0
votes

I am trying to create a DeployIfNotExist policy that will automatically enroll VMs in backups that go to a Recovery Services Vault in a Location Named Resource group. The policy code seems like it should work. Here is its...

{
  "properties": {
    "displayName": "Virtual Machine OS Backup",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "category": "Compute"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.RecoveryServices/backupprotecteditems",
          "existenceCondition": {
            "allOf": [
              {
                "field": "name",
                "like": "*"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "VMName": {
                  "value": "[field('name')]"
                },
                "VMRG": {
                  "value": "[resourcegroup().name]"
                },
                "VMLocation": {
                  "value": "[field('location')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                "contentVersion": "1.0.0.1",
                "parameters": {
                  "VMName": {
                    "type": "string"
                  },
                  "VMRG": {
                    "type": "string"
                  },
                  "VMLocation": {
                    "type": "string"
                  }
                },
                "variables": {
                  "BackupVaultRGName": "[concat('RGP-BACKUPS-', toUpper(parameters('VMLocation')))]",
                  "BackupVaultName": "[concat('rsv-backups-',toLower(parameters('VMLocation')))]",
                  "BackupPolicyName": "DefaultPolicy",
                  "BackupIntentConcat": "[concat('/Azure/vm;iaasvmcontainerv2;',parameters('VMRG'),';',parameters('VMName'))]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2018-05-01",
                    "location": "[parameters('VMLocation')]",
                    "name": "[variables('BackupVaultRGName')]",
                    "properties": {},
                    "resources": [
                      {
                        "apiVersion": "2018-05-01",
                        "name": "[concat(parameters('VMName'), '-' , 'BackupIntent')]",
                        "type": "Microsoft.Resources/deployments",
                        "resourceGroup": "[variables('BackupVaultRGName')]",
                        "dependsOn": [
                          "[resourceId('Microsoft.Resources/resourceGroups', variables('BackupVaultRGName'))]"
                        ],
                        "properties": {
                          "mode": "Incremental",
                          "template": {
                            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "resources": [
                              {
                                "name": "[concat(variables('BackupVaultName'),variables('BackupIntentConcat'))]",
                                "apiVersion": "2017-07-01",
                                "type": "Microsoft.RecoveryServices/vaults/backupFabrics/backupProtectionIntent",
                                "properties": {
                                  "protectionIntentItemType": "AzureResourceItem",
                                  "policyId": "[resourceId(variables('BackupVaultRGName'),'Microsoft.RecoveryServices/vaults/backuppolicies', variables('BackupVaultName'), variables('BackupPolicyName'))]",
                                  "sourceResourceId": "[resourceId(parameters('VMRG'),'Microsoft.Compute/virtualMachines', parameters('VMName'))]"
                                },
                                "dependsOn": [
                                  "[resourceId(variables('BackupVaultRGName'),variables('BackupVaultRGName'),'Microsoft.RecoveryServices/vaults', variables('BackupVaultName'))]"
                                ]
                              },
                              {
                                "type": "Microsoft.RecoveryServices/vaults",
                                "apiVersion": "2018-01-10",
                                "name": "[variables('BackupVaultName')]",
                                "location": "[parameters('VMLocation')]",
                                "sku": {
                                  "name": "RS0",
                                  "tier": "Standard"
                                },
                                "properties": {}
                              }
                            ]
                          }
                        }
                      }
                    ]
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/b99xxxxx-e44f-469f-b874-585a7b10eb58",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "b99xxxxx-e44f-469f-b874-585a7b10eb58"
}

The error I get is the following.

Unable to evaluate policy with definition '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/b99xxxxx-e44f-469f-b874-585a7b10eb58/' and assignment '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/edxxxxx576044ecdaf510972/'. Policy evaluation exceeded the maximum allowed time.

I'm currently in the second iteration of my development process. The first was to make this policy work if the resource group and recovery services vault already exist, which works well. My current iteration is to deploy the resource group and recovery services vault if they do not exist and then enroll the VM in backup policy. This requires some context switching in the nested deployments and maybe I have knocked something sideways somewhere.

1

1 Answers