AKS support for Backup Extension

mkemmerz commented 1 year ago

Is there an existing issue for this?

[X] I have searched the existing issues
https://github.com/Azure/AKS/issues/3356

Community Note

Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AKS should support the installation and configuration of the new Backup Extension: https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-manage-backups#backup-extension-related-operations

Docs to the backup feature: https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-backup

Extenstion installation command:

It should support the configuration mentioned in the installation command: az k8s-extension create --name azure-aks-backup --extension-type Microsoft.DataProtection.Kubernetes --scope cluster --cluster-type managedClusters --cluster-name aksclustername --resource-group aksclusterrg --release-train stable --configuration-settings blobContainer=containername storageAccount=storageaccountname storageAccountResourceGroup=storageaccountrg storageAccountSubscriptionId=subscriptionid

The extension is required to be able to automate the whole AKS backup feature in the future.

The managed identity that is created during the installation should be exported as output variable too (at least client id), as we need to grant permissions to it for the feature.

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Potential Terraform Configuration

resource "azurerm_kubernetes_cluster" "example" {
  ...

  backup {
    name          = "foo"
    release-train = "stable"

    blob {
      container_name                      = "mycontainer"
      storage_account_name                = "mystorage"
      storage_account_resource_group_name = "myreg"
      subscription_id                     = "1234-5678-9999"
    }
  }

References

No response

fabian-ro commented 8 months ago

The backup extension and the necessary role assignments can be created with the azurerm provider:

resource "azurerm_kubernetes_cluster_extension" "aks_backup" {
  name           = "backup"
  cluster_id     = azurerm_kubernetes_cluster.this.id
  extension_type = "microsoft.dataprotection.kubernetes"
  release_train  = "stable"

  configuration_settings = {
    "credentials.tenantId"                                      = data.azurerm_client_config.this.tenant_id
    "configuration.backupStorageLocation.config.subscriptionId" = data.azurerm_client_config.this.subscription_id
    "configuration.backupStorageLocation.config.resourceGroup"  = azurerm_storage_account.aks_backup.resource_group_name
    "configuration.backupStorageLocation.config.storageAccount" = azurerm_storage_account.aks_backup.name
    "configuration.backupStorageLocation.bucket"                = azurerm_storage_container.aks_backup.name
  }
}

However, the backup policy and backup configuration are not yet supported. Something like azurerm_data_protection_backup_policy_kubernetes and azurerm_data_protection_backup_instance_kubernetes would be nice. In the meantime, the azapi Provider is an option to manage these resources.

jkroepke commented 8 months ago

In the meantime, the azapi Provider is an option to manage these resources.

@fabian-ro Do you have an example to share?

fabian-ro commented 7 months ago

@jkroepke I created a Gist with some example code.

antoineozenne-at-leocare commented 7 months ago

Thank you @fabian-ro. Just for information, according to my tests, azurerm_kubernetes_cluster_extension.name must be azure-aks-backup for the extension to be displayed in the Azure Portal in the Backup menu (However, I tried without any backup_configuration).

antoineozenne-at-leocare commented 5 months ago

The resource azurerm_data_protection_backup_policy_kubernetes_cluster is now available in the version 3.91.0. All that remains is to implement azurerm_data_protection_backup_instance_kubernetes.

antoineozenne-at-leocare commented 4 months ago

The resource azurerm_data_protection_backup_instance_kubernetes_cluster is now available in the version 3.95.0 with a great and complete example.

Please, is it possible to implement the data source of these two resources now?

hashicorp / terraform-provider-azurerm