hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Impossible to create an azurerm_data_protection_backup_instance_blob_storage #27770

Open zadigus opened 12 hours ago

zadigus commented 12 hours ago

Is there an existing issue for this?

Community Note

Terraform Version

1.9.5

AzureRM Provider Version

4.4.0

Affected Resource(s)/Data Source(s)

azurerm_data_protection_backup_instance_blob_storage

Terraform Configuration Files

# Backup vault for the long-term-retention backups. Its system-assigned
# identity is the principal that the role assignments in this configuration
# grant access to.
resource "azurerm_data_protection_backup_vault" "long-time-retention" {
  name                = "${var.resource_name}-backup"
  resource_group_name = var.resource_group_name
  location            = var.location

  datastore_type = "VaultStore"
  redundancy     = "ZoneRedundant"

  # Soft delete keeps deleted backups recoverable for the retention window.
  # "On" can be turned off again by anyone allowed to update the vault, whereas
  # "AlwaysOn" cannot be reverted. Choose deliberately if the vault is meant to
  # survive a compromised or careless operator account.
  soft_delete                = "On"
  retention_duration_in_days = 180

  identity {
    type = "SystemAssigned"
  }
}

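# Grants the vault's managed identity the built-in "Reader" role.
# NOTE(review): the scope is var.resource_group_id, so the identity can read
# every resource in that group. Confirm this breadth is required by the backup
# instances attached to the vault, and narrow the scope if it is not.
resource "azurerm_role_assignment" "backup-vault-reader" {
  scope                = var.resource_group_id
  role_definition_name = "Reader"
  # Bracket index syntax; the dotted `identity.0` form is legacy and was
  # inconsistent with the storage-long-term-retention assignment.
  principal_id = azurerm_data_protection_backup_vault.long-time-retention.identity[0].principal_id
}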

# Grants the vault's managed identity the "Storage Account Backup Contributor"
# role. The assignment is scoped to var.storage_account_id rather than to the
# resource group.
resource "azurerm_role_assignment" "storage-long-term-retention" {
  principal_id         = azurerm_data_protection_backup_vault.long-time-retention.identity[0].principal_id
  role_definition_name = "Storage Account Backup Contributor"
  scope                = var.storage_account_id
}

# Blob backup policy that sets both an operational and a vault retention
# duration.
resource "azurerm_data_protection_backup_policy_blob_storage" "long-term-retention" {
  # Wait until the vault identity holds both roles before creating the policy.
  depends_on = [
    azurerm_role_assignment.backup-vault-reader,
    azurerm_role_assignment.storage-long-term-retention,
  ]

  name     = "${var.resource_name}-storage-backup-policy"
  vault_id = azurerm_data_protection_backup_vault.long-time-retention.id

  # ISO 8601 repeating interval: weekly (P1W), anchored at 2024-10-13 02:30 UTC.
  backup_repeating_time_intervals = ["R/2024-10-13T02:30:00+00:00/P1W"]

  operational_default_retention_duration = var.storage_operation_retention_duration
  vault_default_retention_duration       = var.storage_vault_retention_duration
}

# Backup instance that attaches the storage account to the vault under the
# blob backup policy.
# NOTE(review): no `storage_account_container_names` is set here. The
# referenced policy sets vault_default_retention_duration (vaulted backup), and
# the provider documentation says the container list should be specified for
# vaulted policies. This may be what leaves the instance in 'ProtectionError';
# confirm against the docs for the provider version in use.
resource "azurerm_data_protection_backup_instance_blob_storage" "long-term-retention" {
  name     = "${var.resource_name}-backup-instance-blob"
  location = var.location

  vault_id         = azurerm_data_protection_backup_vault.long-time-retention.id
  backup_policy_id = azurerm_data_protection_backup_policy_blob_storage.long-term-retention.id

  storage_account_id = var.storage_account_id
}

Debug Output/Panic Output

12:34:28   ╷
12:34:28   │ Error: waiting for Backup Instance (Subscription: "50adbdb5-3292-4995-aaf8-21d7469b3d1b"
12:34:28   │ Resource Group Name: "vb-p-master-eastus-backup"
12:34:28   │ Backup Vault Name: "vbpbackupmastereus-backup"
12:34:28   │ Backup Instance Name: "vbpbackupmastereus-backup-instance-psql") to become available: unexpected state 'ProtectionError', wanted target 'ProtectionConfigured'. last error: %!s(<nil>)
12:34:28   │ 
12:34:28   │   with module.vaulted_backup.azurerm_data_protection_backup_instance_postgresql_flexible_server.long-term-retention,
12:34:28   │   on ../../modules/backup/vaulted-backup/main.tf line 66, in resource "azurerm_data_protection_backup_instance_postgresql_flexible_server" "long-term-retention":
12:34:28   │   66: resource "azurerm_data_protection_backup_instance_postgresql_flexible_server" "long-term-retention" {
12:34:28   │ 
12:34:28   │ waiting for Backup Instance (Subscription:
12:34:28   │ "50adbdb5-3292-4995-aaf8-21d7469b3d1b"
12:34:28   │ Resource Group Name: "vb-p-master-eastus-backup"
12:34:28   │ Backup Vault Name: "vbpbackupmastereus-backup"
12:34:28   │ Backup Instance Name: "vbpbackupmastereus-backup-instance-psql") to become
12:34:28   │ available: unexpected state 'ProtectionError', wanted target
12:34:28   │ 'ProtectionConfigured'. last error: %!s(<nil>)
12:34:28   ╵
12:34:28   ╷
12:34:28   │ Error: waiting for BackupInstance("Backup Instance (Subscription: \"50adbdb5-3292-4995-aaf8-21d7469b3d1b\"\nResource Group Name: \"vb-p-master-eastus-backup\"\nBackup Vault Name: \"vbpbackupmastereus-backup\"\nBackup Instance Name: \"vbpbackupmastereus-backup-instance-blob\")") policy protection to be completed: unexpected state 'ProtectionError', wanted target 'ProtectionConfigured'. last error: %!s(<nil>)
12:34:28   │ 
12:34:28   │   with module.vaulted_backup.azurerm_data_protection_backup_instance_blob_storage.long-term-retention,
12:34:28   │   on ../../modules/backup/vaulted-backup/main.tf line 74, in resource "azurerm_data_protection_backup_instance_blob_storage" "long-term-retention":
12:34:28   │   74: resource "azurerm_data_protection_backup_instance_blob_storage" "long-term-retention" {
12:34:28   │

Expected Behaviour

Should activate the protection with success.

Actual Behaviour

Protection fails.

Steps to Reproduce

No response

Important Factoids

No response

References

No response

zadigus commented 12 hours ago

Converting the above config to azapi works:

# Same backup instance expressed through the azapi provider, sending the
# request body to the Microsoft.DataProtection API directly.
# NOTE(review): the type pins a `-preview` API version; confirm that is
# acceptable for a resource that backups depend on.
resource "azapi_resource" "blob-long-term-retention" {
  type      = "Microsoft.DataProtection/backupVaults/backupInstances@2022-11-01-preview"
  name      = "${var.resource_name}-backup-instance-blob"
  parent_id = azurerm_data_protection_backup_vault.long-time-retention.id
  tags      = var.tags

  body = {
    properties = {
      objectType = "BackupInstance"

      # Data source and data source set both point at the same storage account.
      dataSourceInfo = {
        objectType       = "Datasource"
        datasourceType   = "Microsoft.Storage/storageAccounts/blobServices"
        resourceType     = "Microsoft.Storage/storageAccounts"
        resourceID       = var.storage_account_id
        resourceUri      = var.storage_account_id
        resourceName     = var.storage_account_name
        resourceLocation = var.location
      }

      dataSourceSetInfo = {
        objectType       = "DatasourceSet"
        datasourceType   = "Microsoft.Storage/storageAccounts/blobServices"
        resourceType     = "Microsoft.Storage/storageAccounts"
        resourceID       = var.storage_account_id
        resourceUri      = var.storage_account_id
        resourceName     = var.storage_account_name
        resourceLocation = var.location
      }

      policyInfo = {
        policyId = azurerm_data_protection_backup_policy_blob_storage.long-term-retention.id
        policyParameters = {
          backupDatasourceParametersList = [
            {
              objectType = "BlobBackupDatasourceParameters"
              # NOTE(review): "dummy" is a placeholder. Presumably only the
              # containers listed here are covered by the vaulted backup, so
              # the instance can report as configured while real containers
              # stay unprotected. Replace with the actual container names and
              # verify with a test restore.
              containersList = ["dummy"]
            }
          ]
        }
      }
    }
  }
}

The main difference between the two is that with azapi I have to specify the list of containers, whereas with azurerm I specify none. I assumed azurerm would take all containers by default, but apparently it just fails.