Azure · IannGeorges · Dec 2, 2024 · Dec 17, 2024 · Jan 3, 2025 · Jan 5, 2025
@@ -237,7 +237,8 @@ def load_arguments(self, _):
         c.argument('fix_for_inconsistent_items', arg_type=get_three_state_flag(), options_list=['--fix-for-inconsistent-items'], help='Specify whether or not to retry Policy Update for failed items.')
         c.argument('backup_management_type', backup_management_type)
         c.argument('tenant_id', help='ID of the tenant if the Resource Guard protecting the vault exists in a different tenant.')
-
+        c.argument('yes', options_list=['--yes', '-y'], help='Skip confirmation when updating Standard to Enhanced Policies.', action='store_true')
+
     with self.argument_context('backup policy create') as c:
         c.argument('policy', type=file_type, help='JSON encoded policy definition. Use the show command with JSON output to obtain a policy object. Modify the values using a file editor and pass the object.', completer=FilesCompleter())
         c.argument('name', options_list=['--name', '-n'], help='Name of the Policy.')

@@ -245,9 +245,9 @@ def list_recovery_points(cmd, client, resource_group_name, vault_name, item, sta
             Please either remove the flag or query for any other backup-management-type.
             """)
 
-    if is_ready_for_move is not None or target_tier is not None or tier is not None:
+    if is_ready_for_move is not None or target_tier is not None:
         raise ArgumentUsageError("""Invalid argument has been passed. --is-ready-for-move true, --target-tier
-        and --tier flags are not supported for --backup-management-type AzureStorage.""")
+        are not supported for --backup-management-type AzureStorage.""")
 
     if recommended_for_archive is not None:
         raise ArgumentUsageError("""--recommended-for-archive is supported by AzureIaasVM backup management
@@ -269,12 +269,51 @@ def list_recovery_points(cmd, client, resource_group_name, vault_name, item, sta
     # Get recovery points
     recovery_points = client.list(vault_name, resource_group_name, fabric_name, container_uri, item_uri, filter_string)
     paged_recovery_points = helper.get_list_from_paged_response(recovery_points)
+
+    if tier:
+        filtered_recovery_points = []
+        for rp in paged_recovery_points:
+            rp_tier = None
+            rp_tier_types = []
+
+            # Safely access 'additional_properties' attribute of rp.properties
+            additional_props = getattr(rp.properties, 'additional_properties', {})
+
+            # Ensure additional_props is a dictionary before using dict.get()
+            if isinstance(additional_props, dict):
+                # Safely get 'recoveryPointTierDetails' from the dictionary
+                tier_details_list = additional_props.get("recoveryPointTierDetails", [])
+
+                # Ensure tier_details_list is a list before iterating
+                if isinstance(tier_details_list, list):
+                    for detail in tier_details_list:
+                        # Ensure each detail is a dictionary
+                        if isinstance(detail, dict):
+                            # Safely get the 'type' from each detail
+                            rp_type = detail.get("type")
+                            if rp_type:
+                                rp_tier_types.append(rp_type)
+
+            # Determine the tier of the recovery point based on the types
+            if 'InstantRP' in rp_tier_types and 'HardenedRP' in rp_tier_types:
+                rp_tier = 'SnapshotAndVaultStandard'
+            elif 'InstantRP' in rp_tier_types:
+                rp_tier = 'Snapshot'
+            elif 'HardenedRP' in rp_tier_types:
+                rp_tier = 'VaultStandard'
+            else:
+                rp_tier = 'Unknown'
+
+            # Compare with the tier parameter and add to filtered list if matched
+            if rp_tier == tier:
+                filtered_recovery_points.append(rp)
+        return filtered_recovery_points
 
     return paged_recovery_points
 
 
 def update_policy_for_item(cmd, client, resource_group_name, vault_name, item, policy, tenant_id=None,
-                           is_critical_operation=False):
+                           is_critical_operation=False, yes=False):
     if item.properties.backup_management_type != policy.properties.backup_management_type:
         raise CLIError(
             """
@@ -302,6 +341,13 @@ def update_policy_for_item(cmd, client, resource_group_name, vault_name, item, p
                                                  aux_tenants=[tenant_id]).protected_items
             afs_item.properties.resource_guard_operation_requests = [helper.get_resource_guard_operation_request(
                 cmd.cli_ctx, resource_group_name, vault_name, "updateProtection")]
+
+    # Validate existing & new policy
+    existing_policy_name = item.properties.policy_id.split('/')[-1]         
+    existing_policy = common.show_policy(protection_policies_cf(cmd.cli_ctx), resource_group_name, vault_name,
+                                             existing_policy_name)
+    helper.validate_update_policy_request(existing_policy, policy, yes)
+
     # Update policy
     result = client.create_or_update(vault_name, resource_group_name, fabric_name,
                                      container_uri, item_uri, afs_item, cls=helper.get_pipeline_response)
@@ -365,7 +411,7 @@ def _get_storage_account_id(cli_ctx, storage_account_name, storage_account_rg):
 
 
 def set_policy(cmd, client, resource_group_name, vault_name, policy, policy_name, tenant_id=None,
-               is_critical_operation=False):
+               is_critical_operation=False, yes=False):
     if policy_name is None:
         raise CLIError(
             """
@@ -375,7 +421,8 @@ def set_policy(cmd, client, resource_group_name, vault_name, policy, policy_name
     policy_object = helper.get_policy_from_json(client, policy)
     policy_object.properties.work_load_type = workload_type
     existing_policy = common.show_policy(client, resource_group_name, vault_name, policy_name)
-    helper.validate_update_policy_request(existing_policy, policy_object)
+
+    helper.validate_update_policy_request(existing_policy, policy_object, yes)
     if is_critical_operation:
         if helper.is_retention_duration_decreased(existing_policy, policy_object, "AzureStorage"):
             # update the payload with critical operation and add auxiliary header for cross tenant case

@@ -230,7 +230,7 @@ def update_policy_for_item(cmd, client, resource_group_name, vault_name, contain
 
     if item.properties.backup_management_type.lower() == "azurestorage":
         return custom_afs.update_policy_for_item(cmd, client, resource_group_name, vault_name, item, policy, tenant_id,
-                                                 is_critical_operation)
+                                                 is_critical_operation, yes)
 
     if item.properties.backup_management_type.lower() == "azureworkload":
         return custom_wl.update_policy_for_item(cmd, client, resource_group_name, vault_name, item, policy, tenant_id,
@@ -239,19 +239,18 @@ def update_policy_for_item(cmd, client, resource_group_name, vault_name, contain
 
 
 def set_policy(cmd, client, resource_group_name, vault_name, policy=None, name=None,
-               fix_for_inconsistent_items=None, backup_management_type=None, tenant_id=None):
+               fix_for_inconsistent_items=None, backup_management_type=None, tenant_id=None, yes=False):
     if backup_management_type is None and policy is not None:
         policy_object = custom_help.get_policy_from_json(client, policy)
         backup_management_type = policy_object.properties.backup_management_type.lower()
     is_critical_operation = custom_help.has_resource_guard_mapping(cmd.cli_ctx, resource_group_name, vault_name,
                                                                    "updatePolicy")
-
     if backup_management_type.lower() == "azureiaasvm":
         return custom.set_policy(cmd, client, resource_group_name, vault_name, policy, name, tenant_id,
                                  is_critical_operation)
     if backup_management_type.lower() == "azurestorage":
         return custom_afs.set_policy(cmd, client, resource_group_name, vault_name, policy, name, tenant_id,
-                                     is_critical_operation)
+                                     is_critical_operation, yes)
     if backup_management_type.lower() == "azureworkload":
         return custom_wl.set_policy(cmd, client, resource_group_name, vault_name, policy, name,
                                     fix_for_inconsistent_items, tenant_id, is_critical_operation)

@@ -11,6 +11,7 @@
 from urllib.parse import urlparse
 
 from knack.log import get_logger
+from knack.prompting import prompt_y_n
 
 from azure.mgmt.core.tools import parse_resource_id, is_valid_resource_id
 
@@ -671,11 +672,25 @@ def validate_and_extract_container_type(container_name, backup_management_type):
     return None
 
 
-def validate_update_policy_request(existing_policy, new_policy):
+def validate_update_policy_request(existing_policy, new_policy, yes=False):
     existing_backup_management_type = existing_policy.properties.backup_management_type
     new_backup_management_type = new_policy.properties.backup_management_type
     if existing_backup_management_type != new_backup_management_type:
         raise CLIError("BackupManagementType cannot be different than the existing type.")
+    # vault -> snapshot
+    if hasattr(existing_policy.properties, 'vault_retention_policy') and existing_policy.properties.vault_retention_policy is not None and hasattr(new_policy.properties, 'retention_policy') and new_policy.properties.retention_policy is not None:
+        raise CLIError(
+            """
+            Switching the backup tier from vaulted backup to snapshot is not possible. 
+            Please create a new policy for snapshot-only backups.
+            """)
+    # snapshot -> vault
+    if not yes and hasattr(existing_policy.properties, 'retention_policy') and existing_policy.properties.retention_policy is not None and hasattr(new_policy.properties, 'vault_retention_policy') and new_policy.properties.vault_retention_policy is not None:
+        warning_prompt = ('Changing the backup tier keeps current snapshots as-is under the existing policy. Future backups will be stored in the vault with new retention settings.' 
+                          'This action is irreversible and incurs additional costs. Switching from vault to snapshot requires reconfiguration.' 
+                          'Learn more at https://learn.microsoft.com/en-us/azure/backup/azure-file-share-backup-overview?tabs=snapshot.')
+        if not prompt_y_n(warning_prompt):
+            raise CLIError('Cancelling policy update operation')
 
 
 def transform_softdelete_parameters(parameter):

@@ -395,7 +395,7 @@ def _get_key_url(self, **kwargs):
 class AFSPolicyPreparer(AbstractPreparer, SingleValueReplacer):
     def __init__(self, name_prefix='clitest-item', parameter_name='policy_name', vault_parameter_name='vault_name',
                  resource_group_parameter_name='resource_group',
-                 instant_rp_days=None):
+                 backup_tier="Snapshot"):
         super().__init__(name_prefix, 24)
         from azure.cli.core.mock import DummyCli
         self.cli_ctx = DummyCli()
@@ -404,7 +404,7 @@ def __init__(self, name_prefix='clitest-item', parameter_name='policy_name', vau
         self.resource_group_parameter_name = resource_group_parameter_name
         self.vault = None
         self.vault_parameter_name = vault_parameter_name
-        self.instant_rp_days = instant_rp_days
+        self.backup_tier = backup_tier
 
     def create_resource(self, name, **kwargs):
         if not os.environ.get('AZURE_CLI_TEST_DEV_BACKUP_POLICY_NAME', None):
@@ -413,10 +413,46 @@ def create_resource(self, name, **kwargs):
 
             policy_json = execute(self.cli_ctx, 'az backup policy show -g {} -v {} -n {}'
                                   .format(self.resource_group, self.vault, 'DefaultPolicy')).get_output_in_json()
+
+            # Remove unwanted keys from default AzureVM policy
+            keys_to_remove = [
+                'instantRpDetails',
+                'instantRpRetentionRangeInDays',
+                'policyType',
+                'snapshotConsistencyType',
+                'tieringPolicy'
+            ]
+
+            for key in keys_to_remove:
+                policy_json['properties'].pop(key, None)
+
             policy_json['name'] = name
-            if self.instant_rp_days:
-                policy_json['properties']['instantRpRetentionRangeInDays'] = self.instant_rp_days
+
             policy_json['properties']['backupManagementType'] = "AzureStorage"
+            policy_json['properties']['workLoadType'] = "AzureFileShare"
+
+            # Modify the policy based on the backup tier
+            if self.backup_tier.lower() == 'vaultstandard':
+                # Set retentionPolicy to null
+                policy_json['properties'].pop('retentionPolicy', None)
+
+                # Add vaultRetentionPolicy with the required properties
+                policy_json['properties']['vaultRetentionPolicy'] = {
+                    "snapshotRetentionInDays": 5,
+                    "vaultRetention": {
+                        "dailySchedule": {
+                            "retentionDuration": {
+                                "count": 30,
+                                "durationType": "Days"
+                            },
+                            "retentionTimes": policy_json['properties']['schedulePolicy']['scheduleRunTimes']
+                        },
+                        "monthlySchedule": None,
+                        "retentionPolicyType": "LongTermRetentionPolicy",
+                        "weeklySchedule": None,
+                        "yearlySchedule": None
+                    }
+                }
             policy_json = json.dumps(policy_json)
 
             command_string = 'az backup policy create -g {} -v {} --policy \'{}\' -n {} --backup-management-type {}'