data "aws_iam_policy_document" "copy_recovery_point_permissions" {
-  count = var.enable_cross_account_vault_access ? 1 : 0
+  count = var.enable_cross_account_vault_access && var.resources_in_same_account ? 1 : 0
 
   # Start copy job (resource-level supports recoveryPoint*)
   statement {
@@ -71,7 +71,7 @@ data "aws_iam_policy_document" "copy_recovery_point_permissions" {
     ]
     resources = [
       "arn:aws:backup:${var.region}:${var.account_id}:recovery-point:*",
-      "arn:aws:backup:${var.region}:${var.account_id}:backup-vault:${aws_backup_vault.vault.name}",
+      "arn:aws:backup:${var.region}:${var.account_id}:backup-vault:${aws_backup_vault.vault[0].name}",
       "arn:aws:backup:${var.region}:${var.source_account_id}:backup-vault:*"
     ]
   }

diff --git a/modules/aws-backup-destination/parameter_store_kms.tf b/modules/aws-backup-destination/parameter_store_kms.tf
@@ -1,4 +1,6 @@
 data "aws_iam_policy_document" "kms_key_policy" {
+  count = var.resources_in_same_account ? 1 : 0
+
   statement {
     sid    = "Enable IAM User Permissions"
     effect = "Allow"
@@ -33,17 +35,38 @@ data "aws_iam_policy_document" "kms_key_policy" {
 }
 
 resource "aws_kms_key" "parameter_store_key" {
+  count = var.resources_in_same_account ? 1 : 0
+
   description             = "KMS key for cross-account encryption of Parameter Store backups."
   deletion_window_in_days = 7
-  policy                  = data.aws_iam_policy_document.kms_key_policy.json
+  policy                  = data.aws_iam_policy_document.kms_key_policy[0].json
 }
 
 resource "aws_kms_alias" "parameter_store_alias" {
+  count = var.resources_in_same_account ? 1 : 0
+
   name          = "alias/parameter-store-backup-key"
-  target_key_id = aws_kms_key.parameter_store_key.key_id
+  target_key_id = aws_kms_key.parameter_store_key[0].key_id
 }
 
 output "parameter_store_kms_key_arn" {
   description = "The ARN of the KMS key created in the backup account."
-  value       = aws_kms_key.parameter_store_key.arn
+  value       = var.resources_in_same_account ? aws_kms_key.parameter_store_key[0].arn : null
+}
+
+# -----
+
+moved {
+  from = data.aws_iam_policy_document.kms_key_policy
+  to   = data.aws_iam_policy_document.kms_key_policy[0]
+}
+
+moved {
+  from = aws_kms_key.parameter_store_key
+  to   = aws_kms_key.parameter_store_key[0]
+}
+
+moved {
+  from = aws_kms_alias.parameter_store_alias
+  to   = aws_kms_alias.parameter_store_alias[0]
 }
diff --git a/modules/aws-backup-destination/variables.tf b/modules/aws-backup-destination/variables.tf
@@ -100,3 +100,12 @@ variable "enable_cross_account_vault_access" {
   type        = bool
   default     = false
 }
+
+# If we're building this for multiple environments in the same account, some things
+# should not be created. Such as the vault! There can be only one - the environment
+# vaults should all copy to this, main/backup/immutable vault.
+variable "resources_in_same_account" {
+  description = "Should all resources be created in the same account. Set to 'true' if base resources already exists in the account, and they should be reused."
+  type        = bool
+  default     = false
+}
diff --git a/modules/aws-backup-source/backup_framework.tf b/modules/aws-backup-source/backup_framework.tf
@@ -1,4 +1,16 @@
+# There can be only one [framework with x controls in one account]!
+#
+# For the frameworks of the other envs in the account, we "import"
+# them using a `data` record, looking for the environment name set
+# in the `resources_in_same_account` variable.
+
+data "aws_backup_framework" "main" {
+  count = var.backup_plan_config.enable && var.resources_in_same_account != "" ? 1 : 0
+  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-framework", "-", "_")
+}
 resource "aws_backup_framework" "main" {
+  count = var.backup_plan_config.enable && var.resources_in_same_account == "" ? 1 : 0
+
   # must be underscores instead of dashes
   name        = replace("${local.resource_name_prefix}-framework", "-", "_")
   description = "${var.project_name} Backup Framework"
@@ -131,8 +143,12 @@ resource "aws_backup_framework" "main" {
   }
 }
 
+data "aws_backup_framework" "dynamodb" {
+  count = var.backup_plan_config_dynamodb.enable && var.resources_in_same_account != "" ? 1 : 0
+  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-dynamodb-framework", "-", "_")
+}
 resource "aws_backup_framework" "dynamodb" {
-  count = var.backup_plan_config_dynamodb.enable ? 1 : 0
+  count = var.backup_plan_config_dynamodb.enable && var.resources_in_same_account == "" ? 1 : 0
   # must be underscores instead of dashes
   name        = replace("${local.resource_name_prefix}-dynamodb-framework", "-", "_")
   description = "${var.project_name} DynamoDB Backup Framework"
@@ -172,8 +188,12 @@ resource "aws_backup_framework" "dynamodb" {
   }
 }
 
+data "aws_backup_framework" "ebsvol" {
+  count = var.backup_plan_config_ebsvol.enable && var.resources_in_same_account != "" ? 1 : 0
+  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-ebsvol-framework", "-", "_")
+}
 resource "aws_backup_framework" "ebsvol" {
-  count = var.backup_plan_config_ebsvol.enable ? 1 : 0
+  count = var.backup_plan_config_ebsvol.enable && var.resources_in_same_account == "" ? 1 : 0
   # must be underscores instead of dashes
   name        = replace("${local.resource_name_prefix}-ebsvol-framework", "-", "_")
   description = "${var.project_name} EBS Backup Framework"
@@ -213,8 +233,12 @@ resource "aws_backup_framework" "ebsvol" {
   }
 }
 
+data "aws_backup_framework" "aurora" {
+  count = var.backup_plan_config_aurora.enable && var.resources_in_same_account != "" ? 1 : 0
+  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-aurora-framework", "-", "_")
+}
 resource "aws_backup_framework" "aurora" {
-  count = var.backup_plan_config_aurora.enable ? 1 : 0
+  count = var.backup_plan_config_aurora.enable && var.resources_in_same_account == "" ? 1 : 0
   # must be underscores instead of dashes
   name        = replace("${local.resource_name_prefix}-aurora-framework", "-", "_")
   description = "${var.project_name} Aurora Backup Framework"
@@ -253,8 +277,12 @@ resource "aws_backup_framework" "aurora" {
   }
 }
 
+data "aws_backup_framework" "parameter_store" {
+  count = var.backup_plan_config_parameter_store.enable && var.resources_in_same_account != "" ? 1 : 0
+  name  = replace("${var.name_prefix}-${var.resources_in_same_account}-parameter-store-framework", "-", "_")
+}
 resource "aws_backup_framework" "parameter_store" {
-  count = var.backup_plan_config_parameter_store.enable ? 1 : 0
+  count = var.backup_plan_config_parameter_store.enable && var.resources_in_same_account == "" ? 1 : 0
   # must be underscores instead of dashes
   name        = replace("${local.resource_name_prefix}-parameter-store-framework", "-", "_")
   description = "${var.project_name} Parameter Store Backup Framework"
@@ -292,3 +320,10 @@ resource "aws_backup_framework" "parameter_store" {
     }
   }
 }
+
+# -----
+
+moved {
+  from = aws_backup_framework.main
+  to   = aws_backup_framework.main[0]
+}
diff --git a/modules/aws-backup-source/backup_plan.tf b/modules/aws-backup-source/backup_plan.tf
@@ -168,7 +168,12 @@ resource "aws_backup_selection" "default" {
   }
   condition {
     dynamic "string_equals" {
-      for_each = local.selection_tags_null_checked
+      for_each = concat(local.selection_tags_null_checked, [
+        {
+          "key" : var.backup_plan_config.selection_tag,
+          "value" : var.backup_plan_config.selection_tag_value != null ? var.backup_plan_config.selection_tag_value : "True"
+        }
+      ])
       content {
         key   = (try(string_equals.value.key, null) == null) ? null : "aws:ResourceTag/${string_equals.value.key}"
         value = try(string_equals.value.value, null)
@@ -190,7 +195,12 @@ resource "aws_backup_selection" "dynamodb" {
   }
   condition {
     dynamic "string_equals" {
-      for_each = local.selection_tags_dynamodb_null_checked
+      for_each = concat(local.selection_tags_dynamodb_null_checked, [
+        {
+          "key" : var.backup_plan_config_dynamodb.selection_tag,
+          "value" : var.backup_plan_config_dynamodb.selection_tag_value != null ? var.backup_plan_config_dynamodb.selection_tag_value : "True"
+        }
+      ])
       content {
         key   = (try(string_equals.value.key, null) == null) ? null : "aws:ResourceTag/${string_equals.value.key}"
         value = try(string_equals.value.value, null)
@@ -212,7 +222,12 @@ resource "aws_backup_selection" "ebsvol" {
   }
   condition {
     dynamic "string_equals" {
-      for_each = local.selection_tags_ebsvol_null_checked
+      for_each = concat(local.selection_tags_ebsvol_null_checked, [
+        {
+          "key" : var.backup_plan_config_ebsvol.selection_tag,
+          "value" : var.backup_plan_config_ebsvol.selection_tag_value != null ? var.backup_plan_config_ebsvol.selection_tag_value : "True"
+        }
+      ])
       content {
         key   = (try(string_equals.value.key, null) == null) ? null : "aws:ResourceTag/${string_equals.value.key}"
         value = try(string_equals.value.value, null)
@@ -230,7 +245,21 @@ resource "aws_backup_selection" "aurora" {
   selection_tag {
     key   = var.backup_plan_config_aurora.selection_tag
     type  = "STRINGEQUALS"
-    value = "True"
+    value = (var.backup_plan_config_aurora.selection_tag_value == null) ? "True" : var.backup_plan_config_aurora.selection_tag_value
+  }
+  condition {
+    dynamic "string_equals" {
+      for_each = concat(local.selection_tags_aurora_null_checked, [
+        {
+          "key" : var.backup_plan_config_aurora.selection_tag,
+          "value" : var.backup_plan_config_aurora.selection_tag_value != null ? var.backup_plan_config_aurora.selection_tag_value : "True"
+        }
+      ])
+      content {
+        key   = (try(string_equals.value.key, null) == null) ? null : "aws:ResourceTag/${string_equals.value.key}"
+        value = try(string_equals.value.value, null)
+      }
+    }
   }
 }
 
@@ -247,7 +276,12 @@ resource "aws_backup_selection" "parameter_store" {
   }
   condition {
     dynamic "string_equals" {
-      for_each = local.selection_tags_parameter_store_null_checked
+      for_each = concat(local.selection_tags_parameter_store_null_checked, [
+        {
+          "key" : var.backup_plan_config_parameter_store.selection_tag,
+          "value" : var.backup_plan_config_parameter_store.selection_tag_value != null ? var.backup_plan_config_parameter_store.selection_tag_value : "True"
+        }
+      ])
       content {
         key   = (try(string_equals.value.key, null) == null) ? null : "aws:ResourceTag/${string_equals.value.key}"
         value = try(string_equals.value.value, null)

diff --git a/modules/aws-backup-source/backup_report_plan.tf b/modules/aws-backup-source/backup_report_plan.tf
@@ -1,6 +1,6 @@
 # Create the reports
 resource "aws_backup_report_plan" "backup_jobs" {
-  name        = var.name_prefix != null ? "${var.name_prefix}_backup_jobs" : "backup_jobs"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_jobs" : "backup_jobs"
   description = "Report for showing whether backups ran successfully in the last 24 hours"
 
   report_delivery_channel {
@@ -18,7 +18,7 @@ resource "aws_backup_report_plan" "backup_jobs" {
 
 # Create the restore testing completion reports
 resource "aws_backup_report_plan" "backup_restore_testing_jobs" {
-  name        = var.name_prefix != null ? "${var.name_prefix}_backup_restore_testing_jobs" : "backup_restore_testing_jobs"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_backup_restore_testing_jobs" : "backup_restore_testing_jobs"
   description = "Report for showing whether backup restore test ran successfully in the last 24 hours"
 
   report_delivery_channel {
@@ -35,7 +35,7 @@ resource "aws_backup_report_plan" "backup_restore_testing_jobs" {
 }
 
 resource "aws_backup_report_plan" "resource_compliance" {
-  name        = var.name_prefix != null ? "${var.name_prefix}_resource_compliance" : "resource_compliance"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_resource_compliance" : "resource_compliance"
   description = "Report for showing whether resources are compliant with the framework"
 
   report_delivery_channel {
@@ -55,7 +55,7 @@ resource "aws_backup_report_plan" "resource_compliance" {
 
 resource "aws_backup_report_plan" "copy_jobs" {
   count       = var.backup_copy_vault_arn != "" && var.backup_copy_vault_account_id != "" ? 1 : 0
-  name        = var.name_prefix != null ? "${var.name_prefix}_copy_jobs" : "copy_jobs"
+  name        = var.name_prefix != null ? "${replace(local.resource_name_prefix, "-", "_")}_copy_jobs" : "copy_jobs"
   description = "Report for showing whether copies ran successfully in the last 24 hours"
 
   report_delivery_channel {