Add Recovery Services Vault module with VM backup policies and outputs

2026-03-01 21:17:57 +01:00
parent 1883aaa38d
commit fae7623813
5 changed files with 489 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -1,3 +1,116 @@
-# Azure Recovery Services Vault Terraform Module
+# Azure Recovery Services Vault Module
+
+Creates a Recovery Services Vault and can optionally configure VM backup policies and VM protection.
+
+## Usage scenarios
+
+The recovery services vault may be used to protect the following Azure workloads:
+
+- **Azure Virtual Machines**: Policy-based backup and restore for IaaS VMs.
+- **SQL Server in Azure VMs**: Workload-aware database backup for SQL running inside Azure VMs.
+- **SAP HANA in Azure VMs**: Workload-aware backup for SAP HANA databases running in Azure VMs.
+- **Azure Files**: Share-level backup and restore for Azure file shares.
+- **MARS agent workloads**: File/folder and system-state backup from supported Windows servers/clients.
+- **MABS / DPM-protected workloads**: Backup streams managed through Azure Backup Server or System Center DPM.
+
+## Storage modes
+
+`LocallyRedundant` stores backup data redundantly within a single region.
+
+`ZoneRedundant` stores backup data across availability zones in the same region.
+
+`GeoRedundant` replicates backup data to a paired region and enables cross-region restore when `cross_region_restore_enabled` is set to `true`.
+
+## Protecting Resources
+
+This module can protect Recovery Services Vault workloads. Supported resource types in module status are listed below.
+
+Implemented:
+
+- Azure Virtual Machines (`azurerm_backup_policy_vm`, `azurerm_backup_protected_vm`)
+
+Not implemented yet:
+
+- SQL Server in Azure VMs (`azurerm_backup_policy_vm_workload` + protected workload resources)
+- SAP HANA in Azure VMs (`azurerm_backup_policy_vm_workload` + protected workload resources)
+
+### Azure Virtual Machines
+
+Use `vm_backup_policies` to define one or more VM backup policy profiles, and `protected_vms` to map each VM to a selected policy via `backup_policy_key`.
+
+For each protected VM, you can optionally set:
+
+- `include_disk_luns` to include only selected data disks
+- `exclude_disk_luns` to exclude selected data disks
+- `protection_state` to control protection state (`Protected`, `BackupsSuspended`, `ProtectionStopped`)
+
+## Module Inputs, Outputs, and Examples
+
+### Variables
+
+- `rg_name`: The name of the resource group where the Recovery Services Vault will be created.
+- `location`: The Azure region where the Recovery Services Vault will be created.
+- `base_name`: Optional base name used to generate a unique vault name when `name` is not set.
+- `name`: Optional explicit vault name. If omitted, the module generates a deterministic name from `base_name`.
+- `sku`: Vault SKU. Allowed values: `Standard`, `RS0`.
+- `storage_mode_type`: Backup storage redundancy type. Allowed values: `GeoRedundant`, `LocallyRedundant`, `ZoneRedundant`.
+- `cross_region_restore_enabled`: Enables cross-region restore. Can only be set to `true` when `storage_mode_type = "GeoRedundant"`.
+- `soft_delete_enabled`: Enables soft delete in the Recovery Services Vault.
+- `public_network_access_enabled`: Enables public network access to the vault.
+- `immutability`: Immutability state. Allowed values: `Disabled`, `Locked`, `Unlocked`.
+- `identity`: Optional managed identity configuration object:
+	- `type`: Identity type. Allowed values: `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`.
+	- `identity_ids`: Optional list of user-assigned identity IDs (required when `type` includes `UserAssigned`).
+- `tags`: A map of tags to apply to the vault.
+- `vm_backup_policies`: Map of VM backup policy definitions.
+- `protected_vms`: Map of VMs to protect, including policy mapping via `backup_policy_key`.
+
+### Outputs
+
+- `recovery_services_vault_id`: The ID of the created Recovery Services Vault.
+- `recovery_services_vault_name`: The name of the created Recovery Services Vault.
+- `recovery_services_vault_identity_principal_id`: Principal ID of the assigned managed identity, if configured.
+- `vm_backup_policy_ids`: Map of VM backup policy IDs keyed by policy key.
+- `protected_vm_backup_ids`: Map of protected VM backup item IDs keyed by protected VM key.
+
+### Example Usage
+
+```hcl
+module "recovery_services_vault" {
+	source = "./modules/recovery-services-vault"
+
+	rg_name  = azurerm_resource_group.rg.name
+	location = azurerm_resource_group.rg.location
+
+	base_name = "rsv"
+
+	storage_mode_type = "LocallyRedundant"
+
+	vm_backup_policies = {
+		default = {
+			backup = {
+				frequency = "Daily"
+				time      = "23:00"
+			}
+			retention_daily = {
+				count = 30
+			}
+		}
+	}
+
+	protected_vms = {
+		app = {
+			source_vm_id      = azurerm_linux_virtual_machine.app.id
+			backup_policy_key = "default"
+		}
+	}
+}
+```
+
+## References
+
+- [Recovery Services vaults overview](https://learn.microsoft.com/azure/backup/backup-azure-recovery-services-vault-overview)
+- [Back up Azure VMs in a Recovery Services vault](https://learn.microsoft.com/azure/backup/backup-azure-arm-vms-prepare)
+- [Azure Backup FAQ: vault support matrix](https://learn.microsoft.com/azure/backup/backup-azure-backup-faq#what-are-the-various-vaults-supported-for-backup-and-restore)