last sync: 2025-Jul-25 17:39:48 UTC

[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag.

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag.
Id 9a021087-bba6-42fd-b535-bba75297566b
Version 1.0.0-preview
Versioning Versions supported for Versioning: 1
1.0.0-preview
Built-in Versioning [Preview]
Category Backup
Description Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown; there is no evidence whether this policy definition is available in AzureUSGovernment
Mode Indexed
Type BuiltIn
Preview True
Deprecated False
Effect Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
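RBAC role(s) required by the policy assignment's managed identity (listed under roleDefinitionIds in the rule below)
Role Name Role Id
Owner 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Note: Owner includes the right to create role assignments, and the deployment template below creates one: the role referenced by storageBlobDataContributorRoleDefinitionId, granted to the backup extension's identity on the storage account. Since the remediation identity typically receives Owner at the assignment scope, assign this policy at the narrowest scope that covers the intended clusters and review that identity's role assignments periodically.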
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.KubernetesConfiguration/extensions/extensionType Microsoft.KubernetesConfiguration extensions properties.extensionType True False
Rule resource types IF (1)
THEN-Deployment (7)
Compliance Not a Compliance control
Initiatives usage none
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-05-13 17:44:58 add 9a021087-bba6-42fd-b535-bba75297566b
JSON compare n/a
JSON
api-version=2021-06-01
{7 items
  • displayName: "[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag.",
  • policyType: "BuiltIn",
  • mode: "Indexed",
  • description: "Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale.",
  • metadata: {3 items
    • version: "1.0.0-preview",
    • category: "Backup",
    • preview: true
    },
  • parameters: {5 items
    • effect: {4 items
      • type: "String",
      • metadata: {2 items
        • displayName: "Effect",
        • description: "Enable or disable the execution of the policy"
        },
      • allowedValues: [3 items
        • "AuditIfNotExists",
        • "DeployIfNotExists",
        • "Disabled"
        ],
      • defaultValue: "DeployIfNotExists"
      },
    • location: {2 items
      • type: "String",
      • metadata: {3 items
        • displayName: "Location (Specify the location of the AKS Clusters that you want to protect)",
        • description: "Specify the location of the AKS Clusters that you want to protect. For example - CanadaCentral",
        • strongType: "location"
        }
      },
    • storageAccountId: {2 items
      • type: "String",
      • metadata: {3 items
        • displayName: "Storage Account (In the same location as specified above)",
        • description: "The storage account is used to store backup data within a container. Please ensure that the storage account is in the same region as the AKS cluster to be backed up.",
        • strongType: "Microsoft.Storage/storageAccounts"
        }
      },
    • exclusionTagName: {2 items
      • type: "String",
      • metadata: {2 items
        • displayName: "Exclusion Tag Name",
        • description: "Name of the tag to use for excluding AKS Clusters from the scope of this policy. This should be used along with the Exclusion Tag Values parameter. Learn more at https://aka.ms/AB-AksBackupAzPolicies"
        }
      },
    • exclusionTagValues: {2 items
      • type: "Array",
      • metadata: {2 items
        • displayName: "Exclusion Tag Values",
        • description: "Value of the tag to use for excluding AKS Clusters from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. Learn more at https://aka.ms/AB-AksBackupAzPolicies."
        }
      }
    },
  • policyRule: {2 items
    • if: {1 item
      • allOf: [3 items
        • {2 items
          • field: "type",
          • equals: "Microsoft.ContainerService/managedClusters"
          },
        • {1 item
          • anyOf: [3 items
            • {1 item
              • not: {2 items
                • field: 🔍"[ concat( 'tags[ ', parameters('exclusionTagName'), ' ]' ) ]",
                • in: "[parameters('exclusionTagValues')]"
                }
              },
            • {2 items
              • value: 🔍"[ empty( parameters('exclusionTagValues') ) ]",
              • equals: "true"
              },
            • {2 items
              • value: 🔍"[ empty( parameters('exclusionTagName') ) ]",
              • equals: "true"
              }
            ]
          },
        • {2 items
          • field: "location",
          • equals: "[parameters('location')]"
          }
        ]
      },
    • then: {2 items
      • effect: "[parameters('effect')]",
      • details: {5 items
        • type: "Microsoft.KubernetesConfiguration/extensions",
        • evaluationDelay: "PT30M",
        • existenceCondition: {2 items
          • field: "Microsoft.KubernetesConfiguration/extensions/extensionType",
          • equals: "microsoft.dataprotection.kubernetes"
          },
        • roleDefinitionIds: [1 item
          • "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" Owner
          ],
        • deployment: {1 item
          • properties: {3 items
            • parameters: {6 items},
            • mode: "incremental",
            • template: {5 items
              • parameters: {8 items},
              • variables: {4 items
                • blobContainer: 🔍"[ take( concat( 'azure-aks-backup-', parameters('clusterName') ), 63 ) ]",
                • storageBlobDataContributorRoleDefinitionId: 🔍"[ subscriptionResourceId( 'Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' ) ]",
                • extensionName: "azure-aks-backup",
                • storageAccountContainerDeploymentName: 🔍"[ guid( resourceId( 'Microsoft.Storage/storageAccounts', parameters('storageAccount') ) ) ]"
                },
              • contentVersion: "1.0.0.0",
              • resources: [2 items
                • {8 items
                  • type: "Microsoft.Resources/deployments",
                  • apiVersion: "2021-04-01",
                  • name: "[variables('storageAccountContainerDeploymentName')]",
                  • subscriptionId: "[parameters('storageAccountSubscriptionId')]",
                  • resourceGroup: "[parameters('storageAccountResourceGroup')]",
                  • parameters: {},
                  • dependsOn: [1 item
                    • 🔍"[ extensionResourceId( resourceId( 'Microsoft.ContainerService/managedClusters', parameters('clusterName') ), 'Microsoft.KubernetesConfiguration/extensions', variables( 'extensionName' ) ) ]"
                    ],
                  • properties: {2 items
                    • mode: "incremental",
                    • template: {4 items
                      • $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                      • contentVersion: "1.0.0.0",
                      • parameters: {},
                      • resources: [2 items
                        • {4 items
                          • type: "Microsoft.Storage/storageAccounts/blobServices/containers",
                          • apiVersion: "2022-05-01",
                          • name: 🔍"[ format( '{ 0 }/default/{ 1 }', parameters('storageAccount'), variables( 'blobContainer' ) ) ]",
                          • dependsOn: []
                          },
                        • {5 items
                          • type: "Microsoft.Authorization/roleAssignments",
                          • apiVersion: "2020-10-01-preview",
                          • scope: 🔍"[ format( 'Microsoft.Storage/storageAccounts/{ 0 }', parameters('storageAccount') ) ]",
                          • name: 🔍"[ guid( resourceId( 'Microsoft.Storage/storageAccounts', parameters('storageAccount') ), resourceId( 'Microsoft.ContainerService/managedClusters', parameters('clusterName') ), variables( 'storageBlobDataContributorRoleDefinitionId' ) ) ]",
                          • properties: {3 items
                            • roleDefinitionId: "[variables('storageBlobDataContributorRoleDefinitionId')]",
                            • principalId: 🔍"[ reference( extensionResourceId( resourceId( 'Microsoft.ContainerService/managedClusters', parameters('clusterName') ), 'Microsoft.KubernetesConfiguration/extensions', variables( 'extensionName' ) ), '2021-09-01' ).aksAssignedIdentity.principalId ]",
                            • principalType: "ServicePrincipal"
                            }
                          }
                        ]
                      }
                    }
                  },
                • {6 items
                  • type: "Microsoft.KubernetesConfiguration/extensions",
                  • name: "[variables('extensionName')]",
                  • properties: {4 items
                    • autoUpgradeMinorVersion: "true",
                    • extensionType: "microsoft.dataprotection.kubernetes",
                    • releaseTrain: "[parameters('releaseTrain')]",
                    • configurationSettings: {7 items
                      • configuration.backupStorageLocation.bucket: "[variables('blobContainer')]",
                      • configuration.backupStorageLocation.config.resourceGroup: "[parameters('storageAccountResourceGroup')]",
                      • configuration.backupStorageLocation.config.subscriptionId: "[parameters('storageAccountSubscriptionId')]",
                      • configuration.backupStorageLocation.config.storageAccount: "[parameters('storageAccount')]",
                      • credentials.tenantId: "[parameters('tenantId')]",
                      • configuration.backupStorageLocation.config.useAAD: "[parameters('useAAD')]",
                      • configuration.backupStorageLocation.config.storageAccountURI: 🔍"[ reference( parameters('storageAccountId'), '2021-04-01' ).primaryEndpoints.blob ]"
                      }
                    },
                  • scope: 🔍"[ concat( 'Microsoft.ContainerService/managedClusters/', parameters('clusterName') ) ]",
                  • apiVersion: "2022-03-01",
                  • comments: "Install the Backup Extension in the managed (AKS) cluster."
                  }
                ],
              • $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
              }
            }
          }
        }
      }
    }
}