Add backups to workspaces.

CHANGELOG.md

@@ -14,11 +14,12 @@ ENHANCEMENTS:
 * Add bundle target to Makefile for handling different bundle types in single command ([#4372](https://github.com/microsoft/AzureTRE/issues/4372))
 * Migrate UI to Vite build engine and update dependencies ([#4368](https://github.com/microsoft/AzureTRE/pull/4368))
 * Add Windows image field to the Admin VM template ([#4274](https://github.com/microsoft/AzureTRE/pull/4274))
-* Update TLS to the latest version for web apps / function apps (([#4351](https://github.com/microsoft/AzureTRE/issues/4351))
+* Update TLS to the latest version for web apps / function apps ([#4351](https://github.com/microsoft/AzureTRE/issues/4351))
+* Added backup vault to base workspace & updated Azurerm provider to match core. ([[#4362](https://github.com/microsoft/AzureTRE/issues/4362)])
 
 BUG FIXES:
 * Fix upgrade when porter install has failed ([#4338](https://github.com/microsoft/AzureTRE/pull/4338))
-* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294)])
+* Certs shared service: Secret nexus-ssl-password is currently in a deleted but recoverable state ([#4294](https://github.com/microsoft/AzureTRE/issues/4294))
 * Fix Cosmos DB local debugging configuration ([#4340](https://github.com/microsoft/AzureTRE/pull/4340))
 
 COMPONENTS:

templates/workspaces/base/parameters.json

@@ -159,6 +159,12 @@
       "source": {
         "env": "KEY_STORE_ID"
       }
+    },
+    {
+      "name": "enable_backup",
+      "source": {
+        "env": "ENABLE_BACKUP"
+      }
     }
   ]
 }

templates/workspaces/base/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 1.9.3
+version: 2.0.12
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -126,6 +126,27 @@ parameters:
     type: string
     default: "GRS"
     description: "The redundancy option for the storage account in the workspace: GRS (Geo-Redundant Storage) or ZRS (Zone-Redundant Storage)."
+  - name: enable_backup
+    type: boolean
+    default: true
+    description: "Enable backups for the workspace, including the vm's & shared storage."
+  - name: backup_vault_name
+    type: string
+    default: ""
+    description: "The name of the backup vault to use for backups"
+  - name: backup_vault_vm_backup_policy_name
+    type: string
+    default: ""
+    description: "The name of the backup policy to use for VM backups"
+  - name: backup_vault_fileshare_backup_policy_name
+    type: string
+    default: ""
+    description: "The name of the backup policy to use for fileshare backups"
+  - name: workspace_resource_name_suffix
+    type: string
+    default: ""
+    description: "A suffix to append to the workspace resource names"
+
 
 outputs:
   - name: app_role_id_workspace_owner
@@ -158,6 +179,22 @@ outputs:
     applyTo:
       - install
       - upgrade
+  - name: backup_vault_name
+    type: string
+    applyTo:
+      - install
+      - upgrade
+  - name: backup_vault_vm_backup_policy_name
+    type: string
+    applyTo:
+      - install
+      - upgrade
+  - name: backup_vault_fileshare_backup_policy_name
+    type: string
+    applyTo:
+      - install
+      - upgrade
+
 
 mixins:
   - exec
@@ -196,6 +233,7 @@ install:
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
+        enable_backup: ${ bundle.parameters.enable_backup }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -210,6 +248,9 @@ install:
         - name: client_id
         - name: scope_id
         - name: sp_id
+        - name: backup_vault_name
+        - name: backup_vault_vm_backup_policy_name
+        - name: backup_vault_fileshare_backup_policy_name
 
 upgrade:
   - terraform:
@@ -241,6 +282,7 @@ upgrade:
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
+        enable_backup: ${ bundle.parameters.enable_backup }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -255,6 +297,9 @@ upgrade:
         - name: client_id
         - name: scope_id
         - name: sp_id
+        - name: backup_vault_name
+        - name: backup_vault_vm_backup_policy_name
+        - name: backup_vault_fileshare_backup_policy_name
   - az:
       description: "Set Azure Cloud Environment"
       arguments:
@@ -309,10 +354,21 @@ uninstall:
         enable_cmk_encryption: ${ bundle.parameters.enable_cmk_encryption }
         key_store_id: ${ bundle.parameters.key_store_id }
         storage_account_redundancy: ${ bundle.parameters.storage_account_redundancy }
+        enable_backup: ${ bundle.parameters.enable_backup }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
         resource_group_name: ${ bundle.parameters.tfstate_resource_group_name }
         storage_account_name: ${ bundle.parameters.tfstate_storage_account_name }
         container_name: ${ bundle.parameters.tfstate_container_name }
         key: ${ bundle.parameters.tre_id }-ws-${ bundle.parameters.id }
+      outputs:
+        - name: app_role_id_workspace_owner
+        - name: app_role_id_workspace_researcher
+        - name: app_role_id_workspace_airlock_manager
+        - name: client_id
+        - name: scope_id
+        - name: sp_id
+        - name: backup_vault_name
+        - name: backup_vault_vm_backup_policy_name
+        - name: backup_vault_fileshare_backup_policy_name

templates/workspaces/base/template_schema.json

@@ -73,6 +73,13 @@
         "Manual"
       ],
       "updateable": true
+    },
+    "enable_backup": {
+      "type": "boolean",
+      "title": "Enable Backup",
+      "description": "Enable backups for the workspace. This covers any VMs deployed, and the workspace file share",
+      "default": true,
+      "updateable": true
     }
   },
   "allOf": [
@@ -304,6 +311,7 @@
       "create_aad_groups",
       "client_id",
       "client_secret",
+      "enable_backup",
       "enable_airlock",
       "configure_review_vms",
       "airlock_review_config",

templates/workspaces/base/terraform/aad/providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.117.0"
+      version = "=4.14.0"
     }
     azuread = {
       source  = "hashicorp/azuread"

templates/workspaces/base/terraform/airlock/providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.117.0"
+      version = "=4.14.0"
     }
   }
 }

templates/workspaces/base/terraform/api-permissions.tf

@@ -20,3 +20,5 @@ resource "azurerm_role_assignment" "api_reader" {
   role_definition_name = "Reader"
   principal_id         = data.azurerm_user_assigned_identity.api_id.principal_id
 }
+
+

templates/workspaces/base/terraform/azure-monitor/providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.117.0"
+      version = "=4.14.0"
     }
 
     azapi = {

templates/workspaces/base/terraform/backup/backup.tf

@@ -0,0 +1,136 @@
+
+resource "azurerm_recovery_services_vault" "vault" {
+  name                = local.vault_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  sku                 = "Standard"
+  soft_delete_enabled = true
+  storage_mode_type   = "ZoneRedundant" #  Possible values are "GeoRedundant", "LocallyRedundant" and "ZoneRedundant". Defaults to "GeoRedundant".
+  tags                = var.tre_workspace_tags
+
+  dynamic "identity" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      type         = "UserAssigned"
+      identity_ids = [azurerm_user_assigned_identity.encryption_identity[0].id]
+    }
+  }
+
+  dynamic "encryption" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content{
+      key_id                            = azurerm_key_vault_key.encryption_key[0].versionless_id
+      infrastructure_encryption_enabled = true
+      user_assigned_identity_id         = azurerm_user_assigned_identity.encryption_identity[0].id
+      use_system_assigned_identity      = false
+    }
+  }
+
+  lifecycle { ignore_changes = [encryption, tags] }
+
+}
+
+resource "azurerm_backup_policy_vm" "vm_policy" {
+  name                = local.vm_backup_policy_name
+  resource_group_name = var.resource_group_name
+  recovery_vault_name = azurerm_recovery_services_vault.vault.name
+
+
+  timezone = "UTC"
+
+  backup {
+    frequency = "Daily"
+    time      = "22:00"
+  }
+
+  retention_daily {
+    count = 14
+  }
+
+  retention_weekly {
+    count    = 4
+    weekdays = ["Sunday"]
+  }
+
+  retention_monthly {
+    count     = 12
+    weekdays  = ["Monday"]
+    weeks     = ["First"]
+  }
+
+  retention_yearly {
+    count = 2
+    months = ["December"]
+    weekdays = ["Sunday"]
+    weeks = ["Last"]
+  }
+
+  depends_on = [
+    azurerm_recovery_services_vault.vault
+  ]
+
+
+}
+
+resource "azurerm_backup_policy_file_share" "file_share_policy" {
+  name                = local.fs_backup_policy_name
+  resource_group_name = var.resource_group_name
+  recovery_vault_name = azurerm_recovery_services_vault.vault.name
+
+  timezone = "UTC"
+
+  backup {
+    frequency = "Daily"
+    time      = "23:00"
+  }
+
+  retention_daily {
+    count = 14
+  }
+
+  retention_weekly {
+    count    = 4
+    weekdays = ["Sunday"]
+  }
+
+  retention_monthly {
+    count     = 12
+    weekdays  = ["Monday"]
+    weeks     = ["First"]
+  }
+
+  retention_yearly {
+    count = 2
+    months = ["December"]
+    weekdays = ["Sunday"]
+    weeks = ["Last"]
+  }
+
+  depends_on = [
+    azurerm_recovery_services_vault.vault
+  ]
+
+}
+
+resource "azurerm_backup_container_storage_account" "storage_account" {
+  resource_group_name = var.resource_group_name
+  recovery_vault_name = azurerm_recovery_services_vault.vault.name
+  storage_account_id  = var.azurerm_storage_account_id
+
+  depends_on = [
+    azurerm_recovery_services_vault.vault
+  ]
+}
+
+resource "azurerm_backup_protected_file_share" "file_share" {
+  resource_group_name        = var.resource_group_name
+  recovery_vault_name        = azurerm_recovery_services_vault.vault.name
+  source_storage_account_id  = var.azurerm_storage_account_id
+  source_file_share_name     = var.shared_storage_name
+  backup_policy_id           = azurerm_backup_policy_file_share.file_share_policy.id
+
+  depends_on = [
+    azurerm_backup_policy_file_share.file_share_policy,
+    azurerm_backup_container_storage_account.storage_account
+  ]
+}

templates/workspaces/base/terraform/backup/locals.tf

@@ -0,0 +1,6 @@
+locals {
+  short_workspace_id     = substr(var.tre_resource_id, -4, -1)
+  vault_name             = "arsv-${var.tre_id}-ws-${local.short_workspace_id}"
+  vm_backup_policy_name  = "abp-vm-${var.tre_id}-ws-${local.short_workspace_id}"
+  fs_backup_policy_name  = "abp-fs-${var.tre_id}-ws-${local.short_workspace_id}"
+}