JSON
api-version=2021-06-01
{ 7 items displayName: "[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag." , policyType: "BuiltIn" , mode: "Indexed" , description: "Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale." , metadata: { 3 items version: "1.0.0-preview" , category: "Backup" , preview: true } , parameters: { 5 items effect: { 4 items type: "String" , metadata: { 2 items displayName: "Effect" , description: "Enable or disable the execution of the policy" } , allowedValues: [ 3 items "AuditIfNotExists" , "DeployIfNotExists" , "Disabled" ] , defaultValue: "DeployIfNotExists" } , location: { 2 items type: "String" , metadata: { 3 items displayName: "Location (Specify the location of the AKS Clusters that you want to protect)" , description: "Specify the location of the AKS Clusters that you want to protect. For example - CanadaCentral" , strongType: "location" } } , storageAccountId: { 2 items type: "String" , metadata: { 3 items displayName: "Storage Account (In the same location as specified above)" , description: "The storage account is used to store backup data within a container. Please ensure that the storage account is in the same region as the AKS cluster to be backed up." , strongType: "Microsoft.Storage/storageAccounts" } } , exclusionTagName: { 2 items type: "String" , metadata: { 2 items displayName: "Exclusion Tag Name" , description: "Name of the tag to use for excluding AKS Clusters from the scope of this policy. This should be used along with the Exclusion Tag Values parameter. 
Learn more at https://aka.ms/AB-AksBackupAzPolicies" } } , exclusionTagValues: { 2 items type: "Array" , metadata: { 2 items displayName: "Exclusion Tag Values" , description: "Value of the tag to use for excluding AKS Clusters from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. Learn more at https://aka.ms/AB-AksBackupAzPolicies." } } } , policyRule: { 2 items if: { 1 item allOf: [ 3 items { 2 items field: "type" , equals: "Microsoft.ContainerService/managedClusters" } , { 1 item anyOf: [ 3 items { 1 item not: { 2 items field: 🔍 "[
concat(
'tags[
',
parameters('exclusionTagName'),
'
]'
)
]", in: "[parameters('exclusionTagValues')]" } } , { 2 items value: 🔍 "[
empty(
parameters('exclusionTagValues')
)
]", equals: "true" } , { 2 items value: 🔍 "[
empty(
parameters('exclusionTagName')
)
]", equals: "true" } ] } , { 2 items field: "location" , equals: "[parameters('location')]" } ] } , then: { 2 items effect: "[parameters('effect')]" , details: { 5 items type: "Microsoft.KubernetesConfiguration/extensions" , evaluationDelay: "PT30M" , existenceCondition: { 2 items field: "Microsoft.KubernetesConfiguration/extensions/extensionType" , equals: "microsoft.dataprotection.kubernetes" } , roleDefinitionIds: [ 1 item "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" Owner ] , deployment: { 1 item properties: { 3 items parameters: { 6 items clusterName: { 1 item } , storageAccountId: { 1 item value: "[parameters('storageAccountId')]" } , storageAccountResourceGroup: { 1 item value: 🔍 "[
first(
skip(
split(
parameters('storageAccountId'),
'/'
),
4
)
)
]" } , storageAccountSubscriptionId: { 1 item value: 🔍 "[
first(
skip(
split(
parameters('storageAccountId'),
'/'
),
2
)
)
]" } , storageAccount: { 1 item value: 🔍 "[
first(
skip(
split(
parameters('storageAccountId'),
'/'
),
8
)
)
]" } , tenantId: { 1 item value: "[subscription().tenantId]" } } , mode: "incremental" , template: { 5 items parameters: { 8 items } , variables: { 4 items blobContainer: 🔍 "[
take(
concat(
'azure-aks-backup-',
parameters('clusterName')
),
63
)
]", storageBlobDataContributorRoleDefinitionId: 🔍 "[
subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
)
]", extensionName: "azure-aks-backup" , storageAccountContainerDeploymentName: 🔍 "[
guid(
resourceId(
'Microsoft.Storage/storageAccounts',
parameters('storageAccount')
)
)
]" } , contentVersion: "1.0.0.0" , resources: [ 2 items { 8 items type: "Microsoft.Resources/deployments" , apiVersion: "2021-04-01" , name: "[variables('storageAccountContainerDeploymentName')]" , subscriptionId: "[parameters('storageAccountSubscriptionId')]" , resourceGroup: "[parameters('storageAccountResourceGroup')]" , parameters : {} , dependsOn: [ 1 item 🔍 "[
extensionResourceId(
resourceId(
'Microsoft.ContainerService/managedClusters',
parameters('clusterName')
),
'Microsoft.KubernetesConfiguration/extensions',
variables(
'extensionName'
)
)
]"] , properties: { 2 items mode: "incremental" , template: { 4 items $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" , contentVersion: "1.0.0.0" , parameters : {} , resources: [ 2 items { 4 items type: "Microsoft.Storage/storageAccounts/blobServices/containers" , apiVersion: "2022-05-01" , name: 🔍 "[
format(
'{
0
}/default/{
1
}',
parameters('storageAccount'),
variables(
'blobContainer'
)
)
]", dependsOn : [] } , { 5 items type: "Microsoft.Authorization/roleAssignments" , apiVersion: "2020-10-01-preview" , scope: 🔍 "[
format(
'Microsoft.Storage/storageAccounts/{
0
}',
parameters('storageAccount')
)
]", name: 🔍 "[
guid(
resourceId(
'Microsoft.Storage/storageAccounts',
parameters('storageAccount')
),
resourceId(
'Microsoft.ContainerService/managedClusters',
parameters('clusterName')
),
variables(
'storageBlobDataContributorRoleDefinitionId'
)
)
]", properties: { 3 items roleDefinitionId: "[variables('storageBlobDataContributorRoleDefinitionId')]" , principalId: 🔍 "[
reference(
extensionResourceId(
resourceId(
'Microsoft.ContainerService/managedClusters',
parameters('clusterName')
),
'Microsoft.KubernetesConfiguration/extensions',
variables(
'extensionName'
)
),
'2021-09-01'
).aksAssignedIdentity.principalId
]", principalType: "ServicePrincipal" } } ] } } } , { 6 items type: "Microsoft.KubernetesConfiguration/extensions" , name: "[variables('extensionName')]" , properties: { 4 items autoUpgradeMinorVersion: "true" , extensionType: "microsoft.dataprotection.kubernetes" , releaseTrain: "[parameters('releaseTrain')]" , configurationSettings: { 7 items configuration.backupStorageLocation.bucket: "[variables('blobContainer')]" , configuration.backupStorageLocation.config.resourceGroup: "[parameters('storageAccountResourceGroup')]" , configuration.backupStorageLocation.config.subscriptionId: "[parameters('storageAccountSubscriptionId')]" , configuration.backupStorageLocation.config.storageAccount: "[parameters('storageAccount')]" , credentials.tenantId: "[parameters('tenantId')]" , configuration.backupStorageLocation.config.useAAD: "[parameters('useAAD')]" , configuration.backupStorageLocation.config.storageAccountURI: 🔍 "[
reference(
parameters('storageAccountId'),
'2021-04-01'
).primaryEndpoints.blob
]" } } , scope: 🔍 "[
concat(
'Microsoft.ContainerService/managedClusters/',
parameters('clusterName')
)
]", apiVersion: "2022-03-01" , comments: "Install the Backup Extension in the managed (AKS) cluster." } ] , $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" } } } } } } }