Azure · AlexanderSehr · Dec 6, 2021 · Dec 6, 2021 · Dec 6, 2021 · Dec 6, 2021
@@ -5,6 +5,12 @@
         "name": {
             "value": "sxx-az-rsv-x-001"
         },
+        "backupConfig": {
+            "value": {
+                "enhancedSecurityState": "Disabled",
+                "softDeleteFeatureState": "Disabled"
+            }
+        },
         "backupPolicies": {
             "value": [
                 {

@@ -0,0 +1 @@
+
@@ -0,0 +1,81 @@
+@description('Required. Name of the Azure Recovery Service Vault')
+param recoveryVaultName string
+
+@description('Optional. Name of the Azure Recovery Service Vault Backup Policy')
+param name string = 'vaultconfig'
+
+@description('Optional. Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations.')
+@allowed([
+  'Disabled'
+  'Enabled'
+])
+param enhancedSecurityState string = 'Enabled'
+
+@description('Optional. ResourceGuard Operation Requests')
+param resourceGuardOperationRequests array = []
+
+@description('Optional. Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes')
+@allowed([
+  'Disabled'
+  'Enabled'
+])
+param softDeleteFeatureState string = 'Enabled'
+
+@description('Optional. Storage type')
+@allowed([
+  'GeoRedundant'
+  'LocallyRedundant'
+  'ReadAccessGeoZoneRedundant'
+  'ZoneRedundant'
+])
+param storageModelType string = 'GeoRedundant'
+
+@description('Optional. Storage type')
+@allowed([
+  'GeoRedundant'
+  'LocallyRedundant'
+  'ReadAccessGeoZoneRedundant'
+  'ZoneRedundant'
+])
+param storageType string = 'GeoRedundant'
+
+@description('Optional. Once a machine is registered against a resource, the storageTypeState is always Locked.')
+@allowed([
+  'Locked'
+  'Unlocked'
+])
+param storageTypeState string = 'Locked'
+
+@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+  name: 'pid-${cuaId}'
+  params: {}
+}
+
+resource rsv 'Microsoft.RecoveryServices/vaults@2021-08-01' existing = {
+  name: recoveryVaultName
+}
+
+resource backupConfig 'Microsoft.RecoveryServices/vaults/backupconfig@2021-08-01' = {
+  name: name
+  parent: rsv
+  properties: {
+    enhancedSecurityState: enhancedSecurityState
+    resourceGuardOperationRequests: resourceGuardOperationRequests
+    softDeleteFeatureState: softDeleteFeatureState
+    storageModelType: storageModelType
+    storageType: storageType
+    storageTypeState: storageTypeState
+  }
+}
+
+@description('The name of the backup config')
+output backupConfigName string = backupConfig.name
+
+@description('The resource ID of the backup config')
+output backupConfigResourceId string = backupConfig.id
+
+@description('The name of the resource group the backup config was created in.')
+output backupConfigResourceGroup string = resourceGroup().name
@@ -0,0 +1,35 @@
+# Recovery Services Vault Backup Config `[Microsoft.RecoveryServices/vaults/backupconfig]`
+
+This module deploys recovery services vault backup config.
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.RecoveryServices/vaults/backupconfig` | 2021-08-01 |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `cuaId` | string |  |  | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
+| `enhancedSecurityState` | string | `Enabled` | `[Disabled, Enabled]` | Optional. Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations. |
+| `name` | string | `vaultconfig` |  | Optional. Name of the Azure Recovery Service Vault Backup Policy |
+| `recoveryVaultName` | string |  |  | Required. Name of the Azure Recovery Service Vault |
+| `resourceGuardOperationRequests` | array | `[]` |  | Optional. ResourceGuard Operation Requests |
+| `softDeleteFeatureState` | string | `Enabled` | `[Disabled, Enabled]` | Optional. Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes |
+| `storageModelType` | string | `GeoRedundant` | `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` | Optional. Storage type |
+| `storageType` | string | `GeoRedundant` | `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` | Optional. Storage type |
+| `storageTypeState` | string | `Locked` | `[Locked, Unlocked]` | Optional. Once a machine is registered against a resource, the storageTypeState is always Locked. |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `backupConfigName` | string | The name of the backup config |
+| `backupConfigResourceGroup` | string | The name of the resource group the backup config was created in. |
+| `backupConfigResourceId` | string | The resource ID of the backup config |
+
+## Template references
+
+- [Vaults/Backupconfig](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupconfig)
@@ -1,5 +1,4 @@
 @description('Required. Name of the Azure Recovery Service Vault')
-@minLength(1)
 param recoveryVaultName string
 
 @description('Required. Name of the Azure Recovery Service Vault Backup Policy')
@@ -29,8 +28,8 @@ resource backupPolicy 'Microsoft.RecoveryServices/vaults/backupPolicies@2021-08-
 @description('The name of the backup policy')
 output backupPolicyName string = backupPolicy.name
 
-@description('The Resource ID of the backup policy')
+@description('The resource ID of the backup policy')
 output backupPolicyResourceId string = backupPolicy.id
 
-@description('The name of the Resource Group the backup policy was created in.')
+@description('The name of the resource group the backup policy was created in.')
 output backupPolicyResourceGroup string = resourceGroup().name
@@ -110,8 +110,8 @@ Object continaining the configuration for backup policies. It needs to be proper
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `backupPolicyName` | string | The name of the backup policy |
-| `backupPolicyResourceGroup` | string | The name of the Resource Group the backup policy was created in. |
-| `backupPolicyResourceId` | string | The Resource ID of the backup policy |
+| `backupPolicyResourceGroup` | string | The name of the resource group the backup policy was created in. |
+| `backupPolicyResourceId` | string | The resource ID of the backup policy |
 
 ## Template references
 

@@ -1,5 +1,4 @@
 @description('Required. Name of the Azure Recovery Service Vault')
-@minLength(1)
 param recoveryVaultName string
 
 @description('Optional. The name of the backup storage config')

@@ -1,5 +1,4 @@
 @description('Required. Name of the Azure Recovery Service Vault')
-@minLength(1)
 param name string
 
 @description('Optional. The storage configuration for the Azure Recovery Service Vault')
@@ -14,6 +13,9 @@ param location string = resourceGroup().location
 @description('Optional. List of all backup policies.')
 param backupPolicies array = []
 
+@description('Optional. The backup configuration.')
+param backupConfig object = {}
+
 @description('Optional. List of all protection containers.')
 @minLength(0)
 param protectionContainers array = []
@@ -170,6 +172,20 @@ module rsv_backupPolicies 'backupPolicies/deploy.bicep' = [for (backupPolicy, in
   }
 }]
 
+module rsv_backupConfig 'backupConfig/deploy.bicep' = if (!empty(backupConfig)) {
+  name: '${uniqueString(deployment().name, location)}-RSV-BackupConfig'
+  params: {
+    recoveryVaultName: rsv.name
+    name: contains(backupConfig, 'name') ? backupConfig.name : 'vaultconfig'
+    enhancedSecurityState: contains(backupConfig, 'enhancedSecurityState') ? backupConfig.enhancedSecurityState : 'Enabled'
+    resourceGuardOperationRequests: contains(backupConfig, 'resourceGuardOperationRequests') ? backupConfig.resourceGuardOperationRequests : []
+    softDeleteFeatureState: contains(backupConfig, 'softDeleteFeatureState') ? backupConfig.softDeleteFeatureState : 'Enabled'
+    storageModelType: contains(backupConfig, 'storageModelType') ? backupConfig.storageModelType : 'GeoRedundant'
+    storageType: contains(backupConfig, 'storageType') ? backupConfig.storageType : 'GeoRedundant'
+    storageTypeState: contains(backupConfig, 'storageTypeState') ? backupConfig.storageTypeState : 'Locked'
+  }
+}
+
 resource rsv_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') {
   name: '${rsv.name}-${lock}-lock'
   properties: {
@@ -201,13 +217,13 @@ module rsv_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in rol
   }
 }]
 
-@description('The resource ID of the Recovery Services Vault')
+@description('The resource ID of the recovery services vault')
 output recoveryServicesVaultResourceId string = rsv.id
 
-@description('The name of the Resource Group the Recovery Services Vault was created in')
+@description('The name of the resource group the recovery services vault was created in')
 output recoveryServicesVaultResourceGroup string = resourceGroup().name
 
-@description('The Name of the Recovery Services Vault')
+@description('The Name of the recovery services vault')
 output recoveryServicesVaultName string = rsv.name
 
 @description('The principal ID of the system assigned identity.')

@@ -1,5 +1,4 @@
 @description('Required. Name of the Azure Recovery Service Vault')
-@minLength(1)
 param recoveryVaultName string
 
 @description('Required. Name of the Azure Recovery Service Vault Protection Container')

@@ -10,6 +10,7 @@ This module deploys a recovery service vault.
 | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview |
 | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview |
 | `Microsoft.RecoveryServices/vaults` | 2021-08-01 |
+| `Microsoft.RecoveryServices/vaults/backupconfig` | 2021-08-01 |
 | `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers` | 2021-08-01 |
 | `Microsoft.RecoveryServices/vaults/backupPolicies` | 2021-08-01 |
 | `Microsoft.RecoveryServices/vaults/backupstorageconfig` | 2021-08-01 |
@@ -18,6 +19,7 @@ This module deploys a recovery service vault.
 
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
+| `backupConfig` | _[backupConfig](backupConfig/readme.md)_ object | `{object}` |  | Optional. The backup configuration. |
 | `backupPolicies` | _[backupPolicies](backupPolicies/readme.md)_ array | `[]` |  | Optional. List of all backup policies. |
 | `backupStorageConfig` | _[backupStorageConfig](backupStorageConfig/readme.md)_ object | `{object}` |  | Optional. The storage configuration for the Azure Recovery Service Vault |
 | `cuaId` | string |  |  | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
@@ -346,9 +348,9 @@ You can specify multiple user assigned identities to a resource by providing add
 
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
-| `recoveryServicesVaultName` | string | The Name of the Recovery Services Vault |
-| `recoveryServicesVaultResourceGroup` | string | The name of the Resource Group the Recovery Services Vault was created in |
-| `recoveryServicesVaultResourceId` | string | The resource ID of the Recovery Services Vault |
+| `recoveryServicesVaultName` | string | The Name of the recovery services vault |
+| `recoveryServicesVaultResourceGroup` | string | The name of the resource group the recovery services vault was created in |
+| `recoveryServicesVaultResourceId` | string | The resource ID of the recovery services vault |
 | `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
 
 ## Template references
@@ -357,6 +359,7 @@ You can specify multiple user assigned identities to a resource by providing add
 - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments)
 - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings)
 - [Vaults](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults)
+- [Vaults/Backupconfig](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupconfig)
 - [Vaults/Backupfabrics/Protectioncontainers](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupFabrics/protectionContainers)
 - [Vaults/Backuppolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupPolicies)
 - [Vaults/Backupstorageconfig](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupstorageconfig)