if (1)
• 'microsoft.storage/storageaccounts'
thenDetails (1)
• 'Microsoft.DataProtection/backupInstances'
{ "displayName": "[Preview]: Azure Backup should be enabled for Blobs in Storage Accounts", "policyType": "BuiltIn", "mode": "Indexed", "description": "Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.", "metadata": { "version": "1.0.0-preview", "category": "Backup", "preview": true }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" } }, "policyRule": { "if": { "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.DataProtection/backupInstances" } } } }
{"displayName":"[Preview]: Azure Backup should be enabled for Blobs in Storage Accounts","policyType":"BuiltIn","mode":"Indexed","description":"Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.","metadata":{"version":"1.0.0-preview","category":"Backup","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.DataProtection/backupInstances"}}}}
if (1)
• 'Microsoft.Storage/storageAccounts/fileServices/shares'
thenDeployment (5)
• 'Microsoft.RecoveryServices/vaults'
• 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers'
• 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems'
• 'Microsoft.RecoveryServices/vaults/backupPolicies'
• 'microsoft.storage/storageaccounts'
thenExistenceCondition (1)
• 'Microsoft.RecoveryServices/backupprotecteditems'
{ "displayName": "[Preview]: Configure backup for Azure Files Shares with a given tag to a new recovery services vault with a new policy", "policyType": "BuiltIn", "mode": "All", "description": "Enforce backup for all Azure Files by deploying a recovery services vault in the same location and resource group as the storage account. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include Azure Files in storage accounts containing a specified tag to control the scope of assignment.", "metadata": { "version": "1.0.0-preview", "preview": true, "category": "Backup" }, "parameters": { "vaultName": { "type": "String", "metadata": { "displayName": "Vault Name", "description": "Name of the Recovery Services Vault where backups should be registered." } }, "vaultLocation": { "type": "String", "metadata": { "displayName": "Location (Specify the location of the FileShares that you want to protect)", "description": "Location of the FileShares. The FileShares should be in the same location as the vault." } }, "policyName": { "type": "String", "metadata": { "displayName": "Backup Policy Name", "description": "Name of the Azure Backup Policy to be created for Azure File Shares in the specified vault." }, "defaultValue": "DefaultBackupPolicy" }, "inclusionTagName": { "type": "String", "metadata": { "displayName": "Inclusion Tag Name", "description": "Name of the tag to use for including FileShares in the scope of this policy. This should be used along with the Inclusion Tag Value parameter." }, "defaultValue": "" }, "inclusionTagValues": { "type": "Array", "metadata": { "displayName": "Inclusion Tag Values", "description": "Value of the tag to use for including FileShares in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Inclusion Tag Name parameter." 
}, "defaultValue": [] }, "registerStorageAccount": { "type": "Boolean", "metadata": { "displayName": "Register Storage Account", "description": "Set to true if the existing Storage Account has to be registered to the Recovery Services Vault; set to false otherwise." }, "defaultValue": true }, "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "AuditIfNotExists", "DeployIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts/fileServices/shares" }, { "field": "location", "equals": "[parameters('vaultLocation')]" }, { "anyOf": [ { "field": "[concat('tags[', parameters('inclusionTagName'), ']')]", "in": "[parameters('inclusionTagValues')]" }, { "value": "[empty(parameters('inclusionTagValues'))]", "equals": "true" }, { "value": "[empty(parameters('inclusionTagName'))]", "equals": "true" } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.RecoveryServices/backupprotecteditems", "existenceCondition": { "field": "type", "equals": "Microsoft.RecoveryServices/backupprotecteditems" }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "vaultName": { "type": "string" }, "vaultLocation": { "type": "string" }, "policyName": { "type": "string", "defaultValue": "DefaultBackupPolicy" }, "existingStorageAccountName": { "type": "string" }, "existingFileShareName": { "type": "string" }, "existingResourceGroupName": { "type": "string" }, "registerStorageAccount": { "type": 
"bool", "defaultValue": "true" }, "schedule": { "type": "object", "defaultValue": { "schedulePolicyType": "SimpleSchedulePolicy", "scheduleRunFrequency": "Daily", "scheduleRunDays": null, "scheduleRunTimes": [ "2025-04-04T08:00:00Z" ] } }, "timeZone": { "type": "string", "defaultValue": "UTC" }, "retention": { "type": "object", "defaultValue": { "snapshotRetentionInDays": 5, "vaultRetention": { "retentionPolicyType": "LongTermRetentionPolicy", "dailySchedule": { "retentionTimes": [ "2025-04-04T08:00:00Z" ], "retentionDuration": { "count": 30, "durationType": "Days" } }, "weeklySchedule": null, "monthlySchedule": null, "yearlySchedule": null } } } }, "variables": { "backupFabric": "Azure", "backupManagementType": "AzureStorage", "containerName": "[concat('storagecontainer;Storage;', parameters('existingResourceGroupName'), ';', parameters('existingStorageAccountName'))]", "protectedItemName": "[concat('AzureFileShare;', parameters('existingFileShareName'))]" }, "resources": [ { "type": "Microsoft.RecoveryServices/vaults", "apiVersion": "2023-06-01", "name": "[parameters('vaultName')]", "location": "[parameters('vaultLocation')]", "sku": { "name": "Standard" }, "properties": { "publicNetworkAccess": "Enabled" } }, { "type": "Microsoft.RecoveryServices/vaults/backupPolicies", "apiVersion": "2016-06-01", "name": "[concat(parameters('vaultName'), '/', parameters('policyName'))]", "properties": { "backupManagementType": "[variables('backupManagementType')]", "workLoadType": "AzureFileShare", "schedulePolicy": "[parameters('schedule')]", "timeZone": "[parameters('timeZone')]", "vaultretentionPolicy": "[parameters('retention')]" }, "dependsOn": [ "[resourceId('Microsoft.RecoveryServices/vaults', parameters('vaultName'))]" ] }, { "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers", "apiVersion": "2023-06-01", "name": "[concat(parameters('vaultName'), '/', variables('backupFabric'), '/', variables('containerName'))]", "properties": { 
"backupManagementType": "[variables('backupManagementType')]", "containerType": "StorageContainer", "sourceResourceId": "[resourceId(parameters('existingResourceGroupName'), 'Microsoft.Storage/storageAccounts', parameters('existingStorageAccountName'))]" }, "condition": "[parameters('registerStorageAccount')]", "dependsOn": [ "[resourceId('Microsoft.RecoveryServices/vaults', parameters('vaultName'))]" ] }, { "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", "apiVersion": "2023-06-01", "name": "[concat(parameters('vaultName'), '/', variables('backupFabric'), '/', variables('containerName'), '/', variables('protectedItemName'))]", "properties": { "protectedItemType": "AzureFileShareProtectedItem", "sourceResourceId": "[resourceId(parameters('existingResourceGroupName'), 'Microsoft.Storage/storageAccounts', parameters('existingStorageAccountName'))]", "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', parameters('vaultName'), parameters('policyName'))]" }, "condition": "[parameters('registerStorageAccount')]", "dependsOn": [ "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers', parameters('vaultName'), variables('backupFabric'), variables('containerName'))]", "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', parameters('vaultName'), parameters('policyName'))]" ] } ] }, "parameters": { "vaultName": { "value": "[parameters('vaultName')]" }, "vaultLocation": { "value": "[parameters('vaultLocation')]" }, "policyName": { "value": "[parameters('policyName')]" }, "existingStorageAccountName": { "value": "[first(skip(split(field('id'), '/'), 8))]" }, "existingFileShareName": { "value": "[field('name')]" }, "existingResourceGroupName": { "value": "[resourceGroup().name]" }, "registerStorageAccount": { "value": "[parameters('registerStorageAccount')]" }, "schedule": { "value": { "schedulePolicyType": "SimpleSchedulePolicy", "scheduleRunFrequency": "Daily", 
"scheduleRunDays": null, "scheduleRunTimes": [ "2025-04-04T08:00:00Z" ] } }, "timeZone": { "value": "UTC" }, "retention": { "value": { "snapshotRetentionInDays": 5, "vaultRetention": { "retentionPolicyType": "LongTermRetentionPolicy", "dailySchedule": { "retentionTimes": [ "2025-04-04T08:00:00Z" ], "retentionDuration": { "count": 30, "durationType": "Days" } }, "weeklySchedule": null, "monthlySchedule": null, "yearlySchedule": null } } } } } } } } } }
{"displayName":"[Preview]: Configure backup for Azure Files Shares with a given tag to a new recovery services vault with a new policy","policyType":"BuiltIn","mode":"All","description":"Enforce backup for all Azure Files by deploying a recovery services vault in the same location and resource group as the storage account. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include Azure Files in storage accounts containing a specified tag to control the scope of assignment.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Backup"},"parameters":{"vaultName":{"type":"String","metadata":{"displayName":"Vault Name","description":"Name of the Recovery Services Vault where backups should be registered."}},"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the FileShares that you want to protect)","description":"Location of the FileShares. The FileShares should be in the same location as the vault."}},"policyName":{"type":"String","metadata":{"displayName":"Backup Policy Name","description":"Name of the Azure Backup Policy to be created for Azure File Shares in the specified vault."},"defaultValue":"DefaultBackupPolicy"},"inclusionTagName":{"type":"String","metadata":{"displayName":"Inclusion Tag Name","description":"Name of the tag to use for including FileShares in the scope of this policy. This should be used along with the Inclusion Tag Value parameter."},"defaultValue":""},"inclusionTagValues":{"type":"Array","metadata":{"displayName":"Inclusion Tag Values","description":"Value of the tag to use for including FileShares in the scope of this policy (in case of multiple values,use a comma-separated list). 
This should be used along with the Inclusion Tag Name parameter."},"defaultValue":[]},"registerStorageAccount":{"type":"Boolean","metadata":{"displayName":"Register Storage Account","description":"Set to true if the existing Storage Account has to be registered to the Recovery Services Vault; set to false otherwise."},"defaultValue":true},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts/fileServices/shares"},{"field":"location","equals":"[parameters('vaultLocation')]"},{"anyOf":[{"field":"[concat('tags[',parameters('inclusionTagName'),']')]","in":"[parameters('inclusionTagValues')]"},{"value":"[empty(parameters('inclusionTagValues'))]","equals":"true"},{"value":"[empty(parameters('inclusionTagName'))]","equals":"true"}]}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems","existenceCondition":{"field":"type","equals":"Microsoft.RecoveryServices/backupprotecteditems"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab","/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vaultName":{"type":"string"},"vaultLocation":{"type":"string"},"policyName":{"type":"string","defaultValue":"DefaultBackupPolicy"},"existingStorageAccountName":{"type":"string"},"existingFileShareName":{"type":"string"},"existingResourceGroupName":{"type":"string"},"registerStorageAccount":{"type":"bool","defaultValue":"true"},"schedule":{"type":"object","defaultValue":{"schedulePolicyType":
"SimpleSchedulePolicy","scheduleRunFrequency":"Daily","scheduleRunDays":null,"scheduleRunTimes":["2025-04-04T08:00:00Z"]}},"timeZone":{"type":"string","defaultValue":"UTC"},"retention":{"type":"object","defaultValue":{"snapshotRetentionInDays":5,"vaultRetention":{"retentionPolicyType":"LongTermRetentionPolicy","dailySchedule":{"retentionTimes":["2025-04-04T08:00:00Z"],"retentionDuration":{"count":30,"durationType":"Days"}},"weeklySchedule":null,"monthlySchedule":null,"yearlySchedule":null}}}},"variables":{"backupFabric":"Azure","backupManagementType":"AzureStorage","containerName":"[concat('storagecontainer;Storage;',parameters('existingResourceGroupName'),';',parameters('existingStorageAccountName'))]","protectedItemName":"[concat('AzureFileShare;',parameters('existingFileShareName'))]"},"resources":[{"type":"Microsoft.RecoveryServices/vaults","apiVersion":"2023-06-01","name":"[parameters('vaultName')]","location":"[parameters('vaultLocation')]","sku":{"name":"Standard"},"properties":{"publicNetworkAccess":"Enabled"}},{"type":"Microsoft.RecoveryServices/vaults/backupPolicies","apiVersion":"2016-06-01","name":"[concat(parameters('vaultName'),'/',parameters('policyName'))]","properties":{"backupManagementType":"[variables('backupManagementType')]","workLoadType":"AzureFileShare","schedulePolicy":"[parameters('schedule')]","timeZone":"[parameters('timeZone')]","vaultretentionPolicy":"[parameters('retention')]"},"dependsOn":["[resourceId('Microsoft.RecoveryServices/vaults',parameters('vaultName'))]"]},{"type":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers","apiVersion":"2023-06-01","name":"[concat(parameters('vaultName'),'/',variables('backupFabric'),'/',variables('containerName'))]","properties":{"backupManagementType":"[variables('backupManagementType')]","containerType":"StorageContainer","sourceResourceId":"[resourceId(parameters('existingResourceGroupName'),'Microsoft.Storage/storageAccounts',parameters('existingStorageAccountName'))]"},"con
dition":"[parameters('registerStorageAccount')]","dependsOn":["[resourceId('Microsoft.RecoveryServices/vaults',parameters('vaultName'))]"]},{"type":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems","apiVersion":"2023-06-01","name":"[concat(parameters('vaultName'),'/',variables('backupFabric'),'/',variables('containerName'),'/',variables('protectedItemName'))]","properties":{"protectedItemType":"AzureFileShareProtectedItem","sourceResourceId":"[resourceId(parameters('existingResourceGroupName'),'Microsoft.Storage/storageAccounts',parameters('existingStorageAccountName'))]","policyId":"[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies',parameters('vaultName'),parameters('policyName'))]"},"condition":"[parameters('registerStorageAccount')]","dependsOn":["[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers',parameters('vaultName'),variables('backupFabric'),variables('containerName'))]","[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies',parameters('vaultName'),parameters('policyName'))]"]}]},"parameters":{"vaultName":{"value":"[parameters('vaultName')]"},"vaultLocation":{"value":"[parameters('vaultLocation')]"},"policyName":{"value":"[parameters('policyName')]"},"existingStorageAccountName":{"value":"[first(skip(split(field('id'),'/'),8))]"},"existingFileShareName":{"value":"[field('name')]"},"existingResourceGroupName":{"value":"[resourceGroup().name]"},"registerStorageAccount":{"value":"[parameters('registerStorageAccount')]"},"schedule":{"value":{"schedulePolicyType":"SimpleSchedulePolicy","scheduleRunFrequency":"Daily","scheduleRunDays":null,"scheduleRunTimes":["2025-04-04T08:00:00Z"]}},"timeZone":{"value":"UTC"},"retention":{"value":{"snapshotRetentionInDays":5,"vaultRetention":{"retentionPolicyType":"LongTermRetentionPolicy","dailySchedule":{"retentionTimes":["2025-04-04T08:00:00Z"],"retentionDuration":{"count":30,"durationType":"Days"}},"weeklySchedule":null,"monthlySchedule
":null,"yearlySchedule":null}}}}}}}}}}
if (1)
• 'Microsoft.Storage/storageAccounts/fileServices/shares'
thenDeployment (5)
• 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers'
• 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems'
• 'Microsoft.RecoveryServices/vaults/backupPolicies'
• 'Microsoft.Resources/deployments'
• 'microsoft.storage/storageaccounts'
{ "displayName": "[Preview]: Configure backup for Azure Files Shares with a given tag to an existing recovery services vault in the same location", "policyType": "BuiltIn", "mode": "All", "description": "Enforce backup for all Azure Files by backing them up to an existing central recovery services vault in the same location and subscription as the storage account. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include Azure Files in storage accounts containing a specified tag to control the scope of assignment.", "metadata": { "version": "1.0.0-preview", "preview": true, "category": "Backup" }, "parameters": { "registerStorageAccount": { "type": "Boolean", "metadata": { "displayName": "Register Storage Account", "description": "Set to true if the existing Storage Account has to be registered to the Recovery Services Vault; set to false otherwise." }, "defaultValue": false }, "vaultName": { "type": "String", "metadata": { "displayName": "Vault Name", "description": "Name of the Recovery Services Vault where backups should be registered." } }, "vaultLocation": { "type": "String", "metadata": { "displayName": "Location (Specify the location of the FileShares that you want to protect)", "description": "Location of the FileShares. The FileShares should be in the same location as the vault." } }, "backupPolicyName": { "type": "String", "metadata": { "displayName": "Backup Policy (of type Azure FileShare from a vault in the location chosen above)", "description": "Specify the Name of the Azure Backup policy to configure backup of the file shares. The selected Azure Backup policy should be of type Azure File Share. This policy needs to be in a vault that is present in the location chosen above. 
For example - /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.RecoveryServices/vaults/<vault-name>/backupPolicies/<backup-policy-name>" } }, "inclusionTagName": { "type": "String", "metadata": { "displayName": "Inclusion Tag Name", "description": "Name of the tag to use for including FileShares in the scope of this policy. This should be used along with the Inclusion Tag Value parameter." }, "defaultValue": "" }, "inclusionTagValues": { "type": "Array", "metadata": { "displayName": "Inclusion Tag Values", "description": "Value of the tag to use for including FileShares in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Inclusion Tag Name parameter." }, "defaultValue": [] }, "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "AuditIfNotExists", "DeployIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts/fileServices/shares" }, { "field": "location", "equals": "[parameters('vaultLocation')]" }, { "anyOf": [ { "field": "[concat('tags[', parameters('inclusionTagName'), ']')]", "in": "[parameters('inclusionTagValues')]" }, { "value": "[empty(parameters('inclusionTagValues'))]", "equals": "true" }, { "value": "[empty(parameters('inclusionTagName'))]", "equals": "true" } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.RecoveryServices/backupprotecteditems", "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { 
"registerStorageAccount": { "type": "bool", "defaultValue": false, "metadata": { "description": "Set to true if the existing Storage Account needs to be registered to the Recovery Services Vault; set to false otherwise." } }, "vaultName": { "type": "string", "metadata": { "description": "Vault name to register backup." } }, "existingResourceGroupName": { "type": "string", "metadata": { "description": "Existing Resource Group Name." } }, "existingFileShareName": { "type": "string", "metadata": { "description": "Existing File Share Name." } }, "backupPolicyName": { "type": "string", "metadata": { "description": "Backup Policy Name." } }, "existingStorageAccountName": { "type": "string", "metadata": { "description": "ResourceId of the Storage Account." } }, "location": { "type": "string", "metadata": { "description": "Location for all resources." } } }, "variables": { "existingStorageAccountName": "[parameters('existingStorageAccountName')]", "existingResourceGroupName": "[parameters('existingResourceGroupName')]", "existingFileShareName": "[parameters('existingFileShareName')]", "backupPolicyName": "[parameters('backupPolicyName')]", "vaultName": "[parameters('vaultName')]", "backupFabric": "Azure", "backupManagementType": "AzureStorage" }, "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", "resourceGroup": "[variables('existingResourceGroupName')]", "name": "[concat('DeployProtection-', uniqueString(variables('existingStorageAccountName')))]", "properties": { "mode": "Incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "resources": [ { "condition": "[parameters('registerStorageAccount')]", "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers", "apiVersion": "2021-12-01", "name": "[format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), 
parameters('existingResourceGroupName'), parameters('existingStorageAccountName'))]", "properties": { "backupManagementType": "[variables('backupManagementType')]", "containerType": "StorageContainer", "sourceResourceId": "[resourceId(parameters('existingResourceGroupName'), 'Microsoft.Storage/storageAccounts', parameters('existingStorageAccountName'))]" } }, { "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", "apiVersion": "2021-12-01", "name": "[format('{0}/{1}/{2}/{3}', split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[0], split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[1], split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[2], format('AzureFileShare;{0}', parameters('existingFileShareName')))]", "properties": { "protectedItemType": "AzureFileShareProtectedItem", "sourceResourceId": "[resourceId(parameters('existingResourceGroupName'), 'Microsoft.Storage/storageAccounts', parameters('existingStorageAccountName'))]", "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', parameters('vaultName'), parameters('backupPolicyName'))]", "isInlineInquiry": true }, "dependsOn": [ "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers', split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[0], split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), 
parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[1], split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[2])]" ] } ] } } } ] }, "parameters": { "existingStorageAccountName": { "value": "[first(skip(split(field('id'), '/'), 8))]" }, "existingFileShareName": { "value": "[field('name')]" }, "existingResourceGroupName": { "value": "[resourceGroup().name]" }, "registerStorageAccount": { "value": "[parameters('registerStorageAccount')]" }, "vaultName": { "value": "[parameters('vaultName')]" }, "backupPolicyName": { "value": "[parameters('backupPolicyName')]" }, "location": { "value": "[field('location')]" } } } } } } } }
{"displayName":"[Preview]: Configure backup for Azure Files Shares with a given tag to an existing recovery services vault in the same location","policyType":"BuiltIn","mode":"All","description":"Enforce backup for all Azure Files by backing them up to an existing central recovery services vault in the same location and subscription as the storage account. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include Azure Files in storage accounts containing a specified tag to control the scope of assignment.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Backup"},"parameters":{"registerStorageAccount":{"type":"Boolean","metadata":{"displayName":"Register Storage Account","description":"Set to true if the existing Storage Account has to be registered to the Recovery Services Vault; set to false otherwise."},"defaultValue":false},"vaultName":{"type":"String","metadata":{"displayName":"Vault Name","description":"Name of the Recovery Services Vault where backups should be registered."}},"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the FileShares that you want to protect)","description":"Location of the FileShares. The FileShares should be in the same location as the vault."}},"backupPolicyName":{"type":"String","metadata":{"displayName":"Backup Policy (of type Azure FileShare from a vault in the location chosen above)","description":"Specify the Name of the Azure Backup policy to configure backup of the file shares. The selected Azure Backup policy should be of type Azure File Share. This policy needs to be in a vault that is present in the location chosen above. 
For example - /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.RecoveryServices/vaults/<vault-name>/backupPolicies/<backup-policy-name>"}},"inclusionTagName":{"type":"String","metadata":{"displayName":"Inclusion Tag Name","description":"Name of the tag to use for including FileShares in the scope of this policy. This should be used along with the Inclusion Tag Value parameter."},"defaultValue":""},"inclusionTagValues":{"type":"Array","metadata":{"displayName":"Inclusion Tag Values","description":"Value of the tag to use for including FileShares in the scope of this policy (in case of multiple values,use a comma-separated list). This should be used along with the Inclusion Tag Name parameter."},"defaultValue":[]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts/fileServices/shares"},{"field":"location","equals":"[parameters('vaultLocation')]"},{"anyOf":[{"field":"[concat('tags[',parameters('inclusionTagName'),']')]","in":"[parameters('inclusionTagValues')]"},{"value":"[empty(parameters('inclusionTagValues'))]","equals":"true"},{"value":"[empty(parameters('inclusionTagName'))]","equals":"true"}]}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab","/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"registerStorageAccount":{"type":"bool","defaultValue":false,"metadata":{"description":"Set to true if the existing Storage Account 
needs to be registered to the Recovery Services Vault; set to false otherwise."}},"vaultName":{"type":"string","metadata":{"description":"Vault name to register backup."}},"existingResourceGroupName":{"type":"string","metadata":{"description":"Existing Resource Group Name."}},"existingFileShareName":{"type":"string","metadata":{"description":"Existing File Share Name."}},"backupPolicyName":{"type":"string","metadata":{"description":"Backup Policy Name."}},"existingStorageAccountName":{"type":"string","metadata":{"description":"ResourceId of the Storage Account."}},"location":{"type":"string","metadata":{"description":"Location for all resources."}}},"variables":{"existingStorageAccountName":"[parameters('existingStorageAccountName')]","existingResourceGroupName":"[parameters('existingResourceGroupName')]","existingFileShareName":"[parameters('existingFileShareName')]","backupPolicyName":"[parameters('backupPolicyName')]","vaultName":"[parameters('vaultName')]","backupFabric":"Azure","backupManagementType":"AzureStorage"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2021-04-01","resourceGroup":"[variables('existingResourceGroupName')]","name":"[concat('DeployProtection-',uniqueString(variables('existingStorageAccountName')))]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{},"resources":[{"condition":"[parameters('registerStorageAccount')]","type":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers","apiVersion":"2021-12-01","name":"[format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName'))]","properties":{"backupManagementType":"[variables('backupManagementType')]","containerType":"StorageContainer","sourceResourceId":"[resourceId(parameters('existingResourceGroupName'),'M
icrosoft.Storage/storageAccounts',parameters('existingStorageAccountName'))]"}},{"type":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems","apiVersion":"2021-12-01","name":"[format('{0}/{1}/{2}/{3}',split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[0],split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[1],split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[2],format('AzureFileShare;{0}',parameters('existingFileShareName')))]","properties":{"protectedItemType":"AzureFileShareProtectedItem","sourceResourceId":"[resourceId(parameters('existingResourceGroupName'),'Microsoft.Storage/storageAccounts',parameters('existingStorageAccountName'))]","policyId":"[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies',parameters('vaultName'),parameters('backupPolicyName'))]","isInlineInquiry":true},"dependsOn":["[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers',split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[0],split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[1],split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[2])]"]}]}}}]},"parameters":{"existingStorageAccountName
":{"value":"[first(skip(split(field('id'),'/'),8))]"},"existingFileShareName":{"value":"[field('name')]"},"existingResourceGroupName":{"value":"[resourceGroup().name]"},"registerStorageAccount":{"value":"[parameters('registerStorageAccount')]"},"vaultName":{"value":"[parameters('vaultName')]"},"backupPolicyName":{"value":"[parameters('backupPolicyName')]"},"location":{"value":"[field('location')]"}}}}}}}}
if (1)
• 'Microsoft.Storage/storageAccounts/fileServices/shares'
thenDeployment (5)
• 'Microsoft.RecoveryServices/vaults'
• 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers'
• 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems'
• 'Microsoft.RecoveryServices/vaults/backupPolicies'
• 'microsoft.storage/storageaccounts'
thenExistenceCondition (1)
• 'Microsoft.RecoveryServices/backupprotecteditems'
{ "displayName": "[Preview]: Configure backup for Azure Files Shares without a given tag to a new recovery services vault with a new policy", "policyType": "BuiltIn", "mode": "All", "description": "Enforce backup for all Azure Files by deploying a recovery services vault in the same location and resource group as the storage account. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude Azure Files in storage accounts containing a specified tag to control the scope of assignment.", "metadata": { "version": "1.0.0-preview", "preview": true, "category": "Backup" }, "parameters": { "vaultName": { "type": "String", "metadata": { "displayName": "Vault Name", "description": "Name of the Recovery Services Vault where backups should be registered." } }, "vaultLocation": { "type": "String", "metadata": { "displayName": "Location (Specify the location of the FileShares that you want to protect)", "description": "Location of the FileShares. The FileShares should be in the same location as the vault." } }, "policyName": { "type": "String", "metadata": { "displayName": "Backup Policy Name", "description": "Name of the Azure Backup Policy to be created for Azure File Shares in the specified vault." }, "defaultValue": "DefaultBackupPolicy" }, "exclusionTagName": { "type": "String", "metadata": { "displayName": "Exclusion Tag Name", "description": "Name of the tag to use for excluding FileShares from the scope of this policy. This should be used along with the Exclusion Tag Value parameter." }, "defaultValue": "" }, "exclusionTagValue": { "type": "Array", "metadata": { "displayName": "Exclusion Tag Values", "description": "Value of the tag to use for excluding FileShares from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter." 
}, "defaultValue": [] }, "registerStorageAccount": { "type": "Boolean", "metadata": { "displayName": "Register Storage Account", "description": "Set to true if the existing Storage Account has to be registered to the Recovery Services Vault; set to false otherwise." }, "defaultValue": true }, "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "AuditIfNotExists", "DeployIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts/fileServices/shares" }, { "field": "location", "equals": "[parameters('vaultLocation')]" }, { "anyOf": [ { "not": { "field": "[concat('tags[', parameters('exclusionTagName'), ']')]", "in": "[parameters('exclusionTagValue')]" } }, { "value": "[empty(parameters('exclusionTagValue'))]", "equals": "true" }, { "value": "[empty(parameters('exclusionTagName'))]", "equals": "true" } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.RecoveryServices/backupprotecteditems", "existenceCondition": { "field": "type", "equals": "Microsoft.RecoveryServices/backupprotecteditems" }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "vaultName": { "type": "string" }, "vaultLocation": { "type": "string" }, "policyName": { "type": "string", "defaultValue": "DefaultBackupPolicy" }, "existingStorageAccountName": { "type": "string" }, "existingFileShareName": { "type": "string" }, "existingResourceGroupName": { "type": "string" }, "registerStorageAccount": { 
"type": "bool", "defaultValue": "true" }, "schedule": { "type": "object", "defaultValue": { "schedulePolicyType": "SimpleSchedulePolicy", "scheduleRunFrequency": "Daily", "scheduleRunDays": null, "scheduleRunTimes": [ "2025-04-04T08:00:00Z" ] } }, "timeZone": { "type": "string", "defaultValue": "UTC" }, "retention": { "type": "object", "defaultValue": { "snapshotRetentionInDays": 5, "vaultRetention": { "retentionPolicyType": "LongTermRetentionPolicy", "dailySchedule": { "retentionTimes": [ "2025-04-04T08:00:00Z" ], "retentionDuration": { "count": 30, "durationType": "Days" } }, "weeklySchedule": null, "monthlySchedule": null, "yearlySchedule": null } } } }, "variables": { "backupFabric": "Azure", "backupManagementType": "AzureStorage", "containerName": "[concat('storagecontainer;Storage;', parameters('existingResourceGroupName'), ';', parameters('existingStorageAccountName'))]", "protectedItemName": "[concat('AzureFileShare;', parameters('existingFileShareName'))]" }, "resources": [ { "type": "Microsoft.RecoveryServices/vaults", "apiVersion": "2023-06-01", "name": "[parameters('vaultName')]", "location": "[parameters('vaultLocation')]", "sku": { "name": "Standard" }, "properties": { "publicNetworkAccess": "Enabled" } }, { "type": "Microsoft.RecoveryServices/vaults/backupPolicies", "apiVersion": "2016-06-01", "name": "[concat(parameters('vaultName'), '/', parameters('policyName'))]", "properties": { "backupManagementType": "[variables('backupManagementType')]", "workLoadType": "AzureFileShare", "schedulePolicy": "[parameters('schedule')]", "timeZone": "[parameters('timeZone')]", "vaultretentionPolicy": "[parameters('retention')]" }, "dependsOn": [ "[resourceId('Microsoft.RecoveryServices/vaults', parameters('vaultName'))]" ] }, { "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers", "apiVersion": "2023-06-01", "name": "[concat(parameters('vaultName'), '/', variables('backupFabric'), '/', variables('containerName'))]", "properties": { 
"backupManagementType": "[variables('backupManagementType')]", "containerType": "StorageContainer", "sourceResourceId": "[resourceId(parameters('existingResourceGroupName'), 'Microsoft.Storage/storageAccounts', parameters('existingStorageAccountName'))]" }, "condition": "[parameters('registerStorageAccount')]", "dependsOn": [ "[resourceId('Microsoft.RecoveryServices/vaults', parameters('vaultName'))]" ] }, { "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", "apiVersion": "2023-06-01", "name": "[concat(parameters('vaultName'), '/', variables('backupFabric'), '/', variables('containerName'), '/', variables('protectedItemName'))]", "properties": { "protectedItemType": "AzureFileShareProtectedItem", "sourceResourceId": "[resourceId(parameters('existingResourceGroupName'), 'Microsoft.Storage/storageAccounts', parameters('existingStorageAccountName'))]", "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', parameters('vaultName'), parameters('policyName'))]" }, "condition": "[parameters('registerStorageAccount')]", "dependsOn": [ "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers', parameters('vaultName'), variables('backupFabric'), variables('containerName'))]", "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', parameters('vaultName'), parameters('policyName'))]" ] } ] }, "parameters": { "vaultName": { "value": "[parameters('vaultName')]" }, "vaultLocation": { "value": "[parameters('vaultLocation')]" }, "policyName": { "value": "[parameters('policyName')]" }, "existingStorageAccountName": { "value": "[first(skip(split(field('id'), '/'), 8))]" }, "existingFileShareName": { "value": "[field('name')]" }, "existingResourceGroupName": { "value": "[resourceGroup().name]" }, "registerStorageAccount": { "value": "[parameters('registerStorageAccount')]" }, "schedule": { "value": { "schedulePolicyType": "SimpleSchedulePolicy", "scheduleRunFrequency": "Daily", 
"scheduleRunDays": null, "scheduleRunTimes": [ "2025-04-04T08:00:00Z" ] } }, "timeZone": { "value": "UTC" }, "retention": { "value": { "snapshotRetentionInDays": 5, "vaultRetention": { "retentionPolicyType": "LongTermRetentionPolicy", "dailySchedule": { "retentionTimes": [ "2025-04-04T08:00:00Z" ], "retentionDuration": { "count": 30, "durationType": "Days" } }, "weeklySchedule": null, "monthlySchedule": null, "yearlySchedule": null } } } } } } } } } }
{"displayName":"[Preview]: Configure backup for Azure Files Shares without a given tag to a new recovery services vault with a new policy","policyType":"BuiltIn","mode":"All","description":"Enforce backup for all Azure Files by deploying a recovery services vault in the same location and resource group as the storage account. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude Azure Files in storage accounts containing a specified tag to control the scope of assignment.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Backup"},"parameters":{"vaultName":{"type":"String","metadata":{"displayName":"Vault Name","description":"Name of the Recovery Services Vault where backups should be registered."}},"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the FileShares that you want to protect)","description":"Location of the FileShares. The FileShares should be in the same location as the vault."}},"policyName":{"type":"String","metadata":{"displayName":"Backup Policy Name","description":"Name of the Azure Backup Policy to be created for Azure File Shares in the specified vault."},"defaultValue":"DefaultBackupPolicy"},"exclusionTagName":{"type":"String","metadata":{"displayName":"Exclusion Tag Name","description":"Name of the tag to use for excluding FileShares from the scope of this policy. This should be used along with the Exclusion Tag Value parameter."},"defaultValue":""},"exclusionTagValue":{"type":"Array","metadata":{"displayName":"Exclusion Tag Values","description":"Value of the tag to use for excluding FileShares from the scope of this policy (in case of multiple values,use a comma-separated list). 
This should be used along with the Exclusion Tag Name parameter."},"defaultValue":[]},"registerStorageAccount":{"type":"Boolean","metadata":{"displayName":"Register Storage Account","description":"Set to true if the existing Storage Account has to be registered to the Recovery Services Vault; set to false otherwise."},"defaultValue":true},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts/fileServices/shares"},{"field":"location","equals":"[parameters('vaultLocation')]"},{"anyOf":[{"not":{"field":"[concat('tags[',parameters('exclusionTagName'),']')]","in":"[parameters('exclusionTagValue')]"}},{"value":"[empty(parameters('exclusionTagValue'))]","equals":"true"},{"value":"[empty(parameters('exclusionTagName'))]","equals":"true"}]}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems","existenceCondition":{"field":"type","equals":"Microsoft.RecoveryServices/backupprotecteditems"},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab","/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"vaultName":{"type":"string"},"vaultLocation":{"type":"string"},"policyName":{"type":"string","defaultValue":"DefaultBackupPolicy"},"existingStorageAccountName":{"type":"string"},"existingFileShareName":{"type":"string"},"existingResourceGroupName":{"type":"string"},"registerStorageAccount":{"type":"bool","defaultValue":"true"},"schedule":{"type":"object","defaultValue":{"schedulePolicy
Type":"SimpleSchedulePolicy","scheduleRunFrequency":"Daily","scheduleRunDays":null,"scheduleRunTimes":["2025-04-04T08:00:00Z"]}},"timeZone":{"type":"string","defaultValue":"UTC"},"retention":{"type":"object","defaultValue":{"snapshotRetentionInDays":5,"vaultRetention":{"retentionPolicyType":"LongTermRetentionPolicy","dailySchedule":{"retentionTimes":["2025-04-04T08:00:00Z"],"retentionDuration":{"count":30,"durationType":"Days"}},"weeklySchedule":null,"monthlySchedule":null,"yearlySchedule":null}}}},"variables":{"backupFabric":"Azure","backupManagementType":"AzureStorage","containerName":"[concat('storagecontainer;Storage;',parameters('existingResourceGroupName'),';',parameters('existingStorageAccountName'))]","protectedItemName":"[concat('AzureFileShare;',parameters('existingFileShareName'))]"},"resources":[{"type":"Microsoft.RecoveryServices/vaults","apiVersion":"2023-06-01","name":"[parameters('vaultName')]","location":"[parameters('vaultLocation')]","sku":{"name":"Standard"},"properties":{"publicNetworkAccess":"Enabled"}},{"type":"Microsoft.RecoveryServices/vaults/backupPolicies","apiVersion":"2016-06-01","name":"[concat(parameters('vaultName'),'/',parameters('policyName'))]","properties":{"backupManagementType":"[variables('backupManagementType')]","workLoadType":"AzureFileShare","schedulePolicy":"[parameters('schedule')]","timeZone":"[parameters('timeZone')]","vaultretentionPolicy":"[parameters('retention')]"},"dependsOn":["[resourceId('Microsoft.RecoveryServices/vaults',parameters('vaultName'))]"]},{"type":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers","apiVersion":"2023-06-01","name":"[concat(parameters('vaultName'),'/',variables('backupFabric'),'/',variables('containerName'))]","properties":{"backupManagementType":"[variables('backupManagementType')]","containerType":"StorageContainer","sourceResourceId":"[resourceId(parameters('existingResourceGroupName'),'Microsoft.Storage/storageAccounts',parameters('existingStorageAccountName'))]"
},"condition":"[parameters('registerStorageAccount')]","dependsOn":["[resourceId('Microsoft.RecoveryServices/vaults',parameters('vaultName'))]"]},{"type":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems","apiVersion":"2023-06-01","name":"[concat(parameters('vaultName'),'/',variables('backupFabric'),'/',variables('containerName'),'/',variables('protectedItemName'))]","properties":{"protectedItemType":"AzureFileShareProtectedItem","sourceResourceId":"[resourceId(parameters('existingResourceGroupName'),'Microsoft.Storage/storageAccounts',parameters('existingStorageAccountName'))]","policyId":"[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies',parameters('vaultName'),parameters('policyName'))]"},"condition":"[parameters('registerStorageAccount')]","dependsOn":["[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers',parameters('vaultName'),variables('backupFabric'),variables('containerName'))]","[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies',parameters('vaultName'),parameters('policyName'))]"]}]},"parameters":{"vaultName":{"value":"[parameters('vaultName')]"},"vaultLocation":{"value":"[parameters('vaultLocation')]"},"policyName":{"value":"[parameters('policyName')]"},"existingStorageAccountName":{"value":"[first(skip(split(field('id'),'/'),8))]"},"existingFileShareName":{"value":"[field('name')]"},"existingResourceGroupName":{"value":"[resourceGroup().name]"},"registerStorageAccount":{"value":"[parameters('registerStorageAccount')]"},"schedule":{"value":{"schedulePolicyType":"SimpleSchedulePolicy","scheduleRunFrequency":"Daily","scheduleRunDays":null,"scheduleRunTimes":["2025-04-04T08:00:00Z"]}},"timeZone":{"value":"UTC"},"retention":{"value":{"snapshotRetentionInDays":5,"vaultRetention":{"retentionPolicyType":"LongTermRetentionPolicy","dailySchedule":{"retentionTimes":["2025-04-04T08:00:00Z"],"retentionDuration":{"count":30,"durationType":"Days"}},"weeklySchedule":null,"monthlySc
hedule":null,"yearlySchedule":null}}}}}}}}}}
if (1)
• 'Microsoft.Storage/storageAccounts/fileServices/shares'
thenDeployment (5)
• 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers'
• 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems'
• 'Microsoft.RecoveryServices/vaults/backupPolicies'
• 'Microsoft.Resources/deployments'
• 'microsoft.storage/storageaccounts'
{ "displayName": "[Preview]: Configure backup for Azure Files Shares without a given tag to an existing recovery services vault in the same location", "policyType": "BuiltIn", "mode": "All", "description": "Enforce backup for all Azure Files by backing them up to an existing central recovery services vault in the same location and subscription as the storage account. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude Azure Files in storage accounts containing a specified tag to control the scope of assignment.", "metadata": { "version": "1.0.0-preview", "preview": true, "category": "Backup" }, "parameters": { "registerStorageAccount": { "type": "Boolean", "metadata": { "displayName": "Register Storage Account", "description": "Set to true if the existing Storage Account has to be registered to the Recovery Services Vault; set to false otherwise." }, "defaultValue": false }, "vaultName": { "type": "String", "metadata": { "displayName": "Vault Name", "description": "Name of the Recovery Services Vault where backups should be registered." } }, "vaultLocation": { "type": "String", "metadata": { "displayName": "Location (Specify the location of the FileShares that you want to protect)", "description": "Location of the FileShares. The FileShares should be in the same location as the vault." } }, "backupPolicyName": { "type": "String", "metadata": { "displayName": "Backup Policy Name", "description": "Specify the Name of the Azure Backup policy to configure backup of the file shares. The selected Azure Backup policy should be of type Azure File Share. This policy needs to be in a vault that is present in the location chosen above. 
For example - /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.RecoveryServices/vaults/<vault-name>/backupPolicies/<backup-policy-name>" } }, "exclusionTagName": { "type": "String", "metadata": { "displayName": "Exclusion Tag Name", "description": "Name of the tag to use for excluding FileShares in the scope of this policy. This should be used along with the Exclusion Tag Value parameter." }, "defaultValue": "" }, "exclusionTagValue": { "type": "Array", "metadata": { "displayName": "Exclusion Tag Values", "description": "Value of the tag to use for excluding FileShares in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter." }, "defaultValue": [] }, "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "AuditIfNotExists", "DeployIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts/fileServices/shares" }, { "field": "location", "equals": "[parameters('vaultLocation')]" }, { "anyOf": [ { "not": { "field": "[concat('tags[', parameters('exclusionTagName'), ']')]", "in": "[parameters('exclusionTagValue')]" } }, { "value": "[empty(parameters('exclusionTagValue'))]", "equals": "true" }, { "value": "[empty(parameters('exclusionTagName'))]", "equals": "true" } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.RecoveryServices/backupprotecteditems", "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { 
"registerStorageAccount": { "type": "bool", "defaultValue": false, "metadata": { "description": "Set to true if the existing Storage Account needs to be registered to the Recovery Services Vault; set to false otherwise." } }, "vaultName": { "type": "string", "metadata": { "description": "Vault name to register backup." } }, "existingResourceGroupName": { "type": "string", "metadata": { "description": "Existing Resource Group Name." } }, "existingFileShareName": { "type": "string", "metadata": { "description": "Existing File Share Name." } }, "backupPolicyName": { "type": "string", "metadata": { "description": "Backup Policy Name." } }, "existingStorageAccountName": { "type": "string", "metadata": { "description": "ResourceId of the Storage Account." } }, "location": { "type": "string", "metadata": { "description": "Location for all resources." } } }, "variables": { "existingStorageAccountName": "[parameters('existingStorageAccountName')]", "existingResourceGroupName": "[parameters('existingResourceGroupName')]", "existingFileShareName": "[parameters('existingFileShareName')]", "backupPolicyName": "[parameters('backupPolicyName')]", "vaultName": "[parameters('vaultName')]", "backupFabric": "Azure", "backupManagementType": "AzureStorage" }, "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", "resourceGroup": "[variables('existingResourceGroupName')]", "name": "[concat('DeployProtection-', uniqueString(variables('existingStorageAccountName')))]", "properties": { "mode": "Incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "resources": [ { "condition": "[parameters('registerStorageAccount')]", "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers", "apiVersion": "2021-12-01", "name": "[format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), 
parameters('existingResourceGroupName'), parameters('existingStorageAccountName'))]", "properties": { "backupManagementType": "[variables('backupManagementType')]", "containerType": "StorageContainer", "sourceResourceId": "[resourceId(parameters('existingResourceGroupName'), 'Microsoft.Storage/storageAccounts', parameters('existingStorageAccountName'))]" } }, { "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", "apiVersion": "2021-12-01", "name": "[format('{0}/{1}/{2}/{3}', split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[0], split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[1], split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[2], format('AzureFileShare;{0}', parameters('existingFileShareName')))]", "properties": { "protectedItemType": "AzureFileShareProtectedItem", "sourceResourceId": "[resourceId(parameters('existingResourceGroupName'), 'Microsoft.Storage/storageAccounts', parameters('existingStorageAccountName'))]", "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', parameters('vaultName'), parameters('backupPolicyName'))]", "isInlineInquiry": true }, "dependsOn": [ "[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers', split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[0], split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), 
parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[1], split(format('{0}/{1}/storagecontainer;Storage;{2};{3}', parameters('vaultName'), variables('backupFabric'), parameters('existingResourceGroupName'), parameters('existingStorageAccountName')), '/')[2])]" ] } ] } } } ] }, "parameters": { "existingStorageAccountName": { "value": "[first(skip(split(field('id'), '/'), 8))]" }, "existingFileShareName": { "value": "[field('name')]" }, "existingResourceGroupName": { "value": "[resourceGroup().name]" }, "registerStorageAccount": { "value": "[parameters('registerStorageAccount')]" }, "vaultName": { "value": "[parameters('vaultName')]" }, "backupPolicyName": { "value": "[parameters('backupPolicyName')]" }, "location": { "value": "[field('location')]" } } } } } } } }
{"displayName":"[Preview]: Configure backup for Azure Files Shares without a given tag to an existing recovery services vault in the same location","policyType":"BuiltIn","mode":"All","description":"Enforce backup for all Azure Files by backing them up to an existing central recovery services vault in the same location and subscription as the storage account. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude Azure Files in storage accounts containing a specified tag to control the scope of assignment.","metadata":{"version":"1.0.0-preview","preview":true,"category":"Backup"},"parameters":{"registerStorageAccount":{"type":"Boolean","metadata":{"displayName":"Register Storage Account","description":"Set to true if the existing Storage Account has to be registered to the Recovery Services Vault; set to false otherwise."},"defaultValue":false},"vaultName":{"type":"String","metadata":{"displayName":"Vault Name","description":"Name of the Recovery Services Vault where backups should be registered."}},"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the FileShares that you want to protect)","description":"Location of the FileShares. The FileShares should be in the same location as the vault."}},"backupPolicyName":{"type":"String","metadata":{"displayName":"Backup Policy Name","description":"Specify the Name of the Azure Backup policy to configure backup of the file shares. The selected Azure Backup policy should be of type Azure File Share. This policy needs to be in a vault that is present in the location chosen above. For example - /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.RecoveryServices/vaults/<vault-name>/backupPolicies/<backup-policy-name>"}},"exclusionTagName":{"type":"String","metadata":{"displayName":"Exclusion Tag Name","description":"Name of the tag to use for excluding FileShares in the scope of this policy. 
This should be used along with the Exclusion Tag Value parameter."},"defaultValue":""},"exclusionTagValue":{"type":"Array","metadata":{"displayName":"Exclusion Tag Values","description":"Value of the tag to use for excluding FileShares in the scope of this policy (in case of multiple values,use a comma-separated list). This should be used along with the Exclusion Tag Name parameter."},"defaultValue":[]},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/storageAccounts/fileServices/shares"},{"field":"location","equals":"[parameters('vaultLocation')]"},{"anyOf":[{"not":{"field":"[concat('tags[',parameters('exclusionTagName'),']')]","in":"[parameters('exclusionTagValue')]"}},{"value":"[empty(parameters('exclusionTagValue'))]","equals":"true"},{"value":"[empty(parameters('exclusionTagName'))]","equals":"true"}]}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.RecoveryServices/backupprotecteditems","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab","/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"registerStorageAccount":{"type":"bool","defaultValue":false,"metadata":{"description":"Set to true if the existing Storage Account needs to be registered to the Recovery Services Vault; set to false otherwise."}},"vaultName":{"type":"string","metadata":{"description":"Vault name to register backup."}},"existingResourceGroupName":{"type":"string","metadata":{"description":"Existing Resource Group 
Name."}},"existingFileShareName":{"type":"string","metadata":{"description":"Existing File Share Name."}},"backupPolicyName":{"type":"string","metadata":{"description":"Backup Policy Name."}},"existingStorageAccountName":{"type":"string","metadata":{"description":"ResourceId of the Storage Account."}},"location":{"type":"string","metadata":{"description":"Location for all resources."}}},"variables":{"existingStorageAccountName":"[parameters('existingStorageAccountName')]","existingResourceGroupName":"[parameters('existingResourceGroupName')]","existingFileShareName":"[parameters('existingFileShareName')]","backupPolicyName":"[parameters('backupPolicyName')]","vaultName":"[parameters('vaultName')]","backupFabric":"Azure","backupManagementType":"AzureStorage"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2021-04-01","resourceGroup":"[variables('existingResourceGroupName')]","name":"[concat('DeployProtection-',uniqueString(variables('existingStorageAccountName')))]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{},"resources":[{"condition":"[parameters('registerStorageAccount')]","type":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers","apiVersion":"2021-12-01","name":"[format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName'))]","properties":{"backupManagementType":"[variables('backupManagementType')]","containerType":"StorageContainer","sourceResourceId":"[resourceId(parameters('existingResourceGroupName'),'Microsoft.Storage/storageAccounts',parameters('existingStorageAccountName'))]"}},{"type":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems","apiVersion":"2021-12-01","name":"[format('{0}/{1}/{2}/{3}',split(format('{0}/{1}/storageconta
iner;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[0],split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[1],split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[2],format('AzureFileShare;{0}',parameters('existingFileShareName')))]","properties":{"protectedItemType":"AzureFileShareProtectedItem","sourceResourceId":"[resourceId(parameters('existingResourceGroupName'),'Microsoft.Storage/storageAccounts',parameters('existingStorageAccountName'))]","policyId":"[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies',parameters('vaultName'),parameters('backupPolicyName'))]","isInlineInquiry":true},"dependsOn":["[resourceId('Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers',split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[0],split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[1],split(format('{0}/{1}/storagecontainer;Storage;{2};{3}',parameters('vaultName'),variables('backupFabric'),parameters('existingResourceGroupName'),parameters('existingStorageAccountName')),'/')[2])]"]}]}}}]},"parameters":{"existingStorageAccountName":{"value":"[first(skip(split(field('id'),'/'),8))]"},"existingFileShareName":{"value":"[field('name')]"},"existingResourceGroupName":{"value":"[resourceGroup().name]"},"registerStorageAccount":{"value":"[parameters('registerStorageAccount')]"},"vaultName":{"value":"[
parameters('vaultName')]"},"backupPolicyName":{"value":"[parameters('backupPolicyName')]"},"location":{"value":"[field('location')]"}}}}}}}}
Used in 1 Policy Set(s):
• Spain ENS (175daf90-21e1-4fec-b745-7b4c909aa94c) [Regulatory Compliance] BuiltIn
Used 1x as a control:
• CIS_Controls_v8.1_3.1 (ref)
{ "displayName": "[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region", "policyType": "BuiltIn", "mode": "Indexed", "description": "Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies", "metadata": { "version": "2.0.0-preview", "preview": true, "category": "Backup" }, "parameters": { "vaultLocation": { "type": "String", "metadata": { "displayName": "Location (Specify the location of the storage accounts that you want to protect)", "description": "Specify the location of the storage accounts that you want to protect. Blobs in the storage accounts should be backed up to a vault in the same location. For example - CanadaCentral", "strongType": "location" } }, "backupPolicyId": { "type": "String", "metadata": { "displayName": "Backup Policy (of type Azure Blobs (Azure Storage) from a vault in the location chosen above)", "description": "Specify the ID of the backup policy to be used for configuring backup for blobs. The selected Azure Backup policy should be of type Azure Blobs (Azure Storage). This policy needs to be in a vault that is present in the location chosen above. For example - /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DataProtection/vaults/<vault-name>/backupPolicies/<backup-policy-name>. Also, make sure that this Backup vault's managed identity has the Storage Account Backup Contributor role assigned on the storage accounts for which backup is to be configured." } }, "inclusionTagName": { "type": "String", "metadata": { "displayName": "Inclusion Tag Name", "description": "Name of the tag to use for including storage accounts in the scope of this policy. This should be used along with the Inclusion Tag Value parameter. 
Learn more at https://aka.ms/AB-BlobBackupAzPolicies" } }, "inclusionTagValues": { "type": "Array", "metadata": { "displayName": "Inclusion Tag Values", "description": "Value of the tag to use for including storage accounts in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Inclusion Tag Name parameter. Learn more at https://aka.ms/AB-BlobBackupAzPolicies." } }, "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "DeployIfNotExists", "AuditIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/StorageAccounts" }, { "field": "[concat('tags[', parameters('inclusionTagName'), ']')]", "in": "[parameters('inclusionTagValues')]" }, { "field": "kind", "equals": "StorageV2" }, { "field": "Microsoft.Storage/storageAccounts/sku.name", "contains": "Standard" }, { "field": "Microsoft.Storage/storageAccounts/isHnsEnabled", "notEquals": "true" }, { "field": "Microsoft.Storage/storageAccounts/isNfsV3Enabled", "notEquals": "true" }, { "field": "location", "equals": "[parameters('vaultLocation')]" } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Storage/storageAccounts/blobServices", "name": "default", "existenceCondition": { "field": "Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled", "equals": true }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "backupPolicyId": { "type": "string", "metadata": { "description": "Backup Policy Id" } }, "storageAccountResourceId": { "type": 
"string", "metadata": { "description": "ResourceId of the Storage Account" } }, "location": { "type": "string", "metadata": { "description": "Location for all resources" } } }, "variables": { "storageAccountName": "[first(skip(split(parameters('storageAccountResourceId'), '/'), 8))]", "dataSourceType": "Microsoft.Storage/storageAccounts/blobServices", "resourceType": "Microsoft.Storage/storageAccounts", "backupPolicyName": "[first(skip(split(parameters('backupPolicyId'), '/'), 10))]", "vaultName": "[first(skip(split(parameters('backupPolicyId'), '/'), 8))]", "vaultResourceGroup": "[first(skip(split(parameters('backupPolicyId'), '/'), 4))]", "vaultSubscriptionId": "[first(skip(split(parameters('backupPolicyId'), '/'), 2))]" }, "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", "resourceGroup": "[variables('vaultResourceGroup')]", "subscriptionId": "[variables('vaultSubscriptionId')]", "name": "[concat('DeployProtection-',uniqueString(variables('storageAccountName')))]", "properties": { "mode": "Incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "resources": [ { "type": "Microsoft.DataProtection/backupvaults/backupInstances", "apiVersion": "2021-01-01", "name": "[concat(variables('vaultName'), '/', variables('storageAccountName'))]", "properties": { "objectType": "BackupInstance", "dataSourceInfo": { "objectType": "Datasource", "resourceID": "[parameters('storageAccountResourceId')]", "resourceName": "[variables('storageAccountName')]", "resourceType": "[variables('resourceType')]", "resourceUri": "[parameters('storageAccountResourceId')]", "resourceLocation": "[parameters('location')]", "datasourceType": "[variables('dataSourceType')]" }, "policyInfo": { "policyId": "[parameters('backupPolicyId')]", "name": "[variables('backupPolicyName')]" } } } ] } } } ] }, "parameters": { "storageAccountResourceId": { "value": 
"[field('id')]" }, "backupPolicyId": { "value": "[parameters('backupPolicyId')]" }, "location": { "value": "[field('location')]" } } } } } } } }
{"displayName":"[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region","policyType":"BuiltIn","mode":"Indexed","description":"Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies","metadata":{"version":"2.0.0-preview","preview":true,"category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the storage accounts that you want to protect)","description":"Specify the location of the storage accounts that you want to protect. Blobs in the storage accounts should be backed up to a vault in the same location. For example - CanadaCentral","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup Policy (of type Azure Blobs (Azure Storage) from a vault in the location chosen above)","description":"Specify the ID of the backup policy to be used for configuring backup for blobs. The selected Azure Backup policy should be of type Azure Blobs (Azure Storage). This policy needs to be in a vault that is present in the location chosen above. For example - /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DataProtection/vaults/<vault-name>/backupPolicies/<backup-policy-name>. Also, make sure that this Backup vault's managed identity has the Storage Account Backup Contributor role assigned on the storage accounts for which backup is to be configured."}},"inclusionTagName":{"type":"String","metadata":{"displayName":"Inclusion Tag Name","description":"Name of the tag to use for including storage accounts in the scope of this policy. This should be used along with the Inclusion Tag Value parameter. 
Learn more at https://aka.ms/AB-BlobBackupAzPolicies"}},"inclusionTagValues":{"type":"Array","metadata":{"displayName":"Inclusion Tag Values","description":"Value of the tag to use for including storage accounts in the scope of this policy (in case of multiple values,use a comma-separated list). This should be used along with the Inclusion Tag Name parameter. Learn more at https://aka.ms/AB-BlobBackupAzPolicies."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","AuditIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/StorageAccounts"},{"field":"[concat('tags[',parameters('inclusionTagName'),']')]","in":"[parameters('inclusionTagValues')]"},{"field":"kind","equals":"StorageV2"},{"field":"Microsoft.Storage/storageAccounts/sku.name","contains":"Standard"},{"field":"Microsoft.Storage/storageAccounts/isHnsEnabled","notEquals":"true"},{"field":"Microsoft.Storage/storageAccounts/isNfsV3Enabled","notEquals":"true"},{"field":"location","equals":"[parameters('vaultLocation')]"}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.Storage/storageAccounts/blobServices","name":"default","existenceCondition":{"field":"Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled","equals":true},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"backupPolicyId":{"type":"string","metadata":{"description":"Backup Policy Id"}},"storageAccountResourceId":{"type":"string","metadata":{"description":"ResourceId of the Storage Account"}},"location":{"type":"string","metadata":{"description":"Location for all 
resources"}}},"variables":{"storageAccountName":"[first(skip(split(parameters('storageAccountResourceId'),'/'),8))]","dataSourceType":"Microsoft.Storage/storageAccounts/blobServices","resourceType":"Microsoft.Storage/storageAccounts","backupPolicyName":"[first(skip(split(parameters('backupPolicyId'),'/'),10))]","vaultName":"[first(skip(split(parameters('backupPolicyId'),'/'),8))]","vaultResourceGroup":"[first(skip(split(parameters('backupPolicyId'),'/'),4))]","vaultSubscriptionId":"[first(skip(split(parameters('backupPolicyId'),'/'),2))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2021-04-01","resourceGroup":"[variables('vaultResourceGroup')]","subscriptionId":"[variables('vaultSubscriptionId')]","name":"[concat('DeployProtection-',uniqueString(variables('storageAccountName')))]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{},"resources":[{"type":"Microsoft.DataProtection/backupvaults/backupInstances","apiVersion":"2021-01-01","name":"[concat(variables('vaultName'),'/',variables('storageAccountName'))]","properties":{"objectType":"BackupInstance","dataSourceInfo":{"objectType":"Datasource","resourceID":"[parameters('storageAccountResourceId')]","resourceName":"[variables('storageAccountName')]","resourceType":"[variables('resourceType')]","resourceUri":"[parameters('storageAccountResourceId')]","resourceLocation":"[parameters('location')]","datasourceType":"[variables('dataSourceType')]"},"policyInfo":{"policyId":"[parameters('backupPolicyId')]","name":"[variables('backupPolicyName')]"}}}]}}}]},"parameters":{"storageAccountResourceId":{"value":"[field('id')]"},"backupPolicyId":{"value":"[parameters('backupPolicyId')]"},"location":{"value":"[field('location')]"}}}}}}}}
Used in 1 Policy Set(s):
• Spain ENS (175daf90-21e1-4fec-b745-7b4c909aa94c) [Regulatory Compliance] BuiltIn
Used 1x as a control:
• CIS_Controls_v8.1_3.1 (ref)
{ "displayName": "[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region", "policyType": "BuiltIn", "mode": "Indexed", "description": "Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies", "metadata": { "version": "2.0.0-preview", "preview": true, "category": "Backup" }, "parameters": { "vaultLocation": { "type": "String", "metadata": { "displayName": "Location (Specify the location of the storage accounts that you want to protect)", "description": "Specify the location of the storage accounts that you want to protect. Blobs in the storage accounts should be backed up to a vault in the same location. For example - CanadaCentral", "strongType": "location" } }, "backupPolicyId": { "type": "String", "metadata": { "displayName": "Backup Policy (of type Azure Blobs (Azure Storage) from a vault in the location chosen above)", "description": "Specify the ID of the backup policy to be used for configuring backup for blobs. The selected Azure Backup policy should be of type Azure Blobs (Azure Storage). This policy needs to be in a vault that is present in the location chosen above. For example - /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DataProtection/vaults/<vault-name>/backupPolicies/<backup-policy-name>. Also, make sure that this Backup vault's managed identity has the Storage Account Backup Contributor role assigned on the storage accounts for which backup is to be configured." } }, "exclusionTagName": { "type": "String", "metadata": { "displayName": "Exclusion Tag Name", "description": "Name of the tag to use for excluding storage accounts in the scope of this policy. This should be used along with the Exclusion Tag Value parameter. 
Learn more at https://aka.ms/AB-BlobBackupAzPolicies" } }, "exclusionTagValues": { "type": "Array", "metadata": { "displayName": "Exclusion Tag Values", "description": "Value of the tag to use for excluding storage accounts in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. Learn more at https://aka.ms/AB-BlobBackupAzPolicies." } }, "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "DeployIfNotExists", "AuditIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/StorageAccounts" }, { "field": "kind", "equals": "StorageV2" }, { "field": "Microsoft.Storage/storageAccounts/sku.name", "contains": "Standard" }, { "field": "Microsoft.Storage/storageAccounts/isHnsEnabled", "notEquals": "true" }, { "field": "Microsoft.Storage/storageAccounts/isNfsV3Enabled", "notEquals": "true" }, { "field": "location", "equals": "[parameters('vaultLocation')]" }, { "anyOf": [ { "not": { "field": "[concat('tags[', parameters('exclusionTagName'), ']')]", "in": "[parameters('exclusionTagValues')]" } }, { "value": "[empty(parameters('exclusionTagValues'))]", "equals": "true" }, { "value": "[empty(parameters('exclusionTagName'))]", "equals": "true" } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Storage/storageAccounts/blobServices", "name": "default", "existenceCondition": { "field": "Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled", "equals": true }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
"contentVersion": "1.0.0.0", "parameters": { "backupPolicyId": { "type": "string", "metadata": { "description": "Backup Policy Id" } }, "storageAccountResourceId": { "type": "string", "metadata": { "description": "ResourceId of the Storage Account" } }, "location": { "type": "string", "metadata": { "description": "Location for all resources" } } }, "variables": { "storageAccountName": "[first(skip(split(parameters('storageAccountResourceId'), '/'), 8))]", "dataSourceType": "Microsoft.Storage/storageAccounts/blobServices", "resourceType": "Microsoft.Storage/storageAccounts", "backupPolicyName": "[first(skip(split(parameters('backupPolicyId'), '/'), 10))]", "vaultName": "[first(skip(split(parameters('backupPolicyId'), '/'), 8))]", "vaultResourceGroup": "[first(skip(split(parameters('backupPolicyId'), '/'), 4))]", "vaultSubscriptionId": "[first(skip(split(parameters('backupPolicyId'), '/'), 2))]" }, "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", "resourceGroup": "[variables('vaultResourceGroup')]", "subscriptionId": "[variables('vaultSubscriptionId')]", "name": "[concat('DeployProtection-',uniqueString(variables('storageAccountName')))]", "properties": { "mode": "Incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "resources": [ { "type": "Microsoft.DataProtection/backupvaults/backupInstances", "apiVersion": "2021-01-01", "name": "[concat(variables('vaultName'), '/', variables('storageAccountName'))]", "properties": { "objectType": "BackupInstance", "dataSourceInfo": { "objectType": "Datasource", "resourceID": "[parameters('storageAccountResourceId')]", "resourceName": "[variables('storageAccountName')]", "resourceType": "[variables('resourceType')]", "resourceUri": "[parameters('storageAccountResourceId')]", "resourceLocation": "[parameters('location')]", "datasourceType": "[variables('dataSourceType')]" }, 
"policyInfo": { "policyId": "[parameters('backupPolicyId')]", "name": "[variables('backupPolicyName')]" } } } ] } } } ] }, "parameters": { "storageAccountResourceId": { "value": "[field('id')]" }, "backupPolicyId": { "value": "[parameters('backupPolicyId')]" }, "location": { "value": "[field('location')]" } } } } } } } }
{"displayName":"[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region","policyType":"BuiltIn","mode":"Indexed","description":"Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies","metadata":{"version":"2.0.0-preview","preview":true,"category":"Backup"},"parameters":{"vaultLocation":{"type":"String","metadata":{"displayName":"Location (Specify the location of the storage accounts that you want to protect)","description":"Specify the location of the storage accounts that you want to protect. Blobs in the storage accounts should be backed up to a vault in the same location. For example - CanadaCentral","strongType":"location"}},"backupPolicyId":{"type":"String","metadata":{"displayName":"Backup Policy (of type Azure Blobs (Azure Storage) from a vault in the location chosen above)","description":"Specify the ID of the backup policy to be used for configuring backup for blobs. The selected Azure Backup policy should be of type Azure Blobs (Azure Storage). This policy needs to be in a vault that is present in the location chosen above. For example - /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DataProtection/vaults/<vault-name>/backupPolicies/<backup-policy-name>. Also, make sure that this Backup vault's managed identity has the Storage Account Backup Contributor role assigned on the storage accounts for which backup is to be configured."}},"exclusionTagName":{"type":"String","metadata":{"displayName":"Exclusion Tag Name","description":"Name of the tag to use for excluding storage accounts in the scope of this policy. This should be used along with the Exclusion Tag Value parameter. 
Learn more at https://aka.ms/AB-BlobBackupAzPolicies"}},"exclusionTagValues":{"type":"Array","metadata":{"displayName":"Exclusion Tag Values","description":"Value of the tag to use for excluding storage accounts in the scope of this policy (in case of multiple values,use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. Learn more at https://aka.ms/AB-BlobBackupAzPolicies."}},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","AuditIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Storage/StorageAccounts"},{"field":"kind","equals":"StorageV2"},{"field":"Microsoft.Storage/storageAccounts/sku.name","contains":"Standard"},{"field":"Microsoft.Storage/storageAccounts/isHnsEnabled","notEquals":"true"},{"field":"Microsoft.Storage/storageAccounts/isNfsV3Enabled","notEquals":"true"},{"field":"location","equals":"[parameters('vaultLocation')]"},{"anyOf":[{"not":{"field":"[concat('tags[',parameters('exclusionTagName'),']')]","in":"[parameters('exclusionTagValues')]"}},{"value":"[empty(parameters('exclusionTagValues'))]","equals":"true"},{"value":"[empty(parameters('exclusionTagName'))]","equals":"true"}]}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.Storage/storageAccounts/blobServices","name":"default","existenceCondition":{"field":"Microsoft.Storage/storageAccounts/blobServices/default.restorePolicy.enabled","equals":true},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"backupPolicyId":{"type":"string","metadata":{"description":"Backup Policy 
Id"}},"storageAccountResourceId":{"type":"string","metadata":{"description":"ResourceId of the Storage Account"}},"location":{"type":"string","metadata":{"description":"Location for all resources"}}},"variables":{"storageAccountName":"[first(skip(split(parameters('storageAccountResourceId'),'/'),8))]","dataSourceType":"Microsoft.Storage/storageAccounts/blobServices","resourceType":"Microsoft.Storage/storageAccounts","backupPolicyName":"[first(skip(split(parameters('backupPolicyId'),'/'),10))]","vaultName":"[first(skip(split(parameters('backupPolicyId'),'/'),8))]","vaultResourceGroup":"[first(skip(split(parameters('backupPolicyId'),'/'),4))]","vaultSubscriptionId":"[first(skip(split(parameters('backupPolicyId'),'/'),2))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2021-04-01","resourceGroup":"[variables('vaultResourceGroup')]","subscriptionId":"[variables('vaultSubscriptionId')]","name":"[concat('DeployProtection-',uniqueString(variables('storageAccountName')))]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{},"resources":[{"type":"Microsoft.DataProtection/backupvaults/backupInstances","apiVersion":"2021-01-01","name":"[concat(variables('vaultName'),'/',variables('storageAccountName'))]","properties":{"objectType":"BackupInstance","dataSourceInfo":{"objectType":"Datasource","resourceID":"[parameters('storageAccountResourceId')]","resourceName":"[variables('storageAccountName')]","resourceType":"[variables('resourceType')]","resourceUri":"[parameters('storageAccountResourceId')]","resourceLocation":"[parameters('location')]","datasourceType":"[variables('dataSourceType')]"},"policyInfo":{"policyId":"[parameters('backupPolicyId')]","name":"[variables('backupPolicyName')]"}}}]}}}]},"parameters":{"storageAccountResourceId":{"value":"[field('id')]"},"backupPolicyId":{"value":"[parameters('backupPolicyId')]"},"loca
tion":{"value":"[field('location')]"}}}}}}}}
thenExistenceCondition (1)
• 'Microsoft.KubernetesConfiguration/extensions/extensionType' (ref)
if (1)
• 'Microsoft.ContainerService/managedClusters'
thenDeployment (7)
• 'Microsoft.Authorization/roleAssignments'
• 'Microsoft.Authorization/roleDefinitions'
• 'Microsoft.ContainerService/managedClusters'
• 'Microsoft.KubernetesConfiguration/extensions'
• 'Microsoft.Resources/deployments'
• 'microsoft.storage/storageaccounts'
• 'Microsoft.Storage/storageAccounts/blobServices/containers'
{ "displayName": "[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag.", "policyType": "BuiltIn", "mode": "Indexed", "description": "Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale.", "metadata": { "version": "1.0.0-preview", "category": "Backup", "preview": true }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "AuditIfNotExists", "DeployIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" }, "location": { "type": "String", "metadata": { "displayName": "Location (Specify the location of the AKS Clusters that you want to protect)", "description": "Specify the location of the AKS Clusters that you want to protect. For example - CanadaCentral", "strongType": "location" } }, "storageAccountId": { "type": "String", "metadata": { "displayName": "Storage Account (In the same location as specified above)", "description": "The storage account is used to store backup data within a container. Please ensure that the storage account is in the same region as the AKS cluster to be backed up.", "strongType": "Microsoft.Storage/storageAccounts" } }, "inclusionTagName": { "type": "String", "metadata": { "displayName": "Inclusion Tag Name", "description": "Name of the tag to use for including AKS Clusters in the scope of this policy. This should be used along with the Inclusion Tag Value parameter. Learn more at https://aka.ms/AB-AksBackupAzPolicies" } }, "inclusionTagValues": { "type": "Array", "metadata": { "displayName": "Inclusion Tag Values", "description": "Value of the tag to use for including AKS Clusters in the scope of this policy (in case of multiple values, use a comma-separated list). 
This should be used along with the Inclusion Tag Name parameter. Learn more at https://aka.ms/AB-AksBackupAzPolicies." } } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.ContainerService/managedClusters" }, { "field": "[concat('tags[', parameters('inclusionTagName'), ']')]", "in": "[parameters('inclusionTagValues')]" }, { "field": "location", "equals": "[parameters('location')]" } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.KubernetesConfiguration/extensions", "evaluationDelay": "PT30M", "existenceCondition": { "field": "Microsoft.KubernetesConfiguration/extensions/extensionType", "equals": "microsoft.dataprotection.kubernetes" }, "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" ], "deployment": { "properties": { "parameters": { "clusterName": { "value": "[field('name')]" }, "storageAccountId": { "value": "[parameters('storageAccountId')]" }, "storageAccountResourceGroup": { "value": "[first(skip(split(parameters('storageAccountId'), '/'), 4))]" }, "storageAccountSubscriptionId": { "value": "[first(skip(split(parameters('storageAccountId'), '/'), 2))]" }, "storageAccount": { "value": "[first(skip(split(parameters('storageAccountId'), '/'), 8))]" }, "tenantId": { "value": "[subscription().tenantId]" } }, "mode": "incremental", "template": { "parameters": { "clusterName": { "type": "string" }, "releaseTrain": { "type": "string", "defaultValue": "stable" }, "storageAccountResourceGroup": { "type": "string" }, "storageAccountSubscriptionId": { "type": "string" }, "storageAccountId": { "type": "string" }, "storageAccount": { "type": "string" }, "tenantId": { "type": "string" }, "useAAD": { "type": "string", "defaultValue": "true" } }, "variables": { "blobContainer": "[take(concat('azure-aks-backup-', parameters('clusterName')), 63)]", "storageBlobDataContributorRoleDefinitionId": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", "extensionName": "azure-aks-backup", "storageAccountContainerDeploymentName": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccount')))]" }, "contentVersion": "1.0.0.0", "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", "name": "[variables('storageAccountContainerDeploymentName')]", "subscriptionId": "[parameters('storageAccountSubscriptionId')]", "resourceGroup": "[parameters('storageAccountResourceGroup')]", "parameters": {}, "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', variables('extensionName'))]" ], "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "resources": [ { "type": "Microsoft.Storage/storageAccounts/blobServices/containers", "apiVersion": "2022-05-01", "name": "[format('{0}/default/{1}', parameters('storageAccount'), variables('blobContainer'))]", "dependsOn": [] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccount'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccount')), resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), variables('storageBlobDataContributorRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('storageBlobDataContributorRoleDefinitionId')]", "principalId": "[reference(extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', variables('extensionName')), 
'2021-09-01').aksAssignedIdentity.principalId]", "principalType": "ServicePrincipal" } } ] } } }, { "type": "Microsoft.KubernetesConfiguration/extensions", "name": "[variables('extensionName')]", "properties": { "autoUpgradeMinorVersion": "true", "extensionType": "microsoft.dataprotection.kubernetes", "releaseTrain": "[parameters('releaseTrain')]", "configurationSettings": { "configuration.backupStorageLocation.bucket": "[variables('blobContainer')]", "configuration.backupStorageLocation.config.resourceGroup": "[parameters('storageAccountResourceGroup')]", "configuration.backupStorageLocation.config.subscriptionId": "[parameters('storageAccountSubscriptionId')]", "configuration.backupStorageLocation.config.storageAccount": "[parameters('storageAccount')]", "credentials.tenantId": "[parameters('tenantId')]", "configuration.backupStorageLocation.config.useAAD": "[parameters('useAAD')]", "configuration.backupStorageLocation.config.storageAccountURI": "[reference(parameters('storageAccountId'), '2021-04-01').primaryEndpoints.blob]" } }, "scope": "[concat('Microsoft.ContainerService/managedClusters/',parameters('clusterName'))]", "apiVersion": "2022-03-01", "comments": "Install the Backup Extension in the managed (AKS) cluster." } ], "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" } } } } } } }
{"displayName":"[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag.","policyType":"BuiltIn","mode":"Indexed","description":"Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale.","metadata":{"version":"1.0.0-preview","category":"Backup","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"location":{"type":"String","metadata":{"displayName":"Location (Specify the location of the AKS Clusters that you want to protect)","description":"Specify the location of the AKS Clusters that you want to protect. For example - CanadaCentral","strongType":"location"}},"storageAccountId":{"type":"String","metadata":{"displayName":"Storage Account (In the same location as specified above)","description":"The storage account is used to store backup data within a container. Please ensure that the storage account is in the same region as the AKS cluster to be backed up.","strongType":"Microsoft.Storage/storageAccounts"}},"inclusionTagName":{"type":"String","metadata":{"displayName":"Inclusion Tag Name","description":"Name of the tag to use for including AKS Clusters in the scope of this policy. This should be used along with the Inclusion Tag Values parameter. Learn more at https://aka.ms/AB-AksBackupAzPolicies"}},"inclusionTagValues":{"type":"Array","metadata":{"displayName":"Inclusion Tag Values","description":"Value of the tag to use for including AKS Clusters in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Inclusion Tag Name parameter. 
Learn more at https://aka.ms/AB-AksBackupAzPolicies."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"field":"[concat('tags[',parameters('inclusionTagName'),']')]","in":"[parameters('inclusionTagValues')]"},{"field":"location","equals":"[parameters('location')]"}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.KubernetesConfiguration/extensions","evaluationDelay":"PT30M","existenceCondition":{"field":"Microsoft.KubernetesConfiguration/extensions/extensionType","equals":"microsoft.dataprotection.kubernetes"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"],"deployment":{"properties":{"parameters":{"clusterName":{"value":"[field('name')]"},"storageAccountId":{"value":"[parameters('storageAccountId')]"},"storageAccountResourceGroup":{"value":"[first(skip(split(parameters('storageAccountId'),'/'),4))]"},"storageAccountSubscriptionId":{"value":"[first(skip(split(parameters('storageAccountId'),'/'),2))]"},"storageAccount":{"value":"[first(skip(split(parameters('storageAccountId'),'/'),8))]"},"tenantId":{"value":"[subscription().tenantId]"}},"mode":"incremental","template":{"parameters":{"clusterName":{"type":"string"},"releaseTrain":{"type":"string","defaultValue":"stable"},"storageAccountResourceGroup":{"type":"string"},"storageAccountSubscriptionId":{"type":"string"},"storageAccountId":{"type":"string"},"storageAccount":{"type":"string"},"tenantId":{"type":"string"},"useAAD":{"type":"string","defaultValue":"true"}},"variables":{"blobContainer":"[take(concat('azure-aks-backup-',parameters('clusterName')),63)]","storageBlobDataContributorRoleDefinitionId":"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','ba92f5b4-2d11-453d-a403-e96b0029c9fe')]","extensionName":"azure-aks-backup","storageAccountContainerDeploymentName":"[guid(resourceId('Microsoft.Storage/storageAccounts',parameters('storageAccount')))]"},"conten
tVersion":"1.0.0.0","resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2021-04-01","name":"[variables('storageAccountContainerDeploymentName')]","subscriptionId":"[parameters('storageAccountSubscriptionId')]","resourceGroup":"[parameters('storageAccountResourceGroup')]","parameters":{},"dependsOn":["[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters',parameters('clusterName')),'Microsoft.KubernetesConfiguration/extensions',variables('extensionName'))]"],"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{},"resources":[{"type":"Microsoft.Storage/storageAccounts/blobServices/containers","apiVersion":"2022-05-01","name":"[format('{0}/default/{1}',parameters('storageAccount'),variables('blobContainer'))]","dependsOn":[]},{"type":"Microsoft.Authorization/roleAssignments","apiVersion":"2020-10-01-preview","scope":"[format('Microsoft.Storage/storageAccounts/{0}',parameters('storageAccount'))]","name":"[guid(resourceId('Microsoft.Storage/storageAccounts',parameters('storageAccount')),resourceId('Microsoft.ContainerService/managedClusters',parameters('clusterName')),variables('storageBlobDataContributorRoleDefinitionId'))]","properties":{"roleDefinitionId":"[variables('storageBlobDataContributorRoleDefinitionId')]","principalId":"[reference(extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters',parameters('clusterName')),'Microsoft.KubernetesConfiguration/extensions',variables('extensionName')),'2021-09-01').aksAssignedIdentity.principalId]","principalType":"ServicePrincipal"}}]}}},{"type":"Microsoft.KubernetesConfiguration/extensions","name":"[variables('extensionName')]","properties":{"autoUpgradeMinorVersion":"true","extensionType":"microsoft.dataprotection.kubernetes","releaseTrain":"[parameters('releaseTrain')]","configurationSettings":{"configuration.backupStorageLocation.bucket"
:"[variables('blobContainer')]","configuration.backupStorageLocation.config.resourceGroup":"[parameters('storageAccountResourceGroup')]","configuration.backupStorageLocation.config.subscriptionId":"[parameters('storageAccountSubscriptionId')]","configuration.backupStorageLocation.config.storageAccount":"[parameters('storageAccount')]","credentials.tenantId":"[parameters('tenantId')]","configuration.backupStorageLocation.config.useAAD":"[parameters('useAAD')]","configuration.backupStorageLocation.config.storageAccountURI":"[reference(parameters('storageAccountId'),'2021-04-01').primaryEndpoints.blob]"}},"scope":"[concat('Microsoft.ContainerService/managedClusters/',parameters('clusterName'))]","apiVersion":"2022-03-01","comments":"Install the Backup Extension in the managed (AKS) cluster."}],"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"}}}}}}}
thenExistenceCondition (1)
• 'Microsoft.KubernetesConfiguration/extensions/extensionType' (ref)
if (1)
• 'Microsoft.ContainerService/managedClusters'
thenDeployment (7)
• 'Microsoft.Authorization/roleAssignments'
• 'Microsoft.Authorization/roleDefinitions'
• 'Microsoft.ContainerService/managedClusters'
• 'Microsoft.KubernetesConfiguration/extensions'
• 'Microsoft.Resources/deployments'
• 'microsoft.storage/storageaccounts'
• 'Microsoft.Storage/storageAccounts/blobServices/containers'
{ "displayName": "[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag.", "policyType": "BuiltIn", "mode": "Indexed", "description": "Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale.", "metadata": { "version": "1.0.0-preview", "category": "Backup", "preview": true }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "AuditIfNotExists", "DeployIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" }, "location": { "type": "String", "metadata": { "displayName": "Location (Specify the location of the AKS Clusters that you want to protect)", "description": "Specify the location of the AKS Clusters that you want to protect. For example - CanadaCentral", "strongType": "location" } }, "storageAccountId": { "type": "String", "metadata": { "displayName": "Storage Account (In the same location as specified above)", "description": "The storage account is used to store backup data within a container. Please ensure that the storage account is in the same region as the AKS cluster to be backed up.", "strongType": "Microsoft.Storage/storageAccounts" } }, "exclusionTagName": { "type": "String", "metadata": { "displayName": "Exclusion Tag Name", "description": "Name of the tag to use for excluding AKS Clusters from the scope of this policy. This should be used along with the Exclusion Tag Values parameter. Learn more at https://aka.ms/AB-AksBackupAzPolicies" } }, "exclusionTagValues": { "type": "Array", "metadata": { "displayName": "Exclusion Tag Values", "description": "Value of the tag to use for excluding AKS Clusters from the scope of this policy (in case of multiple values, use a comma-separated list). 
This should be used along with the Exclusion Tag Name parameter. Learn more at https://aka.ms/AB-AksBackupAzPolicies." } } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.ContainerService/managedClusters" }, { "anyOf": [ { "not": { "field": "[concat('tags[', parameters('exclusionTagName'), ']')]", "in": "[parameters('exclusionTagValues')]" } }, { "value": "[empty(parameters('exclusionTagValues'))]", "equals": "true" }, { "value": "[empty(parameters('exclusionTagName'))]", "equals": "true" } ] }, { "field": "location", "equals": "[parameters('location')]" } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.KubernetesConfiguration/extensions", "evaluationDelay": "PT30M", "existenceCondition": { "field": "Microsoft.KubernetesConfiguration/extensions/extensionType", "equals": "microsoft.dataprotection.kubernetes" }, "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" ], "deployment": { "properties": { "parameters": { "clusterName": { "value": "[field('name')]" }, "storageAccountId": { "value": "[parameters('storageAccountId')]" }, "storageAccountResourceGroup": { "value": "[first(skip(split(parameters('storageAccountId'), '/'), 4))]" }, "storageAccountSubscriptionId": { "value": "[first(skip(split(parameters('storageAccountId'), '/'), 2))]" }, "storageAccount": { "value": "[first(skip(split(parameters('storageAccountId'), '/'), 8))]" }, "tenantId": { "value": "[subscription().tenantId]" } }, "mode": "incremental", "template": { "parameters": { "clusterName": { "type": "string" }, "releaseTrain": { "type": "string", "defaultValue": "stable" }, "storageAccountResourceGroup": { "type": "string" }, "storageAccountSubscriptionId": { "type": "string" }, "storageAccountId": { "type": "string" }, "storageAccount": { "type": "string" }, "tenantId": { "type": "string" }, "useAAD": { "type": "string", "defaultValue": "true" } }, "variables": { 
"blobContainer": "[take(concat('azure-aks-backup-', parameters('clusterName')), 63)]", "storageBlobDataContributorRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", "extensionName": "azure-aks-backup", "storageAccountContainerDeploymentName": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccount')))]" }, "contentVersion": "1.0.0.0", "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2021-04-01", "name": "[variables('storageAccountContainerDeploymentName')]", "subscriptionId": "[parameters('storageAccountSubscriptionId')]", "resourceGroup": "[parameters('storageAccountResourceGroup')]", "parameters": {}, "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', variables('extensionName'))]" ], "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "resources": [ { "type": "Microsoft.Storage/storageAccounts/blobServices/containers", "apiVersion": "2022-05-01", "name": "[format('{0}/default/{1}', parameters('storageAccount'), variables('blobContainer'))]", "dependsOn": [] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccount'))]", "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccount')), resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), variables('storageBlobDataContributorRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('storageBlobDataContributorRoleDefinitionId')]", "principalId": "[reference(extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', 
parameters('clusterName')), 'Microsoft.KubernetesConfiguration/extensions', variables('extensionName')), '2021-09-01').aksAssignedIdentity.principalId]", "principalType": "ServicePrincipal" } } ] } } }, { "type": "Microsoft.KubernetesConfiguration/extensions", "name": "[variables('extensionName')]", "properties": { "autoUpgradeMinorVersion": "true", "extensionType": "microsoft.dataprotection.kubernetes", "releaseTrain": "[parameters('releaseTrain')]", "configurationSettings": { "configuration.backupStorageLocation.bucket": "[variables('blobContainer')]", "configuration.backupStorageLocation.config.resourceGroup": "[parameters('storageAccountResourceGroup')]", "configuration.backupStorageLocation.config.subscriptionId": "[parameters('storageAccountSubscriptionId')]", "configuration.backupStorageLocation.config.storageAccount": "[parameters('storageAccount')]", "credentials.tenantId": "[parameters('tenantId')]", "configuration.backupStorageLocation.config.useAAD": "[parameters('useAAD')]", "configuration.backupStorageLocation.config.storageAccountURI": "[reference(parameters('storageAccountId'), '2021-04-01').primaryEndpoints.blob]" } }, "scope": "[concat('Microsoft.ContainerService/managedClusters/',parameters('clusterName'))]", "apiVersion": "2022-03-01", "comments": "Install the Backup Extension in the managed (AKS) cluster." } ], "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#" } } } } } } }
{"displayName":"[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag.","policyType":"BuiltIn","mode":"Indexed","description":"Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale.","metadata":{"version":"1.0.0-preview","category":"Backup","preview":true},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"location":{"type":"String","metadata":{"displayName":"Location (Specify the location of the AKS Clusters that you want to protect)","description":"Specify the location of the AKS Clusters that you want to protect. For example - CanadaCentral","strongType":"location"}},"storageAccountId":{"type":"String","metadata":{"displayName":"Storage Account (In the same location as specified above)","description":"The storage account is used to store backup data within a container. Please ensure that the storage account is in the same region as the AKS cluster to be backed up.","strongType":"Microsoft.Storage/storageAccounts"}},"exclusionTagName":{"type":"String","metadata":{"displayName":"Exclusion Tag Name","description":"Name of the tag to use for excluding AKS Clusters from the scope of this policy. This should be used along with the Exclusion Tag Values parameter. Learn more at https://aka.ms/AB-AksBackupAzPolicies"}},"exclusionTagValues":{"type":"Array","metadata":{"displayName":"Exclusion Tag Values","description":"Value of the tag to use for excluding AKS Clusters from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. 
Learn more at https://aka.ms/AB-AksBackupAzPolicies."}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.ContainerService/managedClusters"},{"anyOf":[{"not":{"field":"[concat('tags[',parameters('exclusionTagName'),']')]","in":"[parameters('exclusionTagValues')]"}},{"value":"[empty(parameters('exclusionTagValues'))]","equals":"true"},{"value":"[empty(parameters('exclusionTagName'))]","equals":"true"}]},{"field":"location","equals":"[parameters('location')]"}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.KubernetesConfiguration/extensions","evaluationDelay":"PT30M","existenceCondition":{"field":"Microsoft.KubernetesConfiguration/extensions/extensionType","equals":"microsoft.dataprotection.kubernetes"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"],"deployment":{"properties":{"parameters":{"clusterName":{"value":"[field('name')]"},"storageAccountId":{"value":"[parameters('storageAccountId')]"},"storageAccountResourceGroup":{"value":"[first(skip(split(parameters('storageAccountId'),'/'),4))]"},"storageAccountSubscriptionId":{"value":"[first(skip(split(parameters('storageAccountId'),'/'),2))]"},"storageAccount":{"value":"[first(skip(split(parameters('storageAccountId'),'/'),8))]"},"tenantId":{"value":"[subscription().tenantId]"}},"mode":"incremental","template":{"parameters":{"clusterName":{"type":"string"},"releaseTrain":{"type":"string","defaultValue":"stable"},"storageAccountResourceGroup":{"type":"string"},"storageAccountSubscriptionId":{"type":"string"},"storageAccountId":{"type":"string"},"storageAccount":{"type":"string"},"tenantId":{"type":"string"},"useAAD":{"type":"string","defaultValue":"true"}},"variables":{"blobContainer":"[take(concat('azure-aks-backup-',parameters('clusterName')),63)]","storageBlobDataContributorRoleDefinitionId":"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','ba92f5b4-2d11-453d-a403-e96b0029c9fe')]","extensionNa
me":"azure-aks-backup","storageAccountContainerDeploymentName":"[guid(resourceId('Microsoft.Storage/storageAccounts',parameters('storageAccount')))]"},"contentVersion":"1.0.0.0","resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2021-04-01","name":"[variables('storageAccountContainerDeploymentName')]","subscriptionId":"[parameters('storageAccountSubscriptionId')]","resourceGroup":"[parameters('storageAccountResourceGroup')]","parameters":{},"dependsOn":["[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters',parameters('clusterName')),'Microsoft.KubernetesConfiguration/extensions',variables('extensionName'))]"],"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{},"resources":[{"type":"Microsoft.Storage/storageAccounts/blobServices/containers","apiVersion":"2022-05-01","name":"[format('{0}/default/{1}',parameters('storageAccount'),variables('blobContainer'))]","dependsOn":[]},{"type":"Microsoft.Authorization/roleAssignments","apiVersion":"2020-10-01-preview","scope":"[format('Microsoft.Storage/storageAccounts/{0}',parameters('storageAccount'))]","name":"[guid(resourceId('Microsoft.Storage/storageAccounts',parameters('storageAccount')),resourceId('Microsoft.ContainerService/managedClusters',parameters('clusterName')),variables('storageBlobDataContributorRoleDefinitionId'))]","properties":{"roleDefinitionId":"[variables('storageBlobDataContributorRoleDefinitionId')]","principalId":"[reference(extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters',parameters('clusterName')),'Microsoft.KubernetesConfiguration/extensions',variables('extensionName')),'2021-09-01').aksAssignedIdentity.principalId]","principalType":"ServicePrincipal"}}]}}},{"type":"Microsoft.KubernetesConfiguration/extensions","name":"[variables('extensionName')]","properties":{"autoUpgradeMinorVersion":"true","extensionT
ype":"microsoft.dataprotection.kubernetes","releaseTrain":"[parameters('releaseTrain')]","configurationSettings":{"configuration.backupStorageLocation.bucket":"[variables('blobContainer')]","configuration.backupStorageLocation.config.resourceGroup":"[parameters('storageAccountResourceGroup')]","configuration.backupStorageLocation.config.subscriptionId":"[parameters('storageAccountSubscriptionId')]","configuration.backupStorageLocation.config.storageAccount":"[parameters('storageAccount')]","credentials.tenantId":"[parameters('tenantId')]","configuration.backupStorageLocation.config.useAAD":"[parameters('useAAD')]","configuration.backupStorageLocation.config.storageAccountURI":"[reference(parameters('storageAccountId'),'2021-04-01').primaryEndpoints.blob]"}},"scope":"[concat('Microsoft.ContainerService/managedClusters/',parameters('clusterName'))]","apiVersion":"2022-03-01","comments":"Install the Backup Extension in the managed (AKS) cluster."}],"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"}}}}}}}
thenExistenceCondition (1)
• 'Microsoft.Resources/links/targetId' (ref)
if (1)
• 'Microsoft.Compute/virtualMachines'
thenDeployment (8)
• 'Microsoft.Compute/availabilitySets'
• 'Microsoft.Compute/proximityPlacementGroups'
• 'Microsoft.Network/virtualNetworks'
• 'Microsoft.RecoveryServices/replicationEligibilityResults'
• 'Microsoft.RecoveryServices/vaults'
• 'Microsoft.RecoveryServices/vaults/replicationProtectionIntents'
• 'Microsoft.Resources/deployments'
• 'microsoft.storage/storageaccounts'
{ "displayName": "Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery", "policyType": "BuiltIn", "mode": "Indexed", "description": "Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this policy would initiate it by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc.", "metadata": { "version": "2.1.1", "category": "Compute" }, "parameters": { "sourceRegion": { "type": "String", "metadata": { "displayName": "Source Region", "description": "Region in which the source virtual machine is deployed", "strongType": "location", "serviceName": "ASR" } }, "targetRegion": { "type": "String", "metadata": { "displayName": "Target Region", "description": "Region to be used to deploy the virtual machine in case of a disaster", "strongType": "location", "serviceName": "ASR" } }, "targetResourceGroupId": { "type": "String", "metadata": { "displayName": "Target Resource Group", "description": "Resource group to be used to create the virtual machine in the target region", "strongType": "existingResourceGroups", "assignPermissions": true, "serviceName": "ASR" } }, "vaultResourceGroupId": { "type": "String", "metadata": { "displayName": "Vault Resource Group", "description": "The resource group containing the recovery services vault used for disaster recovery configurations", "strongType": "existingResourceGroups", "assignPermissions": true, "serviceName": "ASR" } }, "vaultId": { "type": "String", "metadata": { "displayName": "Recovery Services Vault", "description": "Recovery services vault to be used for disaster recovery configurations", "strongType": "Microsoft.RecoveryServices/vaults", 
"serviceName": "ASR" } }, "recoveryNetworkId": { "type": "String", "metadata": { "displayName": "Recovery Virtual Network", "description": "Id of an existing virtual network in the target region or name of the virtual network to be created in target region", "strongType": "Microsoft.Network/virtualNetworks", "serviceName": "ASR" }, "defaultValue": "" }, "targetZone": { "type": "String", "metadata": { "displayName": "Target Availability Zone", "description": "Availability zone in the designated target region to be used by virtual machines during disaster" }, "defaultValue": "" }, "cacheStorageAccountId": { "type": "String", "metadata": { "displayName": "Cache storage account", "description": "Existing cache storage account ID or prefix for the cache storage account name to be created in source region.", "strongType": "Microsoft.Storage/storageAccounts", "serviceName": "ASR" }, "defaultValue": "" }, "tagName": { "type": "String", "metadata": { "displayName": "Tag Name", "description": "Name of the tag to use for including or excluding VMs in the scope of this policy. This should be used along with the tag value parameter.", "serviceName": "ASR" }, "defaultValue": "" }, "tagValue": { "type": "Array", "metadata": { "displayName": "Tag Values", "description": "Values of the tag to use for including or excluding VMs in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the tag name parameter.", "serviceName": "ASR" }, "defaultValue": [] }, "tagType": { "type": "String", "metadata": { "displayName": "Tag Type", "description": "Tag type can be either Inclusion Tag or Exclusion Tag. 
Inclusion tag type will make sure VMs with tag name and tag value are included in replication, Exclusion tag type will make sure VMs with tag name and tag value are excluded from replication.", "serviceName": "ASR" }, "allowedValues": [ "Inclusion", "Exclusion", "" ], "defaultValue": "" }, "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "DeployIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Compute/virtualMachines" }, { "field": "location", "equals": "[parameters('sourceRegion')]" }, { "anyOf": [ { "allOf": [ { "value": "[parameters('tagType')]", "equals": "Inclusion" }, { "field": "[concat('tags[', parameters('tagName'), ']')]", "in": "[parameters('tagValue')]" } ] }, { "allOf": [ { "value": "[parameters('tagType')]", "equals": "Exclusion" }, { "field": "[concat('tags[', parameters('tagName'), ']')]", "notIn": "[parameters('tagValue')]" } ] }, { "anyOf": [ { "value": "[empty(parameters('tagName'))]", "equals": "true" }, { "value": "[empty(parameters('tagValue'))]", "equals": "true" }, { "value": "[empty(parameters('tagType'))]", "equals": "true" } ] } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Resources/links", "evaluationDelay": "PT15M", "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" ], "existenceCondition": { "allOf": [ { "field": "name", "like": "ASR-Policy-Protect-*" }, { "field": "Microsoft.Resources/links/targetId", "contains": "/replicationProtectedItems/" } ] }, "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "apiVersion": { "type": "String" }, "avSetId": { "type": "String" }, "dataDiskIds": { 
"type": "object" }, "dataDisks": { "type": "object" }, "osDiskId": { "type": "String" }, "ppgId": { "type": "String" }, "recoveryNetworkId": { "type": "String" }, "recoverySubscriptionId": { "type": "String" }, "sourceRegion": { "type": "String" }, "sourceResourceGroupName": { "type": "String" }, "targetRegion": { "type": "String" }, "targetResourceGroupName": { "type": "String" }, "targetZone": { "type": "String" }, "vaultName": { "type": "String" }, "vaultResourceGroupName": { "type": "String" }, "vmId": { "type": "String" }, "vmZones": { "type": "Object" }, "cacheStorageAccountId": { "type": "String" } }, "variables": { "avSetApiVersion": "2019-03-01", "deploymentApiVersion": "2017-05-10", "vmApiVersion": "2019-07-01", "ppgApiVersion": "2019-12-01", "storageAccountApiVersion": "2018-07-01", "portalLinkPrefix": "https://portal.azure.com/#@microsoft.onmicrosoft.com/resource", "schemaLink": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "defaultAvSet": "defaultAvSet-asr", "defaultPPG": "defaultPPG-asr", "eligibilityResultsDefault": "default", "protectedItemSuffix": "-policy", "recoveryAvSetPrefix": "RecoveryAvSet-", "recoveryPPGPrefix": "RecoveryPPG-", "storagePrefix": "Storage-", "avSetType": "Microsoft.Compute/availabilitySets", "deploymentType": "Microsoft.Resources/deployments", "networkType": "Microsoft.Network/virtualNetworks", "ppgType": "Microsoft.Compute/proximityPlacementGroups", "replicationEligibilityResultsType": "Microsoft.RecoveryServices/replicationEligibilityResults", "storageType": "Microsoft.Storage/storageAccounts", "vaultType": "Microsoft.RecoveryServices/vaults", "avSetTemplateName": "[concat(variables('recoveryAvSetPrefix'), last(split(parameters('vmId'), '/')))]", "avSetTemplateName64": "[if(greater(length(variables('avSetTemplateName')), 64), substring(variables('avSetTemplateName'), 0, 64), variables('avSetTemplateName'))]", "ppgTemplateName": "[concat(variables('recoveryPPGPrefix'), 
last(split(parameters('vmId'), '/')))]", "ppgTemplateName64": "[if(greater(length(variables('ppgTemplateName')), 64), substring(variables('ppgTemplateName'), 0, 64), variables('ppgTemplateName'))]", "storageAccountTemplateName": "[concat(variables('storagePrefix'), last(split(parameters('vmId'), '/')))]", "storageAccountTemplateName64": "[concat(variables('storagePrefix'), uniqueString(variables('storageAccountTemplateName')))]", "replicationProtectedIntentTemplateName": "[concat('ASR-', parameters('sourceResourceGroupName'), '-', last(split(parameters('vmId'), '/')))]", "replicationProtectedIntentTemplateName64": "[if(greater(length(variables('replicationProtectedIntentTemplateName')), 64), substring(variables('replicationProtectedIntentTemplateName'), 0, 64), variables('replicationProtectedIntentTemplateName'))]", "vmDataDiskIds": "[array(parameters('dataDiskIds').rawValue)]", "vmDiskCount": "[add(length(array(parameters('dataDisks').rawValue)), int(1))]", "diskIds": "[concat(array(parameters('osDiskId')), array(parameters('dataDiskIds').rawValue))]", "vaultId": "[resourceId(parameters('vaultResourceGroupName'), variables('vaultType'), parameters('vaultName'))]", "eligibilityResultsId": "[extensionResourceId(parameters('vmId'), variables('replicationEligibilityResultsType'), variables('eligibilityResultsDefault'))]", "protectedIntentName": "[concat(parameters('vaultName'), '/', guid(resourceGroup().id, last(split(parameters('vmId'), '/'))), variables('protectedItemSuffix'))]", "recoveryAvSetName": "[if(empty(parameters('avSetId')), variables('defaultAvSet'), concat(last(split(parameters('avSetId'), '/')), '-asr'))]", "recoveryAvSetId": "[if(empty(parameters('avSetId')), '', resourceId(parameters('targetResourceGroupName'), variables('avSetType'), variables('recoveryAvSetName')))]", "recoveryAvType": "[if(not(empty(parameters('avSetId'))), 'AvailabilitySet', if(not(empty(parameters('targetZone'))), 'AvailabilityZone', 'Single'))]", "recoveryAvZone": 
"[parameters('targetZone')]", "recoveryPPGName": "[if(empty(parameters('ppgId')), variables('defaultPPG'), concat(last(split(parameters('ppgId'), '/')), '-asr'))]", "recoveryPPGId": "[if(empty(parameters('ppgId')), '', resourceId(parameters('targetResourceGroupName'), variables('ppgType'), variables('recoveryPPGName')))]", "targetResourceGroupId": "[concat('/subscriptions/', parameters('recoverySubscriptionId'), '/resourceGroups/', parameters('targetResourceGroupName'))]", "storageAccountSKUName": "Standard_LRS", "storageAccountKind": "Storage", "cacheStorageAccountArmId": "[if(empty(parameters('cacheStorageAccountId')),'',if(contains(parameters('cacheStorageAccountId'),'/'),parameters('cacheStorageAccountId'),resourceId(parameters('vaultResourceGroupName'), variables('storageType'), parameters('cacheStorageAccountId'))))]" }, "resources": [ { "condition": "[not(empty(parameters('ppgId')))]", "apiVersion": "[variables('deploymentApiVersion')]", "name": "[variables('ppgTemplateName64')]", "type": "Microsoft.Resources/deployments", "resourceGroup": "[parameters('targetResourceGroupName')]", "properties": { "mode": "Incremental", "template": { "$schema": "[variables('schemaLink')]", "contentVersion": "1.0.0.0", "parameters": {}, "variables": {}, "resources": [ { "condition": "[not(empty(parameters('ppgId')))]", "type": "[variables('ppgType')]", "name": "[variables('recoveryPPGName')]", "apiVersion": "[variables('ppgApiVersion')]", "location": "[parameters('targetRegion')]", "properties": { "proximityPlacementGroupType": "[if(empty(parameters('ppgId')), 'Standard', reference(parameters('ppgId'), variables('ppgApiVersion')).proximityPlacementGroupType)]" } } ] }, "parameters": {} } }, { "condition": "[not(empty(parameters('avSetId')))]", "apiVersion": "[variables('deploymentApiVersion')]", "name": "[variables('avSetTemplateName64')]", "type": "Microsoft.Resources/deployments", "resourceGroup": "[parameters('targetResourceGroupName')]", "properties": { "mode": 
"Incremental", "template": { "$schema": "[variables('schemaLink')]", "contentVersion": "1.0.0.0", "parameters": {}, "variables": {}, "resources": [ { "condition": "[not(empty(parameters('avSetId')))]", "type": "[variables('avSetType')]", "sku": { "name": "[if(empty(parameters('avSetId')), 'Aligned', reference(parameters('avSetId'), variables('avSetApiVersion'), 'Full').sku.name)]" }, "name": "[variables('recoveryAvSetName')]", "apiVersion": "[variables('avSetApiVersion')]", "location": "[parameters('targetRegion')]", "tags": {}, "properties": { "platformUpdateDomainCount": "[if(empty(parameters('avSetId')), '5', reference(parameters('avSetId'), variables('avSetApiVersion')).platformUpdateDomainCount)]", "platformFaultDomainCount": "[if(empty(parameters('avSetId')), '2', reference(parameters('avSetId'), variables('avSetApiVersion')).platformFaultDomainCount)]", "proximityPlacementGroup": "[if(empty(parameters('ppgId')), json('null'), json(concat('{', '\"id\"', ':', '\"', variables('recoveryPPGId'), '\"', '}')))]" } } ] }, "parameters": {} }, "dependsOn": [ "[variables('ppgTemplateName64')]" ] }, { "condition": "[and(not(empty(parameters('cacheStorageAccountId'))), not(contains(parameters('cacheStorageAccountId'), '/')))]", "apiVersion": "[variables('deploymentApiVersion')]", "name": "[variables('storageAccountTemplateName64')]", "type": "Microsoft.Resources/deployments", "resourceGroup": "[parameters('vaultResourceGroupName')]", "properties": { "mode": "Incremental", "template": { "$schema": "[variables('schemaLink')]", "contentVersion": "1.0.0.0", "parameters": {}, "variables": {}, "resources": [ { "condition": "[and(not(empty(parameters('cacheStorageAccountId'))), not(contains(parameters('cacheStorageAccountId'), '/')))]", "type": "[variables('storageType')]", "name": "[parameters('cacheStorageAccountId')]", "apiVersion": "[variables('storageAccountApiVersion')]", "location": "[parameters('sourceRegion')]", "sku": { "name": "[variables('storageAccountSKUName')]" 
}, "kind": "[variables('storageAccountKind')]", "properties": { "supportsHttpsTrafficOnly": true } } ] }, "parameters": {} } }, { "apiVersion": "[variables('deploymentApiVersion')]", "name": "[variables('replicationProtectedIntentTemplateName64')]", "type": "Microsoft.Resources/deployments", "resourceGroup": "[parameters('vaultResourceGroupName')]", "properties": { "mode": "Incremental", "template": { "$schema": "[variables('schemaLink')]", "contentVersion": "1.0.0.0", "parameters": {}, "variables": {}, "resources": [ { "condition": "[lessOrEquals(length(reference(variables('eligibilityResultsId'), '2018-07-10').errors), int('0'))]", "type": "Microsoft.RecoveryServices/vaults/replicationProtectionIntents", "name": "[variables('protectedIntentName')]", "apiVersion": "[parameters('apiVersion')]", "properties": { "providerSpecificDetails": { "instanceType": "A2A", "fabricObjectId": "[parameters('vmId')]", "primaryLocation": "[parameters('sourceRegion')]", "recoveryLocation": "[parameters('targetRegion')]", "recoverySubscriptionId": "[parameters('recoverySubscriptionId')]", "recoveryAvailabilityType": "[variables('recoveryAvType')]", "recoveryAvailabilityZone": "[variables('recoveryAvZone')]", "recoveryResourceGroupId": "[variables('targetResourceGroupId')]", "recoveryAvailabilitySetCustomInput": "[if(empty(parameters('avSetId')), json('null'), json(concat('{', '\"resourceType\"', ':', '\"Existing\",', '\"recoveryAvailabilitySetId\"', ':', '\"', variables('recoveryAvSetId'), '\"', '}')))]", "recoveryProximityPlacementGroupCustomInput": "[if(empty(parameters('ppgId')), json('null'), json(concat('{', '\"resourceType\"', ':', '\"Existing\",', '\"recoveryProximityPlacementGroupId\"', ':', '\"', variables('recoveryPPGId'), '\"', '}')))]", "recoveryVirtualNetworkCustomInput": "[if(contains(parameters('recoveryNetworkId'), '/'), json(concat('{', '\"resourceType\"', ':', '\"Existing\",', '\"recoveryVirtualNetworkId\"', ':', '\"', parameters('recoveryNetworkId'), '\"', 
'}')),if(empty(parameters('recoveryNetworkId')), json('null'), json(concat('{', '\"resourceType\"', ':', '\"New\",', '\"recoveryVirtualNetworkName\"', ':', '\"', parameters('recoveryNetworkId'), '\"', '}'))))]", "primaryStagingStorageAccountCustomInput": "[if(empty(variables('cacheStorageAccountArmId')),json('null'),json(concat('{', '\"resourceType\"', ':', '\"Existing\",', '\"azureStorageAccountId\"', ':', '\"', variables('cacheStorageAccountArmId'), '\"', '}')))]", "vmDisks": [], "copy": [ { "name": "vmManagedDisks", "count": "[variables('vmDiskCount')]", "input": { "diskId": "[if(equals(copyIndex('vmManagedDisks'), int(0)), reference(parameters('vmId'), variables('vmApiVersion')).storageProfile.osDisk.managedDisk.Id, reference(parameters('vmId'), variables('vmApiVersion')).storageProfile.dataDisks[sub(copyIndex('vmManagedDisks'), int(1))].managedDisk.id)]", "recoveryResourceGroupCustomInput": { "resourceType": "Existing", "recoveryResourceGroupId": "[variables('targetResourceGroupId')]" } } } ] } } } ], "outputs": { "vmName": { "value": "[last(split(parameters('vmId'), '/'))]", "type": "string" }, "availabilitySetUrl": { "value": "[if(empty(parameters('avSetId')), '', concat(variables('portalLinkPrefix'), variables('recoveryAvSetId')))]", "type": "string" }, "proximityPlacementGroupUrl": { "value": "[if(empty(parameters('ppgId')), '', concat(variables('portalLinkPrefix'), variables('recoveryPPGId')))]", "type": "string" }, "replicationEligibilityResults": { "value": "[reference(variables('eligibilityResultsId'), parameters('apiVersion'))]", "type": "Object" } } }, "parameters": {} }, "dependsOn": [ "[variables('ppgTemplateName64')]", "[variables('avSetTemplateName64')]", "[variables('storageAccountTemplateName64')]" ] } ], "outputs": {} }, "parameters": { "apiVersion": { "value": "2018-07-10" }, "avSetId": { "value": "[field('Microsoft.Compute/virtualMachines/availabilitySet.id')]" }, "dataDiskIds": { "value": { "rawValue": 
"[field('Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id')]", "emptyArray": [] } }, "dataDisks": { "value": { "rawValue": "[field('Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*]')]" } }, "osDiskId": { "value": "[field('Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.id')]" }, "ppgId": { "value": "[field('Microsoft.Compute/virtualMachines/proximityPlacementGroup.id')]" }, "recoveryNetworkId": { "value": "[parameters('recoveryNetworkId')]" }, "recoverySubscriptionId": { "value": "[subscription().subscriptionId]" }, "sourceRegion": { "value": "[parameters('sourceRegion')]" }, "sourceResourceGroupName": { "value": "[resourcegroup().Name]" }, "targetRegion": { "value": "[parameters('targetRegion')]" }, "targetResourceGroupName": { "value": "[last(split(parameters('targetResourceGroupId'), '/'))]" }, "targetZone": { "value": "[parameters('targetZone')]" }, "vaultName": { "value": "[last(split(parameters('vaultId'), '/'))]" }, "vaultResourceGroupName": { "value": "[last(split(parameters('vaultResourceGroupId'), '/'))]" }, "vmId": { "value": "[field('id')]" }, "vmZones": { "value": { "rawValue": "[field('Microsoft.Compute/virtualMachines/zones')]", "emptyArray": [] } }, "cacheStorageAccountId": { "value": "[parameters('cacheStorageAccountId')]" } } } } } } } }
{"displayName":"Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery","policyType":"BuiltIn","mode":"Indexed","description":"Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc.","metadata":{"version":"2.1.1","category":"Compute"},"parameters":{"sourceRegion":{"type":"String","metadata":{"displayName":"Source Region","description":"Region in which the source virtual machine is deployed","strongType":"location","serviceName":"ASR"}},"targetRegion":{"type":"String","metadata":{"displayName":"Target Region","description":"Region to be used to deploy the virtual machine in case of a disaster","strongType":"location","serviceName":"ASR"}},"targetResourceGroupId":{"type":"String","metadata":{"displayName":"Target Resource Group","description":"Resource group to be used to create the virtual machine in the target region","strongType":"existingResourceGroups","assignPermissions":true,"serviceName":"ASR"}},"vaultResourceGroupId":{"type":"String","metadata":{"displayName":"Vault Resource Group","description":"The resource group containing the recovery services vault used for disaster recovery configurations","strongType":"existingResourceGroups","assignPermissions":true,"serviceName":"ASR"}},"vaultId":{"type":"String","metadata":{"displayName":"Recovery Services Vault","description":"Recovery services vault to be used for disaster recovery configurations","strongType":"Microsoft.RecoveryServices/vaults","serviceName":"ASR"}},"recoveryNetworkId":{"type":"String","metadata":{"displayName":"Recovery Virtual 
Network","description":"Id of an existing virtual network in the target region or name of the virtual network to be created in target region","strongType":"Microsoft.Network/virtualNetworks","serviceName":"ASR"},"defaultValue":""},"targetZone":{"type":"String","metadata":{"displayName":"Target Availability Zone","description":"Availability zone in the designated target region to be used by virtual machines during disaster"},"defaultValue":""},"cacheStorageAccountId":{"type":"String","metadata":{"displayName":"Cache storage account","description":"Existing cache storage account ID or prefix for the cache storage account name to be created in source region.","strongType":"Microsoft.Storage/storageAccounts","serviceName":"ASR"},"defaultValue":""},"tagName":{"type":"String","metadata":{"displayName":"Tag Name","description":"Name of the tag to use for including or excluding VMs in the scope of this policy. This should be used along with the tag value parameter.","serviceName":"ASR"},"defaultValue":""},"tagValue":{"type":"Array","metadata":{"displayName":"Tag Values","description":"Values of the tag to use for including or excluding VMs in the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the tag name parameter.","serviceName":"ASR"},"defaultValue":[]},"tagType":{"type":"String","metadata":{"displayName":"Tag Type","description":"Tag type can be either Inclusion Tag or Exclusion Tag. 
Inclusion tag type will make sure VMs with tag name and tag value are included in replication,Exclusion tag type will make sure VMs with tag name and tag value are excluded from replication.","serviceName":"ASR"},"allowedValues":["Inclusion","Exclusion",""],"defaultValue":""},"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"location","equals":"[parameters('sourceRegion')]"},{"anyOf":[{"allOf":[{"value":"[parameters('tagType')]","equals":"Inclusion"},{"field":"[concat('tags[',parameters('tagName'),']')]","in":"[parameters('tagValue')]"}]},{"allOf":[{"value":"[parameters('tagType')]","equals":"Exclusion"},{"field":"[concat('tags[',parameters('tagName'),']')]","notIn":"[parameters('tagValue')]"}]},{"anyOf":[{"value":"[empty(parameters('tagName'))]","equals":"true"},{"value":"[empty(parameters('tagValue'))]","equals":"true"},{"value":"[empty(parameters('tagType'))]","equals":"true"}]}]}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.Resources/links","evaluationDelay":"PT15M","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"],"existenceCondition":{"allOf":[{"field":"name","like":"ASR-Policy-Protect-*"},{"field":"Microsoft.Resources/links/targetId","contains":"/replicationProtectedItems/"}]},"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"apiVersion":{"type":"String"},"avSetId":{"type":"String"},"dataDiskIds":{"type":"object"},"dataDisks":{"type":"object"},"osDiskId":{"type":"String"},"ppgId":{"type":"String"},"recoveryNetworkId":{"type":"String"},"recoverySubscriptionId":{"type":"Strin
g"},"sourceRegion":{"type":"String"},"sourceResourceGroupName":{"type":"String"},"targetRegion":{"type":"String"},"targetResourceGroupName":{"type":"String"},"targetZone":{"type":"String"},"vaultName":{"type":"String"},"vaultResourceGroupName":{"type":"String"},"vmId":{"type":"String"},"vmZones":{"type":"Object"},"cacheStorageAccountId":{"type":"String"}},"variables":{"avSetApiVersion":"2019-03-01","deploymentApiVersion":"2017-05-10","vmApiVersion":"2019-07-01","ppgApiVersion":"2019-12-01","storageAccountApiVersion":"2018-07-01","portalLinkPrefix":"https://portal.azure.com/#@microsoft.onmicrosoft.com/resource","schemaLink":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","defaultAvSet":"defaultAvSet-asr","defaultPPG":"defaultPPG-asr","eligibilityResultsDefault":"default","protectedItemSuffix":"-policy","recoveryAvSetPrefix":"RecoveryAvSet-","recoveryPPGPrefix":"RecoveryPPG-","storagePrefix":"Storage-","avSetType":"Microsoft.Compute/availabilitySets","deploymentType":"Microsoft.Resources/deployments","networkType":"Microsoft.Network/virtualNetworks","ppgType":"Microsoft.Compute/proximityPlacementGroups","replicationEligibilityResultsType":"Microsoft.RecoveryServices/replicationEligibilityResults","storageType":"Microsoft.Storage/storageAccounts","vaultType":"Microsoft.RecoveryServices/vaults","avSetTemplateName":"[concat(variables('recoveryAvSetPrefix'),last(split(parameters('vmId'),'/')))]","avSetTemplateName64":"[if(greater(length(variables('avSetTemplateName')),64),substring(variables('avSetTemplateName'),0,64),variables('avSetTemplateName'))]","ppgTemplateName":"[concat(variables('recoveryPPGPrefix'),last(split(parameters('vmId'),'/')))]","ppgTemplateName64":"[if(greater(length(variables('ppgTemplateName')),64),substring(variables('ppgTemplateName'),0,64),variables('ppgTemplateName'))]","storageAccountTemplateName":"[concat(variables('storagePrefix'),last(split(parameters('vmId'),'/')))]","storageAccountTemplateName64":"[concat(va
riables('storagePrefix'),uniqueString(variables('storageAccountTemplateName')))]","replicationProtectedIntentTemplateName":"[concat('ASR-',parameters('sourceResourceGroupName'),'-',last(split(parameters('vmId'),'/')))]","replicationProtectedIntentTemplateName64":"[if(greater(length(variables('replicationProtectedIntentTemplateName')),64),substring(variables('replicationProtectedIntentTemplateName'),0,64),variables('replicationProtectedIntentTemplateName'))]","vmDataDiskIds":"[array(parameters('dataDiskIds').rawValue)]","vmDiskCount":"[add(length(array(parameters('dataDisks').rawValue)),int(1))]","diskIds":"[concat(array(parameters('osDiskId')),array(parameters('dataDiskIds').rawValue))]","vaultId":"[resourceId(parameters('vaultResourceGroupName'),variables('vaultType'),parameters('vaultName'))]","eligibilityResultsId":"[extensionResourceId(parameters('vmId'),variables('replicationEligibilityResultsType'),variables('eligibilityResultsDefault'))]","protectedIntentName":"[concat(parameters('vaultName'),'/',guid(resourceGroup().id,last(split(parameters('vmId'),'/'))),variables('protectedItemSuffix'))]","recoveryAvSetName":"[if(empty(parameters('avSetId')),variables('defaultAvSet'),concat(last(split(parameters('avSetId'),'/')),'-asr'))]","recoveryAvSetId":"[if(empty(parameters('avSetId')),'',resourceId(parameters('targetResourceGroupName'),variables('avSetType'),variables('recoveryAvSetName')))]","recoveryAvType":"[if(not(empty(parameters('avSetId'))),'AvailabilitySet',if(not(empty(parameters('targetZone'))),'AvailabilityZone','Single'))]","recoveryAvZone":"[parameters('targetZone')]","recoveryPPGName":"[if(empty(parameters('ppgId')),variables('defaultPPG'),concat(last(split(parameters('ppgId'),'/')),'-asr'))]","recoveryPPGId":"[if(empty(parameters('ppgId')),'',resourceId(parameters('targetResourceGroupName'),variables('ppgType'),variables('recoveryPPGName')))]","targetResourceGroupId":"[concat('/subscriptions/',parameters('recoverySubscriptionId'),'/resourceGroups/',par
ameters('targetResourceGroupName'))]","storageAccountSKUName":"Standard_LRS","storageAccountKind":"Storage","cacheStorageAccountArmId":"[if(empty(parameters('cacheStorageAccountId')),'',if(contains(parameters('cacheStorageAccountId'),'/'),parameters('cacheStorageAccountId'),resourceId(parameters('vaultResourceGroupName'),variables('storageType'),parameters('cacheStorageAccountId'))))]"},"resources":[{"condition":"[not(empty(parameters('ppgId')))]","apiVersion":"[variables('deploymentApiVersion')]","name":"[variables('ppgTemplateName64')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters('targetResourceGroupName')]","properties":{"mode":"Incremental","template":{"$schema":"[variables('schemaLink')]","contentVersion":"1.0.0.0","parameters":{},"variables":{},"resources":[{"condition":"[not(empty(parameters('ppgId')))]","type":"[variables('ppgType')]","name":"[variables('recoveryPPGName')]","apiVersion":"[variables('ppgApiVersion')]","location":"[parameters('targetRegion')]","properties":{"proximityPlacementGroupType":"[if(empty(parameters('ppgId')),'Standard',reference(parameters('ppgId'),variables('ppgApiVersion')).proximityPlacementGroupType)]"}}]},"parameters":{}}},{"condition":"[not(empty(parameters('avSetId')))]","apiVersion":"[variables('deploymentApiVersion')]","name":"[variables('avSetTemplateName64')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters('targetResourceGroupName')]","properties":{"mode":"Incremental","template":{"$schema":"[variables('schemaLink')]","contentVersion":"1.0.0.0","parameters":{},"variables":{},"resources":[{"condition":"[not(empty(parameters('avSetId')))]","type":"[variables('avSetType')]","sku":{"name":"[if(empty(parameters('avSetId')),'Aligned',reference(parameters('avSetId'),variables('avSetApiVersion'),'Full').sku.name)]"},"name":"[variables('recoveryAvSetName')]","apiVersion":"[variables('avSetApiVersion')]","location":"[parameters('targetRegion')]","tags":{},"properties":{"platformUpdate
DomainCount":"[if(empty(parameters('avSetId')),'5',reference(parameters('avSetId'),variables('avSetApiVersion')).platformUpdateDomainCount)]","platformFaultDomainCount":"[if(empty(parameters('avSetId')),'2',reference(parameters('avSetId'),variables('avSetApiVersion')).platformFaultDomainCount)]","proximityPlacementGroup":"[if(empty(parameters('ppgId')),json('null'),json(concat('{','\"id\"',':','\"',variables('recoveryPPGId'),'\"','}')))]"}}]},"parameters":{}},"dependsOn":["[variables('ppgTemplateName64')]"]},{"condition":"[and(not(empty(parameters('cacheStorageAccountId'))),not(contains(parameters('cacheStorageAccountId'),'/')))]","apiVersion":"[variables('deploymentApiVersion')]","name":"[variables('storageAccountTemplateName64')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters('vaultResourceGroupName')]","properties":{"mode":"Incremental","template":{"$schema":"[variables('schemaLink')]","contentVersion":"1.0.0.0","parameters":{},"variables":{},"resources":[{"condition":"[and(not(empty(parameters('cacheStorageAccountId'))),not(contains(parameters('cacheStorageAccountId'),'/')))]","type":"[variables('storageType')]","name":"[parameters('cacheStorageAccountId')]","apiVersion":"[variables('storageAccountApiVersion')]","location":"[parameters('sourceRegion')]","sku":{"name":"[variables('storageAccountSKUName')]"},"kind":"[variables('storageAccountKind')]","properties":{"supportsHttpsTrafficOnly":true}}]},"parameters":{}}},{"apiVersion":"[variables('deploymentApiVersion')]","name":"[variables('replicationProtectedIntentTemplateName64')]","type":"Microsoft.Resources/deployments","resourceGroup":"[parameters('vaultResourceGroupName')]","properties":{"mode":"Incremental","template":{"$schema":"[variables('schemaLink')]","contentVersion":"1.0.0.0","parameters":{},"variables":{},"resources":[{"condition":"[lessOrEquals(length(reference(variables('eligibilityResultsId'),'2018-07-10').errors),int('0'))]","type":"Microsoft.RecoveryServices/vaults/replica
tionProtectionIntents","name":"[variables('protectedIntentName')]","apiVersion":"[parameters('apiVersion')]","properties":{"providerSpecificDetails":{"instanceType":"A2A","fabricObjectId":"[parameters('vmId')]","primaryLocation":"[parameters('sourceRegion')]","recoveryLocation":"[parameters('targetRegion')]","recoverySubscriptionId":"[parameters('recoverySubscriptionId')]","recoveryAvailabilityType":"[variables('recoveryAvType')]","recoveryAvailabilityZone":"[variables('recoveryAvZone')]","recoveryResourceGroupId":"[variables('targetResourceGroupId')]","recoveryAvailabilitySetCustomInput":"[if(empty(parameters('avSetId')),json('null'),json(concat('{','\"resourceType\"',':','\"Existing\",','\"recoveryAvailabilitySetId\"',':','\"',variables('recoveryAvSetId'),'\"','}')))]","recoveryProximityPlacementGroupCustomInput":"[if(empty(parameters('ppgId')),json('null'),json(concat('{','\"resourceType\"',':','\"Existing\",','\"recoveryProximityPlacementGroupId\"',':','\"',variables('recoveryPPGId'),'\"','}')))]","recoveryVirtualNetworkCustomInput":"[if(contains(parameters('recoveryNetworkId'),'/'),json(concat('{','\"resourceType\"',':','\"Existing\",','\"recoveryVirtualNetworkId\"',':','\"',parameters('recoveryNetworkId'),'\"','}')),if(empty(parameters('recoveryNetworkId')),json('null'),json(concat('{','\"resourceType\"',':','\"New\",','\"recoveryVirtualNetworkName\"',':','\"',parameters('recoveryNetworkId'),'\"','}'))))]","primaryStagingStorageAccountCustomInput":"[if(empty(variables('cacheStorageAccountArmId')),json('null'),json(concat('{','\"resourceType\"',':','\"Existing\",','\"azureStorageAccountId\"',':','\"',variables('cacheStorageAccountArmId'),'\"','}')))]","vmDisks":[],"copy":[{"name":"vmManagedDisks","count":"[variables('vmDiskCount')]","input":{"diskId":"[if(equals(copyIndex('vmManagedDisks'),int(0)),reference(parameters('vmId'),variables('vmApiVersion')).storageProfile.osDisk.managedDisk.Id,reference(parameters('vmId'),variables('vmApiVersion')).storageProfile.da
taDisks[sub(copyIndex('vmManagedDisks'),int(1))].managedDisk.id)]","recoveryResourceGroupCustomInput":{"resourceType":"Existing","recoveryResourceGroupId":"[variables('targetResourceGroupId')]"}}}]}}}],"outputs":{"vmName":{"value":"[last(split(parameters('vmId'),'/'))]","type":"string"},"availabilitySetUrl":{"value":"[if(empty(parameters('avSetId')),'',concat(variables('portalLinkPrefix'),variables('recoveryAvSetId')))]","type":"string"},"proximityPlacementGroupUrl":{"value":"[if(empty(parameters('ppgId')),'',concat(variables('portalLinkPrefix'),variables('recoveryPPGId')))]","type":"string"},"replicationEligibilityResults":{"value":"[reference(variables('eligibilityResultsId'),parameters('apiVersion'))]","type":"Object"}}},"parameters":{}},"dependsOn":["[variables('ppgTemplateName64')]","[variables('avSetTemplateName64')]","[variables('storageAccountTemplateName64')]"]}],"outputs":{}},"parameters":{"apiVersion":{"value":"2018-07-10"},"avSetId":{"value":"[field('Microsoft.Compute/virtualMachines/availabilitySet.id')]"},"dataDiskIds":{"value":{"rawValue":"[field('Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*].managedDisk.id')]","emptyArray":[]}},"dataDisks":{"value":{"rawValue":"[field('Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*]')]"}},"osDiskId":{"value":"[field('Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.id')]"},"ppgId":{"value":"[field('Microsoft.Compute/virtualMachines/proximityPlacementGroup.id')]"},"recoveryNetworkId":{"value":"[parameters('recoveryNetworkId')]"},"recoverySubscriptionId":{"value":"[subscription().subscriptionId]"},"sourceRegion":{"value":"[parameters('sourceRegion')]"},"sourceResourceGroupName":{"value":"[resourcegroup().Name]"},"targetRegion":{"value":"[parameters('targetRegion')]"},"targetResourceGroupName":{"value":"[last(split(parameters('targetResourceGroupId'),'/'))]"},"targetZone":{"value":"[parameters('targetZone')]"},"vaultName":{"value":"[last(split(parameters('vaultId'),'/'))]
"},"vaultResourceGroupName":{"value":"[last(split(parameters('vaultResourceGroupId'),'/'))]"},"vmId":{"value":"[field('id')]"},"vmZones":{"value":{"rawValue":"[field('Microsoft.Compute/virtualMachines/zones')]","emptyArray":[]}},"cacheStorageAccountId":{"value":"[parameters('cacheStorageAccountId')]"}}}}}}}}
{ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics", "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html", "metadata": { "deprecated": true, "supersededBy": "e920df7f-9a64-4066-9b58-52684c02a091", "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", "AzureUSGovernment" ] }, "parameters": { "retention": { "type": "Integer", "metadata": { "displayName": "Retention" }, "defaultValue": 5 }, "interval": { "type": "Integer", "metadata": { "displayName": "Traffic Analytics processing interval mins (10/60)" }, "defaultValue": 60 }, "workspace": { "type": "String", "metadata": { "strongType": "omsWorkspace", "displayName": "Resource ID of Log Analytics workspace", "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID." 
}, "defaultValue": "" }, "effect": { "type": "String", "defaultValue": "DeployIfNotExists", "allowedValues": [ "DeployIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" } } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Network/networkWatchers/flowlogs", "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]", "existenceCondition": { "allOf": [ { "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", "equals": "true" } ] }, "existenceScope": "resourceGroup", "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]", "deploymentScope": "subscription", "deployment": { "location": "northeurope", "properties": { "mode": "Incremental", "parameters": { "location": { "value": "[field('location')]" }, "networkSecurityGroup": { "value": "[field('id')]" }, "workspace": { "value": "[parameters('workspace')]" }, "retention": { "value": "[parameters('retention')]" }, "interval": { "value": 
"[parameters('interval')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "location": { "type": "String" }, "networkSecurityGroup": { "type": "String" }, "workspace": { "type": "String" }, "retention": { "type": "int" }, "interval": { "type": "int" }, "time": { "type": "String", "defaultValue": "[utcNow()]" } }, "variables": { "resourceGroupName": "[split(parameters('networkSecurityGroup'), '/')[4]]", "securityGroupName": "[split(parameters('networkSecurityGroup'), '/')[8]]", "storageAccountName": "[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]" }, "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]", "resourceGroup": "[variables('resourceGroupName')]", "properties": { "mode": "Incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [ { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "[variables('storageAccountName')]", "location": "[parameters('location')]", "properties": {}, "kind": "StorageV2", "sku": { "name": "Standard_LRS", "tier": "Standard" } } ] } } }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]", "resourceGroup": "NetworkWatcherRG", "properties": { "mode": "Incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [ { "type": "Microsoft.Network/networkWatchers", "apiVersion": "2020-05-01", "name": "[concat('NetworkWatcher_', toLower(parameters('location')))]", "location": "[parameters('location')]", "properties": {}, "resources": [ { 
"type": "flowLogs", "apiVersion": "2019-11-01", "name": "[concat(variables('securityGroupName'), '-Network-flowlog')]", "location": "[parameters('location')]", "properties": { "enabled": true, "format": { "type": "JSON", "version": 2 }, "retentionPolicy": { "days": "[parameters('retention')]", "enabled": true }, "flowAnalyticsConfiguration": { "networkWatcherFlowAnalyticsConfiguration": { "enabled": true, "trafficAnalyticsInterval": "[parameters('interval')]", "workspaceResourceId": "[parameters('workspace')]" } }, "storageId": "[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", "targetResourceId": "[parameters('networkSecurityGroup')]" }, "dependsOn": [ "[concat('NetworkWatcher_', toLower(parameters('location')))]" ] } ] } ] } }, "dependsOn": [ "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]" ] } ], "outputs": {} } } } } } } }
{"policyType":"Custom","mode":"Indexed","displayName":"[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics","description":"[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html","metadata":{"deprecated":true,"supersededBy":"e920df7f-9a64-4066-9b58-52684c02a091","version":"1.1.0-deprecated","category":"Monitoring","source":"https://github.com/Azure/Enterprise-Scale/","alzCloudEnvironments":["AzureCloud","AzureChinaCloud","AzureUSGovernment"]},"parameters":{"retention":{"type":"Integer","metadata":{"displayName":"Retention"},"defaultValue":5},"interval":{"type":"Integer","metadata":{"displayName":"Traffic Analytics processing interval mins (10/60)"},"defaultValue":60},"workspace":{"type":"String","metadata":{"strongType":"omsWorkspace","displayName":"Resource ID of Log Analytics workspace","description":"Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."},"defaultValue":""},"effect":{"type":"String","defaultValue":"DeployIfNotExists","allowedValues":["DeployIfNotExists","Disabled"],"metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.Network/networkSecurityGroups"}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.Network/networkWatchers/flowlogs","name":"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))),'null/null',concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')),'/')[8],'/',split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')),'/')[10]))]","existenceCondition":{"allOf":[{"field":"Microsoft.Network/networkWatchers/flowLogs/enabled","equals":"true"}]},"existenceScope":"resourceGroup","roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7","/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12","/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293","/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab","/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"resourceGroupName":"[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))),'NetworkWatcherRG',split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')),'/')[4])]","deploymentScope":"subscription","deployment":{"location":"northeurope","properties":{"mode":"Incremental","parameters":{"location":{"value":"[field('location')]"},"networkSecurityGroup":{"value":"[field('id')]"},"workspace":{"value":"[parameters('workspace')]"},"retentio
n":{"value":"[parameters('retention')]"},"interval":{"value":"[parameters('interval')]"}},"template":{"$schema":"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"location":{"type":"String"},"networkSecurityGroup":{"type":"String"},"workspace":{"type":"String"},"retention":{"type":"int"},"interval":{"type":"int"},"time":{"type":"String","defaultValue":"[utcNow()]"}},"variables":{"resourceGroupName":"[split(parameters('networkSecurityGroup'),'/')[4]]","securityGroupName":"[split(parameters('networkSecurityGroup'),'/')[8]]","storageAccountName":"[concat('es',uniqueString(variables('securityGroupName'),parameters('time')))]"},"resources":[{"type":"Microsoft.Resources/deployments","apiVersion":"2019-10-01","name":"[concat(variables('resourceGroupName'),'.',variables('securityGroupName'))]","resourceGroup":"[variables('resourceGroupName')]","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"Microsoft.Storage/storageAccounts","apiVersion":"2019-06-01","name":"[variables('storageAccountName')]","location":"[parameters('location')]","properties":{},"kind":"StorageV2","sku":{"name":"Standard_LRS","tier":"Standard"}}]}}},{"type":"Microsoft.Resources/deployments","apiVersion":"2019-10-01","name":"[concat('NetworkWatcherRG','.',variables('securityGroupName'))]","resourceGroup":"NetworkWatcherRG","properties":{"mode":"Incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"Microsoft.Network/networkWatchers","apiVersion":"2020-05-01","name":"[concat('NetworkWatcher_',toLower(parameters('location')))]","location":"[parameters('location')]","properties":{},"resources":[{"type":"flowLogs","apiVersion":"2019-11-01","name":"[concat(variables('securityGroupNam
e'),'-Network-flowlog')]","location":"[parameters('location')]","properties":{"enabled":true,"format":{"type":"JSON","version":2},"retentionPolicy":{"days":"[parameters('retention')]","enabled":true},"flowAnalyticsConfiguration":{"networkWatcherFlowAnalyticsConfiguration":{"enabled":true,"trafficAnalyticsInterval":"[parameters('interval')]","workspaceResourceId":"[parameters('workspace')]"}},"storageId":"[concat(subscription().id,'/resourceGroups/',variables('resourceGroupName'),'/providers/Microsoft.Storage/storageAccounts/',variables('storageAccountName'))]","targetResourceId":"[parameters('networkSecurityGroup')]"},"dependsOn":["[concat('NetworkWatcher_',toLower(parameters('location')))]"]}]}]}},"dependsOn":["[concat(variables('resourceGroupName'),'.',variables('securityGroupName'))]"]}],"outputs":{}}}}}}}}