azurerm_data_protection_backup_instance_kubernetes_cluster is created with message "Fix protection error for the backup instance" and code ScenarioPluginInvalidWorkflowDataRequest

[rakrueger]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.1

AzureRM Provider Version

3.96.0

Affected Resource(s)/Data Source(s)

azurerm_data_protection_backup_instance_kubernetes_cluster

Terraform Configuration Files

resource "azurerm_data_protection_backup_instance_kubernetes_cluster" "backup-instance" {
  name                         = format("%s-%s", azurerm_kubernetes_cluster.cluster.name, "backup001")
  location                     = var.location
  vault_id                     = data.azurerm_data_protection_backup_vault.backup_vault.id
  kubernetes_cluster_id        = azurerm_kubernetes_cluster.cluster.id
  snapshot_resource_group_name = azurerm_resource_group.aks-disk-backup.name
  backup_policy_id             = "/subscriptions/<SubscriptionID>/resourceGroups/<BackupVault-ResourceGroup>/providers/Microsoft.DataProtection/backupVaults/<BackupVault-Name>/backupPolicies/<BackupPolicy-Name>"

  backup_datasource_parameters {
    cluster_scoped_resources_enabled = true
    volume_snapshot_enabled          = true
  }
}

Debug Output/Panic Output

In the Azure Portal, the protection status shows the message "Protection error" and in the instance I can see the message "Fix protection error for the backup instance". Additionally, in the json view of the backup instance resource in the Azure Portal I can see the code "ScenarioPluginInvalidWorkflowDataRequest".

Expected Behaviour

Create the resource and show it with successful state in the Azure Portal.

Actual Behaviour

The resource is created but in the Azure Portal the protection status shows the message "Protection error" and in the instance I can see the message "Fix protection error for the backup instance". Additionally, in the json view of the backup instance resource in the Azure Portal I can see the code "ScenarioPluginInvalidWorkflowDataRequest".

When having a look at the json view of this backup instance in the Azure Portal, I noticed, that the other values like excludedNamespaces and excludedResourceTypes are set to an empty list:

{
    "properties": {
        "friendlyName": "<ClusterName>-backup001",
        "dataSourceInfo": {
            "resourceID": "/subscriptions/<SubscriptionID>/resourceGroups/<AKS-ResourceGroup>/providers/Microsoft.ContainerService/managedClusters/<ClusterName>",
            "resourceUri": "/subscriptions/<SubscriptionID>/resourceGroups/<AKS-ResourceGroup>/providers/Microsoft.ContainerService/managedClusters/<ClusterName>",
            "datasourceType": "Microsoft.ContainerService/managedClusters",
            "resourceName": "<ClusterName>",
            "resourceType": "Microsoft.ContainerService/managedClusters",
            "resourceLocation": "westeurope",
            "objectType": "Datasource"
        },
        "policyInfo": {
            "policyId": "/subscriptions/<SubscriptionID>/resourceGroups/<BackupVault-ResourceGroup>/providers/Microsoft.DataProtection/backupVaults/<BackupVault-Name>/backupPolicies/<BackupPolicy-Name>",
            "policyParameters": {
                "dataStoreParametersList": [
                    {
                        "dataStoreType": "OperationalStore",
                        "objectType": "AzureOperationalStoreParameters",
                        "resourceGroupId": "/subscriptions/<SubscriptionID>/resourceGroups/<DiskBackup-ResourceGroup>"
                    }
                ],
                "backupDatasourceParametersList": [
                    {
                        "excludedNamespaces": [],
                        "excludedResourceTypes": [],
                        "includeClusterScopeResources": true,
                        "includedNamespaces": [],
                        "includedResourceTypes": [],
                        "labelSelectors": [],
                        "objectType": "KubernetesClusterBackupDatasourceParameters",
                        "snapshotVolumes": true,
                        "backupHookReferences": null
                    }
                ]
            }
        },
        "protectionStatus": {
            "status": "ProtectionError",
            "errorDetails": {
                "message": "",
                "recommendedAction": [
                    ""
                ],
                "code": "ScenarioPluginInvalidWorkflowDataRequest",
                "target": "",
                "isRetryable": false,
                "isUserError": false,
                "properties": {
                    "ActivityId": "4eb970b7-4836-4558-a362-f448362be87f"
                }
            }
        },
        "currentProtectionState": "ProtectionError",
        "protectionErrorDetails": {
            "message": "",
            "recommendedAction": [
                ""
            ],
            "code": "ScenarioPluginInvalidWorkflowDataRequest",
            "target": "",
            "isRetryable": false,
            "isUserError": false,
            "properties": {
                "ActivityId": "4eb970b7-4836-4558-a362-f448362be87f"
            }
        },
        "provisioningState": "Succeeded",
        "objectType": "BackupInstance"
    },
    "id": "/subscriptions/<SubscriptionID>/resourceGroups/<BackupVault-ResourceGroup>/providers/Microsoft.DataProtection/backupVaults/<BackupVault-Name>/backupInstances/<ClusterName>-backup001",
    "name": "<ClusterName>-backup001",
    "type": "Microsoft.DataProtection/backupVaults/backupInstances"
}

To exclude that there is an issue with the Backup Vault, the Backup Policy in the Vault, the Kubernetes Cluster or any permissions, I created a backup instance in the Azure Portal with the same configuration.
I compared the terraform created backup instance to the manually created backup instance in the Azure Portal and the json view for this manually created backup instance shows null values for eg.
excludedNamespaces and excludedResourceTypes instead of the empty list.
In this case the json view of this manually created backup instance looks like the following:

{
    "properties": {
        "friendlyName": "<ClusterName>\\manualtest",
        "dataSourceInfo": {
            "resourceID": "/subscriptions/<SubscriptionID>/resourceGroups/<AKS-ResourceGroup>/providers/Microsoft.ContainerService/managedClusters/<ClusterName>",
            "resourceUri": "/subscriptions/<SubscriptionID>/resourceGroups/<AKS-ResourceGroup>/providers/Microsoft.ContainerService/managedClusters/<ClusterName>",
            "datasourceType": "Microsoft.ContainerService/managedClusters",
            "resourceName": "<ClusterName>",
            "resourceType": "Microsoft.ContainerService/managedClusters",
            "resourceLocation": "westeurope",
            "resourceProperties": {
                "objectType": null
            },
            "objectType": "Datasource"
        },
        "dataSourceSetInfo": {
            "resourceID": "/subscriptions/<SubscriptionID>/resourceGroups/<AKS-ResourceGroup>/providers/Microsoft.ContainerService/managedClusters/<ClusterName>",
            "resourceUri": "/subscriptions/<SubscriptionID>/resourceGroups/<AKS-ResourceGroup>/providers/Microsoft.ContainerService/managedClusters/<ClusterName>",
            "datasourceType": "Microsoft.ContainerService/managedClusters",
            "resourceName": "<ClusterName>",
            "resourceType": "Microsoft.ContainerService/managedClusters",
            "resourceLocation": "westeurope",
            "objectType": "DatasourceSet"
        },
        "policyInfo": {
            "policyId": "/subscriptions/<SubscriptionID>/resourceGroups/<BackupVault-ResourceGroup>/providers/Microsoft.DataProtection/backupVaults/<BackupVault-Name>/backupPolicies/<BackupPolicy-Name>",
            "policyVersion": "",
            "policyParameters": {
                "dataStoreParametersList": [
                    {
                        "objectType": "AzureOperationalStoreParameters",
                        "dataStoreType": "OperationalStore",
                        "resourceGroupId": "/subscriptions/<SubscriptionID>/resourceGroups/<DiskBackup-ResourceGroup>"
                    }
                ],
                "backupDatasourceParametersList": [
                    {
                        "objectType": "KubernetesClusterBackupDatasourceParameters",
                        "includedNamespaces": null,
                        "excludedNamespaces": null,
                        "includedResourceTypes": null,
                        "excludedResourceTypes": null,
                        "labelSelectors": null,
                        "snapshotVolumes": true,
                        "includeClusterScopeResources": true,
                        "backupHookReferences": null
                    }
                ]
            }
        },
        "protectionStatus": {
            "status": "ProtectionConfigured"
        },
        "currentProtectionState": "ProtectionConfigured",
        "provisioningState": "Succeeded",
        "objectType": "BackupInstance"
    },
    "id": "/subscriptions/<SubscriptionID>/resourceGroups/<BackupVault-ResourceGroup>/providers/Microsoft.DataProtection/backupVaults/<BackupVault-Name>/backupInstances/<ClusterName>-<ClusterName>-07ff256b-e9bc-4ca6-a37b-275b1b2d9255",
    "name": "<ClusterName>-<ClusterName>-07ff256b-e9bc-4ca6-a37b-275b1b2d9255",
    "type": "Microsoft.DataProtection/backupVaults/backupInstances"
}

Because of this, I configured the terraform resource to have values for every backup_datasource_parameters so the section looks like the following:

backup_datasource_parameters {
    excluded_namespaces              = ["namespace1"]
    excluded_resource_types          = ["pods"]
    cluster_scoped_resources_enabled = true
    included_namespaces              = ["namespace2"]
    included_resource_types          = ["configmaps"]
    label_selectors                  = ["kubernetes.io/metadata.name:test"]
    volume_snapshot_enabled          = true
}

But this is resulting in the same error. Also when not configuring the optional section backup_datasource_parameters at all, I get the same error.
I noticed, that the syntax of the friendlyName differs, but when trying to adjust the name in terraform so something similar like <ClusterName>\\backup001 I get an HTTP 400 error with message BMSUserErrorInvalidInput in the terraform apply.

I guess there are some issues with the resource azurerm_data_protection_backup_instance_kubernetes_cluster because with my current setup in Azure I am able to create the backup instance manually.

Steps to Reproduce

No response

Important Factoids

No response

References

No response

[sinbai]

Hi @rakrueger thanks for reporting this issue. I'm currently working on this issue and will submit a PR to resolve it as soon as possible.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.