Add Recovery Services Vault module with VM backup policies and outputs

2026-03-01 21:17:57 +01:00
parent 1883aaa38d
commit fae7623813
5 changed files with 489 additions and 1 deletions
--- a/variables.tf
+++ b/variables.tf
@@ -0,0 +1,194 @@
+variable "rg_name" {
+  type = string
+}
+
+variable "location" {
+  type = string
+}
+
+variable "base_name" {
+  type    = string
+  default = null
+}
+
+variable "name" {
+  type    = string
+  default = null
+
+  validation {
+    condition = (
+      (var.name != null && trimspace(var.name) != "") ||
+      (var.base_name != null && trimspace(var.base_name) != "")
+    )
+    error_message = "Provide name or base_name with a non-empty value."
+  }
+}
+
+variable "sku" {
+  type    = string
+  default = "Standard"
+
+  validation {
+    condition     = contains(["Standard", "RS0"], var.sku)
+    error_message = "sku must be one of 'Standard' or 'RS0'."
+  }
+}
+
+variable "storage_mode_type" {
+  type    = string
+  default = "LocallyRedundant"
+
+  validation {
+    condition     = contains(["GeoRedundant", "LocallyRedundant", "ZoneRedundant"], var.storage_mode_type)
+    error_message = "storage_mode_type must be one of 'GeoRedundant', 'LocallyRedundant', or 'ZoneRedundant'."
+  }
+}
+
+variable "cross_region_restore_enabled" {
+  type    = bool
+  default = false
+
+  validation {
+    condition     = var.cross_region_restore_enabled == false || var.storage_mode_type == "GeoRedundant"
+    error_message = "cross_region_restore_enabled can only be true when storage_mode_type is 'GeoRedundant'."
+  }
+}
+
+variable "soft_delete_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "public_network_access_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "immutability" {
+  type    = string
+  default = "Disabled"
+
+  validation {
+    condition     = contains(["Disabled", "Locked", "Unlocked"], var.immutability)
+    error_message = "immutability must be one of 'Disabled', 'Locked', or 'Unlocked'."
+  }
+}
+
+variable "identity" {
+  type = object({
+    type         = string
+    identity_ids = optional(list(string))
+  })
+  default = null
+
+  validation {
+    condition = (
+      var.identity == null ||
+      contains([
+        "SystemAssigned",
+        "UserAssigned",
+        "SystemAssigned, UserAssigned",
+      ], var.identity.type)
+    )
+    error_message = "identity.type must be one of 'SystemAssigned', 'UserAssigned', or 'SystemAssigned, UserAssigned'."
+  }
+
+  validation {
+    condition = (
+      var.identity == null ||
+      var.identity.type == "SystemAssigned" ||
+      length(try(var.identity.identity_ids, [])) > 0
+    )
+    error_message = "identity.identity_ids must be provided when identity.type includes 'UserAssigned'."
+  }
+}
+
+variable "tags" {
+  type    = map(string)
+  default = {}
+}
+
+variable "vm_backup_policies" {
+  type = map(object({
+    name                          = optional(string)
+    policy_type                   = optional(string)
+    timezone                      = optional(string)
+    instant_restore_retention_days = optional(number)
+
+    backup = object({
+      frequency     = string
+      time          = string
+      hour_interval = optional(number)
+      hour_duration = optional(number)
+      weekdays      = optional(list(string))
+    })
+
+    retention_daily = optional(object({
+      count = number
+    }))
+
+    retention_weekly = optional(object({
+      count    = number
+      weekdays = list(string)
+    }))
+
+    retention_monthly = optional(object({
+      count             = number
+      weekdays          = optional(list(string))
+      weeks             = optional(list(string))
+      days              = optional(list(number))
+      include_last_days = optional(bool)
+    }))
+
+    retention_yearly = optional(object({
+      count             = number
+      months            = list(string)
+      weekdays          = optional(list(string))
+      weeks             = optional(list(string))
+      days              = optional(list(number))
+      include_last_days = optional(bool)
+    }))
+  }))
+  default = {}
+
+  validation {
+    condition = alltrue([
+      for policy in values(var.vm_backup_policies) : contains(["V1", "V2"], coalesce(try(policy.policy_type, null), "V2"))
+    ])
+    error_message = "Each vm_backup_policies[*].policy_type must be 'V1' or 'V2' when set."
+  }
+}
+
+variable "protected_vms" {
+  type = map(object({
+    source_vm_id      = string
+    backup_policy_key = optional(string)
+    include_disk_luns = optional(list(number))
+    exclude_disk_luns = optional(list(number))
+    protection_state  = optional(string)
+  }))
+  default = {}
+
+  validation {
+    condition = alltrue([
+      for vm in values(var.protected_vms) : (
+        try(vm.backup_policy_key, null) == null ||
+        contains(
+          keys(length(var.vm_backup_policies) > 0 ? var.vm_backup_policies : { default = {} }),
+          vm.backup_policy_key
+        )
+      )
+    ])
+    error_message = "Each protected_vms[*].backup_policy_key must exist in vm_backup_policies."
+  }
+
+  validation {
+    condition = alltrue([
+      for vm in values(var.protected_vms) : (
+        try(vm.protection_state, null) == null ||
+        contains(["Protected", "BackupsSuspended", "ProtectionStopped"], vm.protection_state)
+      )
+    ])
+    error_message = "Each protected_vms[*].protection_state must be one of 'Protected', 'BackupsSuspended', or 'ProtectionStopped' when set."
+  }
+}