Terraform module for management of Azure Virtual Machine backup. Supports creating Recovery Services Vault, multiple backup policies and assigning backup policies to specific VMs.
Here are some short examples with referenced resources cut out. See examples-directory for full examples.
This example features the deployment of two backup policies, `default_policy` and `daily_backup`. `default_policy` is run weekly on Fridays and is assigned all virtual machines. `daily_backup` is run daily and is assigned only virtual machine number 2.
See full example here.
```hcl
module "backup" {
  source  = "decensas/azure-virtual-machine-backup/azurerm"
  version = "0.1.0"

  resource_group_name = azurerm_resource_group.backup.name
  location            = azurerm_resource_group.backup.location

  storage_mode_type   = "LocallyRedundant"
  soft_delete_enabled = false

  backup_policies = {
    default_policy = {
      backup_time                    = "20:00"
      backup_frequency               = "Weekly"
      instant_restore_retention_days = 10
      retention = {
        weekly_backups_retention = 20 # retains 20 weekly backups at a time
        weekdays                 = ["Friday"]
      }
      protected_virtual_machines = [azurerm_windows_virtual_machine.main[1], azurerm_windows_virtual_machine.main[3]]
    }
    daily_backup = {
      backup_time      = "20:00"
      backup_frequency = "Daily"
      retention = {
        daily_backups_retention = 10 # Retains 10 daily backups at a time
      }
      protected_virtual_machines = [azurerm_windows_virtual_machine.main[2]]
    }
  }

  tags = {
    environment = "Demo"
  }
}
```
Name | Version |
---|---|
terraform | >= 1.2.8 |
azurerm | ~> 3.0 |
Name | Version |
---|---|
azurerm | ~> 3.0 |
No modules.
Name | Type |
---|---|
azurerm_backup_policy_vm.backup_policy | resource |
azurerm_backup_protected_vm.backup_vms | resource |
azurerm_private_endpoint.backup | resource |
azurerm_recovery_services_vault.vault | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
backup_policies | A map of backup policy objects where the key is the name of the policy. Review for comprehensive documentation | map(object({ | n/a | yes |
cross_region_restore_enabled | Whether to enable cross region restore for Recovery Services Vault. For this to be true var.storage_mode_type must be set to GeoRedundant | bool | false | no |
encryption_with_cmk | Whether to manage encryption using Customer Managed Key (CMK) provisioned with var.key_vault_key_id. Relevant documentation: https://learn.microsoft.com/en-us/azure/backup/backup-encryption | bool | false | no |
identity | What identity to enable for the Recovery Service Vault. The identity is used when using Customer Managed Key (CMK for encryption) or accessing the vault using Private Endpoints. Available options are: 'SystemAssigned', 'UserAssigned', 'SystemAssigned, UserAssigned'. Required if encryption_with_cmk is enabled. | string | "SystemAssigned" | no |
identity_ids | List of User Assigned Managed Identity IDs to be used by the Recovery Services Vault. Only relevant if var.identity is set to either 'SystemAssigned' or 'SystemAssigned, UserAssigned'. | list(string) | null | no |
immutability | Whether you want vault to be immutable. Allowed values are: 'Locked', 'Unlocked' or 'Disabled'. Review https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-concept?tabs=recovery-services-vault | string | "Disabled" | no |
infrastructure_encryption_enabled | Whether to add an additional layer of encryption on the storage infrastructure | bool | false | no |
key_vault_key_id | ID of key within Azure Key Vault. This should be the Customer Managed Key (CMK) | string | null | no |
location | Name of location to where backups will be stored | string | n/a | yes |
manage_dns_zone | Whether to manage private DNS zone or not for Recovery Services Vault | bool | true | no |
manage_private_endpoint | Whether this module will manage a private endpoint for the Recovery Service Vault | bool | false | no |
private_dns_zone_group_name | Name of Azure Private DNS zone group for resolving private endpoint. Only relevant if var.private_endpoint_subnet_id is set | string | "backup-dns-zone" | no |
private_dns_zone_ids | A list of private DNS zone IDs to add DNS entry to. Required if var.manage_dns_zone is true | list(string) | [] | no |
private_endpoint_subnet_id | Subnet ID of subnet to deploy Private Endpoint in. Required if public_network_access_enabled is disabled | string | null | no |
public_network_access_enabled | Enable access to Recovery Services Vault from public networks or not. Requires configuration of a Private Endpoint and DNS resolve for backup operations and vault access. | bool | false | no |
recovery_services_vault_name | Name of Recovery Services Vault where backups will be stored. | string | "backup-rsv" | no |
resource_group_name | The name of the resource group in which to deploy the backup resources. | string | n/a | yes |
rsv_alerts_for_all_job_failures_enabled | Enabling/Disabling built-in Azure Monitor alerts for security scenarios and job failure scenarios. More details could be found here. | bool | true | no |
rsv_alerts_for_critical_operation_failures_enabled | Enabling/Disabling alerts from the older (classic alerts) solution. More details could be found here. | bool | true | no |
sku | SKU of Recovery Services Vault, either 'Standard' or 'RS0'. | string | "Standard" | no |
soft_delete_enabled | Whether to enable soft delete on Recovery Services Vault | bool | true | no |
storage_mode_type | Storage type of the Recovery Services Vault. Must be one of 'GeoRedundant', 'LocallyRedundant' or 'ZoneRedundant'. | string | "GeoRedundant" | no |
tags | (Optional) Tags that will be applied to all deployed resources. | map(string) | {} | no |
user_assigned_identity_id_encryption | User assigned ID to be used for additional encryption. Only relevant if var.encryption_with_cmk is enabled. System Assigned Identity for the Recovery Services Vault is used if no value is provided. | string | null | no |
Name | Description |
---|---|
policy | A map of backup policy objects created by this module. |
vault | Recovery Services Vault object created by this module. |
var.backup_policy is a complex structure and requires additional documentation.
The outer layer is a key-value map where the key is the name of the backup policy and its value is a complex object describing the policy and its assignees.
<policy_name> => { <policy_configuration> }
The backup policy configuration options are as follows:
Name | Type | Description | Default | Required |
---|---|---|---|---|
timezone | string | Allowed values | "UTC" | Optional |
backup_time | string | Time of day to perform backup in 24h format, e.g. 23:00 | n/a | Required |
backup_frequency | string | Frequency of backup, supported values 'Hourly', 'Daily', 'Weekly' | n/a | Required |
policy_type | string | Available values are 'V1' or 'V2', Review | n/a | Optional |
instant_restore_retention_days | number | Between 1-5 for var.policy_type V1, 1-30 for V2 | n/a | Optional |
backup_hour_interval | number | Interval of which backup is triggered. Allowed values are: 4, 6, 8 or 12. Used if backup_frequency is set to Hourly. | n/a | Optional |
backup_hour_duration | number | Duration of the backup window in hours. Value between 4 and 24. Used if backup_frequency is Hourly. Must be a multiple of backup_hour_interval | n/a | Optional |
protected_virtual_machines | map(object({ | A map describing which VMs to assign backup policy to. The key should describe the VM, e.g. its name; avoid retrieving the value from an Azure Resource to avoid dependency issues. The value is an object containing VM name and ID | n/a | Optional |
retention | object({<attributes>}) | Describing retention settings for the policy. | n/a | Optional |
Furthermore the retention configuration options are as follows:
Name | Type | Description | Default | Required |
---|---|---|---|---|
daily_backups_retention | number | Number of daily backups to retain, must be between 7-9999. Required if backup_frequency is Daily | n/a | Optional |
weekly_backups_retention | number | Number of weekly backups to retain, must be between 1-9999 | n/a | Optional |
weekdays | list(string) | The day in the week of backups to retain. Used for weekly retention. E.g. "Monday" or "Friday" | n/a | Optional |
monthly_backups_retention | number | Number of monthly backups to retain, must be between 1-9999 | n/a | Optional |
months_weekdays | list(string) | The day in the week of backups to retain. Used for monthly retention configuration | n/a | Optional |
months_weeks | list(string) | Weeks of the month to retain backup of. Must be First, Second, Third or Last. Used for monthly retention configuration | n/a | Optional |
months_days | list(number) | The days in the month to retain backups of. Must be between 1-31. Used for monthly retention configuration | n/a | Optional |
months_include_last_days | bool | Whether to include last day of month, used if either months_weekdays, months_weeks or months_days is set | false | Optional |
yearly_backups_retention | number | Number of yearly backups to retain, must be between 1-9999 | n/a | Optional |
yearly_months | list(string) | The months of the year to retain backups of. Values must be names of the month with capital case. Used for yearly retention configuration | n/a | Optional |
yearly_weekdays | list(string) | The day in the week of backups to retain. Used for yearly retention configuration | n/a | Optional |
yearly_weeks | list(string) | Weeks of the month to retain backup of. Must be First, Second, Third or Last. Used for yearly retention configuration | n/a | Optional |
yearly_days | list(number) | The days in the month to retain backups of. Must be between 1-31. Used for monthly retention configuration | n/a | Optional |
yearly_include_last_days | bool | Whether to include last day of month, used if either months_weekdays, months_weeks or months_days is set | | |
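
A hardened variant of the module call, combining the vault inputs and policy options documented above. This is an added example, not one of the module's own: the module label, the policy name and every `azurerm_*` reference are assumed names, and the version pin is left as a placeholder.

```hcl
# Added example, not from the module's own examples. Every reference to an
# azurerm_* resource below is an assumed name defined elsewhere in your code.
module "backup_hardened" {
  source = "decensas/azure-virtual-machine-backup/azurerm"
  # version = "<release you have reviewed>" # placeholder: pin a version that has these inputs

  resource_group_name = azurerm_resource_group.backup.name
  location            = azurerm_resource_group.backup.location

  # Keep deleted backup data recoverable (the short example above turns this off).
  soft_delete_enabled = true
  # "Unlocked" can still be changed later; "Locked" cannot be reverted once applied.
  immutability = "Unlocked"

  # Cross region restore requires GeoRedundant storage.
  storage_mode_type            = "GeoRedundant"
  cross_region_restore_enabled = true

  # Customer Managed Key; the identity used must already be allowed to use the key.
  encryption_with_cmk                  = true
  key_vault_key_id                     = azurerm_key_vault_key.backup.id
  infrastructure_encryption_enabled    = true
  identity                             = "SystemAssigned, UserAssigned"
  identity_ids                         = [azurerm_user_assigned_identity.backup.id]
  user_assigned_identity_id_encryption = azurerm_user_assigned_identity.backup.id

  # No public access: reach the vault through a private endpoint only.
  public_network_access_enabled = false
  manage_private_endpoint       = true
  private_endpoint_subnet_id    = azurerm_subnet.backup.id
  manage_dns_zone               = true
  private_dns_zone_ids          = [azurerm_private_dns_zone.backup.id]

  backup_policies = {
    hourly_v2 = {
      policy_type                    = "V2"
      backup_frequency               = "Hourly"
      backup_time                    = "08:00"
      backup_hour_interval           = 4  # one of 4, 6, 8, 12
      backup_hour_duration           = 12 # 4-24 and a multiple of the interval
      instant_restore_retention_days = 7  # 1-30 is allowed for V2
      retention = {
        daily_backups_retention = 30 # 7-9999
      }
    }
  }
}
```

`protected_virtual_machines` is left out because it is optional and its object attributes are not spelled out on this page.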