Bicep Module Documentation

Module backup-vault

backupVault

Property Value Description
general (required) general
identityType 'None' | 'SystemAssigned' The identityType which can be either SystemAssigned or None (default: None)
alertsForAllJobFailures 'Disabled' | 'Enabled' Monitoring Settings (default: Enabled)
immutabilityState 'Disabled' | 'Locked' | 'Unlocked' Immutability Settings at vault level (default: Disabled)
softDeleteRetentionDurationInDays int Soft delete retention duration (default: 14)
softDeleteRetentionState 'AlwaysOn' | 'Off' | 'On' State of soft delete (default: On)
storageSettings (required) backupVaultStorageSettings[] Storage Settings
backupPolicies backupVaultPolicies[] Backup policies in the backup vault

backupVaultStorageSettings

Property Value Description
datastoreType (required) 'ArchiveStore' | 'SnapshotStore' | 'VaultStore' Gets or sets the type of the datastore.
type (required) 'GeoRedundant' | 'LocallyRedundant' | 'ZoneRedundant' Gets or sets the type.

backupVaultPolicies

Property Value Description
function (required) string The function of the policy
datasourceTypes (required) Array containing any of: 'Microsoft.Compute/disks', 'Microsoft.ContainerService/managedClusters', 'Microsoft.DBforPostgreSQL/flexibleServers', 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.Storage/storageAccounts/blobServices' Type of datasource for the backup management
policyRules (required) backupVaultBasePolicyRule[] Policy rule dictionary that contains rules for each backup type, i.e. Full/Incremental/Logs etc.
instances backupVaultInstance[] Backup instances in the policy

backupVaultBasePolicyRule

Set the objectType property to specify the type of object.

For AzureBackupRule, use:

Property Value Description
name (required) string
objectType (required) 'AzureBackupRule'
backupParameters backupVaultBackupParameters BackupParameters base
dataStore (required) backupVaultDataStoreInfoBase DataStoreInfo base
trigger (required) backupVaultTriggerContext Trigger context

Set the objectType property to specify the type of object.

For AzureRetentionRule, use:

Property Value Description
name (required) string
objectType (required) 'AzureRetentionRule'
isDefault bool
lifecycles (required) backupVaultSourceLifeCycle[]

backupVaultDataStoreInfoBase

Property Value Description
dataStoreType (required) 'ArchiveStore' | 'OperationalStore' | 'VaultStore' Type of datastore; Operational/Vault/Archive
objectType (required) string Type of Datasource object, used to initialize the right inherited type

backupVaultBackupParameters

Property Value Description
objectType (required) 'AzureBackupParams' Type of the specific object - used for deserializing
backupType (required) string Backup type; Full/Incremental etc.

backupVaultTriggerContext

Set the objectType property to specify the type of object.

For AdhocBasedTriggerContext, use:

Property Value Description
objectType (required) 'AdhocBasedTriggerContext'
taggingCriteria (required) taggingCriteria Tagging Criteria containing retention tag for adhoc backup.

Set the objectType property to specify the type of object.

For ScheduleBasedTriggerContext, use:

Property Value Description
objectType (required) 'ScheduleBasedTriggerContext'
schedule (required) backupVaultBackupSchedule Schedule for this backup
taggingCriteria (required) backupVaultTaggingCriteria[] List of tags that can be applicable for given schedule.

tagInfo

Property Value Description
tagName (required) string Retention Tag Name to relate it to retention rule.

taggingCriteria

Property Value Description
tagInfo (required) tagInfo

backupVaultBackupSchedule

Property Value Description
repeatingTimeIntervals (required) string[] ISO 8601 repeating time interval format
timeZone 'Eastern Standard Time' | 'GMT Standard Time' | 'Pacific Standard Time' | 'Romance Standard Time' | 'UTC' Time zone for a schedule. Example: Pacific Standard Time

backupVaultTaggingCriteria

Property Value Description
criteria backupVaultScheduleBasedBackupCriteria Criteria which decides whether the tag can be applied to a triggered backup.
isDefault (required) bool Specifies if tag is default.
taggingPriority (required) int Retention Tag priority.
tagInfo (required) tagInfo Retention tag information

backupVaultScheduleBasedBackupCriteria

Property Value Description
objectType (required) 'ScheduleBasedBackupCriteria' Type of the specific object - used for deserializing
absoluteCriteria Array containing any of: 'AllBackup', 'FirstOfDay', 'FirstOfMonth', 'FirstOfWeek', 'FirstOfYear' It contains absolute values like "AllBackup" / "FirstOfDay" / "FirstOfWeek" / "FirstOfMonth" and should be part of AbsoluteMarker enum
daysOfMonth backupDaysOfTheMonth[] Day of the month from 1 to 28, otherwise the last day of the month
daysOfTheWeek Array containing any of: 'Friday', 'Monday', 'Saturday', 'Sunday', 'Thursday', 'Tuesday', 'Wednesday' It should be Sunday/Monday/T..../Saturday
monthsOfYear Array containing any of: 'April', 'August', 'December', 'February', 'January', 'July', 'June', 'March', 'May', 'November', 'October', 'September' It should be January/February/....../December
scheduleTimes string[] List of schedule times for backup
weeksOfTheMonth Array containing any of: 'First', 'Fourth', 'Last', 'Second', 'Third' It should be First/Second/Third/Fourth/Last

backupVaultSourceLifeCycle

Property Value Description
deleteAfter (required) deleteAfter Delete Option
sourceDataStore (required) backupVaultDataStoreInfoBase DataStoreInfo base
targetDataStoreCopySettings backupVaultTargetDataStoreCopySettings[]

deleteAfter

Property Value Description
duration (required) string Duration of deletion after given timespan
objectType (required) 'AbsoluteDeleteOption' Type of the specific object - used for deserializing

backupVaultTargetDataStoreCopySettings

Property Value Description
copyAfter (required) backupVaultCopyOption It can be CustomCopyOption or ImmediateCopyOption.
dataStore (required) backupVaultDataStoreInfoBase Info of target datastore

backupVaultCopyOption

Set the objectType property to specify the type of object.

For CopyOnExpiryOption, use:

Property Value Description
objectType (required) 'CopyOnExpiryOption'

Set the objectType property to specify the type of object.

For CustomCopyOption, use:

Property Value Description
objectType (required) 'CustomCopyOption'
duration (required) string Data copied after given timespan

Set the objectType property to specify the type of object.

For ImmediateCopyOption, use:

Property Value Description
objectType (required) 'ImmediateCopyOption'

backupVaultInstance

Property Value Description
overrideName string Full name of the backup policy
function (required) string The function of the policy
datasourceAuthCredentialsKvUri string Credentials to use to authenticate with data source provider. Uri to get to the resource
datasourceAuthCredentialsKvValue string Credentials to use to authenticate with data source provider. Gets or sets value stored in secret store resource
dataSourceInfo (required) dataSourceInfo Gets or sets the data source information.
dataSourceSetInfo dataSourceSetInfo Gets or sets the data source set information.
friendlyName (required) string Gets or sets the Backup Instance friendly name.
objectType (required) 'BackupInstance' objectType
policyInfo (required) policyInfo Gets or sets the policy information.
validationType 'DeepValidation' | 'ShallowValidation' Specifies the type of validation. In case of DeepValidation, all validations from /validateForBackup API will run again.

dataSourceInfo

Property Value Description
datasourceType string DatasourceType of the resource.
objectType string Type of Datasource object, used to initialize the right inherited type
resourceID (required) string Full ARM ID of the resource. For azure resources, this is ARM ID. For non azure resources, this will be the ID created by backup service via Fabric/Vault.
resourceLocation string Location of datasource.
resourceName string Unique identifier of the resource in the context of parent.
resourceType string Resource Type of Datasource.
resourceUri string Uri of the resource.

dataSourceSetInfo

Property Value Description
datasourceType string DatasourceType of the resource.
objectType string Type of Datasource object, used to initialize the right inherited type
resourceID (required) string Full ARM ID of the resource. For azure resources, this is ARM ID. For non azure resources, this will be the ID created by backup service via Fabric/Vault.
resourceLocation string Location of datasource.
resourceName string Unique identifier of the resource in the context of parent.
resourceType string Resource Type of Datasource.
resourceUri string Uri of the resource.

policyParameters

Property Value Description
backupDatasourceParametersList (required) backupVaultInstanceDataSourceParams[] Gets or sets the Backup Data Source Parameters
dataStoreParametersList backupVaultInstanceDataStoreParams[] Gets or sets the DataStore Parameters

policyInfo

Property Value Description
policyParameters (required) policyParameters Policy parameters for the backup instance

backupVaultInstanceDataSourceParams

Set the objectType property to specify the type of object.

For BlobBackupDatasourceParameters, use:

Property Value Description
objectType (required) 'BlobBackupDatasourceParameters'
containersList (required) string[] List of containers to be backed up during configuration of backup of blobs

Set the objectType property to specify the type of object.

For KubernetesClusterBackupDatasourceParameters, use:

Property Value Description
objectType (required) 'KubernetesClusterBackupDatasourceParameters'
excludedNamespaces string[] Gets or sets the exclude namespaces property. This property sets the namespaces to be excluded during restore.
excludedResourceTypes string[] Gets or sets the exclude resource types property. This property sets the resource types to be excluded during restore.
includeClusterScopeResources (required) bool Gets or sets the include cluster resources property. This property if enabled will include cluster scope resources during restore.
includedNamespaces string[] Gets or sets the include namespaces property. This property sets the namespaces to be included during restore.
includedResourceTypes string[] Gets or sets the include resource types property. This property sets the resource types to be included during restore.
labelSelectors string[] Gets or sets the LabelSelectors property. This property sets the resource with such label selectors to be included during restore.
snapshotVolumes (required) bool Gets or sets the volume snapshot property. This property if enabled will take volume snapshots during restore.

backupVaultInstanceDataStoreParams

Property Value Description
dataStoreType (required) 'ArchiveStore' | 'OperationalStore' | 'VaultStore' Type of datastore; Operational/Vault/Archive
objectType (required) 'AzureOperationalStoreParameters' Type of the specific object - used for deserializing
resourceGroupId string Gets or sets the Snapshot Resource Group Uri.

diagnosticSetting

Property Value Description
name (required) string The resource name
eventHubAuthorizationRuleId string The resource Id for the event hub authorization rule.
eventHubName string The name of the event hub. If none is specified, the default event hub will be selected.
logAnalyticsDestinationType string A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type constructed as follows: {normalized service identity}_{normalized category name}. Possible values are: Dedicated and null (default: null)
logs diagnosticLogSettings[] The list of logs settings.
marketplacePartnerId string The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
metrics diagnosticMetricSettings[] The list of metric settings.
serviceBusRuleId string The service bus rule Id of the diagnostic setting. This is here to maintain backwards compatibility.
storageAccountId string The resource ID of the storage account to which you would like to send Diagnostic Logs.
workspaceId string The full ARM resource ID of the Log Analytics workspace to which you would like to send Diagnostic Logs. Example: /subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2

diagnosticLogSettings

Set the resourceType property to specify the type of object.

For Custom, use:

Property Value Description
resourceType (required) 'Custom'
category string Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
categoryGroup string Name of a Diagnostic Log category group for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this log is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this log.

Set the resourceType property to specify the type of object.

For App Service Plan, use:

Property Value Description
resourceType (required) 'App Service Plan'

Set the resourceType property to specify the type of object.

For Azure Firewall, use:

Property Value Description
resourceType (required) 'Azure Firewall'
category 'AZFWApplicationRule' | 'AZFWApplicationRuleAggregation' | 'AZFWDnsQuery' | 'AZFWFatFlow' | 'AZFWFlowTrace' | 'AZFWFqdnResolveFailure' | 'AZFWIdpsSignature' | 'AZFWNatRule' | 'AZFWNatRuleAggregation' | 'AZFWNetworkRule' | 'AZFWNetworkRuleAggregation' | 'AZFWThreatIntel' | 'AzureFirewallApplicationRule' | 'AzureFirewallDnsProxy' | 'AzureFirewallNetworkRule' Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
categoryGroup string Name of a Diagnostic Log category group for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this log is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this log.

Set the resourceType property to specify the type of object.

For Application Gateway, use:

Property Value Description
resourceType (required) 'Application Gateway'
category 'ApplicationGatewayAccessLog' | 'ApplicationGatewayFirewallLog' | 'ApplicationGatewayPerformanceLog' Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
categoryGroup string Name of a Diagnostic Log category group for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this log is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this log.

retentionPolicy

Property Value Description
days (required) int the number of days for the retention in days. A value of 0 will retain the events indefinitely.
enabled (required) bool a value indicating whether the retention policy is enabled.

diagnosticMetricSettings

Set the resourceType property to specify the type of object.

For Custom, use:

Property Value Description
resourceType (required) 'Custom'
category string Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled (required) bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

Set the resourceType property to specify the type of object.

For App Service Plan, use:

Property Value Description
resourceType (required) 'App Service Plan'
category (required) 'AllMetrics' Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

Set the resourceType property to specify the type of object.

For Azure Firewall, use:

Property Value Description
resourceType (required) 'Azure Firewall'
category (required) 'AllMetrics' Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

Set the resourceType property to specify the type of object.

For Application Gateway, use:

Property Value Description
resourceType (required) 'Application Gateway'
category (required) 'AllMetrics' Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

backupDaysOfTheMonth

Property Value Description
date (required) int Date of the month
isLast bool Whether Date is last date of month

naming

Property Value Description
forceFunctionAsFullName bool Use the function value as the full name of the resource
abbreviation string Override the abbreviation of this resource with this parameter
environment string The resource environment (for example: dev, tst, acc, prd)
location string The resource location (for example: weu, we, westeurope)
customer string The name of the customer
delimiter string The delimiter between resources (default: -)
nameFormat Array containing any of: 'abbreviation', 'customer', 'environment', 'function', 'location', 'param1', 'param2', 'param3', 'useCaseName' The order of the array defines the order of elements in the naming scheme
param1 string Extra parameter self defined
param2 string Extra parameter self defined
param3 string Extra parameter self defined
function (required) string Function of the resource [can be app, db, security,...]
useCaseName string Name of the use case [can be hub, spoke,...]
suffix string Suffix for the resource; if empty, none will be appended, otherwise it will be added to the end [can be index, ...]
forceDefaultNaming bool Force the CAF naming instead of default company naming

resourceLock

Property Value Description
name string Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in period.
level (required) 'CanNotDelete' | 'ReadOnly' The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again
notes string Notes about the lock. Maximum of 512 characters.
owners resourceLockOwner[] The owners of the lock

resourceLockOwner

Property Value Description
applicationId (required) string The application ID of the lock owner.

roleAssignment

Property Value Description
principalId (required) string The principal ID
roleDefinitionId (required) string The role definition ID, data file can be used for this
condition string Condition on the role assignment
conditionVersion string Version of the condition. Currently the only accepted value is "2.0"
delegatedManagedIdentityResourceId string Id of the delegated managed identity resource
description string Description of role assignment

general

Property Value Description
tags object Tags of the resource [hashtable]
location (required) string Location of the resource
naming (required) naming Naming module of the resource
resourceGroupName (required) string Name of the resource group where the resource should be located
sharedNaming (required) naming Reference to the default naming
roleAssignments roleAssignment[] Role assignments on the resource
resourceLocks resourceLock[] Resource Locks on the resource

Changelog

2.2.0 (2025-10-06)

Features

  • update resource api versions

2.1.1 (2025-09-24)

Bug Fixes

  • remove deployment name + cleanup

2.1.0 (2025-03-26)

Features

  • add resourceName output

2.0.0 (2025-03-17)

⚠ BREAKING CHANGES

  • remove role-assignment principalType parameter

Features

  • remove role-assignment principalType parameter

1.2.2 (2025-02-28)

Bug Fixes

  • revise descriptions