terraform-azurerm-backup-vault/README.md

# Azure Data Protection Backup Vault Module

This module creates an Azure Data Protection Backup Vault with the specified name, resource group, and location.

## Usage scenarios

- **Operational recovery**: Use Backup Vault to manage operational recovery workflows; exact datastore behavior is workload-specific. Example services/use cases: **AKS** (cluster state + PV snapshots), **Azure Blobs** (operational protection where data stays in the source account and backup policy also governs vaulted retention), and **Azure Files** (snapshot-based fast restore patterns).
- **Long-term retention**: Use `VaultStore` for policy-based offsite retention and stronger isolation from production data. Example services/use cases: **Azure Blobs**, **Azure Files (vaulted backup)**, **Azure Database for PostgreSQL**, and **AKS** (vault-tier retention rules).
- **Regional resiliency**: Use `VaultStore` with `redundancy = "GeoRedundant"` and `cross_region_restore_enabled = true` for paired-region restore scenarios. Example services/use cases: **AKS** and other vault-tier backup configurations where cross-region restore is supported.
- **Compliance and low-cost cold retention**: Use `ArchiveStore` where supported for long-term retention with lower storage cost and slower retrieval. Example services/use cases: **Azure VMs**, **SQL Server in Azure VMs**, and **SAP HANA in Azure VMs** (subject to archive eligibility rules).

> Compatibility differs by workload, region, and policy settings. Always confirm current support in the relevant Azure Backup support matrix before rollout.

## Datastore types

**OperationalStore** is the operational tier designed for faster recovery and short-to-medium retention windows. In Microsoft Learn examples (for example AKS), this tier keeps backup data within your tenant and is typically used for frequent restore points and day-to-day recovery operations.

**VaultStore** is the vault-standard tier for offsite, policy-driven retention in Backup vault storage. It is commonly used when you want stronger isolation from production resources, longer retention than operational snapshots, and optional cross-region restore when combined with geo-redundant vault settings.

**ArchiveStore** represents archive-style retention for infrequently accessed backup data and cost-optimized long-term preservation. Microsoft Learn notes that archive usage is workload-dependent and comes with constraints (such as eligibility and rehydration/restore behavior), so it is best suited for compliance-heavy scenarios rather than frequent restores.

**SnapshotStore** is a legacy/compatibility datastore value that appears in provider schemas and older patterns. For newer Azure Backup workflows, Microsoft guidance and examples more often emphasize `OperationalStore` and `VaultStore`, with `OperationalStore` generally preferred over snapshot-style behavior for active operational protection.

## Protecting Resources

This module can protect multiple resource types. Supported resource types in Azure Backup Vault (module status):

Implemented:

- Azure Blob Storage (`azurerm_data_protection_backup_policy_blob_storage`, `azurerm_data_protection_backup_instance_blob_storage`)

Not implemented yet:

- Azure Managed Disks (`azurerm_data_protection_backup_policy_disk`)
- Azure Kubernetes Service (AKS) (`azurerm_data_protection_backup_policy_kubernetes_cluster`)
- Azure Database for PostgreSQL Flexible Server (`azurerm_data_protection_backup_policy_postgresql_flexible_server`)
- Azure Database for MySQL Flexible Server (`azurerm_data_protection_backup_policy_mysql_flexible_server`) (Microsoft Learn: preview and currently paused for new configurations)

### Azure Blob Storage

Use `blob_backup_policies` to define one or more Blob backup policy profiles, and `protected_blob_storage_accounts` to map each storage account to a selected policy via `backup_policy_key`.

For each protected storage account, you can optionally set:

- `container_names` to protect specific containers (when omitted/null, all containers are included)
- `backup_instance_location` to override backup instance location
- `backup_instance_name` to override backup instance naming

Note: the `Storage Account Backup Contributor` role assignment for the vault identity should be configured by the caller (for example, using a separate IAM module).

## Module Inputs, Outputs, and Examples

### Variables

- `rg_name`: The name of the resource group where the backup vault will be created.
- `location`: The Azure region where the backup vault will be created.
- `base_name`: Optional base name used to generate a unique backup vault name when `name` is not set.
- `name`: Optional explicit backup vault name. If omitted, the module generates a deterministic name from `base_name`.
- `datastore_type`: Type of datastore for the backup vault. Allowed values: `ArchiveStore`, `OperationalStore`, `SnapshotStore`, `VaultStore`.
- `redundancy`: Backup storage redundancy type. Allowed values: `GeoRedundant`, `LocallyRedundant`, `ZoneRedundant`.
- `cross_region_restore_enabled`: Enables cross-region restore. Can only be set to `true` when `redundancy = "GeoRedundant"`.
- `retention_duration_in_days`: Soft delete retention duration in days (`14` to `180`).
- `immutability`: Immutability state. Allowed values: `Disabled`, `Locked`, `Unlocked`.
- `soft_delete`: Soft delete state. Allowed values: `AlwaysOn`, `Off`, `On`.
- `identity`: Optional managed identity configuration object:
	- `type`: Identity type. Allowed values: `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`.
	- `identity_ids`: Optional list of user-assigned identity IDs (required when `type = "UserAssigned"`).
- `tags`: A map of tags to apply to the backup vault.
- `protected_blob_storage_accounts`: Map of Blob Storage accounts to protect. Each object supports:
	- `id`: Storage account resource ID (required).
	- `container_names`: Optional container filter list (null/omitted means all containers).
	- `backup_instance_location`: Optional override for backup instance location.
	- `backup_instance_name`: Optional override for backup instance name.
	- `backup_policy_key`: Optional key selecting an entry from `blob_backup_policies`.
- `blob_backup_policies`: Map of Blob backup policy definitions. Each object supports:
	- `name`: Optional policy name.
	- `backup_repeating_time_intervals`: Optional schedule list in ISO 8601 repeating interval format.
	- `operational_default_retention_duration`: Optional operational retention duration (ISO 8601 duration).
	- `vault_default_retention_duration`: Optional vaulted retention duration (ISO 8601 duration).

### Outputs

- `backup_vault_id`: The ID of the created backup vault.
- `backup_vault_name`: The name of the created backup vault.
- `backup_vault_identity_principal_id`: Principal ID of the assigned managed identity, if configured.
- `backup_vault_identity_tenant_id`: Tenant ID of the assigned managed identity, if configured.
- `backup_policy_blob_storage_ids`: Map of Blob backup policy IDs keyed by policy key.
- `backup_instance_blob_storage_ids`: Map of Blob backup instance IDs keyed by protected account key.

### Example Usage

```hcl
module "backup_vault" {
	source = "./modules/backup-vault"

	rg_name  = azurerm_resource_group.rg.name
	location = azurerm_resource_group.rg.location

	base_name = "bv"

	datastore_type    = "VaultStore"
	redundancy        = "LocallyRedundant"
	soft_delete       = "On"
	immutability      = "Disabled"
	retention_duration_in_days = 14

	tags = {
		environment = "dev"
	}
}
```

## References

- [Overview of Azure Blob backup](https://learn.microsoft.com/azure/backup/blob-backup-overview)
- [What is Azure Kubernetes Service backup?](https://learn.microsoft.com/azure/backup/azure-kubernetes-service-backup-overview#which-backup-storage-tier-does-aks-backup-support)
- [Overview of Archive tier in Azure Backup](https://learn.microsoft.com/azure/backup/archive-tier-support)
- [About Azure Files backup](https://learn.microsoft.com/azure/backup/azure-file-share-backup-overview)