Fix deletion of backup vault access policies that contain restrictive policy

[gsoria]

This commit fixes the following error when trying to delete backup vault access policies for vaults (aws/efs/automatic-backup-vault) automatically created when EFS backup is enabled.

time="2023-10-05T15:37:07Z" level=error msg="AccessDeniedException: User: arn:aws:sts::X:assumed-role/XRole/SAAssumedRoleSession is not authorized to perform: backup:DeleteBackupVaultAccessPolicy on resource: arn:aws:backup:us-east-1:X:backup-vault:aws/efs/automatic-backup-vault with an explicit deny in a resource-based policy

The module before attempting to delete the backup vault access policy, sets a permissive policy to ensure the backup:DeleteBackupVaultAccessPolicy is allowed.

The operation to put a policy to allow backup:DeleteBackupVaultAccessPolicy was silently failing due to an error:

The specified policy cannot be added to the vault due to cross-account sharing restrictions.
Amend the policy or the vault's settings, then retry request

This commit updates the policy, to use the default as a template, but excluding delete actions.

Testing

# https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html
#
# create efs file system
aws efs create-file-system --creation-token MyEfsFileSystem --tags Key=Name,Value=MyEfsFileSystem

# enable backup policy
aws efs put-backup-policy --file-system-id $(aws efs describe-file-systems | jq -r .FileSystems[].FileSystemId) --backup-policy Status="ENABLED"

# verify if backup policy is enabled
aws efs describe-backup-policy --file-system-id $(aws efs describe-file-systems | jq -r .FileSystems[].FileSystemId)

Cleanup the account, specifying the resource AWSBackupVaultAccessPolicy.

You should see an output similar to this:

us-east-1 - AWSBackupVaultAccessPolicy - aws/efs/automatic-backup-vault - triggered remove
Removal requested: 1 waiting, 0 failed, 1 skipped, 0 finished
us-east-1 - AWSBackupVaultAccessPolicy - aws/efs/automatic-backup-vault - waiting
Removal requested: 1 waiting, 0 failed, 1 skipped, 0 finished
us-east-1 - AWSBackupVaultAccessPolicy - aws/efs/automatic-backup-vault - removed
Removal requested: 0 waiting, 0 failed, 1 skipped, 1 finished
Nuke complete: 0 failed, 1 skipped, 1 finished.

[danarbaugh]

I followed the testing steps to confirm I received the expected AccessDeniedException error on the account with a version built from main then a subsequent run with the same configuration using a build from this branch resulted in
us-east-1 - AWSBackupVaultAccessPolicy - aws/efs/automatic-backup-vault - removed as expected. Thanks Gaby. This is a great bugfix that I am sure will be appreciated upstream! 👏

[corybekk]

Everything worked for me! thank you for including the commands for creating the resources.

Testing output

Do you really want to nuke these resources on the account with the ID 299719426765 and the alias 'alias-299719426765'?
Waiting 3s before continuing.
us-east-1 - AWSBackupVaultAccessPolicy - aws/efs/automatic-backup-vault - triggered remove

Removal requested: 1 waiting, 0 failed, 1 skipped, 0 finished

us-east-1 - AWSBackupVaultAccessPolicy - aws/efs/automatic-backup-vault - waiting

Removal requested: 1 waiting, 0 failed, 1 skipped, 0 finished

us-east-1 - AWSBackupVaultAccessPolicy - aws/efs/automatic-backup-vault - removed

Removal requested: 0 waiting, 0 failed, 1 skipped, 1 finished

Nuke complete: 0 failed, 1 skipped, 1 finished.