Configure Azure Data Protection Backup Instances

The azure-native:dataprotection:BackupInstance resource, part of the Pulumi Azure Native provider, registers a data source with a backup vault and associates it with a backup policy. This guide focuses on three capabilities: PostgreSQL database backup with Key Vault credentials, AKS cluster backup with namespace and resource filtering, and multi-user authorization for policy modifications.

Backup instances reference existing backup vaults, backup policies, data sources, and authentication infrastructure such as Key Vault secrets and managed identities. The examples are intentionally small. Combine them with your own backup policies, vaults, and data sources.

Protect a PostgreSQL database with Key Vault credentials

Most backup deployments begin by registering a database with a backup vault and specifying how to authenticate. For PostgreSQL databases, credentials are typically stored in Azure Key Vault rather than embedded in the backup configuration.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const backupInstance = new azure_native.dataprotection.BackupInstance("backupInstance", {
    backupInstanceName: "testInstance1",
    properties: {
        dataSourceInfo: {
            datasourceType: "Microsoft.DBforPostgreSQL/servers/databases",
            objectType: "Datasource",
            resourceID: "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb",
            resourceLocation: "",
            resourceName: "testdb",
            resourceType: "Microsoft.DBforPostgreSQL/servers/databases",
            resourceUri: "",
        },
        dataSourceSetInfo: {
            datasourceType: "Microsoft.DBforPostgreSQL/servers/databases",
            objectType: "DatasourceSet",
            resourceID: "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest",
            resourceLocation: "",
            resourceName: "viveksipgtest",
            resourceType: "Microsoft.DBforPostgreSQL/servers",
            resourceUri: "",
        },
        datasourceAuthCredentials: {
            objectType: "SecretStoreBasedAuthCredentials",
            secretStoreResource: {
                secretStoreType: azure_native.dataprotection.SecretStoreType.AzureKeyVault,
                uri: "https://samplevault.vault.azure.net/secrets/credentials",
            },
        },
        friendlyName: "harshitbi2",
        identityDetails: {
            useSystemAssignedIdentity: false,
            userAssignedIdentityArmUrl: "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami",
        },
        objectType: "BackupInstance",
        policyInfo: {
            policyId: "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1",
            policyParameters: {
                dataStoreParametersList: [{
                    dataStoreType: azure_native.dataprotection.DataStoreTypes.OperationalStore,
                    objectType: "AzureOperationalStoreParameters",
                    resourceGroupId: "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest",
                }],
            },
        },
        validationType: azure_native.dataprotection.ValidationType.ShallowValidation,
    },
    resourceGroupName: "000pikumar",
    tags: {
        key1: "val1",
    },
    vaultName: "PratikPrivatePreviewVault1",
});

Python:

import pulumi
import pulumi_azure_native as azure_native

backup_instance = azure_native.dataprotection.BackupInstance("backupInstance",
    backup_instance_name="testInstance1",
    properties={
        "data_source_info": {
            "datasource_type": "Microsoft.DBforPostgreSQL/servers/databases",
            "object_type": "Datasource",
            "resource_id": "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb",
            "resource_location": "",
            "resource_name": "testdb",
            "resource_type": "Microsoft.DBforPostgreSQL/servers/databases",
            "resource_uri": "",
        },
        "data_source_set_info": {
            "datasource_type": "Microsoft.DBforPostgreSQL/servers/databases",
            "object_type": "DatasourceSet",
            "resource_id": "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest",
            "resource_location": "",
            "resource_name": "viveksipgtest",
            "resource_type": "Microsoft.DBforPostgreSQL/servers",
            "resource_uri": "",
        },
        "datasource_auth_credentials": {
            "object_type": "SecretStoreBasedAuthCredentials",
            "secret_store_resource": {
                "secret_store_type": azure_native.dataprotection.SecretStoreType.AZURE_KEY_VAULT,
                "uri": "https://samplevault.vault.azure.net/secrets/credentials",
            },
        },
        "friendly_name": "harshitbi2",
        "identity_details": {
            "use_system_assigned_identity": False,
            "user_assigned_identity_arm_url": "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami",
        },
        "object_type": "BackupInstance",
        "policy_info": {
            "policy_id": "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1",
            "policy_parameters": {
                "data_store_parameters_list": [{
                    "data_store_type": azure_native.dataprotection.DataStoreTypes.OPERATIONAL_STORE,
                    "object_type": "AzureOperationalStoreParameters",
                    "resource_group_id": "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest",
                }],
            },
        },
        "validation_type": azure_native.dataprotection.ValidationType.SHALLOW_VALIDATION,
    },
    resource_group_name="000pikumar",
    tags={
        "key1": "val1",
    },
    vault_name="PratikPrivatePreviewVault1")

Go:

package main

import (
	dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataprotection.NewBackupInstance(ctx, "backupInstance", &dataprotection.BackupInstanceArgs{
			BackupInstanceName: pulumi.String("testInstance1"),
			Properties: &dataprotection.BackupInstanceTypeArgs{
				DataSourceInfo: &dataprotection.DatasourceArgs{
					DatasourceType:   pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ObjectType:       pulumi.String("Datasource"),
					ResourceID:       pulumi.String("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb"),
					ResourceLocation: pulumi.String(""),
					ResourceName:     pulumi.String("testdb"),
					ResourceType:     pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ResourceUri:      pulumi.String(""),
				},
				DataSourceSetInfo: &dataprotection.DatasourceSetArgs{
					DatasourceType:   pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ObjectType:       pulumi.String("DatasourceSet"),
					ResourceID:       pulumi.String("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest"),
					ResourceLocation: pulumi.String(""),
					ResourceName:     pulumi.String("viveksipgtest"),
					ResourceType:     pulumi.String("Microsoft.DBforPostgreSQL/servers"),
					ResourceUri:      pulumi.String(""),
				},
				DatasourceAuthCredentials: &dataprotection.SecretStoreBasedAuthCredentialsArgs{
					ObjectType: pulumi.String("SecretStoreBasedAuthCredentials"),
					SecretStoreResource: &dataprotection.SecretStoreResourceArgs{
						SecretStoreType: pulumi.String(dataprotection.SecretStoreTypeAzureKeyVault),
						Uri:             pulumi.String("https://samplevault.vault.azure.net/secrets/credentials"),
					},
				},
				FriendlyName: pulumi.String("harshitbi2"),
				IdentityDetails: &dataprotection.IdentityDetailsArgs{
					UseSystemAssignedIdentity:  pulumi.Bool(false),
					UserAssignedIdentityArmUrl: pulumi.String("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami"),
				},
				ObjectType: pulumi.String("BackupInstance"),
				PolicyInfo: &dataprotection.PolicyInfoArgs{
					PolicyId: pulumi.String("/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1"),
					PolicyParameters: &dataprotection.PolicyParametersArgs{
						DataStoreParametersList: dataprotection.AzureOperationalStoreParametersArray{
							&dataprotection.AzureOperationalStoreParametersArgs{
								DataStoreType:   pulumi.String(dataprotection.DataStoreTypesOperationalStore),
								ObjectType:      pulumi.String("AzureOperationalStoreParameters"),
								ResourceGroupId: pulumi.String("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest"),
							},
						},
					},
				},
				ValidationType: pulumi.String(dataprotection.ValidationTypeShallowValidation),
			},
			ResourceGroupName: pulumi.String("000pikumar"),
			Tags: pulumi.StringMap{
				"key1": pulumi.String("val1"),
			},
			VaultName: pulumi.String("PratikPrivatePreviewVault1"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var backupInstance = new AzureNative.DataProtection.BackupInstance("backupInstance", new()
    {
        BackupInstanceName = "testInstance1",
        Properties = new AzureNative.DataProtection.Inputs.BackupInstanceArgs
        {
            DataSourceInfo = new AzureNative.DataProtection.Inputs.DatasourceArgs
            {
                DatasourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ObjectType = "Datasource",
                ResourceID = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb",
                ResourceLocation = "",
                ResourceName = "testdb",
                ResourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ResourceUri = "",
            },
            DataSourceSetInfo = new AzureNative.DataProtection.Inputs.DatasourceSetArgs
            {
                DatasourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ObjectType = "DatasourceSet",
                ResourceID = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest",
                ResourceLocation = "",
                ResourceName = "viveksipgtest",
                ResourceType = "Microsoft.DBforPostgreSQL/servers",
                ResourceUri = "",
            },
            DatasourceAuthCredentials = new AzureNative.DataProtection.Inputs.SecretStoreBasedAuthCredentialsArgs
            {
                ObjectType = "SecretStoreBasedAuthCredentials",
                SecretStoreResource = new AzureNative.DataProtection.Inputs.SecretStoreResourceArgs
                {
                    SecretStoreType = AzureNative.DataProtection.SecretStoreType.AzureKeyVault,
                    Uri = "https://samplevault.vault.azure.net/secrets/credentials",
                },
            },
            FriendlyName = "harshitbi2",
            IdentityDetails = new AzureNative.DataProtection.Inputs.IdentityDetailsArgs
            {
                UseSystemAssignedIdentity = false,
                UserAssignedIdentityArmUrl = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami",
            },
            ObjectType = "BackupInstance",
            PolicyInfo = new AzureNative.DataProtection.Inputs.PolicyInfoArgs
            {
                PolicyId = "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1",
                PolicyParameters = new AzureNative.DataProtection.Inputs.PolicyParametersArgs
                {
                    DataStoreParametersList = new[]
                    {
                        new AzureNative.DataProtection.Inputs.AzureOperationalStoreParametersArgs
                        {
                            DataStoreType = AzureNative.DataProtection.DataStoreTypes.OperationalStore,
                            ObjectType = "AzureOperationalStoreParameters",
                            ResourceGroupId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest",
                        },
                    },
                },
            },
            ValidationType = AzureNative.DataProtection.ValidationType.ShallowValidation,
        },
        ResourceGroupName = "000pikumar",
        Tags = 
        {
            { "key1", "val1" },
        },
        VaultName = "PratikPrivatePreviewVault1",
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.azurenative.dataprotection.BackupInstance;
import com.pulumi.azurenative.dataprotection.BackupInstanceArgs;
import com.pulumi.azurenative.dataprotection.inputs.AzureOperationalStoreParametersArgs;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceArgs;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceSetArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecretStoreBasedAuthCredentialsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecretStoreResourceArgs;
import com.pulumi.azurenative.dataprotection.inputs.IdentityDetailsArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyInfoArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyParametersArgs;
import java.util.Map;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var backupInstance = new BackupInstance("backupInstance", BackupInstanceArgs.builder()
            .backupInstanceName("testInstance1")
            // The properties input type is also named BackupInstanceArgs (inputs package),
            // so it is fully qualified to avoid clashing with the resource args class.
            .properties(com.pulumi.azurenative.dataprotection.inputs.BackupInstanceArgs.builder()
                .dataSourceInfo(DatasourceArgs.builder()
                    .datasourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .objectType("Datasource")
                    .resourceID("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb")
                    .resourceLocation("")
                    .resourceName("testdb")
                    .resourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .resourceUri("")
                    .build())
                .dataSourceSetInfo(DatasourceSetArgs.builder()
                    .datasourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .objectType("DatasourceSet")
                    .resourceID("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest")
                    .resourceLocation("")
                    .resourceName("viveksipgtest")
                    .resourceType("Microsoft.DBforPostgreSQL/servers")
                    .resourceUri("")
                    .build())
                // Credentials are referenced by Key Vault secret URI, using the typed args builder.
                .datasourceAuthCredentials(SecretStoreBasedAuthCredentialsArgs.builder()
                    .objectType("SecretStoreBasedAuthCredentials")
                    .secretStoreResource(SecretStoreResourceArgs.builder()
                        .secretStoreType("AzureKeyVault")
                        .uri("https://samplevault.vault.azure.net/secrets/credentials")
                        .build())
                    .build())
                .friendlyName("harshitbi2")
                .identityDetails(IdentityDetailsArgs.builder()
                    .useSystemAssignedIdentity(false)
                    .userAssignedIdentityArmUrl("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami")
                    .build())
                .objectType("BackupInstance")
                .policyInfo(PolicyInfoArgs.builder()
                    .policyId("/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1")
                    .policyParameters(PolicyParametersArgs.builder()
                        .dataStoreParametersList(AzureOperationalStoreParametersArgs.builder()
                            .dataStoreType("OperationalStore")
                            .objectType("AzureOperationalStoreParameters")
                            .resourceGroupId("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest")
                            .build())
                        .build())
                    .build())
                .validationType("ShallowValidation")
                .build())
            .resourceGroupName("000pikumar")
            .tags(Map.of("key1", "val1"))
            .vaultName("PratikPrivatePreviewVault1")
            .build());

    }
}

YAML:

resources:
  backupInstance:
    type: azure-native:dataprotection:BackupInstance
    properties:
      backupInstanceName: testInstance1
      properties:
        dataSourceInfo:
          datasourceType: Microsoft.DBforPostgreSQL/servers/databases
          objectType: Datasource
          resourceID: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb
          resourceLocation: ""
          resourceName: testdb
          resourceType: Microsoft.DBforPostgreSQL/servers/databases
          resourceUri: ""
        dataSourceSetInfo:
          datasourceType: Microsoft.DBforPostgreSQL/servers/databases
          objectType: DatasourceSet
          resourceID: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest
          resourceLocation: ""
          resourceName: viveksipgtest
          resourceType: Microsoft.DBforPostgreSQL/servers
          resourceUri: ""
        datasourceAuthCredentials:
          objectType: SecretStoreBasedAuthCredentials
          secretStoreResource:
            secretStoreType: AzureKeyVault
            uri: https://samplevault.vault.azure.net/secrets/credentials
        friendlyName: harshitbi2
        identityDetails:
          useSystemAssignedIdentity: false
          userAssignedIdentityArmUrl: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami
        objectType: BackupInstance
        policyInfo:
          policyId: /subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1
          policyParameters:
            dataStoreParametersList:
              - dataStoreType: OperationalStore
                objectType: AzureOperationalStoreParameters
                resourceGroupId: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest
        validationType: ShallowValidation
      resourceGroupName: 000pikumar
      tags:
        key1: val1
      vaultName: PratikPrivatePreviewVault1

The dataSourceInfo identifies the specific database to back up, while dataSourceSetInfo identifies the parent PostgreSQL server. The datasourceAuthCredentials property points to a Key Vault secret URI containing database credentials. The identityDetails property specifies which managed identity the backup service uses to access both the database and Key Vault. The policyInfo links this instance to a backup policy that defines schedule and retention.
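
The relationships described above can be checked before `pulumi up`. The following is an added example, not code from Pulumi or the Azure Native provider: `lint_postgres_backup_instance` and its finding codes are hypothetical names, and it works on the snake_case properties shape used in the Python sample. It assumes the public-cloud Key Vault suffix `.vault.azure.net` and that the backup policy belongs to the vault the instance is registered in.

```python
from urllib.parse import urlparse


def arm_segments(arm_id):
    """Lower-cased path segments; ARM resource IDs compare case-insensitively."""
    return [s.lower() for s in arm_id.split("/") if s]


def arm_field(arm_id, key):
    """Value that follows `key` (e.g. 'resourcegroups') in an ARM ID, or None."""
    segs = arm_segments(arm_id)
    for i in range(0, len(segs) - 1, 2):  # keys sit at even positions
        if segs[i] == key.lower():
            return segs[i + 1]
    return None


def lint_postgres_backup_instance(props, resource_group_name, vault_name,
                                  kv_suffix=".vault.azure.net"):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []

    # Credentials must be a reference to a Key Vault secret over https.
    creds = props.get("datasource_auth_credentials") or {}
    uri = urlparse((creds.get("secret_store_resource") or {}).get("uri", ""))
    path = [p for p in uri.path.split("/") if p]
    if uri.scheme != "https" or not (uri.hostname or "").endswith(kv_suffix):
        findings.append(("secret-uri-host", "secret URI is not an https Key Vault endpoint"))
    elif len(path) < 2 or path[0] != "secrets":
        findings.append(("secret-uri-path", "secret URI path is not /secrets/<name>"))

    # With the system-assigned identity switched off, a user-assigned one must be named.
    ident = props.get("identity_details") or {}
    uami = ident.get("user_assigned_identity_arm_url") or ""
    if ident.get("use_system_assigned_identity") is False:
        if arm_field(uami, "userassignedidentities") is None:
            findings.append(("identity-missing", "no user-assigned identity ARM ID given"))

    # data_source_info (database) must sit under data_source_set_info (server).
    db = arm_segments(props["data_source_info"]["resource_id"])
    server = arm_segments(props["data_source_set_info"]["resource_id"])
    if len(db) <= len(server) or db[:len(server)] != server:
        findings.append(("datasource-parent", "database is not a child of the data source set"))

    # The policy ID should point into the vault this instance is registered with.
    policy_id = props["policy_info"]["policy_id"]
    if (arm_field(policy_id, "backupvaults") != vault_name.lower()
            or arm_field(policy_id, "resourcegroups") != resource_group_name.lower()):
        findings.append(("policy-vault", "policy_id does not belong to the target vault"))
    return findings


# Values copied from the page's PostgreSQL example (enum members written as strings).
SUB = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4"
SERVER = SUB + "/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest"
PAGE_PROPS = {
    "data_source_info": {"resource_id": SERVER + "/databases/testdb"},
    "data_source_set_info": {"resource_id": SERVER},
    "datasource_auth_credentials": {
        "object_type": "SecretStoreBasedAuthCredentials",
        "secret_store_resource": {
            "secret_store_type": "AzureKeyVault",
            "uri": "https://samplevault.vault.azure.net/secrets/credentials",
        },
    },
    "identity_details": {
        "use_system_assigned_identity": False,
        "user_assigned_identity_arm_url": SUB + "/resourcegroups/rg-name/providers"
        "/Microsoft.ManagedIdentity/userAssignedIdentities/testUami",
    },
    "policy_info": {
        "policy_id": "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar"
        "/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1"
        "/backupPolicies/PratikPolicy1",
    },
}

# Constructed counter-example (not from the page): every check should fire.
BAD_PROPS = {
    "data_source_info": {"resource_id": SUB + "/resourceGroups/viveksipgtest/providers"
                         "/Microsoft.DBforPostgreSQL/servers/otherserver/databases/testdb"},
    "data_source_set_info": {"resource_id": SERVER},
    "datasource_auth_credentials": {"secret_store_resource": {
        "uri": "http://samplevault.vault.azure.net/secrets/credentials"}},
    "identity_details": {"use_system_assigned_identity": False},
    "policy_info": {"policy_id": SUB + "/resourceGroups/000pikumar/providers"
                    "/Microsoft.DataProtection/backupVaults/SomeOtherVault/backupPolicies/PratikPolicy1"},
}

if __name__ == "__main__":
    for name, props in (("page example", PAGE_PROPS), ("constructed bad", BAD_PROPS)):
        print(name, lint_postgres_backup_instance(props, "000pikumar", "PratikPrivatePreviewVault1"))
```

The page's own values pass even though they mix `resourceGroups`/`resourcegroups` and `Backupvaults` casing, because the comparison lower-cases every ARM segment first.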

Back up AKS clusters with namespace and volume filtering

Kubernetes workloads often require selective backup strategies that include specific namespaces while excluding system components or sensitive resources like secrets.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const backupInstance = new azure_native.dataprotection.BackupInstance("backupInstance", {
    backupInstanceName: "aksbi",
    properties: {
        dataSourceInfo: {
            datasourceType: "Microsoft.ContainerService/managedclusters",
            objectType: "Datasource",
            resourceID: "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
            resourceLocation: "eastus2euap",
            resourceName: "akscluster",
            resourceType: "Microsoft.ContainerService/managedclusters",
            resourceUri: "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
        },
        dataSourceSetInfo: {
            datasourceType: "Microsoft.ContainerService/managedclusters",
            objectType: "DatasourceSet",
            resourceID: "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
            resourceLocation: "eastus2euap",
            resourceName: "akscluster",
            resourceType: "Microsoft.ContainerService/managedclusters",
            resourceUri: "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
        },
        friendlyName: "aksbi",
        objectType: "BackupInstance",
        policyInfo: {
            policyId: "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy",
            policyParameters: {
                backupDatasourceParametersList: [{
                    excludedNamespaces: ["kube-system"],
                    excludedResourceTypes: ["v1/Secret"],
                    includeClusterScopeResources: true,
                    includedNamespaces: ["test"],
                    includedResourceTypes: [],
                    includedVolumeTypes: [
                        azure_native.dataprotection.AKSVolumeTypes.AzureDisk,
                        azure_native.dataprotection.AKSVolumeTypes.AzureFileShareSMB,
                    ],
                    labelSelectors: [],
                    objectType: "KubernetesClusterBackupDatasourceParameters",
                    snapshotVolumes: true,
                }],
                dataStoreParametersList: [{
                    dataStoreType: azure_native.dataprotection.DataStoreTypes.OperationalStore,
                    objectType: "AzureOperationalStoreParameters",
                    resourceGroupId: "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg",
                }],
            },
        },
    },
    resourceGroupName: "aksrg",
    tags: {
        key1: "val1",
    },
    vaultName: "aksvault",
});

Python:

import pulumi
import pulumi_azure_native as azure_native

backup_instance = azure_native.dataprotection.BackupInstance("backupInstance",
    backup_instance_name="aksbi",
    properties={
        "data_source_info": {
            "datasource_type": "Microsoft.ContainerService/managedclusters",
            "object_type": "Datasource",
            "resource_id": "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
            "resource_location": "eastus2euap",
            "resource_name": "akscluster",
            "resource_type": "Microsoft.ContainerService/managedclusters",
            "resource_uri": "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
        },
        "data_source_set_info": {
            "datasource_type": "Microsoft.ContainerService/managedclusters",
            "object_type": "DatasourceSet",
            "resource_id": "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
            "resource_location": "eastus2euap",
            "resource_name": "akscluster",
            "resource_type": "Microsoft.ContainerService/managedclusters",
            "resource_uri": "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
        },
        "friendly_name": "aksbi",
        "object_type": "BackupInstance",
        "policy_info": {
            "policy_id": "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy",
            "policy_parameters": {
                "backup_datasource_parameters_list": [{
                    "excluded_namespaces": ["kube-system"],
                    "excluded_resource_types": ["v1/Secret"],
                    "include_cluster_scope_resources": True,
                    "included_namespaces": ["test"],
                    "included_resource_types": [],
                    "included_volume_types": [
                        azure_native.dataprotection.AKSVolumeTypes.AZURE_DISK,
                        azure_native.dataprotection.AKSVolumeTypes.AZURE_FILE_SHARE_SMB,
                    ],
                    "label_selectors": [],
                    "object_type": "KubernetesClusterBackupDatasourceParameters",
                    "snapshot_volumes": True,
                }],
                "data_store_parameters_list": [{
                    "data_store_type": azure_native.dataprotection.DataStoreTypes.OPERATIONAL_STORE,
                    "object_type": "AzureOperationalStoreParameters",
                    "resource_group_id": "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg",
                }],
            },
        },
    },
    resource_group_name="aksrg",
    tags={
        "key1": "val1",
    },
    vault_name="aksvault")

Go:

package main

import (
	dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataprotection.NewBackupInstance(ctx, "backupInstance", &dataprotection.BackupInstanceArgs{
			BackupInstanceName: pulumi.String("aksbi"),
			Properties: &dataprotection.BackupInstanceTypeArgs{
				DataSourceInfo: &dataprotection.DatasourceArgs{
					DatasourceType:   pulumi.String("Microsoft.ContainerService/managedclusters"),
					ObjectType:       pulumi.String("Datasource"),
					ResourceID:       pulumi.String("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster"),
					ResourceLocation: pulumi.String("eastus2euap"),
					ResourceName:     pulumi.String("akscluster"),
					ResourceType:     pulumi.String("Microsoft.ContainerService/managedclusters"),
					ResourceUri:      pulumi.String("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster"),
				},
				DataSourceSetInfo: &dataprotection.DatasourceSetArgs{
					DatasourceType:   pulumi.String("Microsoft.ContainerService/managedclusters"),
					ObjectType:       pulumi.String("DatasourceSet"),
					ResourceID:       pulumi.String("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster"),
					ResourceLocation: pulumi.String("eastus2euap"),
					ResourceName:     pulumi.String("akscluster"),
					ResourceType:     pulumi.String("Microsoft.ContainerService/managedclusters"),
					ResourceUri:      pulumi.String("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster"),
				},
				FriendlyName: pulumi.String("aksbi"),
				ObjectType:   pulumi.String("BackupInstance"),
				PolicyInfo: &dataprotection.PolicyInfoArgs{
					PolicyId: pulumi.String("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy"),
					PolicyParameters: &dataprotection.PolicyParametersArgs{
						// Elements of pulumi.Array must be pulumi.Input values, so the Args type
						// and pulumi-wrapped fields are used rather than the plain struct.
						BackupDatasourceParametersList: pulumi.Array{
							dataprotection.KubernetesClusterBackupDatasourceParametersArgs{
								ExcludedNamespaces: pulumi.StringArray{
									pulumi.String("kube-system"),
								},
								ExcludedResourceTypes: pulumi.StringArray{
									pulumi.String("v1/Secret"),
								},
								IncludeClusterScopeResources: pulumi.Bool(true),
								IncludedNamespaces: pulumi.StringArray{
									pulumi.String("test"),
								},
								IncludedResourceTypes: pulumi.StringArray{},
								IncludedVolumeTypes: pulumi.StringArray{
									pulumi.String(dataprotection.AKSVolumeTypesAzureDisk),
									pulumi.String(dataprotection.AKSVolumeTypesAzureFileShareSMB),
								},
								LabelSelectors:  pulumi.StringArray{},
								ObjectType:      pulumi.String("KubernetesClusterBackupDatasourceParameters"),
								SnapshotVolumes: pulumi.Bool(true),
							},
						},
						DataStoreParametersList: dataprotection.AzureOperationalStoreParametersArray{
							&dataprotection.AzureOperationalStoreParametersArgs{
								DataStoreType:   pulumi.String(dataprotection.DataStoreTypesOperationalStore),
								ObjectType:      pulumi.String("AzureOperationalStoreParameters"),
								ResourceGroupId: pulumi.String("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg"),
							},
						},
					},
				},
			},
			ResourceGroupName: pulumi.String("aksrg"),
			Tags: pulumi.StringMap{
				"key1": pulumi.String("val1"),
			},
			VaultName: pulumi.String("aksvault"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var backupInstance = new AzureNative.DataProtection.BackupInstance("backupInstance", new()
    {
        BackupInstanceName = "aksbi",
        Properties = new AzureNative.DataProtection.Inputs.BackupInstanceArgs
        {
            DataSourceInfo = new AzureNative.DataProtection.Inputs.DatasourceArgs
            {
                DatasourceType = "Microsoft.ContainerService/managedclusters",
                ObjectType = "Datasource",
                ResourceID = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
                ResourceLocation = "eastus2euap",
                ResourceName = "akscluster",
                ResourceType = "Microsoft.ContainerService/managedclusters",
                ResourceUri = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
            },
            DataSourceSetInfo = new AzureNative.DataProtection.Inputs.DatasourceSetArgs
            {
                DatasourceType = "Microsoft.ContainerService/managedclusters",
                ObjectType = "DatasourceSet",
                ResourceID = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
                ResourceLocation = "eastus2euap",
                ResourceName = "akscluster",
                ResourceType = "Microsoft.ContainerService/managedclusters",
                ResourceUri = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster",
            },
            FriendlyName = "aksbi",
            ObjectType = "BackupInstance",
            PolicyInfo = new AzureNative.DataProtection.Inputs.PolicyInfoArgs
            {
                PolicyId = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy",
                PolicyParameters = new AzureNative.DataProtection.Inputs.PolicyParametersArgs
                {
                    BackupDatasourceParametersList = new[]
                    {
                        new AzureNative.DataProtection.Inputs.KubernetesClusterBackupDatasourceParametersArgs
                        {
                            ExcludedNamespaces = new[]
                            {
                                "kube-system",
                            },
                            ExcludedResourceTypes = new[]
                            {
                                "v1/Secret",
                            },
                            IncludeClusterScopeResources = true,
                            IncludedNamespaces = new[]
                            {
                                "test",
                            },
                            IncludedResourceTypes = new() { },
                            IncludedVolumeTypes = new[]
                            {
                                AzureNative.DataProtection.AKSVolumeTypes.AzureDisk,
                                AzureNative.DataProtection.AKSVolumeTypes.AzureFileShareSMB,
                            },
                            LabelSelectors = new() { },
                            ObjectType = "KubernetesClusterBackupDatasourceParameters",
                            SnapshotVolumes = true,
                        },
                    },
                    DataStoreParametersList = new[]
                    {
                        new AzureNative.DataProtection.Inputs.AzureOperationalStoreParametersArgs
                        {
                            DataStoreType = AzureNative.DataProtection.DataStoreTypes.OperationalStore,
                            ObjectType = "AzureOperationalStoreParameters",
                            ResourceGroupId = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg",
                        },
                    },
                },
            },
        },
        ResourceGroupName = "aksrg",
        Tags = 
        {
            { "key1", "val1" },
        },
        VaultName = "aksvault",
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupInstance;
import com.pulumi.azurenative.dataprotection.BackupInstanceArgs;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceArgs;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceSetArgs;
import com.pulumi.azurenative.dataprotection.inputs.KubernetesClusterBackupDatasourceParametersArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyInfoArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var backupInstance = new BackupInstance("backupInstance", BackupInstanceArgs.builder()
            .backupInstanceName("aksbi")
            // The nested properties type shares its simple name with the resource args class,
            // so it is referenced by its fully qualified name.
            .properties(com.pulumi.azurenative.dataprotection.inputs.BackupInstanceArgs.builder()
                .dataSourceInfo(DatasourceArgs.builder()
                    .datasourceType("Microsoft.ContainerService/managedclusters")
                    .objectType("Datasource")
                    .resourceID("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster")
                    .resourceLocation("eastus2euap")
                    .resourceName("akscluster")
                    .resourceType("Microsoft.ContainerService/managedclusters")
                    .resourceUri("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster")
                    .build())
                .dataSourceSetInfo(DatasourceSetArgs.builder()
                    .datasourceType("Microsoft.ContainerService/managedclusters")
                    .objectType("DatasourceSet")
                    .resourceID("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster")
                    .resourceLocation("eastus2euap")
                    .resourceName("akscluster")
                    .resourceType("Microsoft.ContainerService/managedclusters")
                    .resourceUri("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster")
                    .build())
                .friendlyName("aksbi")
                .objectType("BackupInstance")
                .policyInfo(PolicyInfoArgs.builder()
                    .policyId("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy")
                    .policyParameters(PolicyParametersArgs.builder()
                        .backupDatasourceParametersList(KubernetesClusterBackupDatasourceParametersArgs.builder()
                            .excludedNamespaces("kube-system")
                            .excludedResourceTypes("v1/Secret")
                            .includeClusterScopeResources(true)
                            .includedNamespaces("test")
                            .includedResourceTypes()
                            .includedVolumeTypes(                            
                                "AzureDisk",
                                "AzureFileShareSMB")
                            .labelSelectors()
                            .objectType("KubernetesClusterBackupDatasourceParameters")
                            .snapshotVolumes(true)
                            .build())
                        .dataStoreParametersList(Map.ofEntries(
                            Map.entry("dataStoreType", "OperationalStore"),
                            Map.entry("objectType", "AzureOperationalStoreParameters"),
                            Map.entry("resourceGroupId", "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg")
                        ))
                        .build())
                    .build())
                .build())
            .resourceGroupName("aksrg")
            .tags(Map.of("key1", "val1"))
            .vaultName("aksvault")
            .build());

    }
}
resources:
  backupInstance:
    type: azure-native:dataprotection:BackupInstance
    properties:
      backupInstanceName: aksbi
      properties:
        dataSourceInfo:
          datasourceType: Microsoft.ContainerService/managedclusters
          objectType: Datasource
          resourceID: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster
          resourceLocation: eastus2euap
          resourceName: akscluster
          resourceType: Microsoft.ContainerService/managedclusters
          resourceUri: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster
        dataSourceSetInfo:
          datasourceType: Microsoft.ContainerService/managedclusters
          objectType: DatasourceSet
          resourceID: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster
          resourceLocation: eastus2euap
          resourceName: akscluster
          resourceType: Microsoft.ContainerService/managedclusters
          resourceUri: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster
        friendlyName: aksbi
        objectType: BackupInstance
        policyInfo:
          policyId: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy
          policyParameters:
            backupDatasourceParametersList:
              - excludedNamespaces:
                  - kube-system
                excludedResourceTypes:
                  - v1/Secret
                includeClusterScopeResources: true
                includedNamespaces:
                  - test
                includedResourceTypes: []
                includedVolumeTypes:
                  - AzureDisk
                  - AzureFileShareSMB
                labelSelectors: []
                objectType: KubernetesClusterBackupDatasourceParameters
                snapshotVolumes: true
            dataStoreParametersList:
              - dataStoreType: OperationalStore
                objectType: AzureOperationalStoreParameters
                resourceGroupId: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg
      resourceGroupName: aksrg
      tags:
        key1: val1
      vaultName: aksvault

The backupDatasourceParametersList property contains Kubernetes-specific configuration. The excludedNamespaces array prevents backing up system namespaces like kube-system, while includedNamespaces limits backup to specific application namespaces. The excludedResourceTypes array skips sensitive resources like Secrets, which keeps secret material out of the backup store but also means a restore will not recreate those objects. The snapshotVolumes property enables volume snapshot integration, and includedVolumeTypes specifies which volume types to capture (Azure Disk, Azure File Share).
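The filter semantics described above can be checked before deployment. The following TypeScript is an added example, not code from Pulumi or Azure: auditAksBackupScope and its rules are hypothetical, and it assumes that an empty include list means "no restriction".

```typescript
// Added example (not Pulumi or Azure code). Field names follow the
// KubernetesClusterBackupDatasourceParameters block on this page;
// auditAksBackupScope and its rules are hypothetical.

interface AksBackupFilter {
    includedNamespaces?: string[];
    excludedNamespaces?: string[];
    includedResourceTypes?: string[];
    excludedResourceTypes?: string[];
    includeClusterScopeResources?: boolean;
}

interface ScopeFinding {
    severity: "error" | "warn" | "info";
    message: string;
}

// Compare names case-insensitively and ignore stray whitespace.
function normalise(values: string[] | undefined): string[] {
    return (values || []).map(function (v) { return v.trim().toLowerCase(); });
}

function auditAksBackupScope(f: AksBackupFilter): ScopeFinding[] {
    const findings: ScopeFinding[] = [];
    const incNs = normalise(f.includedNamespaces);
    const excNs = normalise(f.excludedNamespaces);
    const incTypes = normalise(f.includedResourceTypes);
    const excTypes = normalise(f.excludedResourceTypes);

    // A namespace on both lists makes the intended scope ambiguous.
    for (let i = 0; i < incNs.length; i++) {
        if (excNs.indexOf(incNs[i]) !== -1) {
            findings.push({ severity: "error",
                message: 'namespace "' + incNs[i] + '" is both included and excluded' });
        }
    }

    // Assumption: an empty includedNamespaces list does not restrict the backup.
    if (incNs.length === 0 && excNs.indexOf("kube-system") === -1) {
        findings.push({ severity: "warn",
            message: "all namespaces are in scope and kube-system is not excluded" });
    }

    // Assumption: an empty includedResourceTypes list means every resource type.
    const secretsInScope = excTypes.indexOf("v1/secret") === -1 &&
        (incTypes.length === 0 || incTypes.indexOf("v1/secret") !== -1);
    if (secretsInScope) {
        findings.push({ severity: "warn",
            message: "v1/Secret objects will be written to the backup store" });
    }

    // Cluster-scoped objects do not belong to a namespace, so the namespace
    // filter does not bound them.
    if (f.includeClusterScopeResources === true) {
        findings.push({ severity: "info",
            message: "cluster-scoped resources are included regardless of the namespace filter" });
    }
    return findings;
}

// The filter values used in this page's AKS example.
const PAGE_AKS_FILTER: AksBackupFilter = {
    includedNamespaces: ["test"],
    excludedNamespaces: ["kube-system"],
    includedResourceTypes: [],
    excludedResourceTypes: ["v1/Secret"],
    includeClusterScopeResources: true,
};

const pageAksFindings = auditAksBackupScope(PAGE_AKS_FILTER);
```

Run against the page's own filter values, the check reports only the informational note about cluster-scoped resources.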

Enforce multi-user authorization for policy changes

Organizations with strict compliance requirements use Resource Guard to require approval from a separate security team before modifying backup policies or performing critical operations.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const backupInstance = new azure_native.dataprotection.BackupInstance("backupInstance", {
    backupInstanceName: "testInstance1",
    properties: {
        dataSourceInfo: {
            datasourceType: "Microsoft.DBforPostgreSQL/servers/databases",
            objectType: "Datasource",
            resourceID: "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb",
            resourceLocation: "",
            resourceName: "testdb",
            resourceType: "Microsoft.DBforPostgreSQL/servers/databases",
            resourceUri: "",
        },
        dataSourceSetInfo: {
            datasourceType: "Microsoft.DBforPostgreSQL/servers/databases",
            objectType: "DatasourceSet",
            resourceID: "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest",
            resourceLocation: "",
            resourceName: "viveksipgtest",
            resourceType: "Microsoft.DBforPostgreSQL/servers",
            resourceUri: "",
        },
        datasourceAuthCredentials: {
            objectType: "SecretStoreBasedAuthCredentials",
            secretStoreResource: {
                secretStoreType: azure_native.dataprotection.SecretStoreType.AzureKeyVault,
                uri: "https://samplevault.vault.azure.net/secrets/credentials",
            },
        },
        friendlyName: "harshitbi2",
        objectType: "BackupInstance",
        policyInfo: {
            policyId: "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1",
            policyParameters: {
                dataStoreParametersList: [{
                    dataStoreType: azure_native.dataprotection.DataStoreTypes.OperationalStore,
                    objectType: "AzureOperationalStoreParameters",
                    resourceGroupId: "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest",
                }],
            },
        },
        resourceGuardOperationRequests: ["/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default"],
        validationType: azure_native.dataprotection.ValidationType.ShallowValidation,
    },
    resourceGroupName: "000pikumar",
    tags: {
        key1: "val1",
    },
    vaultName: "PratikPrivatePreviewVault1",
});
import pulumi
import pulumi_azure_native as azure_native

backup_instance = azure_native.dataprotection.BackupInstance("backupInstance",
    backup_instance_name="testInstance1",
    properties={
        "data_source_info": {
            "datasource_type": "Microsoft.DBforPostgreSQL/servers/databases",
            "object_type": "Datasource",
            "resource_id": "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb",
            "resource_location": "",
            "resource_name": "testdb",
            "resource_type": "Microsoft.DBforPostgreSQL/servers/databases",
            "resource_uri": "",
        },
        "data_source_set_info": {
            "datasource_type": "Microsoft.DBforPostgreSQL/servers/databases",
            "object_type": "DatasourceSet",
            "resource_id": "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest",
            "resource_location": "",
            "resource_name": "viveksipgtest",
            "resource_type": "Microsoft.DBforPostgreSQL/servers",
            "resource_uri": "",
        },
        "datasource_auth_credentials": {
            "object_type": "SecretStoreBasedAuthCredentials",
            "secret_store_resource": {
                "secret_store_type": azure_native.dataprotection.SecretStoreType.AZURE_KEY_VAULT,
                "uri": "https://samplevault.vault.azure.net/secrets/credentials",
            },
        },
        "friendly_name": "harshitbi2",
        "object_type": "BackupInstance",
        "policy_info": {
            "policy_id": "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1",
            "policy_parameters": {
                "data_store_parameters_list": [{
                    "data_store_type": azure_native.dataprotection.DataStoreTypes.OPERATIONAL_STORE,
                    "object_type": "AzureOperationalStoreParameters",
                    "resource_group_id": "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest",
                }],
            },
        },
        "resource_guard_operation_requests": ["/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default"],
        "validation_type": azure_native.dataprotection.ValidationType.SHALLOW_VALIDATION,
    },
    resource_group_name="000pikumar",
    tags={
        "key1": "val1",
    },
    vault_name="PratikPrivatePreviewVault1")
package main

import (
	dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataprotection.NewBackupInstance(ctx, "backupInstance", &dataprotection.BackupInstanceArgs{
			BackupInstanceName: pulumi.String("testInstance1"),
			Properties: &dataprotection.BackupInstanceTypeArgs{
				DataSourceInfo: &dataprotection.DatasourceArgs{
					DatasourceType:   pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ObjectType:       pulumi.String("Datasource"),
					ResourceID:       pulumi.String("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb"),
					ResourceLocation: pulumi.String(""),
					ResourceName:     pulumi.String("testdb"),
					ResourceType:     pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ResourceUri:      pulumi.String(""),
				},
				DataSourceSetInfo: &dataprotection.DatasourceSetArgs{
					DatasourceType:   pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ObjectType:       pulumi.String("DatasourceSet"),
					ResourceID:       pulumi.String("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest"),
					ResourceLocation: pulumi.String(""),
					ResourceName:     pulumi.String("viveksipgtest"),
					ResourceType:     pulumi.String("Microsoft.DBforPostgreSQL/servers"),
					ResourceUri:      pulumi.String(""),
				},
				DatasourceAuthCredentials: &dataprotection.SecretStoreBasedAuthCredentialsArgs{
					ObjectType: pulumi.String("SecretStoreBasedAuthCredentials"),
					SecretStoreResource: &dataprotection.SecretStoreResourceArgs{
						SecretStoreType: pulumi.String(dataprotection.SecretStoreTypeAzureKeyVault),
						Uri:             pulumi.String("https://samplevault.vault.azure.net/secrets/credentials"),
					},
				},
				FriendlyName: pulumi.String("harshitbi2"),
				ObjectType:   pulumi.String("BackupInstance"),
				PolicyInfo: &dataprotection.PolicyInfoArgs{
					PolicyId: pulumi.String("/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1"),
					PolicyParameters: &dataprotection.PolicyParametersArgs{
						DataStoreParametersList: dataprotection.AzureOperationalStoreParametersArray{
							&dataprotection.AzureOperationalStoreParametersArgs{
								DataStoreType:   pulumi.String(dataprotection.DataStoreTypesOperationalStore),
								ObjectType:      pulumi.String("AzureOperationalStoreParameters"),
								ResourceGroupId: pulumi.String("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest"),
							},
						},
					},
				},
				ResourceGuardOperationRequests: pulumi.StringArray{
					pulumi.String("/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default"),
				},
				ValidationType: pulumi.String(dataprotection.ValidationTypeShallowValidation),
			},
			ResourceGroupName: pulumi.String("000pikumar"),
			Tags: pulumi.StringMap{
				"key1": pulumi.String("val1"),
			},
			VaultName: pulumi.String("PratikPrivatePreviewVault1"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var backupInstance = new AzureNative.DataProtection.BackupInstance("backupInstance", new()
    {
        BackupInstanceName = "testInstance1",
        Properties = new AzureNative.DataProtection.Inputs.BackupInstanceArgs
        {
            DataSourceInfo = new AzureNative.DataProtection.Inputs.DatasourceArgs
            {
                DatasourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ObjectType = "Datasource",
                ResourceID = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb",
                ResourceLocation = "",
                ResourceName = "testdb",
                ResourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ResourceUri = "",
            },
            DataSourceSetInfo = new AzureNative.DataProtection.Inputs.DatasourceSetArgs
            {
                DatasourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ObjectType = "DatasourceSet",
                ResourceID = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest",
                ResourceLocation = "",
                ResourceName = "viveksipgtest",
                ResourceType = "Microsoft.DBforPostgreSQL/servers",
                ResourceUri = "",
            },
            DatasourceAuthCredentials = new AzureNative.DataProtection.Inputs.SecretStoreBasedAuthCredentialsArgs
            {
                ObjectType = "SecretStoreBasedAuthCredentials",
                SecretStoreResource = new AzureNative.DataProtection.Inputs.SecretStoreResourceArgs
                {
                    SecretStoreType = AzureNative.DataProtection.SecretStoreType.AzureKeyVault,
                    Uri = "https://samplevault.vault.azure.net/secrets/credentials",
                },
            },
            FriendlyName = "harshitbi2",
            ObjectType = "BackupInstance",
            PolicyInfo = new AzureNative.DataProtection.Inputs.PolicyInfoArgs
            {
                PolicyId = "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1",
                PolicyParameters = new AzureNative.DataProtection.Inputs.PolicyParametersArgs
                {
                    DataStoreParametersList = new[]
                    {
                        new AzureNative.DataProtection.Inputs.AzureOperationalStoreParametersArgs
                        {
                            DataStoreType = AzureNative.DataProtection.DataStoreTypes.OperationalStore,
                            ObjectType = "AzureOperationalStoreParameters",
                            ResourceGroupId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest",
                        },
                    },
                },
            },
            ResourceGuardOperationRequests = new[]
            {
                "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default",
            },
            ValidationType = AzureNative.DataProtection.ValidationType.ShallowValidation,
        },
        ResourceGroupName = "000pikumar",
        Tags = 
        {
            { "key1", "val1" },
        },
        VaultName = "PratikPrivatePreviewVault1",
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupInstance;
import com.pulumi.azurenative.dataprotection.BackupInstanceArgs;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceArgs;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceSetArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecretStoreBasedAuthCredentialsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecretStoreResourceArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyInfoArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var backupInstance = new BackupInstance("backupInstance", BackupInstanceArgs.builder()
            .backupInstanceName("testInstance1")
            // The nested properties type shares its simple name with the resource args class,
            // so it is referenced by its fully qualified name.
            .properties(com.pulumi.azurenative.dataprotection.inputs.BackupInstanceArgs.builder()
                .dataSourceInfo(DatasourceArgs.builder()
                    .datasourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .objectType("Datasource")
                    .resourceID("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb")
                    .resourceLocation("")
                    .resourceName("testdb")
                    .resourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .resourceUri("")
                    .build())
                .dataSourceSetInfo(DatasourceSetArgs.builder()
                    .datasourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .objectType("DatasourceSet")
                    .resourceID("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest")
                    .resourceLocation("")
                    .resourceName("viveksipgtest")
                    .resourceType("Microsoft.DBforPostgreSQL/servers")
                    .resourceUri("")
                    .build())
                .datasourceAuthCredentials(Map.ofEntries(
                    Map.entry("objectType", "SecretStoreBasedAuthCredentials"),
                    Map.entry("secretStoreResource", SecretStoreResourceArgs.builder()
                        .secretStoreType("AzureKeyVault")
                        .uri("https://samplevault.vault.azure.net/secrets/credentials")
                        .build())
                ))
                .friendlyName("harshitbi2")
                .objectType("BackupInstance")
                .policyInfo(PolicyInfoArgs.builder()
                    .policyId("/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1")
                    .policyParameters(PolicyParametersArgs.builder()
                        .dataStoreParametersList(Map.ofEntries(
                            Map.entry("dataStoreType", "OperationalStore"),
                            Map.entry("objectType", "AzureOperationalStoreParameters"),
                            Map.entry("resourceGroupId", "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest")
                        ))
                        .build())
                    .build())
                .resourceGuardOperationRequests("/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default")
                .validationType("ShallowValidation")
                .build())
            .resourceGroupName("000pikumar")
            .tags(Map.of("key1", "val1"))
            .vaultName("PratikPrivatePreviewVault1")
            .build());

    }
}
resources:
  backupInstance:
    type: azure-native:dataprotection:BackupInstance
    properties:
      backupInstanceName: testInstance1
      properties:
        dataSourceInfo:
          datasourceType: Microsoft.DBforPostgreSQL/servers/databases
          objectType: Datasource
          resourceID: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb
          resourceLocation: ""
          resourceName: testdb
          resourceType: Microsoft.DBforPostgreSQL/servers/databases
          resourceUri: ""
        dataSourceSetInfo:
          datasourceType: Microsoft.DBforPostgreSQL/servers/databases
          objectType: DatasourceSet
          resourceID: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest
          resourceLocation: ""
          resourceName: viveksipgtest
          resourceType: Microsoft.DBforPostgreSQL/servers
          resourceUri: ""
        datasourceAuthCredentials:
          objectType: SecretStoreBasedAuthCredentials
          secretStoreResource:
            secretStoreType: AzureKeyVault
            uri: https://samplevault.vault.azure.net/secrets/credentials
        friendlyName: harshitbi2
        objectType: BackupInstance
        policyInfo:
          policyId: /subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1
          policyParameters:
            dataStoreParametersList:
              - dataStoreType: OperationalStore
                objectType: AzureOperationalStoreParameters
                resourceGroupId: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest
        resourceGuardOperationRequests:
          - /subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default
        validationType: ShallowValidation
      resourceGroupName: 000pikumar
      tags:
        key1: val1
      vaultName: PratikPrivatePreviewVault1

The resourceGuardOperationRequests property lists Resource Guard operations that require additional authorization. When you attempt to modify the backup policy, Azure Data Protection checks with the Resource Guard before allowing the change. This prevents a single administrator from both configuring backups and modifying protection policies, enforcing separation of duties.
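One way to check the Resource Guard wiring before deployment, as an added example that is not Pulumi's or Azure's code: reviewGuardRequests is a hypothetical helper, and the rule that the guard must live outside the vault's subscription is an assumed organisational policy, not an Azure requirement.

```typescript
// Added example (not Pulumi or Azure code): reviews resourceGuardOperationRequests
// against the backup policy ID. reviewGuardRequests and its rules are hypothetical.

interface ParsedArmId {
    subscriptionId: string;   // lower-cased for comparison
    provider: string;         // lower-cased resource provider namespace
    segments: string[];       // type/name pairs after the provider, original case
}

// ARM IDs are compared case-insensitively; this page itself mixes
// "resourceGroups", "resourcegroups", "BackupVaults" and "Backupvaults".
function parseArmResourceId(id: string): ParsedArmId | null {
    const m = /^\/subscriptions\/([^\/]+)\/resourcegroups\/[^\/]+\/providers\/([^\/]+)\/(.+)$/i
        .exec(id.trim());
    if (m === null) { return null; }
    return {
        subscriptionId: m[1].toLowerCase(),
        provider: m[2].toLowerCase(),
        segments: m[3].split("/"),
    };
}

interface GuardReview {
    guards: string[];     // "<guard name>:<operation>" for each well-formed request
    problems: string[];
}

function reviewGuardRequests(policyId: string, requests: string[] | undefined): GuardReview {
    const review: GuardReview = { guards: [], problems: [] };
    const policy = parseArmResourceId(policyId);
    if (policy === null || policy.provider !== "microsoft.dataprotection" ||
        policy.segments.length !== 4 ||
        policy.segments[0].toLowerCase() !== "backupvaults" ||
        policy.segments[2].toLowerCase() !== "backuppolicies") {
        review.problems.push("policyId is not a backup vault policy ID");
        return review;
    }
    const vaultSubscription: string = policy.subscriptionId;
    const list = requests || [];
    if (list.length === 0) {
        review.problems.push("no Resource Guard operation request is listed");
    }
    for (let i = 0; i < list.length; i++) {
        const g = parseArmResourceId(list[i]);
        // Expected tail, as on this page: resourceGuards/<guard>/<operation>/<request>
        if (g === null || g.provider !== "microsoft.dataprotection" ||
            g.segments.length !== 4 || g.segments[0].toLowerCase() !== "resourceguards") {
            review.problems.push("not a Resource Guard operation request: " + list[i]);
            continue;
        }
        review.guards.push(g.segments[1] + ":" + g.segments[2]);
        // Assumed organisational rule: the guard is owned by a separate team,
        // modelled here as "lives in a different subscription than the vault".
        if (g.subscriptionId === vaultSubscription) {
            review.problems.push("Resource Guard " + g.segments[1] +
                " is in the vault's own subscription");
        }
    }
    return review;
}

// IDs taken from this page's multi-user authorization example.
const PAGE_POLICY_ID = "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1";
const PAGE_GUARD_REQUEST = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default";

const pageGuardReview = reviewGuardRequests(PAGE_POLICY_ID, [PAGE_GUARD_REQUEST]);
```

For the page's values the review is clean: the request names guard ResourceGuard38-1 with operation dppModifyPolicy, and the guard sits in a different subscription than the vault.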

Beyond these examples

These snippets focus on specific backup instance features: PostgreSQL and AKS backup registration, Key Vault credential integration, Kubernetes-specific filtering, and multi-user authorization with Resource Guard. They’re intentionally minimal rather than full backup solutions.

The examples reference pre-existing infrastructure such as backup vaults and backup policies, data sources (PostgreSQL servers, AKS clusters), Key Vault secrets for database credentials, managed identities for authentication, and Resource Guards for MUA scenarios. They focus on registering data sources with backup vaults rather than provisioning the surrounding infrastructure.

To keep things focused, common backup instance patterns are omitted, including:

  • Backup schedule configuration (defined in backup policy, not instance)
  • Retention settings (defined in backup policy, not instance)
  • Cross-region restore configuration
  • Backup validation types beyond ShallowValidation

These omissions are intentional: the goal is to illustrate how each backup instance feature is wired, not to provide drop-in backup modules. See the BackupInstance resource reference for all available configuration options.

Frequently Asked Questions

Core Configuration

What's the difference between dataSourceInfo and dataSourceSetInfo?
dataSourceInfo identifies the specific resource to back up (like a database), while dataSourceSetInfo identifies its parent resource (like the database server). Both use the same structure but point to different resource IDs in the hierarchy.

Why do I need to specify objectType for every configuration object?
The objectType field tells Azure Data Protection which configuration schema to use. Set it to "Datasource" for data sources, "DatasourceSet" for parent resources, "BackupInstance" for the instance itself, and specific types like "KubernetesClusterBackupDatasourceParameters" for specialized configurations.

What does the resourceGroupId in dataStoreParametersList specify?
The resourceGroupId in dataStoreParametersList specifies where backup data will be stored, which can be different from the backup instance’s own resource group.

Authentication & Identity

When do I need to configure datasourceAuthCredentials?
Configure datasourceAuthCredentials when backing up resources that require authentication, such as PostgreSQL databases. Use SecretStoreBasedAuthCredentials with an Azure Key Vault URI to securely store credentials.

Should I use system-assigned or user-assigned managed identity?
Configure identityDetails with useSystemAssignedIdentity: false and provide a userAssignedIdentityArmUrl to use a user-assigned managed identity. If you omit identityDetails, the system may use default identity settings.

AKS & Kubernetes Backup

How do I selectively back up Kubernetes resources?
Use KubernetesClusterBackupDatasourceParameters in backupDatasourceParametersList to configure filters. You can specify includedNamespaces/excludedNamespaces for namespace filtering and includedResourceTypes/excludedResourceTypes for resource type filtering (like "v1/Secret").

What volume types can I back up in AKS clusters?
Configure includedVolumeTypes with values like AzureDisk and AzureFileShareSMB. Set snapshotVolumes: true to enable volume snapshots during backup.

What does includeClusterScopeResources do in Kubernetes backups?
Setting includeClusterScopeResources: true includes cluster-wide resources (not namespaced) in the backup, such as cluster roles and persistent volumes.

Can I use label selectors to filter Kubernetes resources?
Yes, configure the labelSelectors array in KubernetesClusterBackupDatasourceParameters to filter resources by Kubernetes labels.

Policy & Advanced Features

What's the difference between dataStoreParametersList and backupDatasourceParametersList?
dataStoreParametersList configures where backups are stored (like AzureOperationalStoreParameters with a resource group). backupDatasourceParametersList configures datasource-specific backup behavior (like Kubernetes filtering rules).

What is resourceGuardOperationRequests used for?
resourceGuardOperationRequests enables multi-user authorization (MUA) by requiring approval from a Resource Guard for critical operations like policy modifications. Provide an array of Resource Guard operation request paths.

What does validationType: ShallowValidation mean?
ShallowValidation performs basic validation checks during backup instance creation. All examples use this validation type.
