Fix deletion of backup vault access policies that contain restrictive policy

[gsoria]

This commit fixes the following error when trying to delete backup vault access policies for vaults (aws/efs/automatic-backup-vault) automatically created when EFS backup is enabled.

time="2023-10-05T15:37:07Z" level=error msg="AccessDeniedException: User: arn:aws:sts::X:assumed-role/XRole/SAAssumedRoleSession is not authorized to perform: backup:DeleteBackupVaultAccessPolicy on resource: arn:aws:backup:us-east-1:X:backup-vault:aws/efs/automatic-backup-vault with an explicit deny in a resource-based policy

The module before attempting to delete the backup vault access policy, sets a permissive policy to ensure the backup:DeleteBackupVaultAccessPolicy is allowed.

The operation to put a policy to allow backup:DeleteBackupVaultAccessPolicy was silently failing due to an error:

The specified policy cannot be added to the vault due to cross-account sharing restrictions.
Amend the policy or the vault's settings, then retry request

This commit updates the policy, to use the default as a template, but excluding delete actions.

Testing

# https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html
#
# create efs file system
aws efs create-file-system --creation-token MyEfsFileSystem --tags Key=Name,Value=MyEfsFileSystem

# enable backup policy
aws efs put-backup-policy --file-system-id $(aws efs describe-file-systems | jq -r .FileSystems[].FileSystemId) --backup-policy Status="ENABLED"

# verify if backup policy is enabled
aws efs describe-backup-policy --file-system-id $(aws efs describe-file-systems | jq -r .FileSystems[].FileSystemId)

Cleanup the account, specifying the resource AWSBackupVaultAccessPolicy.

You should see an output similar to this:

us-east-1 - AWSBackupVaultAccessPolicy - aws/efs/automatic-backup-vault - triggered remove
Removal requested: 1 waiting, 0 failed, 1 skipped, 0 finished
us-east-1 - AWSBackupVaultAccessPolicy - aws/efs/automatic-backup-vault - waiting
Removal requested: 1 waiting, 0 failed, 1 skipped, 0 finished
us-east-1 - AWSBackupVaultAccessPolicy - aws/efs/automatic-backup-vault - removed
Removal requested: 0 waiting, 0 failed, 1 skipped, 1 finished
Nuke complete: 0 failed, 1 skipped, 1 finished.

[sstoops]

@svenwltr @der-eismann These changes have been running in our production environment since last year. Would it be possible to merge so we can sync our build with upstream?

[ekristen]

I think #1110 is the most logical way to handle this issue, but it's not clear so I've opened an issue on the fork to track and review ekristen/aws-nuke#353 .. comments welcome.

---

Please see the copy of the notice from the README about the deprecation of this project. Sven was kind enough to grant me access to help triage and close issues and pull requests that have already been addressed in the actively maintained fork. Some additional information is located in the welcome issue for more information.

Caution

This repository for aws-nuke is no longer being actively maintained. We recommend users to switch to the actively maintained fork of this project at ekristen/aws-nuke.
We appreciate all the support and contributions we've received throughout the life of this project. We believe that the fork will continue to provide the functionality and support that you have come to expect from aws-nuke.
Please note that this deprecation means we will not be addressing issues, accepting pull requests, or making future releases from this repository.
Thank you for your understanding and support.