# Azure Recovery Services Vault Module

Creates a Recovery Services Vault and can optionally configure VM backup policies and VM protection.

## Usage scenarios

The Recovery Services Vault may be used to protect the following Azure workloads:

- **Azure Virtual Machines**: Policy-based backup and restore for IaaS VMs.
- **SQL Server in Azure VMs**: Workload-aware database backup for SQL running inside Azure VMs.
- **SAP HANA in Azure VMs**: Workload-aware backup for SAP HANA databases running in Azure VMs.
- **Azure Files**: Share-level backup and restore for Azure file shares.
- **MARS agent workloads**: File/folder and system-state backup from supported Windows servers/clients.
- **MABS / DPM-protected workloads**: Backup streams managed through Azure Backup Server or System Center DPM.

## Storage modes

- `LocallyRedundant` stores backup data redundantly within a single region.
- `ZoneRedundant` stores backup data across availability zones in the same region.
- `GeoRedundant` replicates backup data to a paired region and enables cross-region restore when `cross_region_restore_enabled` is set to `true`.

## Protecting Resources

This module can protect Recovery Services Vault workloads. The implementation status of each resource type is listed below.

Implemented:

- Azure Virtual Machines (`azurerm_backup_policy_vm`, `azurerm_backup_protected_vm`)

Not implemented yet:

- SQL Server in Azure VMs (`azurerm_backup_policy_vm_workload` + protected workload resources)
- SAP HANA in Azure VMs (`azurerm_backup_policy_vm_workload` + protected workload resources)

### Azure Virtual Machines

Use `vm_backup_policies` to define one or more VM backup policy profiles, and `protected_vms` to map each VM to a selected policy via `backup_policy_key`.

For each protected VM, you can optionally set:

- `include_disk_luns` to include only selected data disks
- `exclude_disk_luns` to exclude selected data disks
- `protection_state` to control protection state (`Protected`, `BackupsSuspended`, `ProtectionStopped`)

## Module Inputs, Outputs, and Examples

### Variables

- `rg_name`: The name of the resource group where the Recovery Services Vault will be created.
- `location`: The Azure region where the Recovery Services Vault will be created.
- `base_name`: Optional base name used to generate a unique vault name when `name` is not set.
- `name`: Optional explicit vault name. If omitted, the module generates a deterministic name from `base_name`.
- `sku`: Vault SKU. Allowed values: `Standard`, `RS0`.
- `storage_mode_type`: Backup storage redundancy type. Allowed values: `GeoRedundant`, `LocallyRedundant`, `ZoneRedundant`.
- `cross_region_restore_enabled`: Enables cross-region restore. Can only be set to `true` when `storage_mode_type = "GeoRedundant"`.
- `soft_delete_enabled`: Enables soft delete in the Recovery Services Vault.
- `public_network_access_enabled`: Enables public network access to the vault.
- `immutability`: Immutability state. Allowed values: `Disabled`, `Locked`, `Unlocked`.
- `identity`: Optional managed identity configuration object:
  - `type`: Identity type. Allowed values: `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`.
  - `identity_ids`: Optional list of user-assigned identity IDs (required when `type` includes `UserAssigned`).
- `tags`: A map of tags to apply to the vault.
- `vm_backup_policies`: Map of VM backup policy definitions.
- `protected_vms`: Map of VMs to protect, including policy mapping via `backup_policy_key`.

### Outputs

- `recovery_services_vault_id`: The ID of the created Recovery Services Vault.
- `recovery_services_vault_name`: The name of the created Recovery Services Vault.
- `recovery_services_vault_identity_principal_id`: Principal ID of the assigned managed identity, if configured.
- `vm_backup_policy_ids`: Map of VM backup policy IDs keyed by policy key.
- `protected_vm_backup_ids`: Map of protected VM backup item IDs keyed by protected VM key.

### Example Usage

```hcl
module "recovery_services_vault" {
  source = "./modules/recovery-services-vault"

  rg_name           = azurerm_resource_group.rg.name
  location          = azurerm_resource_group.rg.location
  base_name         = "rsv"
  storage_mode_type = "LocallyRedundant"

  vm_backup_policies = {
    default = {
      backup = {
        frequency = "Daily"
        time      = "23:00"
      }
      retention_daily = {
        count = 30
      }
    }
  }

  protected_vms = {
    app = {
      source_vm_id      = azurerm_linux_virtual_machine.app.id
      backup_policy_key = "default"
    }
  }
}
```

## References

- [Recovery Services vaults overview](https://learn.microsoft.com/azure/backup/backup-azure-recovery-services-vault-overview)
- [Back up Azure VMs in a Recovery Services vault](https://learn.microsoft.com/azure/backup/backup-azure-arm-vms-prepare)
- [Azure Backup FAQ: vault support matrix](https://learn.microsoft.com/azure/backup/backup-azure-backup-faq#what-are-the-various-vaults-supported-for-backup-and-restore)
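
## Hardened configuration example

A variant of the module call that sets the security-relevant inputs from the Variables list together; this is an added example, not taken from the module's repository. The resource references are reused from the Example Usage block, the LUN number and tag value are constructed, and `exclude_disk_luns` is assumed to accept a list of LUN numbers.

```hcl
# Added example: the documented inputs combined into a hardened vault.
module "recovery_services_vault_hardened" {
  source = "./modules/recovery-services-vault"

  rg_name   = azurerm_resource_group.rg.name
  location  = azurerm_resource_group.rg.location
  base_name = "rsv"

  # Cross-region restore is only accepted together with GeoRedundant storage.
  storage_mode_type            = "GeoRedundant"
  cross_region_restore_enabled = true

  # Keep deleted backup data recoverable and disable public network access.
  soft_delete_enabled           = true
  public_network_access_enabled = false

  # "Unlocked" can still be changed later; Azure does not allow reverting
  # a vault from "Locked", so move to it only after validating retention.
  immutability = "Unlocked"

  identity = {
    type = "SystemAssigned"
  }

  vm_backup_policies = {
    default = {
      backup          = { frequency = "Daily", time = "23:00" }
      retention_daily = { count = 30 }
    }
  }

  protected_vms = {
    app = {
      source_vm_id      = azurerm_linux_virtual_machine.app.id
      backup_policy_key = "default"
      exclude_disk_luns = [1] # constructed LUN: skip a scratch data disk
      protection_state  = "Protected"
    }
  }

  tags = { environment = "prod" } # constructed tag value
}
```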