Recovery Services Vault vs Backup Vault using Terraform

JohanAutomation / Backup1 Comment
Tweet
Share
Share
Pin
0 Shares

Data protection is very important whether you are working on-premise or in Azure. In this blog I’ll show you to deploy both of them using Terraform.

In Azure you have 2 options that you can use. An Recovery Services Vault or a Backup Vault. Both of these vault are different in what they can backup.

The Terraform script I use does all the following:

  • Import the existing Log Analytics Workspace
  • Create Resource Groups for recovery service vault
  • Create Instant Restore Point Resource Group
  • Create Recovery Services Vault and Backup Vault
  • Enable all diagnostic settings for a backup

To see what the differences are go to Backup Center and click on +Vault

The next screen will appear to ask you what kind of vault you want to create.

Recovery Services Vault

The first option that you have is the Recovery Services Vault. You can use this vault for both backup of resources but also for ASR. In this blog I’ll focus on the normal backup.

Import the existing Log Analytics Workspace

data "azurerm_log_analytics_workspace" "law" {
  name = "law-hub-jvn-01"
  resource_group_name = "rg-hub-jvn-law-01"
  
}

Create resource groups

We need 2 resource groups. One resource group for the 2 vaults and one for the instant restore points. The reason why I create one for IRP is that otherwise it doesn’t follow your naming convention.

resource "azurerm_resource_group" "rsv-rg-prod" {
  name     = "rg-prod-${var.prefix}-backup-01"
  location = var.location
  tags = {
    "Costcenter" = "IT"
    "Location" = "Weu"
    "Critical" = "Yes"
    "Environment" = "Production"
    "Solution" = "Backup"
  }
}
resource "azurerm_resource_group" "rsv-rg-prod-irp" {
  name     = "rg-prod-${var.prefix}-backup-irp-01"
  location = var.location
  tags = {
    "Costcenter" = "IT"
    "Location" = "Weu"
    "Critical" = "Yes"
    "Environment" = "Production"
    "Solution" = "Backup-irp"
  }
}

Create Recovery Services Vault and Backup Vault

The below code is to create both vaults for production workloads. 

resource "azurerm_recovery_services_vault" "rsv-prod" {
  name                = "rsv-prod-${var.prefix}-01"
  location            = azurerm_resource_group.rsv-rg-prod.location
  resource_group_name = azurerm_resource_group.rsv-rg-prod.name
  sku                 = "Standard"
  soft_delete_enabled = true
   tags = {
    "Costcenter" = "IT"
    "Location" = "Weu"
    "Critical" = "Yes"
    "Environment" = "Production"
    "Solution" = "Backup"
  }
}

With Terraform there is currently no option to change the “Storage Replication Type”. To change this you can use the following Powershell command. Remember that this can’t be changed if you already used the vault. The default setting is Geo-Redundant.

Set-AzRecoveryServicesBackupProperty -Vault $Vault01 -BackupStorageRedundancy ZoneRedundant

resource "azurerm_data_protection_backup_vault" "backup-vault" {
  name                = "vault-prod-${var.prefix}-01"
  resource_group_name = azurerm_resource_group.rsv-rg-prod.name
  location            = azurerm_resource_group.rsv-rg-prod.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant" #changing this value will create a new vault / GeoRedundant
  tags = {
    "Costcenter" = "IT"
    "Location" = "Weu"
    "Critical" = "Yes"
    "Environment" = "Production"
    "Solution" = "Backup"
  }
}

The redundancy of the Backup Vault can’t be changed after you created it.

Enable all diagnostic settings for a backup

One the Recovery Services Vault there is the option to enable the diagnostic settings. In this case I only activate the settings for backup since I’m only gonna use this vault for backups and not for ASR.

resource "azurerm_monitor_diagnostic_setting" "rsv-prod-diag" {
  name               = "diag-prod-${var.prefix}-rsv"
  target_resource_id = azurerm_recovery_services_vault.rsv-prod.id
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.law.id
  
  log {
    category = "AzureBackupReport"
    enabled  = true

    retention_policy {
      enabled = true
    }
  }
  log {
    category = "CoreAzureBackup"
    enabled  = true

    retention_policy {
      enabled = true
    }
  }
  log {
    category = "AddonAzureBackupJobs"
    enabled  = true

    retention_policy {
      enabled = true
    }
  }
  log {
    category = "AddonAzureBackupAlerts"
    enabled  = true

    retention_policy {
      enabled = true
    }
  }
  log {
    category = "AddonAzureBackupPolicy"
    enabled  = true

    retention_policy {
      enabled = true
    }
  }
  log {
    category = "AddonAzureBackupStorage"
    enabled  = true

    retention_policy {
      enabled = true
    }
  }
  log {
    category = "AddonAzureBackupProtectedInstance"
    enabled  = true

    retention_policy {
      enabled = true
    }
  }

  metric {
    category = "AllMetrics"

    retention_policy {
      enabled = true
    }
  }
}

Now that you have the vaults it’s time to do some backups. You can view the entire code on my Github. I hope this script can be useful for you. If you have any questions feel free to reach out.

Post Views: 1,311
Tweet
Share
Share
Pin
0 Shares

Leave a Reply

Your email address will not be published. Required fields are marked *