
Support for azurerm_data_protection_backup_vault -> add ability to turn off cross-subscription restore #26512

bossbast1 opened this issue Jul 1, 2024 · 0 comments

Comments

@bossbast1

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

Hello,

would it be possible to add a new field/argument that would configure the cross-subscription-restore state on the backup vault?
This is required by our security team so that data is not leaked to other subscriptions. We have created a 'hack' to set it, but it would be much nicer if it were officially supported.

Thank you for your help

Best regards

Sebastian

New or Affected Resource(s)/Data Source(s)

azurerm_data_protection_backup_vault

Potential Terraform Configuration

# storageAccountApp backup
resource "azurerm_data_protection_backup_vault" "backup_vlt" {
  name                = "vlt-${var.subConfig.appName}-${var.subConfig.postFix}"
  resource_group_name = azurerm_resource_group.main_rg.name
  location            = azurerm_resource_group.main_rg.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"

  identity {
    type = "SystemAssigned"
  }
}

# Fix policy - turn off cross-subscription restore.
# The provider exposes no argument for this setting, so it is applied
# out of band with the Azure CLI after the vault exists.
resource "null_resource" "disable-cross-subscription-restore" {
  # timestamp() changes on every plan, so the provisioner re-runs on each
  # apply and re-enforces the setting even if it was changed elsewhere.
  triggers = {
    timestamp           = timestamp()
    location            = azurerm_resource_group.main_rg.location
    name                = "vlt-${var.subConfig.appName}-${var.subConfig.postFix}"
    resource_group_name = azurerm_resource_group.main_rg.name
  }

  provisioner "local-exec" {
    when        = create
    interpreter = ["pwsh", "-NoLogo", "-NoProfile", "-NonInteractive", "-command"]
    command     = <<-EOC
      # In an Azure DevOps job (SYSTEM_JOBID set) authenticate the CLI with the
      # same service principal credentials the azurerm provider uses (ARM_* vars).
      # Locally, the existing `az login` session is reused.
      if ($null -ne $Env:SYSTEM_JOBID -And $null -ne $Env:ARM_CLIENT_SECRET) {
        $subscriptionId = $Env:ARM_SUBSCRIPTION_ID
        $tenantId = $Env:ARM_TENANT_ID
        $clientId = $Env:ARM_CLIENT_ID
        $secret = $Env:ARM_CLIENT_SECRET

        az login --service-principal --username $clientId -p="$secret" --tenant $tenantId --output none
        az account set -s $subscriptionId
      }
      az dataprotection backup-vault update --vault-name ${self.triggers.name} --resource-group ${self.triggers.resource_group_name} --cross-subscription-restore-state Disabled
    EOC
  }
  depends_on = [azurerm_data_protection_backup_vault.backup_vlt]
}

References

No response
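Because the workaround above is applied outside Terraform state, a team relying on it has no drift detection: nothing fails if someone re-enables cross-subscription restore in the portal. The following audit script is an added example (not part of this issue or of the azurerm provider) that reads the JSON an `az dataprotection backup-vault list` call would print and reports every vault whose setting is not `Disabled` or `PermanentlyDisabled`. The field path `properties.featureSettings.crossSubscriptionRestoreSettings.state` is an assumption about the ARM resource schema, and the sample vault list is constructed for the example; a vault with the setting missing is reported as non-compliant rather than assumed safe.

```python
"""Audit Azure Backup vaults for cross-subscription restore being turned off.

Added example, not code from the issue or from the terraform-provider-azurerm
project. Feed it the JSON printed by `az dataprotection backup-vault list`
(stdin or a file); the field path below is an assumed ARM schema path.
"""
import json
import sys

# Assumed location of the setting inside each vault resource (ARM schema).
STATE_PATH = ("properties", "featureSettings", "crossSubscriptionRestoreSettings", "state")

# States that mean restores cannot target another subscription.
COMPLIANT_STATES = {"Disabled", "PermanentlyDisabled"}

# Constructed sample, shaped like a vault list; not real resources.
SAMPLE_VAULTS_JSON = json.dumps([
    {
        "name": "vlt-app-prod",
        "resourceGroup": "rg-app-prod",
        "properties": {"featureSettings": {"crossSubscriptionRestoreSettings": {"state": "Disabled"}}},
    },
    {
        "name": "vlt-app-test",
        "resourceGroup": "rg-app-test",
        "properties": {"featureSettings": {"crossSubscriptionRestoreSettings": {"state": "Enabled"}}},
    },
    {
        # Setting absent entirely: treated as unknown, hence non-compliant.
        "name": "vlt-legacy",
        "resourceGroup": "rg-legacy",
        "properties": {},
    },
])


def cross_subscription_restore_state(vault: dict) -> str:
    """Return the vault's state string, or 'Unknown' if the path is missing."""
    node = vault
    for key in STATE_PATH:
        if not isinstance(node, dict) or key not in node:
            return "Unknown"
        node = node[key]
    return node if isinstance(node, str) else "Unknown"


def audit_vaults(vaults_json: str) -> list[dict]:
    """Parse a vault list and return one finding per vault."""
    vaults = json.loads(vaults_json)
    findings = []
    for vault in vaults:
        state = cross_subscription_restore_state(vault)
        findings.append({
            "name": vault.get("name", "<unnamed>"),
            "resourceGroup": vault.get("resourceGroup", "<unknown>"),
            "state": state,
            "compliant": state in COMPLIANT_STATES,
        })
    return findings


def noncompliant_vaults(vaults_json: str) -> list[str]:
    """Names of vaults where cross-subscription restore is not turned off."""
    return [f["name"] for f in audit_vaults(vaults_json) if not f["compliant"]]


def main() -> int:
    # Read real CLI output from stdin/file when given; otherwise use the sample.
    if len(sys.argv) > 1:
        data = open(sys.argv[1], encoding="utf-8").read()
    elif not sys.stdin.isatty():
        data = sys.stdin.read()
    else:
        data = SAMPLE_VAULTS_JSON
    bad = 0
    for f in audit_vaults(data):
        marker = "OK  " if f["compliant"] else "FAIL"
        print(f"{marker} {f['resourceGroup']}/{f['name']}: {f['state']}")
        bad += 0 if f["compliant"] else 1
    # Non-zero exit lets a pipeline step fail when a vault has drifted.
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

Running it in a pipeline as `az dataprotection backup-vault list -o json | python audit_vaults.py` turns the setting into a gate: the job fails whenever a vault reports `Enabled` or has no setting at all, which is the drift the `null_resource` hack cannot surface on its own.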
