Merge branch 'sschne-feature/backup-vault'

aztfmod · May 5, 2022 · d8fa284 · d8fa284
2 parents 7072d51 + 9aca1dd
commit d8fa284
Show file tree

Hide file tree

Showing 30 changed files with 642 additions and 3 deletions.
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
@@ -82,6 +82,8 @@
     "data_factory/114-data_factory_integration_runtime_self_hosted",
     "data_factory/115-data_factory_runtime_self_hoste_databricks",
     "data_factory/116-data_factory_linked_service_azure_databricks",
+    "data_protection/100-backup-vault-blob-storage",
+    "data_protection/101-backup-vault-disk",
     "database_migration_services/100-dms",
     "databricks/100-standard-databricks-no-vnet",
     "databricks/101-standard-databricks-vnet",

diff --git a/backup_vaults.tf b/backup_vaults.tf
@@ -0,0 +1,90 @@
+module "backup_vaults" {
+  source   = "./modules/backup_vault"
+  for_each = local.data_protection.backup_vaults
+
+  global_settings     = local.global_settings
+  client_config       = local.client_config
+  settings            = each.value
+  storage_accounts    = local.combined_objects_storage_accounts
+  diagnostics         = local.combined_diagnostics
+  identity            = try(each.value.identity, {})
+  resource_groups     = local.combined_objects_resource_groups
+  location            = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+  resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)].name
+  base_tags           = try(local.global_settings.inherit_tags, false) ? try(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].tags, {}) : {}
+}
+
+output "backup_vaults" {
+  value = module.backup_vaults
+}
+
+module "backup_vault_policies_blob_storage" {
+  source = "./modules/backup_vault/backup_vault_policy_blob_storage"
+  for_each = {
+    for key, value in local.data_protection.backup_vault_policies : key => value
+    if value.type == "blob_storage"
+  }
+
+  global_settings = local.global_settings
+  settings        = each.value
+  vault_id        = can(each.value.backup_vault.id) || can(each.value.backup_vault_key) == false ? try(each.value.backup_vault.id, null) : local.combined_objects_backup_vaults[try(each.value.backup_vault.lz_key, local.client_config.landingzone_key)][try(each.value.backup_vault_key, each.value.backup_vault.key)].id
+}
+
+module "backup_vault_policies_disk" {
+  source = "./modules/backup_vault/backup_vault_policy_disk"
+  for_each = {
+    for key, value in local.data_protection.backup_vault_policies : key => value
+    if value.type == "disk"
+  }
+
+  global_settings = local.global_settings
+  settings        = each.value
+  vault_id        = can(each.value.backup_vault.id) || can(each.value.backup_vault_key) == false ? try(each.value.backup_vault.id, null) : local.combined_objects_backup_vaults[try(each.value.backup_vault.lz_key, local.client_config.landingzone_key)][try(each.value.backup_vault_key, each.value.backup_vault.key)].id
+}
+
+locals {
+  backup_vault_policies = merge(module.backup_vault_policies_blob_storage, module.backup_vault_policies_disk)
+}
+
+output "backup_vault_policies" {
+  value = local.backup_vault_policies
+}
+
+module "backup_vault_instances_blob_storage" {
+  source     = "./modules/backup_vault/backup_vault_instance_blob_storage"
+  depends_on = [azurerm_role_assignment.for]
+  for_each = {
+    for key, value in local.data_protection.backup_vault_instances : key => value
+    if value.type == "blob_storage"
+  }
+
+  settings           = each.value
+  vault_id           = can(each.value.backup_vault.id) ? each.value.backup_vault.id : local.combined_objects_backup_vaults[try(each.value.backup_vault.lz_key, local.client_config.landingzone_key)][try(each.value.backup_vault_key, each.value.backup_vault.key)].id
+  location           = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+  storage_account_id = can(each.value.storage_account.id) ? each.value.storage_account.id : local.combined_objects_storage_accounts[try(each.value.storage_account.lz_key, local.client_config.landingzone_key)][try(each.value.storage_account_key, each.value.storage_account.key)].id
+  backup_policy_id   = can(each.value.backup_vault_policy.id) ? each.value.backup_vault_policy.id : local.combined_objects_backup_vault_policies[try(each.value.backup_vault_policy.lz_key, local.client_config.landingzone_key)][try(each.value.backup_vault_policy_key, each.value.backup_vault_policy.key)].id
+}
+
+module "backup_vault_instances_disk" {
+  source     = "./modules/backup_vault/backup_vault_instance_disk"
+  depends_on = [azurerm_role_assignment.for]
+  for_each = {
+    for key, value in local.data_protection.backup_vault_instances : key => value
+    if value.type == "disk"
+  }
+
+  settings                     = each.value
+  vault_id                     = can(each.value.backup_vault.id) ? each.value.backup_vault.id : local.combined_objects_backup_vaults[try(each.value.backup_vault.lz_key, local.client_config.landingzone_key)][try(each.value.backup_vault_key, each.value.backup_vault.key)].id
+  location                     = can(local.global_settings.regions[each.value.region]) ? local.global_settings.regions[each.value.region] : local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location
+  backup_policy_id             = can(each.value.backup_vault_policy.id) ? each.value.backup_vault_policy.id : local.combined_objects_backup_vault_policies[try(each.value.backup_vault_policy.lz_key, local.client_config.landingzone_key)][try(each.value.backup_vault_policy_key, each.value.backup_vault_policy.key)].id
+  snapshot_resource_group_name = can(each.value.snapshot_resource_group.name) || can(each.value.snapshot_resource_group_name) ? try(each.value.snapshot_resource_group.name, each.value.snapshot_resource_group_name) : local.combined_objects_resource_groups[try(each.value.snapshot_resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.snapshot_resource_group_key, each.value.snapshot_resource_group.key)].name
+  disk_id                      = try(each.value.disk.os_disk, false) == true ? try(local.combined_objects_virtual_machines[try(each.value.disk.lz_key, local.client_config.landingzone_key)][each.value.disk.vm_key].os_disk_id) : try(local.combined_objects_virtual_machines[try(each.value.disk.lz_key, local.client_config.landingzone_key)][each.value.disk.vm_key].data_disks[each.value.disk.disk_key])
+}
+
+locals {
+  backup_vault_instances = merge(module.backup_vault_instances_blob_storage, module.backup_vault_instances_disk)
+}
+
+output "backup_vault_instances" {
+  value = local.backup_vault_instances
+}
diff --git a/examples/data_protection/100-backup-vault-blob-storage/configuration.tfvars b/examples/data_protection/100-backup-vault-blob-storage/configuration.tfvars
@@ -0,0 +1,68 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "australiaeast"
+  }
+}
+
+resource_groups = {
+  bv = {
+    name   = "bv"
+    region = "region1"
+  }
+}
+
+storage_accounts = {
+  bv_st1 = {
+    name               = "bv-st1"
+    resource_group_key = "bv"
+  }
+}
+
+backup_vaults = {
+  bv0 = {
+    backup_vault_name  = "bckp-level0"
+    resource_group_key = "bv"
+    datastore_type     = "SnapshotStore" #Proper type of vault for storage blob backup
+    redundancy         = "LocallyRedundant"
+    region             = "region1"
+    #Next block enables System Assigned managed identity
+    enable_identity = {
+      type = "SystemAssigned"
+    }
+  }
+}
+
+role_mapping = {
+  built_in_role_mapping = {
+    storage_accounts = {
+      bv_st1 = {
+        "Storage Account Backup Contributor" = {
+          backup_vaults = {
+            keys = ["bv0"]
+          }
+        }
+      }
+    }
+  }
+}
+
+backup_vault_policies = {
+  policy0 = {
+    type               = "blob_storage" # policy type, blob_storage and disk supported
+    backup_vault_key   = "bv0"
+    policy_name        = "backup-policy-lvl0"
+    retention_duration = "P50D" #Specific ISO 8601 format
+  }
+}
+
+backup_vault_instances = {
+  instance0 = {
+    type                    = "blob_storage" # instance type, blob_storage and disk supported
+    instance_name           = "instancebkp0"
+    region                  = "region1"
+    backup_vault_key        = "bv0"
+    backup_vault_policy_key = "policy0"
+    storage_account_key     = "bv_st1"
+  }
+}
diff --git a/examples/data_protection/101-backup-vault-disk/configuration.tfvars b/examples/data_protection/101-backup-vault-disk/configuration.tfvars
@@ -0,0 +1,194 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "australiaeast"
+  }
+}
+
+resource_groups = {
+  bv = {
+    name   = "bv"
+    region = "region1"
+  }
+}
+
+backup_vaults = {
+  bv0 = {
+    backup_vault_name  = "bckp-level0"
+    resource_group_key = "bv"
+    datastore_type     = "VaultStore" #Proper type of vault for storage blob backup
+    redundancy         = "LocallyRedundant"
+    region             = "region1"
+    #Next block enables System Assigned managed identity
+    enable_identity = {
+      type = "SystemAssigned"
+    }
+  }
+}
+
+role_mapping = {
+  built_in_role_mapping = {
+    resource_groups = {
+      bv = {
+        "Disk Snapshot Contributor" = {
+          backup_vaults = {
+            keys = ["bv0"]
+          }
+        }
+        "Disk Backup Reader" = {
+          backup_vaults = {
+            keys = ["bv0"]
+          }
+        }
+      }
+    }
+  }
+}
+
+backup_vault_policies = {
+  policy0 = {
+    type                            = "disk"
+    backup_vault_key                = "bv0"
+    policy_name                     = "backup-policy-lvl0"
+    retention_duration              = "P7D"                                #Specific ISO 8601 format
+    backup_repeating_time_intervals = ["R/2022-04-20T00:00:00+00:00/PT4H"] # ISO 8601 repeating time interval
+    retention_rules = {
+      Daily = {
+        name              = "Daily"
+        duration          = "P7D"
+        priority          = 25
+        absolute_criteria = "FirstOfDay"
+      }
+    }
+  }
+}
+
+backup_vault_instances = {
+  data_disk = {
+    type                    = "disk"
+    instance_name           = "datadisk"
+    region                  = "region1"
+    backup_vault_key        = "bv0"
+    backup_vault_policy_key = "policy0"
+    snapshot_resource_group = {
+      key = "bv"
+    }
+    disk = {
+      vm_key   = "example_vm1"
+      disk_key = "data1"
+    }
+  }
+  os_disk = {
+    type                    = "disk"
+    instance_name           = "osdisk"
+    region                  = "region1"
+    backup_vault_key        = "bv0"
+    backup_vault_policy_key = "policy0"
+    snapshot_resource_group = {
+      key = "bv"
+    }
+    disk = {
+      vm_key  = "example_vm1"
+      os_disk = true
+    }
+  }
+}
+
+keyvaults = {
+  example_vm_rg1 = {
+    name                        = "vmlinuxakv"
+    resource_group_key          = "bv"
+    sku_name                    = "standard"
+    soft_delete_enabled         = true
+    purge_protection_enabled    = true
+    enabled_for_disk_encryption = true
+    tags = {
+      env = "Standalone"
+    }
+    creation_policies = {
+      logged_in_user = {
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+        key_permissions    = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"]
+      }
+    }
+  }
+}
+
+vnets = {
+  vnet_region1 = {
+    resource_group_key = "bv"
+    vnet = {
+      name          = "virtual_machines"
+      address_space = ["10.100.100.0/24"]
+    }
+    specialsubnets = {}
+    subnets = {
+      example = {
+        name = "examples"
+        cidr = ["10.100.100.0/29"]
+      }
+    }
+
+  }
+}
+
+virtual_machines = {
+  example_vm1 = {
+    resource_group_key = "bv"
+    os_type            = "linux"
+
+    keyvault_key = "example_vm_rg1"
+
+    networking_interfaces = {
+      nic0 = {
+        vnet_key                = "vnet_region1"
+        subnet_key              = "example"
+        primary                 = true
+        name                    = "0"
+        enable_ip_forwarding    = false
+        internal_dns_name_label = "nic0"
+      }
+    }
+
+    virtual_machine_settings = {
+      linux = {
+        name                            = "example_vm1"
+        size                            = "Standard_F2"
+        admin_username                  = "adminuser"
+        disable_password_authentication = true
+
+        # Spot VM to save money
+        priority        = "Spot"
+        eviction_policy = "Deallocate"
+
+        network_interface_keys = ["nic0"]
+
+        os_disk = {
+          name                    = "example_vm1-os"
+          caching                 = "ReadWrite"
+          storage_account_type    = "Standard_LRS"
+          disk_encryption_set_key = "set1"
+        }
+        identity = {
+          type = "SystemAssigned"
+        }
+        source_image_reference = {
+          publisher = "Canonical"
+          offer     = "UbuntuServer"
+          sku       = "18.04-LTS"
+          version   = "latest"
+        }
+      }
+    }
+    data_disks = {
+      data1 = {
+        name                 = "server1-data1"
+        storage_account_type = "Standard_LRS"
+        create_option        = "Empty"
+        disk_size_gb         = "10"
+        lun                  = 1
+        zones                = ["1"]
+      }
+    }
+  }
+}
diff --git a/examples/module.tf b/examples/module.tf
@@ -153,6 +153,11 @@ module "example" {
       kusto_iothub_data_connections          = var.kusto_iothub_data_connections
     }
   }
+  data_protection = {
+    backup_vaults          = var.backup_vaults
+    backup_vault_policies  = var.backup_vault_policies
+    backup_vault_instances = var.backup_vault_instances
+  }
   messaging = {
     signalr_services      = var.signalr_services
     servicebus_namespaces = var.servicebus_namespaces

diff --git a/examples/variables.tf b/examples/variables.tf
@@ -914,4 +914,13 @@ variable "public_ip_prefixes" {
 }
 variable "runbooks" {
   default = {}
+}
+variable "backup_vaults" {
+  default = {}
+}
+variable "backup_vault_policies" {
+  default = {}
+}
+variable "backup_vault_instances" {
+  default = {}
 }