The azure-native:dataprotection:BackupInstance resource, part of the Pulumi Azure Native provider, registers a data source with a backup vault and associates it with a backup policy. This guide focuses on three capabilities: PostgreSQL database backup with Key Vault credentials, AKS cluster backup with namespace and resource filtering, and multi-user authorization for policy modifications.
Backup instances reference existing backup vaults, backup policies, data sources, and authentication infrastructure such as Key Vault secrets and managed identities. The examples are intentionally small. Combine them with your own backup policies, vaults, and data sources.
Protect a PostgreSQL database with Key Vault credentials
Most backup deployments begin by registering a database with a backup vault and specifying how to authenticate. For PostgreSQL databases, credentials are typically stored in Azure Key Vault rather than embedded in the backup configuration.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Sample identifiers from the provider example. Every one of them must be
// replaced with the ID of a resource that already exists in your environment.
const postgresServerId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest";
const postgresDatabaseId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb";
const operationalStoreResourceGroupId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest";
// The policy ID names subscription 04cf684a-..., while the database IDs name
// f75d8d8b-...; check that a cross-subscription layout is what you intend.
const backupPolicyId = "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1";
// Only a reference to the Key Vault secret; the database credential itself is
// not part of this program.
const credentialSecretUri = "https://samplevault.vault.azure.net/secrets/credentials";
// User-assigned identity the backup instance runs as. It has to be able to read
// the secret above; grant it that and nothing broader.
const backupIdentityArmUrl = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami";

// Registers the PostgreSQL database with the backup vault and binds it to a policy.
const backupInstance = new azure_native.dataprotection.BackupInstance("backupInstance", {
    backupInstanceName: "testInstance1",
    properties: {
        // The database being protected.
        dataSourceInfo: {
            datasourceType: "Microsoft.DBforPostgreSQL/servers/databases",
            objectType: "Datasource",
            resourceID: postgresDatabaseId,
            resourceLocation: "",
            resourceName: "testdb",
            resourceType: "Microsoft.DBforPostgreSQL/servers/databases",
            resourceUri: "",
        },
        // The server that hosts the database.
        dataSourceSetInfo: {
            datasourceType: "Microsoft.DBforPostgreSQL/servers/databases",
            objectType: "DatasourceSet",
            resourceID: postgresServerId,
            resourceLocation: "",
            resourceName: "viveksipgtest",
            resourceType: "Microsoft.DBforPostgreSQL/servers",
            resourceUri: "",
        },
        datasourceAuthCredentials: {
            objectType: "SecretStoreBasedAuthCredentials",
            secretStoreResource: {
                secretStoreType: azure_native.dataprotection.SecretStoreType.AzureKeyVault,
                uri: credentialSecretUri,
            },
        },
        friendlyName: "harshitbi2",
        identityDetails: {
            // false selects the user-assigned identity named on the next line.
            useSystemAssignedIdentity: false,
            userAssignedIdentityArmUrl: backupIdentityArmUrl,
        },
        objectType: "BackupInstance",
        policyInfo: {
            policyId: backupPolicyId,
            policyParameters: {
                dataStoreParametersList: [{
                    dataStoreType: azure_native.dataprotection.DataStoreTypes.OperationalStore,
                    objectType: "AzureOperationalStoreParameters",
                    resourceGroupId: operationalStoreResourceGroupId,
                }],
            },
        },
        // NOTE(review): shallow validation is requested here; confirm whether your
        // rollout needs the provider's deeper validation mode instead.
        validationType: azure_native.dataprotection.ValidationType.ShallowValidation,
    },
    resourceGroupName: "000pikumar",
    tags: {
        key1: "val1",
    },
    vaultName: "PratikPrivatePreviewVault1",
});
import pulumi
import pulumi_azure_native as azure_native
# Sample identifiers from the provider example. Every one of them must be
# replaced with the ID of a resource that already exists in your environment.
POSTGRES_SERVER_ID = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest"
POSTGRES_DATABASE_ID = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb"
OPERATIONAL_STORE_RESOURCE_GROUP_ID = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest"
# The policy ID names subscription 04cf684a-..., while the database IDs name
# f75d8d8b-...; check that a cross-subscription layout is what you intend.
BACKUP_POLICY_ID = "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1"
# Only a reference to the Key Vault secret; the database credential itself is
# not part of this program.
CREDENTIAL_SECRET_URI = "https://samplevault.vault.azure.net/secrets/credentials"
# User-assigned identity the backup instance runs as. It has to be able to read
# the secret above; grant it that and nothing broader.
BACKUP_IDENTITY_ARM_URL = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami"

# Registers the PostgreSQL database with the backup vault and binds it to a policy.
backup_instance = azure_native.dataprotection.BackupInstance(
    "backupInstance",
    backup_instance_name="testInstance1",
    properties={
        # The database being protected.
        "data_source_info": {
            "datasource_type": "Microsoft.DBforPostgreSQL/servers/databases",
            "object_type": "Datasource",
            "resource_id": POSTGRES_DATABASE_ID,
            "resource_location": "",
            "resource_name": "testdb",
            "resource_type": "Microsoft.DBforPostgreSQL/servers/databases",
            "resource_uri": "",
        },
        # The server that hosts the database.
        "data_source_set_info": {
            "datasource_type": "Microsoft.DBforPostgreSQL/servers/databases",
            "object_type": "DatasourceSet",
            "resource_id": POSTGRES_SERVER_ID,
            "resource_location": "",
            "resource_name": "viveksipgtest",
            "resource_type": "Microsoft.DBforPostgreSQL/servers",
            "resource_uri": "",
        },
        "datasource_auth_credentials": {
            "object_type": "SecretStoreBasedAuthCredentials",
            "secret_store_resource": {
                "secret_store_type": azure_native.dataprotection.SecretStoreType.AZURE_KEY_VAULT,
                "uri": CREDENTIAL_SECRET_URI,
            },
        },
        "friendly_name": "harshitbi2",
        "identity_details": {
            # False selects the user-assigned identity named on the next line.
            "use_system_assigned_identity": False,
            "user_assigned_identity_arm_url": BACKUP_IDENTITY_ARM_URL,
        },
        "object_type": "BackupInstance",
        "policy_info": {
            "policy_id": BACKUP_POLICY_ID,
            "policy_parameters": {
                "data_store_parameters_list": [{
                    "data_store_type": azure_native.dataprotection.DataStoreTypes.OPERATIONAL_STORE,
                    "object_type": "AzureOperationalStoreParameters",
                    "resource_group_id": OPERATIONAL_STORE_RESOURCE_GROUP_ID,
                }],
            },
        },
        # NOTE(review): shallow validation is requested here; confirm whether your
        # rollout needs the provider's deeper validation mode instead.
        "validation_type": azure_native.dataprotection.ValidationType.SHALLOW_VALIDATION,
    },
    resource_group_name="000pikumar",
    tags={
        "key1": "val1",
    },
    vault_name="PratikPrivatePreviewVault1",
)
package main
import (
dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a PostgreSQL database as a backup instance in an existing
// backup vault and binds it to an existing backup policy.
func main() {
	// Sample identifiers from the provider example. Every one of them must be
	// replaced with the ID of a resource that already exists in your environment.
	const (
		postgresServerID   = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest"
		postgresDatabaseID = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb"
		storeResourceGroup = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest"
		// The policy ID names subscription 04cf684a-..., while the database IDs
		// name f75d8d8b-...; check that a cross-subscription layout is intended.
		backupPolicyID = "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1"
		// Only a reference to the Key Vault secret; the database credential
		// itself is not part of this program.
		credentialSecretURI = "https://samplevault.vault.azure.net/secrets/credentials"
		// User-assigned identity the backup instance runs as. It has to be able
		// to read the secret above; grant it that and nothing broader.
		backupIdentityArmURL = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami"
	)

	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataprotection.NewBackupInstance(ctx, "backupInstance", &dataprotection.BackupInstanceArgs{
			BackupInstanceName: pulumi.String("testInstance1"),
			Properties: &dataprotection.BackupInstanceTypeArgs{
				// The database being protected.
				DataSourceInfo: &dataprotection.DatasourceArgs{
					DatasourceType:   pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ObjectType:       pulumi.String("Datasource"),
					ResourceID:       pulumi.String(postgresDatabaseID),
					ResourceLocation: pulumi.String(""),
					ResourceName:     pulumi.String("testdb"),
					ResourceType:     pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ResourceUri:      pulumi.String(""),
				},
				// The server that hosts the database.
				DataSourceSetInfo: &dataprotection.DatasourceSetArgs{
					DatasourceType:   pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ObjectType:       pulumi.String("DatasourceSet"),
					ResourceID:       pulumi.String(postgresServerID),
					ResourceLocation: pulumi.String(""),
					ResourceName:     pulumi.String("viveksipgtest"),
					ResourceType:     pulumi.String("Microsoft.DBforPostgreSQL/servers"),
					ResourceUri:      pulumi.String(""),
				},
				DatasourceAuthCredentials: &dataprotection.SecretStoreBasedAuthCredentialsArgs{
					ObjectType: pulumi.String("SecretStoreBasedAuthCredentials"),
					SecretStoreResource: &dataprotection.SecretStoreResourceArgs{
						SecretStoreType: pulumi.String(dataprotection.SecretStoreTypeAzureKeyVault),
						Uri:             pulumi.String(credentialSecretURI),
					},
				},
				FriendlyName: pulumi.String("harshitbi2"),
				IdentityDetails: &dataprotection.IdentityDetailsArgs{
					// false selects the user-assigned identity named on the next line.
					UseSystemAssignedIdentity:  pulumi.Bool(false),
					UserAssignedIdentityArmUrl: pulumi.String(backupIdentityArmURL),
				},
				ObjectType: pulumi.String("BackupInstance"),
				PolicyInfo: &dataprotection.PolicyInfoArgs{
					PolicyId: pulumi.String(backupPolicyID),
					PolicyParameters: &dataprotection.PolicyParametersArgs{
						DataStoreParametersList: dataprotection.AzureOperationalStoreParametersArray{
							&dataprotection.AzureOperationalStoreParametersArgs{
								DataStoreType:   pulumi.String(dataprotection.DataStoreTypesOperationalStore),
								ObjectType:      pulumi.String("AzureOperationalStoreParameters"),
								ResourceGroupId: pulumi.String(storeResourceGroup),
							},
						},
					},
				},
				// NOTE(review): shallow validation is requested here; confirm whether
				// your rollout needs the provider's deeper validation mode instead.
				ValidationType: pulumi.String(dataprotection.ValidationTypeShallowValidation),
			},
			ResourceGroupName: pulumi.String("000pikumar"),
			Tags: pulumi.StringMap{
				"key1": pulumi.String("val1"),
			},
			VaultName: pulumi.String("PratikPrivatePreviewVault1"),
		})
		// The registration error is the only outcome to report; nil means success.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Registers a PostgreSQL database as a backup instance in an existing backup
// vault and binds it to an existing backup policy.
return await Deployment.RunAsync(() =>
{
    // Sample identifiers from the provider example. Every one of them must be
    // replaced with the ID of a resource that already exists in your environment.
    const string postgresServerId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest";
    const string postgresDatabaseId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb";
    const string operationalStoreResourceGroupId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest";
    // The policy ID names subscription 04cf684a-..., while the database IDs name
    // f75d8d8b-...; check that a cross-subscription layout is what you intend.
    const string backupPolicyId = "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1";
    // Only a reference to the Key Vault secret; the database credential itself
    // is not part of this program.
    const string credentialSecretUri = "https://samplevault.vault.azure.net/secrets/credentials";
    // User-assigned identity the backup instance runs as. It has to be able to
    // read the secret above; grant it that and nothing broader.
    const string backupIdentityArmUrl = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami";

    var backupInstance = new AzureNative.DataProtection.BackupInstance("backupInstance", new()
    {
        BackupInstanceName = "testInstance1",
        Properties = new AzureNative.DataProtection.Inputs.BackupInstanceArgs
        {
            // The database being protected.
            DataSourceInfo = new AzureNative.DataProtection.Inputs.DatasourceArgs
            {
                DatasourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ObjectType = "Datasource",
                ResourceID = postgresDatabaseId,
                ResourceLocation = "",
                ResourceName = "testdb",
                ResourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ResourceUri = "",
            },
            // The server that hosts the database.
            DataSourceSetInfo = new AzureNative.DataProtection.Inputs.DatasourceSetArgs
            {
                DatasourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ObjectType = "DatasourceSet",
                ResourceID = postgresServerId,
                ResourceLocation = "",
                ResourceName = "viveksipgtest",
                ResourceType = "Microsoft.DBforPostgreSQL/servers",
                ResourceUri = "",
            },
            DatasourceAuthCredentials = new AzureNative.DataProtection.Inputs.SecretStoreBasedAuthCredentialsArgs
            {
                ObjectType = "SecretStoreBasedAuthCredentials",
                SecretStoreResource = new AzureNative.DataProtection.Inputs.SecretStoreResourceArgs
                {
                    SecretStoreType = AzureNative.DataProtection.SecretStoreType.AzureKeyVault,
                    Uri = credentialSecretUri,
                },
            },
            FriendlyName = "harshitbi2",
            IdentityDetails = new AzureNative.DataProtection.Inputs.IdentityDetailsArgs
            {
                // false selects the user-assigned identity named on the next line.
                UseSystemAssignedIdentity = false,
                UserAssignedIdentityArmUrl = backupIdentityArmUrl,
            },
            ObjectType = "BackupInstance",
            PolicyInfo = new AzureNative.DataProtection.Inputs.PolicyInfoArgs
            {
                PolicyId = backupPolicyId,
                PolicyParameters = new AzureNative.DataProtection.Inputs.PolicyParametersArgs
                {
                    DataStoreParametersList = new[]
                    {
                        new AzureNative.DataProtection.Inputs.AzureOperationalStoreParametersArgs
                        {
                            DataStoreType = AzureNative.DataProtection.DataStoreTypes.OperationalStore,
                            ObjectType = "AzureOperationalStoreParameters",
                            ResourceGroupId = operationalStoreResourceGroupId,
                        },
                    },
                },
            },
            // NOTE(review): shallow validation is requested here; confirm whether
            // your rollout needs the provider's deeper validation mode instead.
            ValidationType = AzureNative.DataProtection.ValidationType.ShallowValidation,
        },
        ResourceGroupName = "000pikumar",
        Tags =
        {
            { "key1", "val1" },
        },
        VaultName = "PratikPrivatePreviewVault1",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupInstance;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceArgs;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceSetArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecretStoreBasedAuthCredentialsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecretStoreResourceArgs;
import com.pulumi.azurenative.dataprotection.inputs.IdentityDetailsArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyInfoArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that registers a PostgreSQL database as a backup instance in an
 * existing backup vault and binds it to an existing backup policy.
 *
 * NOTE(review): BackupInstanceArgs is used below but does not appear among the import
 * lines shown with this listing; confirm the imports before compiling.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the backup instance. All identifiers are sample values and must be
     * replaced with the IDs of resources that already exist.
     *
     * @param ctx Pulumi context supplied by the runtime; this method does not read it.
     */
    public static void stack(Context ctx) {
        var backupInstance = new BackupInstance("backupInstance", BackupInstanceArgs.builder()
            .backupInstanceName("testInstance1")
            // NOTE(review): the simple name BackupInstanceArgs is used both for the resource
            // arguments above and for the nested properties here; presumably these are two
            // different types. Verify against the SDK.
            .properties(BackupInstanceArgs.builder()
                // The database being protected.
                .dataSourceInfo(DatasourceArgs.builder()
                    .datasourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .objectType("Datasource")
                    .resourceID("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb")
                    .resourceLocation("")
                    .resourceName("testdb")
                    .resourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .resourceUri("")
                    .build())
                // The server that hosts the database.
                .dataSourceSetInfo(DatasourceSetArgs.builder()
                    .datasourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .objectType("DatasourceSet")
                    .resourceID("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest")
                    .resourceLocation("")
                    .resourceName("viveksipgtest")
                    .resourceType("Microsoft.DBforPostgreSQL/servers")
                    .resourceUri("")
                    .build())
                // Only a reference to the Key Vault secret is passed; the database credential
                // itself is not part of this program.
                // NOTE(review): a Map is passed here although SecretStoreBasedAuthCredentialsArgs
                // is imported; confirm which form the SDK accepts.
                .datasourceAuthCredentials(Map.ofEntries(
                    Map.entry("objectType", "SecretStoreBasedAuthCredentials"),
                    Map.entry("secretStoreResource", SecretStoreResourceArgs.builder()
                        .secretStoreType("AzureKeyVault")
                        .uri("https://samplevault.vault.azure.net/secrets/credentials")
                        .build())
                ))
                .friendlyName("harshitbi2")
                // User-assigned identity the backup instance runs as (system-assigned is
                // switched off). It has to be able to read the secret referenced above; grant
                // it that and nothing broader.
                .identityDetails(IdentityDetailsArgs.builder()
                    .useSystemAssignedIdentity(false)
                    .userAssignedIdentityArmUrl("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami")
                    .build())
                .objectType("BackupInstance")
                // The policy ID names subscription 04cf684a-..., while the database IDs name
                // f75d8d8b-...; check that a cross-subscription layout is what you intend.
                .policyInfo(PolicyInfoArgs.builder()
                    .policyId("/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1")
                    .policyParameters(PolicyParametersArgs.builder()
                        // NOTE(review): a single Map is passed where the other language
                        // listings pass a list with one element; confirm against the SDK.
                        .dataStoreParametersList(Map.ofEntries(
                            Map.entry("dataStoreType", "OperationalStore"),
                            Map.entry("objectType", "AzureOperationalStoreParameters"),
                            Map.entry("resourceGroupId", "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest")
                        ))
                        .build())
                    .build())
                // NOTE(review): shallow validation is requested here; confirm whether your
                // rollout needs the provider's deeper validation mode instead.
                .validationType("ShallowValidation")
                .build())
            .resourceGroupName("000pikumar")
            .tags(Map.of("key1", "val1"))
            .vaultName("PratikPrivatePreviewVault1")
            .build());
    }
}
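# Registers a PostgreSQL database as a backup instance in an existing backup vault.
# Nesting is restored here: the outer "properties" holds the resource inputs, the
# inner "properties" holds the backup-instance definition itself.
# All identifiers are sample values; replace them with IDs of existing resources.
resources:
  backupInstance:
    type: azure-native:dataprotection:BackupInstance
    properties:
      backupInstanceName: testInstance1
      properties:
        # The database being protected.
        dataSourceInfo:
          datasourceType: Microsoft.DBforPostgreSQL/servers/databases
          objectType: Datasource
          resourceID: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb
          resourceLocation: ""
          resourceName: testdb
          resourceType: Microsoft.DBforPostgreSQL/servers/databases
          resourceUri: ""
        # The server that hosts the database.
        dataSourceSetInfo:
          datasourceType: Microsoft.DBforPostgreSQL/servers/databases
          objectType: DatasourceSet
          resourceID: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest
          resourceLocation: ""
          resourceName: viveksipgtest
          resourceType: Microsoft.DBforPostgreSQL/servers
          resourceUri: ""
        # Only a reference to the Key Vault secret; the database credential itself
        # is not part of this file.
        datasourceAuthCredentials:
          objectType: SecretStoreBasedAuthCredentials
          secretStoreResource:
            secretStoreType: AzureKeyVault
            uri: https://samplevault.vault.azure.net/secrets/credentials
        friendlyName: harshitbi2
        # User-assigned identity the backup instance runs as (system-assigned is
        # switched off). It has to be able to read the secret referenced above;
        # grant it that and nothing broader.
        identityDetails:
          useSystemAssignedIdentity: false
          userAssignedIdentityArmUrl: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourcegroups/rg-name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testUami
        objectType: BackupInstance
        # The policy ID names subscription 04cf684a-..., while the database IDs name
        # f75d8d8b-...; check that a cross-subscription layout is what you intend.
        policyInfo:
          policyId: /subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1
          policyParameters:
            dataStoreParametersList:
              - dataStoreType: OperationalStore
                objectType: AzureOperationalStoreParameters
                resourceGroupId: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest
        # NOTE(review): shallow validation is requested here; confirm whether your
        # rollout needs the provider's deeper validation mode instead.
        validationType: ShallowValidation
      resourceGroupName: 000pikumar
      tags:
        key1: val1
      vaultName: PratikPrivatePreviewVault1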
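The dataSourceInfo identifies the specific database to back up, while dataSourceSetInfo identifies the parent PostgreSQL server. The datasourceAuthCredentials property points to a Key Vault secret URI containing database credentials, so the configuration holds only a reference to the secret and not the credential itself. The identityDetails property specifies which managed identity the backup service uses to access both the database and Key Vault; that identity needs read access to the referenced secret, and giving it nothing broader limits what the backup path can reach in the vault. The policyInfo links this instance to a backup policy that defines schedule and retention.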
Back up AKS clusters with namespace and volume filtering
Kubernetes workloads often require selective backup strategies that include specific namespaces while excluding system components or sensitive resources like secrets.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Sample identifiers from the provider example. Every one of them must be
// replaced with the ID of a resource that already exists in your environment.
const aksClusterId = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster";
const aksBackupPolicyId = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy";
const operationalStoreResourceGroupId = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg";

// Registers an AKS cluster with the backup vault and narrows what gets backed up.
const backupInstance = new azure_native.dataprotection.BackupInstance("backupInstance", {
    backupInstanceName: "aksbi",
    properties: {
        // For AKS the data source and the data source set both point at the cluster.
        dataSourceInfo: {
            datasourceType: "Microsoft.ContainerService/managedclusters",
            objectType: "Datasource",
            resourceID: aksClusterId,
            resourceLocation: "eastus2euap",
            resourceName: "akscluster",
            resourceType: "Microsoft.ContainerService/managedclusters",
            resourceUri: aksClusterId,
        },
        dataSourceSetInfo: {
            datasourceType: "Microsoft.ContainerService/managedclusters",
            objectType: "DatasourceSet",
            resourceID: aksClusterId,
            resourceLocation: "eastus2euap",
            resourceName: "akscluster",
            resourceType: "Microsoft.ContainerService/managedclusters",
            resourceUri: aksClusterId,
        },
        friendlyName: "aksbi",
        objectType: "BackupInstance",
        policyInfo: {
            policyId: aksBackupPolicyId,
            policyParameters: {
                backupDatasourceParametersList: [{
                    excludedNamespaces: ["kube-system"],
                    // Secrets are left out of the backup, so a restore will not
                    // recreate them; plan to re-provision them separately.
                    excludedResourceTypes: ["v1/Secret"],
                    // Cluster-scoped resources are included in addition to the
                    // namespaced ones selected below.
                    includeClusterScopeResources: true,
                    includedNamespaces: ["test"],
                    includedResourceTypes: [],
                    includedVolumeTypes: [
                        azure_native.dataprotection.AKSVolumeTypes.AzureDisk,
                        azure_native.dataprotection.AKSVolumeTypes.AzureFileShareSMB,
                    ],
                    labelSelectors: [],
                    objectType: "KubernetesClusterBackupDatasourceParameters",
                    snapshotVolumes: true,
                }],
                dataStoreParametersList: [{
                    dataStoreType: azure_native.dataprotection.DataStoreTypes.OperationalStore,
                    objectType: "AzureOperationalStoreParameters",
                    resourceGroupId: operationalStoreResourceGroupId,
                }],
            },
        },
    },
    resourceGroupName: "aksrg",
    tags: {
        key1: "val1",
    },
    vaultName: "aksvault",
});
import pulumi
import pulumi_azure_native as azure_native
# Sample identifiers from the provider example. Every one of them must be
# replaced with the ID of a resource that already exists in your environment.
AKS_CLUSTER_ID = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster"
AKS_BACKUP_POLICY_ID = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy"
OPERATIONAL_STORE_RESOURCE_GROUP_ID = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg"

# Registers an AKS cluster with the backup vault and narrows what gets backed up.
backup_instance = azure_native.dataprotection.BackupInstance(
    "backupInstance",
    backup_instance_name="aksbi",
    properties={
        # For AKS the data source and the data source set both point at the cluster.
        "data_source_info": {
            "datasource_type": "Microsoft.ContainerService/managedclusters",
            "object_type": "Datasource",
            "resource_id": AKS_CLUSTER_ID,
            "resource_location": "eastus2euap",
            "resource_name": "akscluster",
            "resource_type": "Microsoft.ContainerService/managedclusters",
            "resource_uri": AKS_CLUSTER_ID,
        },
        "data_source_set_info": {
            "datasource_type": "Microsoft.ContainerService/managedclusters",
            "object_type": "DatasourceSet",
            "resource_id": AKS_CLUSTER_ID,
            "resource_location": "eastus2euap",
            "resource_name": "akscluster",
            "resource_type": "Microsoft.ContainerService/managedclusters",
            "resource_uri": AKS_CLUSTER_ID,
        },
        "friendly_name": "aksbi",
        "object_type": "BackupInstance",
        "policy_info": {
            "policy_id": AKS_BACKUP_POLICY_ID,
            "policy_parameters": {
                "backup_datasource_parameters_list": [{
                    "excluded_namespaces": ["kube-system"],
                    # Secrets are left out of the backup, so a restore will not
                    # recreate them; plan to re-provision them separately.
                    "excluded_resource_types": ["v1/Secret"],
                    # Cluster-scoped resources are included in addition to the
                    # namespaced ones selected below.
                    "include_cluster_scope_resources": True,
                    "included_namespaces": ["test"],
                    "included_resource_types": [],
                    "included_volume_types": [
                        azure_native.dataprotection.AKSVolumeTypes.AZURE_DISK,
                        azure_native.dataprotection.AKSVolumeTypes.AZURE_FILE_SHARE_SMB,
                    ],
                    "label_selectors": [],
                    "object_type": "KubernetesClusterBackupDatasourceParameters",
                    "snapshot_volumes": True,
                }],
                "data_store_parameters_list": [{
                    "data_store_type": azure_native.dataprotection.DataStoreTypes.OPERATIONAL_STORE,
                    "object_type": "AzureOperationalStoreParameters",
                    "resource_group_id": OPERATIONAL_STORE_RESOURCE_GROUP_ID,
                }],
            },
        },
    },
    resource_group_name="aksrg",
    tags={
        "key1": "val1",
    },
    vault_name="aksvault",
)
package main
import (
dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers an AKS cluster as a backup instance in an existing backup
// vault and narrows what gets backed up.
func main() {
	// Sample identifiers from the provider example. Every one of them must be
	// replaced with the ID of a resource that already exists in your environment.
	const (
		aksClusterID       = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster"
		aksBackupPolicyID  = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy"
		storeResourceGroup = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg"
	)

	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := dataprotection.NewBackupInstance(ctx, "backupInstance", &dataprotection.BackupInstanceArgs{
			BackupInstanceName: pulumi.String("aksbi"),
			Properties: &dataprotection.BackupInstanceTypeArgs{
				// For AKS the data source and the data source set both point at the cluster.
				DataSourceInfo: &dataprotection.DatasourceArgs{
					DatasourceType:   pulumi.String("Microsoft.ContainerService/managedclusters"),
					ObjectType:       pulumi.String("Datasource"),
					ResourceID:       pulumi.String(aksClusterID),
					ResourceLocation: pulumi.String("eastus2euap"),
					ResourceName:     pulumi.String("akscluster"),
					ResourceType:     pulumi.String("Microsoft.ContainerService/managedclusters"),
					ResourceUri:      pulumi.String(aksClusterID),
				},
				DataSourceSetInfo: &dataprotection.DatasourceSetArgs{
					DatasourceType:   pulumi.String("Microsoft.ContainerService/managedclusters"),
					ObjectType:       pulumi.String("DatasourceSet"),
					ResourceID:       pulumi.String(aksClusterID),
					ResourceLocation: pulumi.String("eastus2euap"),
					ResourceName:     pulumi.String("akscluster"),
					ResourceType:     pulumi.String("Microsoft.ContainerService/managedclusters"),
					ResourceUri:      pulumi.String(aksClusterID),
				},
				FriendlyName: pulumi.String("aksbi"),
				ObjectType:   pulumi.String("BackupInstance"),
				PolicyInfo: &dataprotection.PolicyInfoArgs{
					PolicyId: pulumi.String(aksBackupPolicyID),
					PolicyParameters: &dataprotection.PolicyParametersArgs{
						// NOTE(review): this element is written as the plain struct with
						// plain Go values, unlike the pulumi.String-wrapped fields around
						// it; confirm it is accepted by your SDK version.
						BackupDatasourceParametersList: pulumi.Array{
							dataprotection.KubernetesClusterBackupDatasourceParameters{
								ExcludedNamespaces: []string{"kube-system"},
								// Secrets are left out of the backup, so a restore will not
								// recreate them; plan to re-provision them separately.
								ExcludedResourceTypes: []string{"v1/Secret"},
								// Cluster-scoped resources are included in addition to the
								// namespaced ones selected below.
								IncludeClusterScopeResources: true,
								IncludedNamespaces:           []string{"test"},
								IncludedResourceTypes:        []interface{}{},
								IncludedVolumeTypes: []dataprotection.AKSVolumeTypes{
									dataprotection.AKSVolumeTypesAzureDisk,
									dataprotection.AKSVolumeTypesAzureFileShareSMB,
								},
								LabelSelectors:  []interface{}{},
								ObjectType:      "KubernetesClusterBackupDatasourceParameters",
								SnapshotVolumes: true,
							},
						},
						DataStoreParametersList: dataprotection.AzureOperationalStoreParametersArray{
							&dataprotection.AzureOperationalStoreParametersArgs{
								DataStoreType:   pulumi.String(dataprotection.DataStoreTypesOperationalStore),
								ObjectType:      pulumi.String("AzureOperationalStoreParameters"),
								ResourceGroupId: pulumi.String(storeResourceGroup),
							},
						},
					},
				},
			},
			ResourceGroupName: pulumi.String("aksrg"),
			Tags: pulumi.StringMap{
				"key1": pulumi.String("val1"),
			},
			VaultName: pulumi.String("aksvault"),
		})
		// The registration error is the only outcome to report; nil means success.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Registers an AKS cluster as a backup instance in an existing backup vault and
// narrows what gets backed up.
return await Deployment.RunAsync(() =>
{
    // Sample identifiers from the provider example. Every one of them must be
    // replaced with the ID of a resource that already exists in your environment.
    const string aksClusterId = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster";
    const string aksBackupPolicyId = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy";
    const string operationalStoreResourceGroupId = "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg";

    var backupInstance = new AzureNative.DataProtection.BackupInstance("backupInstance", new()
    {
        BackupInstanceName = "aksbi",
        Properties = new AzureNative.DataProtection.Inputs.BackupInstanceArgs
        {
            // For AKS the data source and the data source set both point at the cluster.
            DataSourceInfo = new AzureNative.DataProtection.Inputs.DatasourceArgs
            {
                DatasourceType = "Microsoft.ContainerService/managedclusters",
                ObjectType = "Datasource",
                ResourceID = aksClusterId,
                ResourceLocation = "eastus2euap",
                ResourceName = "akscluster",
                ResourceType = "Microsoft.ContainerService/managedclusters",
                ResourceUri = aksClusterId,
            },
            DataSourceSetInfo = new AzureNative.DataProtection.Inputs.DatasourceSetArgs
            {
                DatasourceType = "Microsoft.ContainerService/managedclusters",
                ObjectType = "DatasourceSet",
                ResourceID = aksClusterId,
                ResourceLocation = "eastus2euap",
                ResourceName = "akscluster",
                ResourceType = "Microsoft.ContainerService/managedclusters",
                ResourceUri = aksClusterId,
            },
            FriendlyName = "aksbi",
            ObjectType = "BackupInstance",
            PolicyInfo = new AzureNative.DataProtection.Inputs.PolicyInfoArgs
            {
                PolicyId = aksBackupPolicyId,
                PolicyParameters = new AzureNative.DataProtection.Inputs.PolicyParametersArgs
                {
                    BackupDatasourceParametersList = new[]
                    {
                        new AzureNative.DataProtection.Inputs.KubernetesClusterBackupDatasourceParametersArgs
                        {
                            ExcludedNamespaces = new[]
                            {
                                "kube-system",
                            },
                            // Secrets are left out of the backup, so a restore will not
                            // recreate them; plan to re-provision them separately.
                            ExcludedResourceTypes = new[]
                            {
                                "v1/Secret",
                            },
                            // Cluster-scoped resources are included in addition to the
                            // namespaced ones selected below.
                            IncludeClusterScopeResources = true,
                            IncludedNamespaces = new[]
                            {
                                "test",
                            },
                            IncludedResourceTypes = new() { },
                            IncludedVolumeTypes = new[]
                            {
                                AzureNative.DataProtection.AKSVolumeTypes.AzureDisk,
                                AzureNative.DataProtection.AKSVolumeTypes.AzureFileShareSMB,
                            },
                            LabelSelectors = new() { },
                            ObjectType = "KubernetesClusterBackupDatasourceParameters",
                            SnapshotVolumes = true,
                        },
                    },
                    DataStoreParametersList = new[]
                    {
                        new AzureNative.DataProtection.Inputs.AzureOperationalStoreParametersArgs
                        {
                            DataStoreType = AzureNative.DataProtection.DataStoreTypes.OperationalStore,
                            ObjectType = "AzureOperationalStoreParameters",
                            ResourceGroupId = operationalStoreResourceGroupId,
                        },
                    },
                },
            },
        },
        ResourceGroupName = "aksrg",
        Tags =
        {
            { "key1", "val1" },
        },
        VaultName = "aksvault",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupInstance;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceArgs;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceSetArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyInfoArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that registers an AKS cluster as a backup instance in an existing
 * backup vault and narrows what gets backed up.
 *
 * NOTE(review): BackupInstanceArgs and KubernetesClusterBackupDatasourceParametersArgs
 * are used below but do not appear among the import lines shown with this listing;
 * confirm the imports before compiling.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the backup instance. All identifiers are sample values and must be
     * replaced with the IDs of resources that already exist.
     *
     * @param ctx Pulumi context supplied by the runtime; this method does not read it.
     */
    public static void stack(Context ctx) {
        var backupInstance = new BackupInstance("backupInstance", BackupInstanceArgs.builder()
            .backupInstanceName("aksbi")
            // NOTE(review): the simple name BackupInstanceArgs is used both for the resource
            // arguments above and for the nested properties here; presumably these are two
            // different types. Verify against the SDK.
            .properties(BackupInstanceArgs.builder()
                // For AKS the data source and the data source set both point at the cluster.
                .dataSourceInfo(DatasourceArgs.builder()
                    .datasourceType("Microsoft.ContainerService/managedclusters")
                    .objectType("Datasource")
                    .resourceID("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster")
                    .resourceLocation("eastus2euap")
                    .resourceName("akscluster")
                    .resourceType("Microsoft.ContainerService/managedclusters")
                    .resourceUri("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster")
                    .build())
                .dataSourceSetInfo(DatasourceSetArgs.builder()
                    .datasourceType("Microsoft.ContainerService/managedclusters")
                    .objectType("DatasourceSet")
                    .resourceID("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster")
                    .resourceLocation("eastus2euap")
                    .resourceName("akscluster")
                    .resourceType("Microsoft.ContainerService/managedclusters")
                    .resourceUri("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster")
                    .build())
                .friendlyName("aksbi")
                .objectType("BackupInstance")
                .policyInfo(PolicyInfoArgs.builder()
                    .policyId("/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy")
                    .policyParameters(PolicyParametersArgs.builder()
                        .backupDatasourceParametersList(KubernetesClusterBackupDatasourceParametersArgs.builder()
                            .excludedNamespaces("kube-system")
                            // Secrets are left out of the backup, so a restore will not
                            // recreate them; plan to re-provision them separately.
                            .excludedResourceTypes("v1/Secret")
                            // Cluster-scoped resources are included in addition to the
                            // namespaced ones selected below.
                            .includeClusterScopeResources(true)
                            .includedNamespaces("test")
                            .includedResourceTypes()
                            .includedVolumeTypes(
                                "AzureDisk",
                                "AzureFileShareSMB")
                            .labelSelectors()
                            .objectType("KubernetesClusterBackupDatasourceParameters")
                            .snapshotVolumes(true)
                            .build())
                        // NOTE(review): a single Map is passed where the other language
                        // listings pass a list with one element; confirm against the SDK.
                        .dataStoreParametersList(Map.ofEntries(
                            Map.entry("dataStoreType", "OperationalStore"),
                            Map.entry("objectType", "AzureOperationalStoreParameters"),
                            Map.entry("resourceGroupId", "/subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg")
                        ))
                        .build())
                    .build())
                .build())
            .resourceGroupName("aksrg")
            .tags(Map.of("key1", "val1"))
            .vaultName("aksvault")
            .build());
    }
}
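# Registers an AKS cluster as a backup instance in an existing backup vault.
# Nesting is restored here: the outer "properties" holds the resource inputs, the
# inner "properties" holds the backup-instance definition itself.
# All identifiers are sample values; replace them with IDs of existing resources.
resources:
  backupInstance:
    type: azure-native:dataprotection:BackupInstance
    properties:
      backupInstanceName: aksbi
      properties:
        # For AKS the data source and the data source set both point at the cluster.
        dataSourceInfo:
          datasourceType: Microsoft.ContainerService/managedclusters
          objectType: Datasource
          resourceID: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster
          resourceLocation: eastus2euap
          resourceName: akscluster
          resourceType: Microsoft.ContainerService/managedclusters
          resourceUri: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster
        dataSourceSetInfo:
          datasourceType: Microsoft.ContainerService/managedclusters
          objectType: DatasourceSet
          resourceID: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster
          resourceLocation: eastus2euap
          resourceName: akscluster
          resourceType: Microsoft.ContainerService/managedclusters
          resourceUri: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg/providers/Microsoft.ContainerService/managedClusters/akscluster
        friendlyName: aksbi
        objectType: BackupInstance
        policyInfo:
          policyId: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourcegroups/aksrg/providers/Microsoft.DataProtection/BackupVaults/aksvault/backupPolicies/akspolicy
          policyParameters:
            backupDatasourceParametersList:
              - excludedNamespaces:
                  - kube-system
                # Secrets are left out of the backup, so a restore will not
                # recreate them; plan to re-provision them separately.
                excludedResourceTypes:
                  - v1/Secret
                # Cluster-scoped resources are included in addition to the
                # namespaced ones selected below.
                includeClusterScopeResources: true
                includedNamespaces:
                  - test
                includedResourceTypes: []
                includedVolumeTypes:
                  - AzureDisk
                  - AzureFileShareSMB
                labelSelectors: []
                objectType: KubernetesClusterBackupDatasourceParameters
                snapshotVolumes: true
            dataStoreParametersList:
              - dataStoreType: OperationalStore
                objectType: AzureOperationalStoreParameters
                resourceGroupId: /subscriptions/62b829ee-7936-40c9-a1c9-47a93f9f3965/resourceGroups/aksrg
      resourceGroupName: aksrg
      tags:
        key1: val1
      vaultName: aksvault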
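The backupDatasourceParametersList property contains Kubernetes-specific configuration. The excludedNamespaces array prevents backing up system namespaces like kube-system, while includedNamespaces limits backup to specific application namespaces. The excludedResourceTypes array skips sensitive resources like Secrets; because they are left out of the backup, a restore will not recreate them, and they have to be re-provisioned from wherever they are managed. The includeClusterScopeResources flag, set to true in this example, also brings cluster-scoped resources into the backup. The snapshotVolumes property enables volume snapshot integration, and includedVolumeTypes specifies which volume types to capture (Azure Disk, Azure File Share).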
Enforce multi-user authorization for policy changes
Organizations with strict compliance requirements use Resource Guard to require approval from a separate security team before modifying backup policies or performing critical operations.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Sample ARM identifiers carried over from the example; replace each one with a
// value from your own environment before deploying.
const postgresServerId =
  "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest";
const postgresDatabaseId =
  "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb";
const operationalStoreResourceGroupId =
  "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest";
const backupPolicyId =
  "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1";
// The Resource Guard request lives under a different subscription than the
// vault and policy above; the request path names the dppModifyPolicy operation.
const modifyPolicyGuardRequestId =
  "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default";
// Only the Key Vault secret URI is passed to the resource; the credential value
// itself does not appear in this program. The URI has no version segment.
// NOTE(review): presumably the current secret version is resolved; confirm how
// rotation is picked up.
const credentialSecretUri = "https://samplevault.vault.azure.net/secrets/credentials";

// The database being protected.
const dataSourceInfo = {
  datasourceType: "Microsoft.DBforPostgreSQL/servers/databases",
  objectType: "Datasource",
  resourceID: postgresDatabaseId,
  resourceLocation: "",
  resourceName: "testdb",
  resourceType: "Microsoft.DBforPostgreSQL/servers/databases",
  resourceUri: "",
};

// The server that hosts the database.
const dataSourceSetInfo = {
  datasourceType: "Microsoft.DBforPostgreSQL/servers/databases",
  objectType: "DatasourceSet",
  resourceID: postgresServerId,
  resourceLocation: "",
  resourceName: "viveksipgtest",
  resourceType: "Microsoft.DBforPostgreSQL/servers",
  resourceUri: "",
};

// Registers the PostgreSQL database with the backup vault and attaches the
// Resource Guard request for the policy-modification operation.
const backupInstance = new azure_native.dataprotection.BackupInstance("backupInstance", {
  backupInstanceName: "testInstance1",
  properties: {
    dataSourceInfo,
    dataSourceSetInfo,
    datasourceAuthCredentials: {
      objectType: "SecretStoreBasedAuthCredentials",
      secretStoreResource: {
        secretStoreType: azure_native.dataprotection.SecretStoreType.AzureKeyVault,
        uri: credentialSecretUri,
      },
    },
    friendlyName: "harshitbi2",
    objectType: "BackupInstance",
    policyInfo: {
      policyId: backupPolicyId,
      policyParameters: {
        dataStoreParametersList: [
          {
            dataStoreType: azure_native.dataprotection.DataStoreTypes.OperationalStore,
            objectType: "AzureOperationalStoreParameters",
            resourceGroupId: operationalStoreResourceGroupId,
          },
        ],
      },
    },
    resourceGuardOperationRequests: [modifyPolicyGuardRequestId],
    validationType: azure_native.dataprotection.ValidationType.ShallowValidation,
  },
  resourceGroupName: "000pikumar",
  tags: {
    key1: "val1",
  },
  vaultName: "PratikPrivatePreviewVault1",
});
import pulumi
import pulumi_azure_native as azure_native
# Sample ARM identifiers carried over from the example; replace each one with a
# value from your own environment before deploying.
postgres_server_id = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest"
postgres_database_id = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb"
operational_store_resource_group_id = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest"
backup_policy_id = "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1"
# The Resource Guard request lives under a different subscription than the vault
# and policy above; the request path names the dppModifyPolicy operation.
modify_policy_guard_request_id = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default"
# Only the Key Vault secret URI is passed to the resource; the credential value
# itself does not appear in this program. The URI has no version segment.
# NOTE(review): presumably the current secret version is resolved; confirm how
# rotation is picked up.
credential_secret_uri = "https://samplevault.vault.azure.net/secrets/credentials"

# The database being protected.
data_source_info = {
    "datasource_type": "Microsoft.DBforPostgreSQL/servers/databases",
    "object_type": "Datasource",
    "resource_id": postgres_database_id,
    "resource_location": "",
    "resource_name": "testdb",
    "resource_type": "Microsoft.DBforPostgreSQL/servers/databases",
    "resource_uri": "",
}

# The server that hosts the database.
data_source_set_info = {
    "datasource_type": "Microsoft.DBforPostgreSQL/servers/databases",
    "object_type": "DatasourceSet",
    "resource_id": postgres_server_id,
    "resource_location": "",
    "resource_name": "viveksipgtest",
    "resource_type": "Microsoft.DBforPostgreSQL/servers",
    "resource_uri": "",
}

# Registers the PostgreSQL database with the backup vault and attaches the
# Resource Guard request for the policy-modification operation.
backup_instance = azure_native.dataprotection.BackupInstance(
    "backupInstance",
    backup_instance_name="testInstance1",
    properties={
        "data_source_info": data_source_info,
        "data_source_set_info": data_source_set_info,
        "datasource_auth_credentials": {
            "object_type": "SecretStoreBasedAuthCredentials",
            "secret_store_resource": {
                "secret_store_type": azure_native.dataprotection.SecretStoreType.AZURE_KEY_VAULT,
                "uri": credential_secret_uri,
            },
        },
        "friendly_name": "harshitbi2",
        "object_type": "BackupInstance",
        "policy_info": {
            "policy_id": backup_policy_id,
            "policy_parameters": {
                "data_store_parameters_list": [
                    {
                        "data_store_type": azure_native.dataprotection.DataStoreTypes.OPERATIONAL_STORE,
                        "object_type": "AzureOperationalStoreParameters",
                        "resource_group_id": operational_store_resource_group_id,
                    }
                ],
            },
        },
        "resource_guard_operation_requests": [modify_policy_guard_request_id],
        "validation_type": azure_native.dataprotection.ValidationType.SHALLOW_VALIDATION,
    },
    resource_group_name="000pikumar",
    tags={
        "key1": "val1",
    },
    vault_name="PratikPrivatePreviewVault1",
)
package main
import (
dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a PostgreSQL database with a backup vault and attaches a
// Resource Guard request for the policy-modification operation.
func main() {
	// Sample ARM identifiers carried over from the example; replace each one
	// with a value from your own environment before deploying.
	const (
		postgresServerID   = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest"
		postgresDatabaseID = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb"
		storeResourceGroup = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest"
		backupPolicyID     = "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1"
		// The Resource Guard request lives under a different subscription
		// than the vault and policy above.
		guardRequestID = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default"
		// Only the Key Vault secret URI is passed; the credential value itself
		// does not appear in this program. The URI has no version segment.
		// NOTE(review): presumably the current secret version is resolved;
		// confirm how rotation is picked up.
		credentialSecretURI = "https://samplevault.vault.azure.net/secrets/credentials"
	)

	pulumi.Run(func(ctx *pulumi.Context) error {
		instanceArgs := &dataprotection.BackupInstanceArgs{
			BackupInstanceName: pulumi.String("testInstance1"),
			Properties: &dataprotection.BackupInstanceTypeArgs{
				// The database being protected.
				DataSourceInfo: &dataprotection.DatasourceArgs{
					DatasourceType:   pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ObjectType:       pulumi.String("Datasource"),
					ResourceID:       pulumi.String(postgresDatabaseID),
					ResourceLocation: pulumi.String(""),
					ResourceName:     pulumi.String("testdb"),
					ResourceType:     pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ResourceUri:      pulumi.String(""),
				},
				// The server that hosts the database.
				DataSourceSetInfo: &dataprotection.DatasourceSetArgs{
					DatasourceType:   pulumi.String("Microsoft.DBforPostgreSQL/servers/databases"),
					ObjectType:       pulumi.String("DatasourceSet"),
					ResourceID:       pulumi.String(postgresServerID),
					ResourceLocation: pulumi.String(""),
					ResourceName:     pulumi.String("viveksipgtest"),
					ResourceType:     pulumi.String("Microsoft.DBforPostgreSQL/servers"),
					ResourceUri:      pulumi.String(""),
				},
				DatasourceAuthCredentials: &dataprotection.SecretStoreBasedAuthCredentialsArgs{
					ObjectType: pulumi.String("SecretStoreBasedAuthCredentials"),
					SecretStoreResource: &dataprotection.SecretStoreResourceArgs{
						SecretStoreType: pulumi.String(dataprotection.SecretStoreTypeAzureKeyVault),
						Uri:             pulumi.String(credentialSecretURI),
					},
				},
				FriendlyName: pulumi.String("harshitbi2"),
				ObjectType:   pulumi.String("BackupInstance"),
				PolicyInfo: &dataprotection.PolicyInfoArgs{
					PolicyId: pulumi.String(backupPolicyID),
					PolicyParameters: &dataprotection.PolicyParametersArgs{
						DataStoreParametersList: dataprotection.AzureOperationalStoreParametersArray{
							&dataprotection.AzureOperationalStoreParametersArgs{
								DataStoreType:   pulumi.String(dataprotection.DataStoreTypesOperationalStore),
								ObjectType:      pulumi.String("AzureOperationalStoreParameters"),
								ResourceGroupId: pulumi.String(storeResourceGroup),
							},
						},
					},
				},
				ResourceGuardOperationRequests: pulumi.StringArray{
					pulumi.String(guardRequestID),
				},
				ValidationType: pulumi.String(dataprotection.ValidationTypeShallowValidation),
			},
			ResourceGroupName: pulumi.String("000pikumar"),
			Tags: pulumi.StringMap{
				"key1": pulumi.String("val1"),
			},
			VaultName: pulumi.String("PratikPrivatePreviewVault1"),
		}

		// The resource handle is not used afterwards; only the error is propagated.
		_, err := dataprotection.NewBackupInstance(ctx, "backupInstance", instanceArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Registers a PostgreSQL database with a backup vault and attaches a Resource
// Guard request for the policy-modification operation.
return await Deployment.RunAsync(() =>
{
    // Sample ARM identifiers carried over from the example; replace each one
    // with a value from your own environment before deploying.
    const string postgresServerId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest";
    const string postgresDatabaseId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb";
    const string operationalStoreResourceGroupId = "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest";
    const string backupPolicyId = "/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1";
    // The Resource Guard request lives under a different subscription than the
    // vault and policy above; the request path names the dppModifyPolicy operation.
    const string modifyPolicyGuardRequestId = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default";
    // Only the Key Vault secret URI is passed; the credential value itself does
    // not appear in this program. The URI has no version segment.
    // NOTE(review): presumably the current secret version is resolved; confirm
    // how rotation is picked up.
    const string credentialSecretUri = "https://samplevault.vault.azure.net/secrets/credentials";

    var backupInstance = new AzureNative.DataProtection.BackupInstance("backupInstance", new()
    {
        BackupInstanceName = "testInstance1",
        Properties = new AzureNative.DataProtection.Inputs.BackupInstanceArgs
        {
            // The database being protected.
            DataSourceInfo = new AzureNative.DataProtection.Inputs.DatasourceArgs
            {
                DatasourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ObjectType = "Datasource",
                ResourceID = postgresDatabaseId,
                ResourceLocation = "",
                ResourceName = "testdb",
                ResourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ResourceUri = "",
            },
            // The server that hosts the database.
            DataSourceSetInfo = new AzureNative.DataProtection.Inputs.DatasourceSetArgs
            {
                DatasourceType = "Microsoft.DBforPostgreSQL/servers/databases",
                ObjectType = "DatasourceSet",
                ResourceID = postgresServerId,
                ResourceLocation = "",
                ResourceName = "viveksipgtest",
                ResourceType = "Microsoft.DBforPostgreSQL/servers",
                ResourceUri = "",
            },
            DatasourceAuthCredentials = new AzureNative.DataProtection.Inputs.SecretStoreBasedAuthCredentialsArgs
            {
                ObjectType = "SecretStoreBasedAuthCredentials",
                SecretStoreResource = new AzureNative.DataProtection.Inputs.SecretStoreResourceArgs
                {
                    SecretStoreType = AzureNative.DataProtection.SecretStoreType.AzureKeyVault,
                    Uri = credentialSecretUri,
                },
            },
            FriendlyName = "harshitbi2",
            ObjectType = "BackupInstance",
            PolicyInfo = new AzureNative.DataProtection.Inputs.PolicyInfoArgs
            {
                PolicyId = backupPolicyId,
                PolicyParameters = new AzureNative.DataProtection.Inputs.PolicyParametersArgs
                {
                    DataStoreParametersList = new[]
                    {
                        new AzureNative.DataProtection.Inputs.AzureOperationalStoreParametersArgs
                        {
                            DataStoreType = AzureNative.DataProtection.DataStoreTypes.OperationalStore,
                            ObjectType = "AzureOperationalStoreParameters",
                            ResourceGroupId = operationalStoreResourceGroupId,
                        },
                    },
                },
            },
            ResourceGuardOperationRequests = new[]
            {
                modifyPolicyGuardRequestId,
            },
            ValidationType = AzureNative.DataProtection.ValidationType.ShallowValidation,
        },
        ResourceGroupName = "000pikumar",
        Tags =
        {
            { "key1", "val1" },
        },
        VaultName = "PratikPrivatePreviewVault1",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupInstance;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceArgs;
import com.pulumi.azurenative.dataprotection.inputs.DatasourceSetArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecretStoreBasedAuthCredentialsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecretStoreResourceArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyInfoArgs;
import com.pulumi.azurenative.dataprotection.inputs.PolicyParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that registers a PostgreSQL database with a backup vault and
 * attaches a Resource Guard request for the policy-modification operation.
 *
 * NOTE(review): BackupInstanceArgs is used below, but no import for it is
 * visible in this listing, and the same simple name is used for both the
 * resource arguments and the nested properties builder. Confirm the intended
 * types against the SDK before compiling.
 *
 * All ARM identifiers are sample values from the example; replace each one
 * with a value from your own environment.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the backup instance resource on the given Pulumi context.
     *
     * @param ctx the Pulumi context passed in by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var backupInstance = new BackupInstance("backupInstance", BackupInstanceArgs.builder()
            .backupInstanceName("testInstance1")
            .properties(BackupInstanceArgs.builder()
                // The database being protected.
                .dataSourceInfo(DatasourceArgs.builder()
                    .datasourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .objectType("Datasource")
                    .resourceID("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb")
                    .resourceLocation("")
                    .resourceName("testdb")
                    .resourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .resourceUri("")
                    .build())
                // The server that hosts the database.
                .dataSourceSetInfo(DatasourceSetArgs.builder()
                    .datasourceType("Microsoft.DBforPostgreSQL/servers/databases")
                    .objectType("DatasourceSet")
                    .resourceID("/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest")
                    .resourceLocation("")
                    .resourceName("viveksipgtest")
                    .resourceType("Microsoft.DBforPostgreSQL/servers")
                    .resourceUri("")
                    .build())
                // Only the Key Vault secret URI is passed; the credential value itself
                // does not appear in this program. The URI has no version segment.
                // NOTE(review): this is passed as a Map although
                // SecretStoreBasedAuthCredentialsArgs is imported above; confirm which
                // form the builder accepts.
                .datasourceAuthCredentials(Map.ofEntries(
                    Map.entry("objectType", "SecretStoreBasedAuthCredentials"),
                    Map.entry("secretStoreResource", SecretStoreResourceArgs.builder()
                        .secretStoreType("AzureKeyVault")
                        .uri("https://samplevault.vault.azure.net/secrets/credentials")
                        .build())
                ))
                .friendlyName("harshitbi2")
                .objectType("BackupInstance")
                .policyInfo(PolicyInfoArgs.builder()
                    .policyId("/subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1")
                    .policyParameters(PolicyParametersArgs.builder()
                        .dataStoreParametersList(Map.ofEntries(
                            Map.entry("dataStoreType", "OperationalStore"),
                            Map.entry("objectType", "AzureOperationalStoreParameters"),
                            Map.entry("resourceGroupId", "/subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest")
                        ))
                        .build())
                    .build())
                // The Resource Guard request lives under a different subscription than
                // the vault and policy above; the path names the dppModifyPolicy operation.
                .resourceGuardOperationRequests("/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default")
                .validationType("ShallowValidation")
                .build())
            .resourceGroupName("000pikumar")
            .tags(Map.of("key1", "val1"))
            .vaultName("PratikPrivatePreviewVault1")
            .build());
    }
}
# Registers a PostgreSQL database with a backup vault and attaches a Resource
# Guard request for the policy-modification operation.
# All ARM identifiers are sample values from the example; replace each one with
# a value from your own environment.
resources:
  backupInstance:
    type: azure-native:dataprotection:BackupInstance
    properties:
      backupInstanceName: testInstance1
      properties:
        # The database being protected.
        dataSourceInfo:
          datasourceType: Microsoft.DBforPostgreSQL/servers/databases
          objectType: Datasource
          resourceID: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest/databases/testdb
          resourceLocation: ""
          resourceName: testdb
          resourceType: Microsoft.DBforPostgreSQL/servers/databases
          resourceUri: ""
        # The server that hosts the database.
        dataSourceSetInfo:
          datasourceType: Microsoft.DBforPostgreSQL/servers/databases
          objectType: DatasourceSet
          resourceID: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest/providers/Microsoft.DBforPostgreSQL/servers/viveksipgtest
          resourceLocation: ""
          resourceName: viveksipgtest
          resourceType: Microsoft.DBforPostgreSQL/servers
          resourceUri: ""
        # Only the Key Vault secret URI is given here; the credential value itself
        # does not appear in this file. The URI has no version segment.
        # NOTE(review): presumably the current secret version is resolved; confirm
        # how rotation is picked up.
        datasourceAuthCredentials:
          objectType: SecretStoreBasedAuthCredentials
          secretStoreResource:
            secretStoreType: AzureKeyVault
            uri: https://samplevault.vault.azure.net/secrets/credentials
        friendlyName: harshitbi2
        objectType: BackupInstance
        policyInfo:
          policyId: /subscriptions/04cf684a-d41f-4550-9f70-7708a3a2283b/resourceGroups/000pikumar/providers/Microsoft.DataProtection/Backupvaults/PratikPrivatePreviewVault1/backupPolicies/PratikPolicy1
          policyParameters:
            dataStoreParametersList:
              - dataStoreType: OperationalStore
                objectType: AzureOperationalStoreParameters
                resourceGroupId: /subscriptions/f75d8d8b-6735-4697-82e1-1a7a3ff0d5d4/resourceGroups/viveksipgtest
        # The Resource Guard request lives under a different subscription than the
        # vault and policy above; the path names the dppModifyPolicy operation.
        resourceGuardOperationRequests:
          - /subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourcegroups/ankurResourceGuard1/providers/Microsoft.DataProtection/resourceGuards/ResourceGuard38-1/dppModifyPolicy/default
        validationType: ShallowValidation
      resourceGroupName: 000pikumar
      tags:
        key1: val1
      vaultName: PratikPrivatePreviewVault1
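The resourceGuardOperationRequests property lists Resource Guard operations that require additional authorization. When you attempt to modify the backup policy, Azure Data Protection checks with the Resource Guard before allowing the change. This prevents a single administrator from both configuring backups and modifying protection policies, enforcing separation of duties. That separation only holds when the Resource Guard is administered by someone other than the backup administrator; in the example, the Resource Guard sits in a different subscription from the backup vault.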
Beyond these examples
These snippets focus on specific backup instance features: PostgreSQL and AKS backup registration, Key Vault credential integration, Kubernetes-specific filtering, and multi-user authorization with Resource Guard. They’re intentionally minimal rather than full backup solutions.
The examples reference pre-existing infrastructure such as backup vaults and backup policies, data sources (PostgreSQL servers, AKS clusters), Key Vault secrets for database credentials, managed identities for authentication, and Resource Guards for MUA scenarios. They focus on registering data sources with backup vaults rather than provisioning the surrounding infrastructure.
To keep things focused, common backup instance patterns are omitted, including:
- Backup schedule configuration (defined in backup policy, not instance)
- Retention settings (defined in backup policy, not instance)
- Cross-region restore configuration
- Backup validation types beyond ShallowValidation
These omissions are intentional: the goal is to illustrate how each backup instance feature is wired, not provide drop-in backup modules. See the BackupInstance resource reference for all available configuration options.
Frequently Asked Questions
Configuration & Required Properties
The backupInstanceName, resourceGroupName, and vaultName properties are immutable and cannot be changed after creation. You’ll need to recreate the backup instance to modify these values.
dataSourceInfo identifies the specific resource to back up (like a database), while dataSourceSetInfo identifies its parent resource (like the database server). For example, when backing up a PostgreSQL database, dataSourceInfo points to the database and dataSourceSetInfo points to the server.
Set datasourceType to Microsoft.DBforPostgreSQL/servers/databases for PostgreSQL databases and Microsoft.ContainerService/managedclusters for AKS clusters. Different datasource types may require different configuration parameters.
resourceGroupId in AzureOperationalStoreParameters specifies where backup data snapshots are stored. This is typically set to the resource group containing the datasource being backed up.
Authentication & Identity
Use datasourceAuthCredentials with SecretStoreBasedAuthCredentials to reference credentials stored in Azure Key Vault. Set secretStoreType to AzureKeyVault and provide the Key Vault secret URI.
Configure identityDetails. Set useSystemAssignedIdentity to true for system-assigned identity, or set it to false and provide userAssignedIdentityArmUrl for user-assigned identity.
Policy Configuration
Set policyInfo.policyId to the full ARM resource ID of your backup policy (e.g., /subscriptions/{id}/resourceGroups/{rg}/providers/Microsoft.DataProtection/Backupvaults/{vault}/backupPolicies/{policy}).
Use ShallowValidation as the validationType. This validates the backup configuration without performing a full backup operation.
AKS-Specific Configuration
Use KubernetesClusterBackupDatasourceParameters in policyParameters.backupDatasourceParametersList. Specify includedNamespaces for namespaces to back up and excludedNamespaces for those to skip (e.g., kube-system).
In KubernetesClusterBackupDatasourceParameters, set snapshotVolumes to true and specify includedVolumeTypes (such as AzureDisk or AzureFileShareSMB).
Use excludedResourceTypes in KubernetesClusterBackupDatasourceParameters to specify resource types to skip (e.g., v1/Secret). You can also use includedResourceTypes to back up only specific types.
Setting includeClusterScopeResources to true in KubernetesClusterBackupDatasourceParameters includes cluster-wide resources (not namespaced) in the backup.