
Azure Architecture Blog

Managing Azure NetApp Files preview features with Terraform Cloud and AzAPI Provider

GeertVanTeylingen
Oct 20, 2022

Table of Contents

 

Abstract

Introduction

Scenario

Azure NetApp Files backup preview enablement

Managing Resource Providers in Terraform

Terraform Configuration

Terraform AzAPI and AzureRM Providers

Declaring the Azure NetApp Files infrastructure

Azure NetApp Files backup policy creation

Assigning a backup policy to an Azure NetApp Files volume

AzAPI to AzureRM migration

Summary

Additional Information

 

Abstract

 

This article demonstrates how to enable the use of preview features in Azure NetApp Files in combination with Terraform Cloud and the AzAPI provider. In this example we enhance data protection with Azure NetApp Files backup (preview) by enabling and creating backup policies using the AzAPI Terraform provider and leveraging Terraform Cloud for the deployment.

 

Co-authors: John Alfaro (NetApp)

 

Introduction

 

As Azure NetApp Files development progresses, new features are continuously being brought to market. Some of those features arrive in a typical Azure ‘preview’ fashion first. These features normally are not included in Terraform before general availability (GA). A recent example of such a preview feature at the time of writing is Azure NetApp Files backup.

 

In addition to snapshots and cross-region replication, Azure NetApp Files data protection has been extended to include backup vaulting of snapshots. Using Azure NetApp Files backup, you can create backups of your volumes based on volume snapshots for longer-term retention. At the time of writing, Azure NetApp Files backup is a preview feature and has not yet been included in the Terraform AzureRM provider. For that reason, we decided to use the Terraform AzAPI provider to enable and manage this feature.

 

Azure NetApp Files backup provides a fully managed backup solution for long-term recovery, archive, and compliance.

 

  • Backups created by the service are stored in an Azure storage account independent of volume snapshots. The Azure storage account will be zone-redundant storage (ZRS) where availability zones are available or locally redundant storage (LRS) in regions without support for availability zones.
  • Backups taken by the service can be restored to an Azure NetApp Files volume within the region.
  • Azure NetApp Files backup supports both policy-based (scheduled) backups and manual (on-demand) backups. In this article, we will be focusing on policy-based backups.

 

For more information regarding this capability go to Azure NetApp Files backup documentation.

 

Scenario

 

In the following scenario, we will demonstrate how Azure NetApp Files backup can be enabled and managed using the Terraform AzAPI provider. To provide additional redundancy for our backups, we will back up our volumes in the Australia East region, taking advantage of zone-redundant storage (ZRS).

 

 

Azure NetApp Files backup preview enablement

To use Azure NetApp Files backup, the preview feature must first be enabled. In this case, the feature needs to be requested via the Public Preview request form. Once the feature is enabled, it will appear as ‘Registered’.

 

Get-AzProviderFeature -ProviderNamespace "Microsoft.NetApp" -Feature ANFBackupPreview

FeatureName      ProviderName     RegistrationState
-----------      ------------     -----------------
ANFBackupPreview Microsoft.NetApp Registered

 

(!) Note

 

A ‘Pending’ status means that the feature needs to be enabled by Microsoft before it can be used.

 

Managing Resource Providers in Terraform

 

If you manage resource providers and their features using Terraform, you will find that registering the preview feature will fail with the below message, which is expected as it is a forms-based opt-in feature.

 

resource "azurerm_resource_provider_registration" "anfa" {
  name = "Microsoft.NetApp"
  feature {
    name       = "ANFSDNAppliance"
    registered = true
  }
  feature {
    name       = "ANFChownMode"
    registered = true
  }
  feature {
    name       = "ANFUnixPermissions"
    registered = true
  }
  # Forms-based opt-in preview: registering it from Terraform is expected to fail.
  feature {
    name       = "ANFBackupPreview"
    registered = true
  }
}

 

 

Terraform Configuration

 

We are deploying Azure NetApp Files using a module with the Terraform AzureRM provider and configuring the backup preview feature using the AzAPI provider.

 

Microsoft has recently released the Terraform AzAPI provider, which helps to break the barrier in the infrastructure as code (IaC) development process by enabling us to deploy features that are not yet released in the AzureRM provider. The definition is quite clear and is taken from the provider's GitHub page.

 

The AzAPI provider is a very thin layer on top of the Azure ARM REST APIs. This new provider can be used to authenticate to and manage Azure resources and functionality using the Azure Resource Manager APIs directly.

 

The code structure we have used looks like the sample below. However, if you are using Terraform Cloud, you use the private registry for module consumption. For this article, we are using local modules.

 

ANF Repo
    |_ Modules
    |   |_ ANF_Pool
    |   |   |_ main.tf
    |   |   |_ variables.tf
    |   |   |_ outputs.tf
    |   |_ ANF_Volume
    |       |_ main.tf
    |       |_ variables.tf
    |       |_ outputs.tf
    |_ main.tf
    |_ providers.tf
    |_ variables.tf
    |_ outputs.tf

 

Terraform AzAPI and AzureRM Providers

 

We have declared the Terraform providers configuration to be used as below.

 

provider "azurerm" {
  skip_provider_registration = true
  features {}
}
 
provider "azapi" {
}
 
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.00"
    }
 
    azapi = {
      source = "azure/azapi"
    }
  }
} 

 

Declaring the Azure NetApp Files infrastructure

 

To create the Azure NetApp Files infrastructure, we will be declaring and deploying the following resources:

 

  • NetApp account
  • capacity pool
  • volume
  • export policy which contains one or more export rules that provide client access rules

 

resource "azurerm_netapp_account" "analytics" {
  name                = "cero-netappaccount"
  location            = data.azurerm_resource_group.one.location
  resource_group_name = data.azurerm_resource_group.one.name
}
 
module "analytics_pools" {
  source   = "./modules/anf_pool"
 
  for_each = local.pools
 
  account_name        = azurerm_netapp_account.analytics.name
  resource_group_name = azurerm_netapp_account.analytics.resource_group_name
  location            = azurerm_netapp_account.analytics.location
  volumes             = each.value
  tags                = var.tags
}

 

To configure Azure NetApp Files policy-based backups for a volume there are some requirements. For more info about these requirements, please check requirements and considerations for Azure NetApp Files backup.

 

  • snapshot policy must be configured and enabled
  • Azure NetApp Files backup is supported in the following regions. In this example we are using the Australia East region.

 

After deployment, you will be able to see the backup icon as part of the NetApp account as below.

 

 

Azure NetApp Files backup policy creation

 

The creation of the backup policy is similar to a snapshot policy and has its own Terraform resource. The backup policy is a child element of the NetApp account. You’ll need to use the ‘azapi_resource’ resource type with the latest API version.

 

(!) Note

 

It is helpful to install the Terraform AzAPI provider extension in VSCode, as it will make development easier with the IntelliSense completion.

 

The code looks like this:

 

resource "azapi_resource" "backup_policy" {
  type      = "Microsoft.NetApp/netAppAccounts/backupPolicies@2022-01-01"
  parent_id = azurerm_netapp_account.analytics.id
  name      = "test"
  location  = "australiaeast"
 
  body = jsonencode({
    properties = {
      enabled              = true
      dailyBackupsToKeep   = 1
      weeklyBackupsToKeep  = 0
      monthlyBackupsToKeep = 0
    }
  })
}

 

(!) Note

 

The ‘parent_id’ is the resource ID of the NetApp account.

 

Because we are deploying this in the Australia East region, which has support for availability zones, the Azure storage account used will be configured with zone-redundant storage (ZRS), as documented under Requirements and considerations for Azure NetApp Files backup. In the Azure Portal, within the volume context, it will look like the following:

 

 

(!) Note

 

Currently, Azure NetApp Files backup supports backing up the daily, weekly, and monthly local snapshots created by the associated snapshot policy to the Azure Storage account.

 

The first snapshot created when the backup feature is enabled is called a baseline snapshot, and its name includes the prefix ‘snapmirror’.

 

 

Assigning a backup policy to an Azure NetApp Files volume

 

The next step in the process is to assign the backup policy to an Azure NetApp Files volume. Once again, as this is not yet supported by the AzureRM provider, we will use the `azapi_update_resource` resource, as it allows us to manage the resource properties we need from the existing NetApp account. Additionally, it uses the same authentication methods as the AzureRM provider. In this case, the configuration code looks like the following, where the data protection block is added to the volume configuration.

 

resource "azapi_update_resource" "vol_backup" {
  type        = "Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2021-10-01"
  resource_id = module.analytics_pools["pool1"].volumes.volume1.volume.id
  body = jsonencode({
    properties = {
      dataProtection = {
        backup = {
          backupEnabled  = true
          backupPolicyId = azapi_resource.backup_policy.id
          policyEnforced = true
        }
      }
      unixPermissions = "0740",
      exportPolicy = {
        rules = [{
          ruleIndex = 1,
          chownMode = "unRestricted"
        }]
      }
    }
  })
}
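Because the backup assignment lives in a separate `azapi_update_resource`, a volume added to a pool later can silently end up without one. The following check is an added example, not part of the original article: it reads the JSON produced by `terraform show -json` and lists volumes that have no enabled and enforced backup policy. It assumes the modules create volumes as `azurerm_netapp_volume` resources; the sample state, subscription ID, resource group and resource addresses are constructed for illustration.

```python
import json

def dig(obj, *keys):
    """Follow nested dict keys, returning None if any level is missing."""
    for key in keys:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def walk(module):
    """Yield every resource in a state module, including child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def unprotected_volumes(state):
    """Addresses of NetApp volumes without an enabled, enforced backup policy."""
    resources = list(walk(dig(state, "values", "root_module") or {}))
    protected = set()
    for res in resources:
        if res.get("type") != "azapi_update_resource":
            continue
        raw = dig(res, "values", "body")
        try:  # body is a JSON string when written with jsonencode(), as on this page
            body = json.loads(raw) if isinstance(raw, str) else raw
        except json.JSONDecodeError:
            continue  # an unreadable body counts as no protection
        backup = dig(body, "properties", "dataProtection", "backup")
        rid = dig(res, "values", "resource_id")
        if (rid and dig(backup, "backupEnabled") is True
                and dig(backup, "policyEnforced") is True and dig(backup, "backupPolicyId")):
            protected.add(str(rid).lower())  # Azure resource IDs are case-insensitive
    return sorted(
        res["address"] for res in resources
        if res.get("type") == "azurerm_netapp_volume"
        and str(dig(res, "values", "id") or "").lower() not in protected
    )

# Constructed sample state (not real output): two volumes, only volume1 has backup assigned.
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
        "/providers/Microsoft.NetApp/netAppAccounts/cero-netappaccount/capacityPools/pool1/volumes/")
BODY = {"properties": {"dataProtection": {"backup": {
    "backupEnabled": True, "policyEnforced": True, "backupPolicyId": "/constructed/policy/test"}}}}
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [{"address": "azapi_update_resource.vol_backup", "type": "azapi_update_resource",
                   "values": {"resource_id": BASE.upper() + "VOLUME1", "body": json.dumps(BODY)}}],
    "child_modules": [{"address": 'module.analytics_pools["pool1"]', "resources": [
        {"address": 'module.analytics_pools["pool1"].azurerm_netapp_volume.vol["volume1"]',
         "type": "azurerm_netapp_volume", "values": {"id": BASE + "volume1"}},
        {"address": 'module.analytics_pools["pool1"].azurerm_netapp_volume.vol["volume2"]',
         "type": "azurerm_netapp_volume", "values": {"id": BASE + "volume2"}}]}]}}}

if __name__ == "__main__":
    print(unprotected_volumes(SAMPLE_STATE))
```

Run against real state by loading the output of `terraform show -json` with `json.load` and failing the pipeline when the returned list is not empty.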

 

The data protection policy will look like the screenshot below indicating the specified volume is fully protected within the region.

 

 

AzAPI to AzureRM migration

 

At some point, the resources created using the AzAPI provider will become available in the AzureRM provider, which is the recommended way to provision infrastructure as code in Azure. To make code migration a bit easier, Microsoft has provided the AzAPI2AzureRM migration tool.

 

Summary

 

The Terraform AzAPI provider is a tool to deploy Azure features that have not yet been integrated into the AzureRM Terraform provider. As we see more adoption of preview features in Azure NetApp Files, this new functionality will give us deployment support to manage zero-day and preview features, such as Azure NetApp Files backup and more.

 

Additional Information

  1. https://learn.microsoft.com/azure/azure-netapp-files
  2. https://learn.microsoft.com/azure/azure-netapp-files/backup-introduction
  3. https://learn.microsoft.com/azure/azure-netapp-files/backup-requirements-considerations
  4. https://learn.microsoft.com/azure/developer/terraform/overview-azapi-provider#azapi2azurerm-migration-tool
  5. https://registry.terraform.io/providers/hashicorp/azurerm
  6. https://registry.terraform.io/providers/Azure/azapi
  7. https://github.com/Azure/terraform-provider-azapi
Updated Oct 20, 2022
Version 1.0