JSON
api-version=2021-06-01
{ 7 items displayName: "[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag." , policyType: "BuiltIn" , mode: "Indexed" , description: "Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale." , metadata: { 3 items version: "1.0.0-preview" , category: "Backup" , preview: true } , parameters: { 5 items effect: { 4 items type: "String" , metadata: { 2 items displayName: "Effect" , description: "Enable or disable the execution of the policy" } , allowedValues: [ 3 items "AuditIfNotExists" , "DeployIfNotExists" , "Disabled" ] , defaultValue: "DeployIfNotExists" } , location: { 2 items type: "String" , metadata: { 3 items displayName: "Location (Specify the location of the AKS Clusters that you want to protect)" , description: "Specify the location of the AKS Clusters that you want to protect. For example - CanadaCentral" , strongType: "location" } } , storageAccountId: { 2 items type: "String" , metadata: { 3 items displayName: "Storage Account (In the same location as specified above)" , description: "The storage account is used to store backup data within a container. Please ensure that the storage account is in the same region as the AKS cluster to be backed up." , strongType: "Microsoft.Storage/storageAccounts" } } , inclusionTagName: { 2 items type: "String" , metadata: { 2 items displayName: "Inclusion Tag Name" , description: "Name of the tag to use for including AKS Clusters in the scope of this policy. This should be used along with the Inclusion Tag Value parameter. 
Learn more at https://aka.ms/AB-AksBackupAzPolicies" } } , inclusionTagValues: { 2 items type: "Array" , metadata: { 2 items displayName: "Inclusion Tag Values" , description: "Value of the tag to use for including AKS Clusters in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Inclusion Tag Name parameter. Learn more at https://aka.ms/AB-AksBackupAzPolicies." } } } , policyRule: { 2 items if: { 1 item allOf: [ 3 items { 2 items field: "type" , equals: "Microsoft.ContainerService/managedClusters" } , { 2 items field: 🔍 "[
concat(
'tags[
',
parameters('inclusionTagName'),
'
]'
)
]", in: "[parameters('inclusionTagValues')]" } , { 2 items field: "location" , equals: "[parameters('location')]" } ] } , then: { 2 items effect: "[parameters('effect')]" , details: { 5 items type: "Microsoft.KubernetesConfiguration/extensions" , evaluationDelay: "PT30M" , existenceCondition: { 2 items field: "Microsoft.KubernetesConfiguration/extensions/extensionType" , equals: "microsoft.dataprotection.kubernetes" } , roleDefinitionIds: [ 1 item "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" Owner ] , deployment: { 1 item properties: { 3 items parameters: { 6 items clusterName: { 1 item } , storageAccountId: { 1 item value: "[parameters('storageAccountId')]" } , storageAccountResourceGroup: { 1 item value: 🔍 "[
first(
skip(
split(
parameters('storageAccountId'),
'/'
),
4
)
)
]" } , storageAccountSubscriptionId: { 1 item value: 🔍 "[
first(
skip(
split(
parameters('storageAccountId'),
'/'
),
2
)
)
]" } , storageAccount: { 1 item value: 🔍 "[
first(
skip(
split(
parameters('storageAccountId'),
'/'
),
8
)
)
]" } , tenantId: { 1 item value: "[subscription().tenantId]" } } , mode: "incremental" , template: { 5 items parameters: { 8 items } , variables: { 4 items blobContainer: 🔍 "[
take(
concat(
'azure-aks-backup-',
parameters('clusterName')
),
63
)
]", storageBlobDataContributorRoleDefinitionId: 🔍 "[
subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
)
]", extensionName: "azure-aks-backup" , storageAccountContainerDeploymentName: 🔍 "[
guid(
resourceId(
'Microsoft.Storage/storageAccounts',
parameters('storageAccount')
)
)
]" } , contentVersion: "1.0.0.0" , resources: [ 2 items { 8 items type: "Microsoft.Resources/deployments" , apiVersion: "2021-04-01" , name: "[variables('storageAccountContainerDeploymentName')]" , subscriptionId: "[parameters('storageAccountSubscriptionId')]" , resourceGroup: "[parameters('storageAccountResourceGroup')]" , parameters : {} , dependsOn: [ 1 item 🔍 "[
extensionResourceId(
resourceId(
'Microsoft.ContainerService/managedClusters',
parameters('clusterName')
),
'Microsoft.KubernetesConfiguration/extensions',
variables(
'extensionName'
)
)
]"] , properties: { 2 items mode: "incremental" , template: { 4 items $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" , contentVersion: "1.0.0.0" , parameters : {} , resources: [ 2 items { 4 items type: "Microsoft.Storage/storageAccounts/blobServices/containers" , apiVersion: "2022-05-01" , name: 🔍 "[
format(
'{
0
}/default/{
1
}',
parameters('storageAccount'),
variables(
'blobContainer'
)
)
]", dependsOn : [] } , { 5 items type: "Microsoft.Authorization/roleAssignments" , apiVersion: "2020-10-01-preview" , scope: 🔍 "[
format(
'Microsoft.Storage/storageAccounts/{
0
}',
parameters('storageAccount')
)
]", name: 🔍 "[
guid(
resourceId(
'Microsoft.Storage/storageAccounts',
parameters('storageAccount')
),
resourceId(
'Microsoft.ContainerService/managedClusters',
parameters('clusterName')
),
variables(
'storageBlobDataContributorRoleDefinitionId'
)
)
]", properties: { 3 items roleDefinitionId: "[variables('storageBlobDataContributorRoleDefinitionId')]" , principalId: 🔍 "[
reference(
extensionResourceId(
resourceId(
'Microsoft.ContainerService/managedClusters',
parameters('clusterName')
),
'Microsoft.KubernetesConfiguration/extensions',
variables(
'extensionName'
)
),
'2021-09-01'
).aksAssignedIdentity.principalId
]", principalType: "ServicePrincipal" } } ] } } } , { 6 items type: "Microsoft.KubernetesConfiguration/extensions" , name: "[variables('extensionName')]" , properties: { 4 items autoUpgradeMinorVersion: "true" , extensionType: "microsoft.dataprotection.kubernetes" , releaseTrain: "[parameters('releaseTrain')]" , configurationSettings: { 7 items configuration.backupStorageLocation.bucket: "[variables('blobContainer')]" , configuration.backupStorageLocation.config.resourceGroup: "[parameters('storageAccountResourceGroup')]" , configuration.backupStorageLocation.config.subscriptionId: "[parameters('storageAccountSubscriptionId')]" , configuration.backupStorageLocation.config.storageAccount: "[parameters('storageAccount')]" , credentials.tenantId: "[parameters('tenantId')]" , configuration.backupStorageLocation.config.useAAD: "[parameters('useAAD')]" , configuration.backupStorageLocation.config.storageAccountURI: 🔍 "[
reference(
parameters('storageAccountId'),
'2021-04-01'
).primaryEndpoints.blob
]" } } , scope: 🔍 "[
concat(
'Microsoft.ContainerService/managedClusters/',
parameters('clusterName')
)
]", apiVersion: "2022-03-01" , comments: "Install the Backup Extension in the managed (AKS) cluster." } ] , $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" } } } } } } }