hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for Immutable vaults in Azure Backup Vault #22238

Open mfatbmw opened 1 year ago

mfatbmw commented 1 year ago

Description

Azure Backup provides an option to ensure that recovery points that are once created cannot be deleted before their intended expiry time. Azure Backup does this by preventing any operations which could lead to loss of backup data. Hence, this helps you protect backups against threats like ransomware attacks and malicious actors by disallowing operations such as deleting backups or reducing retention in backup policies.

New or Affected Resource(s)/Data Source(s)

azurerm_data_protection_backup_vault

Potential Terraform Configuration

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_data_protection_backup_vault" "example" {
  name                = "example-backup-vault"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"

  immutability        = "Locked" # or "Unlocked" or "Disabled"

}

References

https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=backup-vault

RSwarnkar commented 1 year ago

@mfatbmw Yes, this needs to be there!! Also please note I could not find any doc for enable_soft_delete and retention_period_days. Am I missing something? I believe those are in preview feature as per the ARM Template Resource definition.

pkosiol-cc commented 9 months ago

@mfatbmw - I'm experiencing an error regarding immutability of a recovery service vault and the corresponding backup policy. The scenario is as follows:

I get the following error when I want to increase the retention time from 7 to 8 days:

Backup Policy Name: "StandardVMBackupPolicy"): protectionpolicies.ProtectionPoliciesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="UserErrorModifyPolicyOrProtectionWithReducedRetentionNotSupported" Message="Reduction in retention during Policy/Protection modification is not allowed since the selected vault is immutable. Kindly ensure that the policy/protection modification involves only same retention or retention increase for an immutable vault."

giovannifl commented 8 months ago

Any update on this topic?

frazhamid commented 6 months ago

Any update?

Pree-Y commented 3 months ago

@mfatbmw Hi, I'm trying from azurerm version "3.112.0". Getting error for enabling immutability property from terraform.

rdvansloten commented 2 months ago

Any news on this? This feature is still not in the azurerm_data_protection_backup_vault and we have to manually set this every time. Feels weird that such a basic feature is overlooked for over a year.

Skyb0rg commented 1 month ago

We need immutability support for backup vault!!!

BenoitNgs commented 1 month ago

Hello, in effect, we need immutability support for backup vault.

It's possible to use azapi until this feature is available:

resource "azapi_update_resource" "main_immutability" {
  resource_id = azurerm_data_protection_backup_vault.main.id
  type        = "Microsoft.DataProtection/backupVaults@2024-04-01"
  body = {
    properties = {
      securitySettings = {
        immutabilitySettings = {
          state = "Unlocked"
        }
      }
    }
  }
}
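
One way to confirm that the azapi workaround above took effect, and to catch later drift if the setting is changed outside Terraform, is a `check` block that reads the vault's immutability state back through azapi. This is an added example, not part of the original thread or the provider's code. It assumes Terraform 1.5+, azapi 2.x (where `output` is an HCL object), the resource names used in the comment above, and a hypothetical variable `expected_immutability_state`.

```hcl
terraform {
  required_version = ">= 1.5.0" # check blocks require Terraform 1.5 or later

  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = ">= 2.0.0" # assumption: output is exposed as an HCL object
    }
  }
}

# Hypothetical variable (not from the thread): the state the vault must report.
variable "expected_immutability_state" {
  type    = string
  default = "Unlocked"

  validation {
    # The three values proposed in the issue description.
    condition     = contains(["Disabled", "Unlocked", "Locked"], var.expected_immutability_state)
    error_message = "Must be one of Disabled, Unlocked or Locked."
  }
}

check "backup_vault_immutability" {
  # Scoped data source: read the live vault after the azapi update has run.
  data "azapi_resource" "vault_readback" {
    resource_id            = azurerm_data_protection_backup_vault.main.id
    type                   = "Microsoft.DataProtection/backupVaults@2024-04-01"
    response_export_values = ["properties.securitySettings.immutabilitySettings.state"]

    depends_on = [azapi_update_resource.main_immutability]
  }

  assert {
    # Assumption: a vault that returns no immutabilitySettings is treated as
    # "Disabled", so a missing property fails the check instead of erroring.
    condition = try(
      data.azapi_resource.vault_readback.output.properties.securitySettings.immutabilitySettings.state,
      "Disabled"
    ) == var.expected_immutability_state

    error_message = "Backup vault immutability state differs from the expected value."
  }
}
```

A failed check surfaces as a warning during `terraform plan` and `terraform apply` rather than blocking the run, so it works as a drift signal alongside the workaround.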

Skyb0rg commented 4 weeks ago

Thank You @BenoitNgs !!! Works perfect for the moment.