slawek/terraform-azurerm-backup-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
terraform-azurerm-backup-vault/README.md

7.9 KiB
Raw Permalink Blame History

Azure Data Protection Backup Vault Module

This module creates an Azure Data Protection Backup Vault with the specified name, resource group, and location.

Usage scenarios

  • Operational recovery: Use Backup Vault to manage operational recovery workflows; exact datastore behavior is workload-specific. Example services/use cases: AKS (cluster state + PV snapshots), Azure Blobs (operational protection where data stays in the source account and backup policy also governs vaulted retention), and Azure Files (snapshot-based fast restore patterns).
  • Long-term retention: Use VaultStore for policy-based offsite retention and stronger isolation from production data. Example services/use cases: Azure Blobs, Azure Files (vaulted backup), Azure Database for PostgreSQL, and AKS (vault-tier retention rules).
  • Regional resiliency: Use VaultStore with redundancy = "GeoRedundant" and cross_region_restore_enabled = true for paired-region restore scenarios. Example services/use cases: AKS and other vault-tier backup configurations where cross-region restore is supported.
  • Compliance and low-cost cold retention: Use ArchiveStore where supported for long-term retention with lower storage cost and slower retrieval. Example services/use cases: Azure VMs, SQL Server in Azure VMs, and SAP HANA in Azure VMs (subject to archive eligibility rules).

Compatibility differs by workload, region, and policy settings. Always confirm current support in the relevant Azure Backup support matrix before rollout.

Datastore types

OperationalStore is the operational tier designed for faster recovery and short-to-medium retention windows. In Microsoft Learn examples (for example AKS), this tier keeps backup data within your tenant and is typically used for frequent restore points and day-to-day recovery operations.

VaultStore is the vault-standard tier for offsite, policy-driven retention in Backup vault storage. It is commonly used when you want stronger isolation from production resources, longer retention than operational snapshots, and optional cross-region restore when combined with geo-redundant vault settings.

ArchiveStore represents archive-style retention for infrequently accessed backup data and cost-optimized long-term preservation. Microsoft Learn notes that archive usage is workload-dependent and comes with constraints (such as eligibility and rehydration/restore behavior), so it is best suited for compliance-heavy scenarios rather than frequent restores.

SnapshotStore is a legacy/compatibility datastore value that appears in provider schemas and older patterns. For newer Azure Backup workflows, Microsoft guidance and examples more often emphasize OperationalStore and VaultStore, with OperationalStore generally preferred over snapshot-style behavior for active operational protection.

Protecting Resources

This module can protect multiple resource types. Supported resource types in Azure Backup Vault (module status):

Implemented:

  • Azure Blob Storage (azurerm_data_protection_backup_policy_blob_storage, azurerm_data_protection_backup_instance_blob_storage)

Not implemented yet:

  • Azure Managed Disks (azurerm_data_protection_backup_policy_disk)
  • Azure Kubernetes Service (AKS) (azurerm_data_protection_backup_policy_kubernetes_cluster)
  • Azure Database for PostgreSQL Flexible Server (azurerm_data_protection_backup_policy_postgresql_flexible_server)
  • Azure Database for MySQL Flexible Server (azurerm_data_protection_backup_policy_mysql_flexible_server) (Microsoft Learn: preview and currently paused for new configurations)

Azure Blob Storage

Use blob_backup_policies to define one or more Blob backup policy profiles, and protected_blob_storage_accounts to map each storage account to a selected policy via backup_policy_key.

For each protected storage account, you can optionally set:

  • container_names to protect specific containers (when omitted/null, all containers are included)
  • backup_instance_location to override backup instance location
  • backup_instance_name to override backup instance naming

Note: the Storage Account Backup Contributor role assignment for the vault identity should be configured by the caller (for example, using a separate IAM module).

Module Inputs, Outputs, and Examples

Variables

  • rg_name: The name of the resource group where the backup vault will be created.
  • location: The Azure region where the backup vault will be created.
  • base_name: Optional base name used to generate a unique backup vault name when name is not set.
  • name: Optional explicit backup vault name. If omitted, the module generates a deterministic name from base_name.
  • datastore_type: Type of datastore for the backup vault. Allowed values: ArchiveStore, OperationalStore, SnapshotStore, VaultStore.
  • redundancy: Backup storage redundancy type. Allowed values: GeoRedundant, LocallyRedundant, ZoneRedundant.
  • cross_region_restore_enabled: Enables cross-region restore. Can only be set to true when redundancy = "GeoRedundant".
  • retention_duration_in_days: Soft delete retention duration in days (14 to 180).
  • immutability: Immutability state. Allowed values: Disabled, Locked, Unlocked.
  • soft_delete: Soft delete state. Allowed values: AlwaysOn, Off, On.
  • identity: Optional managed identity configuration object:
    • type: Identity type. Allowed values: SystemAssigned, UserAssigned, SystemAssigned, UserAssigned.
    • identity_ids: Optional list of user-assigned identity IDs (required when type = "UserAssigned").
  • tags: A map of tags to apply to the backup vault.
  • protected_blob_storage_accounts: Map of Blob Storage accounts to protect. Each object supports:
    • id: Storage account resource ID (required).
    • container_names: Optional container filter list (null/omitted means all containers).
    • backup_instance_location: Optional override for backup instance location.
    • backup_instance_name: Optional override for backup instance name.
    • backup_policy_key: Optional key selecting an entry from blob_backup_policies.
  • blob_backup_policies: Map of Blob backup policy definitions. Each object supports:
    • name: Optional policy name.
    • backup_repeating_time_intervals: Optional schedule list in ISO 8601 repeating interval format.
    • operational_default_retention_duration: Optional operational retention duration (ISO 8601 duration).
    • vault_default_retention_duration: Optional vaulted retention duration (ISO 8601 duration).

Outputs

  • backup_vault_id: The ID of the created backup vault.
  • backup_vault_name: The name of the created backup vault.
  • backup_vault_identity_principal_id: Principal ID of the assigned managed identity, if configured.
  • backup_vault_identity_tenant_id: Tenant ID of the assigned managed identity, if configured.
  • backup_policy_blob_storage_ids: Map of Blob backup policy IDs keyed by policy key.
  • backup_instance_blob_storage_ids: Map of Blob backup instance IDs keyed by protected account key.

Example Usage

module "backup_vault" {
	source = "./modules/backup-vault"

	rg_name  = azurerm_resource_group.rg.name
	location = azurerm_resource_group.rg.location

	base_name = "bv"

	datastore_type    = "VaultStore"
	redundancy        = "LocallyRedundant"
	soft_delete       = "On"
	immutability      = "Disabled"
	retention_duration_in_days = 14

	tags = {
		environment = "dev"
	}
}

References

Reference in New Issue View Git Blame Copy Permalink