hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.52k stars 4.6k forks

Support for Immutable vaults in Azure Backup Vault #22238

Open mfatbmw opened 1 year ago

mfatbmw commented 1 year ago

Description

Azure Backup provides an option to ensure that recovery points that are once created cannot be deleted before their intended expiry time. Azure Backup does this by preventing any operations which could lead to loss of backup data. Hence, this helps you protect backups against threats like ransomware attacks and malicious actors by disallowing operations such as deleting backups or reducing retention in backup policies.

New or Affected Resource(s)/Data Source(s)

azurerm_data_protection_backup_vault

Potential Terraform Configuration

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_data_protection_backup_vault" "example" {
  name                = "example-backup-vault"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"

  immutability        = "Locked" # or "Unlocked" or "Disabled"

}

References

https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=backup-vault
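
As an added example (not part of the issue or the provider's code), here is a CI check over `terraform show -json` plan output that flags backup vaults whose immutability is missing, not `Locked`, or being weakened. It assumes the `immutability` attribute and values proposed above; `audit_plan` and the sample plan are constructed for illustration.

```python
import json

VAULT_TYPE = "azurerm_data_protection_backup_vault"
# Values proposed in the issue, ranked weakest to strongest (assumed attribute).
STRENGTH = {"Disabled": 0, "Unlocked": 1, "Locked": 2}


def audit_plan(plan):
    """Return (address, finding) tuples for backup vaults in a plan JSON dict."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if rc.get("type") != VAULT_TYPE or after is None:
            continue  # other resource types, or the vault is being destroyed
        old = (change.get("before") or {}).get("immutability")
        new = after.get("immutability")
        if new not in STRENGTH:
            findings.append((rc["address"], "immutability not set"))
        elif new != "Locked":
            findings.append((rc["address"], f"immutability is {new}, not Locked"))
        # A missing value counts as the weakest setting when comparing.
        if STRENGTH.get(new, 0) < STRENGTH.get(old, 0):
            findings.append((rc["address"], f"downgrade from {old} to {new}"))
    return findings


# Constructed sample, shaped like `terraform show -json` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_resource_group.example", "type": "azurerm_resource_group",
   "change": {"actions": ["create"], "before": null, "after": {"name": "example-resources"}}},
  {"address": "azurerm_data_protection_backup_vault.locked", "type": "azurerm_data_protection_backup_vault",
   "change": {"actions": ["create"], "before": null, "after": {"immutability": "Locked"}}},
  {"address": "azurerm_data_protection_backup_vault.legacy", "type": "azurerm_data_protection_backup_vault",
   "change": {"actions": ["update"], "before": {"immutability": "Unlocked"}, "after": {"immutability": "Disabled"}}},
  {"address": "azurerm_data_protection_backup_vault.noattr", "type": "azurerm_data_protection_backup_vault",
   "change": {"actions": ["create"], "before": null, "after": {"name": "example-backup-vault"}}}
]}
""")

if __name__ == "__main__":
    for address, finding in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```
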

RSwarnkar commented 10 months ago

@mfatbmw Yes, this needs to be there!! Also, please note I could not find any doc for enable_soft_delete and retention_period_days. Am I missing something? I believe those are in preview feature as per the ARM Template Resource definition.

pkosiol-cc commented 7 months ago

@mfatbmw - I'm experiencing an error regarding immutability of a recovery service vault and the corresponding backup policy. The scenario is as follows:

I get the following error when I want to increase the retention time from 7 to 8 days:

Backup Policy Name: "StandardVMBackupPolicy"): protectionpolicies.ProtectionPoliciesClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="UserErrorModifyPolicyOrProtectionWithReducedRetentionNotSupported" Message="Reduction in retention during Policy/Protection modification is not allowed since the selected vault is immutable. Kindly ensure that the policy/protection modification involves only same retention or retention increase for an immutable vault."

giovannifl commented 6 months ago

Any update on this topic?

frazhamid commented 3 months ago

Any update?

Pree-Y commented 1 month ago

@mfatbmw Hi, I'm trying from azurerm version "3.112.0". Getting an error for enabling the immutability property from Terraform.

rdvansloten commented 2 weeks ago

Any news on this? This feature is still not in the azurerm_data_protection_backup_vault and we have to manually set this every time. Feels weird that such a basic feature is overlooked for over a year.