Backup

Overview

Azure Backup uses a Recovery Services Vault as the management resource for backup policies, recovery points, and (optionally) restore operations. This implementation creates Recovery Services Vaults and optionally streams the vault's platform logs to a Log Analytics Workspace (or other destination) for monitoring and reporting.

Module Structure

| Module | Azure Resource | Purpose |
|---|---|---|
| recovery_services_vault | azurerm_recovery_services_vault | The vault that owns backup policies and recovery points |
| monitor_diagnostic_setting | azurerm_monitor_diagnostic_setting | Optional: routes vault platform logs to one or more destinations (workspace, storage, event hub, partner solution) |

Usage

1. Create a Recovery Services Vault

recovery_services_vault = {
  epic = {
    resource_group    = "recoveryvault"
    storage_mode_type = "GeoRedundant"
  }
}

2. Stream Vault Logs to a Destination (Optional)

Add a diagnostic_settings map on the vault entry to forward platform logs to one or more destinations (Log Analytics Workspace, Storage Account, Event Hub, or partner solution). Each map key becomes a separate azurerm_monitor_diagnostic_setting resource — define multiple entries to fan out to different destinations. The workspace and storage_account values are module keys, not resource IDs:

recovery_services_vault = {
  epic = {
    resource_group    = "recoveryvault"
    storage_mode_type = "GeoRedundant"
    diagnostic_settings = {
      law = {
        workspace                      = "shared"
        log_analytics_destination_type = "Dedicated"
        enabled_logs = {
          categories = [
            "CoreAzureBackup",
            "AddonAzureBackupAlerts",
            "AddonAzureBackupJobs",
            "AddonAzureBackupPolicy",
            "AddonAzureBackupProtectedInstance",
            "AddonAzureBackupStorage",
          ]
        }
      }
      archive = {
        storage_account = "auditarchive"
        enabled_logs = {
          category_groups = ["allLogs"]
        }
      }
    }
  }
}

This requires a Log Analytics Workspace with the matching key — see Log Analytics Workspace. The diagnostic settings themselves are created by the monitor_diagnostic_setting module, which is wired up at the root level. See that page for the full list of supported destination fields, including Event Hub and partner solution.

Note: log_analytics_destination_type = "Dedicated" writes logs to resource-specific tables (e.g. AddonAzureBackupJobs) instead of the legacy single AzureDiagnostics table. Prefer Dedicated for new workspaces.

Variable Reference

recovery_services_vault

| Field | Type | Description | Default |
|---|---|---|---|
| name | string | Override the resource name | Prefix + key + suffix |
| resource_group | string | Resource group key | Required |
| location | string | Override location | var.location |
| sku | string | Vault SKU | "Standard" |
| public_network_access_enabled | string | Allow public network access | "true" |
| storage_mode_type | string | "LocallyRedundant", "ZoneRedundant", or "GeoRedundant" | "GeoRedundant" |
| cross_region_restore_enabled | string | Enable cross-region restore (requires GeoRedundant) | "false" |
| immutability | string | Vault immutability state: "Disabled", "Unlocked", or "Locked". Once set to "Locked", it cannot be reverted. | "Disabled" |
| diagnostic_settings | map(object) | Optional map of diagnostic settings, one entry per destination (see below) | {} |
| tags | map(string) | Resource tags (merged with default_tags) | {} |

diagnostic_settings

Each map entry produces a separate azurerm_monitor_diagnostic_setting resource. At least one destination must be set on each entry.

| Field | Type | Description | Default |
|---|---|---|---|
| name | string | Override the diagnostic setting name | "recovery_services_vault-<vault_key>-<setting_key>" |
| workspace | string | log_analytics_workspace key (workspace destination) | null |
| log_analytics_destination_type | string | "Dedicated" (per-table) or "AzureDiagnostics" (legacy) | null |
| storage_account | string | storage_account key (storage destination) | null |
| eventhub_authorization_rule_id | string | Full Event Hub namespace authorization rule ID. Pair with eventhub_name. | null |
| eventhub_name | string | Event Hub name within the namespace | null |
| partner_solution_id | string | Full resource ID of a partner monitoring solution | null |
| enabled_logs | object | Log categories and category groups to forward (see below) | {} |
| enabled_metrics | list(string) | Metric category names to forward | null |

A single setting can fan out to workspace + storage + event hub simultaneously. To send to two workspaces (or two storage accounts), define two separate entries in diagnostic_settings.
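As an added example (not configuration from this page or the module itself), a hardened vault entry that overrides the permissive defaults from the variable reference and shows one diagnostic setting fanning out to workspace, storage account and event hub at once, plus a second entry for a second workspace. The event hub authorization rule ID is a placeholder, and the soc workspace key is assumed to exist in log_analytics_workspace.

```hcl
recovery_services_vault = {
  epic = {
    resource_group    = "recoveryvault"
    storage_mode_type = "GeoRedundant"

    # Defaults are "true", "false" and "Disabled" respectively; tighten them here.
    public_network_access_enabled = "false"
    cross_region_restore_enabled  = "true"     # requires GeoRedundant
    immutability                  = "Unlocked" # "Locked" cannot be reverted; move to it deliberately

    diagnostic_settings = {
      # One entry, three destinations: workspace + storage + event hub in the same setting.
      audit = {
        workspace                      = "shared"
        log_analytics_destination_type = "Dedicated"
        storage_account                = "auditarchive"
        # Placeholder ID (assumed format, not from this page); replace with the real rule ID.
        eventhub_authorization_rule_id = "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<namespace>/authorizationRules/<rule-name>"
        eventhub_name                  = "backup-logs"
        enabled_logs = {
          category_groups = ["allLogs"]
        }
      }

      # A second workspace cannot share an entry; it needs its own setting.
      soc = {
        workspace                      = "soc" # assumed log_analytics_workspace key
        log_analytics_destination_type = "Dedicated"
        enabled_logs = {
          categories = [
            "CoreAzureBackup",
            "AddonAzureBackupAlerts",
            "AddonAzureBackupJobs",
          ]
        }
      }
    }
  }
}
```

This produces two azurerm_monitor_diagnostic_setting resources, named recovery_services_vault-epic-audit and recovery_services_vault-epic-soc unless overridden.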

enabled_logs

| Field | Type | Description | Default |
|---|---|---|---|
| categories | list(string) | Individual log category names | [] |
| category_groups | list(string) | Category groups (e.g. "audit", "allLogs") | [] |

categories and category_groups are mutually exclusive — pick one. Recovery vault log category names:

  • CoreAzureBackup
  • AddonAzureBackupAlerts
  • AddonAzureBackupJobs
  • AddonAzureBackupPolicy
  • AddonAzureBackupProtectedInstance
  • AddonAzureBackupStorage

Naming Convention

Resources follow the standard {prefix}{key}{suffix} pattern. The recovery vault uses the recovery_services_vault key:

name_prefixes = {
  recovery_services_vault = "prod-"
}

name_suffixes = {
  recovery_services_vault = "-eastus2-rsv"
}

With the example above, vault key epic becomes prod-epic-eastus2-rsv.

Diagnostic settings on the vault are named recovery_services_vault-<vault_key>-<setting_key> unless the entry's name overrides it; they do not use the prefix/suffix maps. The resource-type prefix prevents Azure-side name collisions if a key vault or automation account uses the same <key>-<setting_key> combination.