terraform-provider-azurerm
Support for Immutable vaults in Azure Backup Vault
Is there an existing issue for this?
- [X] I have searched the existing issues
Community Note
- Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Azure Backup provides an option to ensure that recovery points that are once created cannot be deleted before their intended expiry time. Azure Backup does this by preventing any operations which could lead to loss of backup data. Hence, this helps you protect backups against threats like ransomware attacks and malicious actors by disallowing operations such as deleting backups or reducing retention in backup policies.
New or Affected Resource(s)/Data Source(s)
azurerm_data_protection_backup_vault
Potential Terraform Configuration
```hcl
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_data_protection_backup_vault" "example" {
  name                = "example-backup-vault"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"
  immutability        = "Locked" # proposed attribute; or "Unlocked" or "Disabled"
}
```
References
https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=backup-vault
@mfatbmw Yes, this needs to be there!!
Also, please note I could not find any doc for enable_soft_delete and retention_period_days? Am I missing something?
I believe those are in preview feature as per the ARM Template Resource definition.
@mfatbmw - I'm experiencing an error regarding immutability of a recovery service vault and the corresponding backup policy. The scenario is as follows:
- Immutability is enabled but unlocked
- Daily retention is set to 7 days
- Increasing the retention time via the portal is working
- Decreasing the retention time via the portal is denied (as it should be)
I get the following error when I want to increase the retention time from 7 to 8 days:
Backup Policy Name: "StandardVMBackupPolicy"): protectionpolicies.ProtectionPoliciesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="UserErrorModifyPolicyOrProtectionWithReducedRetentionNotSupported" Message="Reduction in retention during Policy/Protection modification is not allowed since the selected vault is immutable. Kindly ensure that the policy/protection modification involves only same retention or retention increase for an immutable vault."
Any update on this topic ?
Any update?
Any news on this? This feature is still not in the azurerm_data_protection_backup_vault and we have to manually set this every time. Feels weird that such a basic feature is overlooked for over a year.
We need immutability support for backup vault!!!
Hello, in effect, we need immutability support for backup vault.
It's possible to use azapi until this feature is available:
```hcl
resource "azapi_update_resource" "main_immutability" {
  resource_id = azurerm_data_protection_backup_vault.main.id
  type        = "Microsoft.DataProtection/backupVaults@2024-04-01"
  body = {
    properties = {
      securitySettings = {
        immutabilitySettings = {
          state = "Unlocked"
        }
      }
    }
  }
}
```
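A defender-side check for the gap discussed in this thread, as an added example that is not part of the issue or the provider's code: it reads vault objects shaped like the ARM body in the azapi workaround above and fails closed when `immutabilitySettings.state` is missing or not `Locked`. The sample vault list and the function names are constructed for illustration, and treating `Unlocked` as a warning is an assumption of this example.

```python
import json

# Constructed sample: vault objects shaped like the ARM resource body used in
# the azapi workaround (properties.securitySettings.immutabilitySettings.state).
SAMPLE_VAULTS = json.loads("""
[
  {"name": "vault-locked",
   "properties": {"securitySettings": {"immutabilitySettings": {"state": "Locked"}}}},
  {"name": "vault-unlocked",
   "properties": {"securitySettings": {"immutabilitySettings": {"state": "Unlocked"}}}},
  {"name": "vault-disabled",
   "properties": {"securitySettings": {"immutabilitySettings": {"state": "Disabled"}}}},
  {"name": "vault-unset", "properties": {"securitySettings": {}}}
]
""")

# Assumption: "Unlocked" is only a warning, because it can still be disabled.
SEVERITY = {"Locked": "ok", "Unlocked": "warn", "Disabled": "fail"}


def immutability_state(node):
    """Return the state string, or None when any level of the path is absent."""
    for key in ("properties", "securitySettings", "immutabilitySettings", "state"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def audit(vaults):
    """Map each vault name to (severity, state); unknown or missing fails closed."""
    report = {}
    for vault in vaults:
        state = immutability_state(vault)
        report[vault.get("name", "<unnamed>")] = (SEVERITY.get(state, "fail"), state)
    return report


def exit_code(report, allow_unlocked=False):
    """Non-zero when any vault fails, or warns while unlocked is not allowed."""
    bad = {"fail"} if allow_unlocked else {"fail", "warn"}
    return 1 if any(sev in bad for sev, _ in report.values()) else 0


if __name__ == "__main__":
    for name, (sev, state) in sorted(audit(SAMPLE_VAULTS).items()):
        print(f"{sev:5} {name}: {state!r}")
    raise SystemExit(exit_code(audit(SAMPLE_VAULTS)))
```

Run against real data by replacing `SAMPLE_VAULTS` with the parsed JSON of the vault resources from your own inventory export; the exit code makes it usable as a pipeline gate.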
Thank You @BenoitNgs !!! Works perfect for the moment.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.