ResourceModules
[Bug Report]: Issues rerunning compute module when using Recovery Vault that has immutability enabled
Describe the bug
Unable to re-run compute deploy with same settings / policy without an error.
The VM was originally deployed using the compute module; backups were enabled after the VM was created by adding the Vault parameters to the module. Re-running the deployment after backup was enabled, without any changes to the 'DefaultPolicy' retention for backups, results in an error.
To reproduce
- Deploy compute from modules/compute/virtual-machine/main.bicep
- Enable backup to an existing Recovery Vault that has immutability enabled and unlocked, and deploy using 'DefaultPolicy'
- Error. We have multiple VMs where this is an issue. We do have 1 example where it is working though and the experience is not consistent.
Code snippet
// --- Deployment target ---
param rgAppName string
param location string

// --- Existing Key Vault; its resource ID is handed to the disk encryption set below ---
param kvRG string
param kvName string

// --- Core VM: name, size and disks ---
param coreVMName string
param coreVMSize string
param coreVMOSDiskType string
param coreVMOSDiskSize int
param coreVMDataDisk1Type string
param coreVMDataDisk1Size int

// --- Core VM: networking (front-end NIC, then back-end NIC) ---
param coreVMSubnetID string
param coreVMStaticIPs array
param coreVMBackendSubnetID array
param coreVMBackendStaticIPs array

// --- Backup: both default to '' (empty), which the module call passes through unchanged ---
@description('Optional. Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default.')
param backupVaultResourceGroup string = ''

@description('Optional. Recovery service vault name for backing up VMs, Storage and SQL.')
param recoveryVaultName string = ''
// Reference to a Key Vault that already exists in resource group `kvRG`.
// `existing` means nothing is created or modified here; only `kv.id` is consumed further down.
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  scope: resourceGroup(kvRG)
  name: kvName
}
// Resource group for the application workload, placed in `location`.
// NOTE(review): declaring a resource group implies a subscription-level target scope;
// the `targetScope` line is not part of this snippet.
resource rgApp 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  location: location
  name: rgAppName
}
// Deploys a disk encryption set (DES) through the CARML diskEncryptionSets module.
// The VM module below attaches its OS and data disks to this DES via `outputs.resourceId`.
// NOTE(review): the text between `=` and `:` is missing and the block closes with `}]`,
// so this was presumably a `[for ...: { ... }]` loop whose header was lost when the
// snippet was posted; as shown it does not compile.
module diskEncryptionSet '../../../../carml/modules/Microsoft.Compute/diskEncryptionSets/deploy.bicep' = : {
  name: 'deploy_${coreVMName}-01-disk-encryption-set'
  // NOTE(review): no `appRG` symbol is declared in this snippet (the resource group above
  // is `rgApp`); presumably declared elsewhere or renamed for the report.
  scope: appRG
  params: {
    name: '${coreVMName}-01-disk-encryption-set'
    // The key is given the same name as the encryption set itself.
    keyName: '${coreVMName}-01-disk-encryption-set'
    // Customer-managed key lives in the pre-existing vault referenced as `kv`.
    // NOTE(review): a vault used for disk CMK needs purge protection enabled; confirm on `kv`.
    keyVaultResourceId: kv.id
    // Double encryption at rest: a platform-managed key plus the customer-managed key.
    encryptionType: 'EncryptionAtRestWithPlatformAndCustomerKeys'
    location: location
  }
}]
// Deploys the Windows Server 2019 core VM through the CARML virtualMachines module:
// two NICs with static IPv4 addresses, OS and data disk bound to the disk encryption set,
// and (when a vault name is supplied) backup protection in a Recovery Services vault.
// NOTE(review): the text between `=` and `:` is missing, so this was presumably a
// `[for ...: { ... }]` loop whose header was lost when the snippet was posted.
// NOTE(review): `enableResourceLock`, `resourceLockType`, `tags`, `coreVMUsername` and
// `vmBackupPolicyName` are used below but not declared in this snippet.
module coreVM '../../../../carml/modules/Microsoft.Compute/virtualMachines/deploy.bicep' = : {
  name: 'deploy_${coreVMName}-01'
  // NOTE(review): `appRG` is not declared in this snippet (the resource group above is `rgApp`).
  scope: appRG
  params: {
    name: '${coreVMName}-01'
    location: location
    // Pass the lock type only when locking is switched on; '' otherwise.
    lock: enableResourceLock == true ? resourceLockType : ''
    tags: tags
    // NOTE(review): no admin password / secret parameter appears in this snippet;
    // presumably trimmed from the report. Confirm it is sourced from Key Vault, not inline.
    adminUsername: coreVMUsername
    imageReference: {
      offer: 'WindowsServer'
      publisher: 'MicrosoftWindowsServer'
      sku: '2019-Datacenter'
      // 'latest' resolves to whichever image version is current when the VM is created,
      // so two deployments of this template can yield different patch levels.
      // Pin an explicit version where builds must be reproducible or auditable.
      version: 'latest'
    }
    nicConfigurations: [
      {
        // Front-end NIC.
        nicSuffix: '-nic01'
        ipConfigurations: [
          {
            name: '${coreVMName}-01-nic01-ipconfig01'
            // NOTE(review): `coreVMStaticIPs` is declared as an array; presumably it was
            // indexed by the loop variable in the original code.
            privateIPAddress: coreVMStaticIPs
            privateIPAllocationMethod: 'static'
            privateIPAddressVersion: 'IPv4'
            subnetResourceId: coreVMSubnetID
          }
        ]
      }
      {
        // Back-end NIC; accelerated networking explicitly disabled.
        nicSuffix: '-nic02'
        enableAcceleratedNetworking: false
        ipConfigurations: [
          {
            name: '${coreVMName}-01-nic02-ipconfig01'
            // NOTE(review): both back-end values are declared as arrays; presumably indexed
            // by the loop variable in the original code.
            privateIPAddress: coreVMBackendStaticIPs
            privateIPAllocationMethod: 'static'
            privateIPAddressVersion: 'IPv4'
            subnetResourceId: coreVMBackendSubnetID
          }
        ]
      }
    ]
    osType: 'Windows'
    vmSize: coreVMSize
    osDisk: {
      createOption: 'FromImage'
      diskSizeGB: coreVMOSDiskSize
      managedDisk: {
        storageAccountType: coreVMOSDiskType
        // OS disk is encrypted with the disk encryption set deployed above.
        diskEncryptionSet: {
          id: diskEncryptionSet.outputs.resourceId
        }
      }
    }
    dataDisks: [
      {
        createOption: 'Empty'
        diskSizeGB: coreVMDataDisk1Size
        managedDisk: {
          storageAccountType: coreVMDataDisk1Type
          // Data disk uses the same disk encryption set as the OS disk.
          diskEncryptionSet: {
            id: diskEncryptionSet.outputs.resourceId
          }
        }
      }
    ]
    // Both ternaries return the parameter when non-empty and '' otherwise, i.e. the same
    // value as passing the (string, default '') parameter directly.
    backupVaultName: !empty(recoveryVaultName) ? recoveryVaultName : ''
    backupVaultResourceGroup: !empty(backupVaultResourceGroup) ? backupVaultResourceGroup : ''
    // The error logged for this deployment
    // (UserErrorModifyPolicyOrProtectionWithReducedRetentionNotSupported) is the vault
    // refusing a policy/protection change it evaluates as a retention reduction, which an
    // immutable vault blocks by design.
    // NOTE(review): presumably the re-run re-applies this policy to an already protected
    // item; compare the retention of the policy currently bound to the item with the one
    // named here before considering any change to the vault's immutability setting.
    backupPolicyName: vmBackupPolicyName
  }
}
Relevant log output
Deployment logs show
"details": [
{
"code": "UserErrorModifyPolicyOrProtectionWithReducedRetentionNotSupported",
"message": "Reduction in retention during Policy/Protection modification is not allowed since the selected vault is immutable."
}
]