Support for Recovery Services Vault notification preferences

[elliot-resdiary]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

It's great that we have the resources to create Recovery Services Vaults, protection policies, and VM protection, however, arguably just as important as the backups themselves are the email notification preferences which let us know when backups aren't running or have been deleted.

New or Affected Resource(s)

• azurerm_recovery_services_vault

Potential Terraform Configuration

resource "azurerm_recovery_services_vault" "rsv" {
  name                = "example-rsv"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Standard"

  notifications = {
      email_subscription_owner = true
      custom_emails = [
          "admin1@example.com",
          "admin2@example.com"
      ]
  }
}

References

[sean-nixon]

I'd also be interested in this feature, but support for it might be tricky. Based on configuring this in the Portal, the endpoint for backup notifications appears to be the following:

PATCH https://management.azure.com/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.RecoveryServices/vaults/xxx/monitoringConfigurations/notificationConfiguration?api-version=2017-07-01-preview

However, I'm unable to find any documentation on this endpoint in the API reference docs and no equivalent client in the azure-sdk-for-go.

[elliot-resdiary]

Could this be what we need? https://docs.microsoft.com/en-us/rest/api/site-recovery/replicationalertsettings/create

[sean-nixon]

That's specific for Azure Site Recovery replication alerts and doesn't cover backup. Configuring that is equivalent to setting "Email notifications" on "Site Recovery events" in the Portal.

Backup notifications are set in the Portal at "Backup Alerts" > "Configure notifications" and use the seemingly undocumented endpoint I described above if you look in the browser network calls.

Your initial issue sounded like you were wanting backup notifications specifically. Regardless, I would love it if Terraform supported both types. Building off your example, a potential configuration could be:

resource "azurerm_recovery_services_vault" "rsv" {
  name                = "example-rsv"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Standard"

  replication_notifications = {
      email_subscription_owner = true
      custom_emails = [
          "admin1@example.com",
          "admin2@example.com"
      ]
      locale = "en-US"
  }
 
  backup_notifications = {
      recipient_emails = [
          "admin2@example.com"
       ]
     severities = [
         "Critical",
         "Warning",
         "Information"
     ]
     frequency = "Hourly" # or "Immediate"
  }
}

[SteveKurutz]

I agree that adding support for backup alerting settings is necessary. Due to the relationships between vaults, regions, and subscriptions, it's necessary to deploy multiple vaults to back up "one" organization. This results in a whole lot of manual configuration on a vault-by-vault basis.

Similarly, enabling the setting of diagnostic logging in TF would be helpful. As it stands, we can only automate 80% of what's important to us about vault configuration due to these limitations.

[Klaas-]

So my understanding is that the metrics alert is the way to go forward here, you can add them with tf already, a backup alert for failing backups should look something like this:

resource "azurerm_monitor_metric_alert" "backup_health" {
  name                     = "backup health alert"
  resource_group_name      = azurerm_resource_group.resource_group.name
  scopes                   = [azurerm_recovery_services_vault.backup_vault.id]
  description              = "Alert on Backup Health Events"
  target_resource_type     = "Microsoft.RecoveryServices/vaults"
  auto_mitigate            = true
  frequency                = "PT1H"
  window_size              = "P1D"

  criteria {
    metric_namespace = "Microsoft.RecoveryServices/vaults"
    metric_name      = "BackupHealthEvent"
    aggregation      = "Count"
    operator         = "GreaterThan"
    threshold        = "0"

    dimension {
      name     = "dataSourceURL"
      operator = "Include"
      values   = [
        "*"
      ]
    }

    dimension {
      name     = "healthStatus"
      operator = "Exclude"
      values   = ["Healthy"]
    } 
  }
  action {
    action_group_id    = ...
    webhook_properties = {}
  }  
}