Enable Backup Command for AKS in dataprotection CLI

src/dataprotection/HISTORY.rst

@@ -2,6 +2,11 @@
 
 Release History
 ===============
+1.9.0
++++++
+* `az dataprotection enable-backup trigger`: New command to enable backup for AKS clusters with a single command. Supports preset backup strategies (Week, Month, DisasterRecovery) and Custom strategy with user-provided configuration.
+* Added vendored SDKs: `azure-mgmt-containerservice` (40.2.0), `azure-mgmt-kubernetesconfiguration` (3.1.0), `azure-mgmt-resourcegraph` (8.0.0).
+
 1.8.1
 +++++
 * Documentation update for `initialize-backupconfig` and `initialize-restoreconfig` commands to clarify that the generated JSON is meant for use with other CLI commands, and may not work as an input for non-CLI scenarios without modification.

src/dataprotection/azext_dataprotection/manual/_consts.py

@@ -0,0 +1,18 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+# AKS Backup Strategy Constants
+CONST_BACKUP_STRATEGY_WEEK = "Week"
+CONST_BACKUP_STRATEGY_MONTH = "Month"
+CONST_BACKUP_STRATEGY_DISASTER_RECOVERY = "DisasterRecovery"
+CONST_BACKUP_STRATEGY_CUSTOM = "Custom"
+
+# List of all backup strategies for AKS
+CONST_AKS_BACKUP_STRATEGIES = [
+    CONST_BACKUP_STRATEGY_WEEK,
+    CONST_BACKUP_STRATEGY_MONTH,
+    CONST_BACKUP_STRATEGY_DISASTER_RECOVERY,
+    CONST_BACKUP_STRATEGY_CUSTOM,
+]

src/dataprotection/azext_dataprotection/manual/_help.py

@@ -291,3 +291,67 @@
       - name: List of Recovery Points in a Vault
         text: az dataprotection recovery-point list --backup-instance-name "sample_biname-00000000-0000-0000-0000-000000000000" --resource-group "sample_rg" --vault-name "sample_vault"
 """
+
+helps['dataprotection enable-backup'] = """
+    type: group
+    short-summary: Enable backup for Azure resources.
+"""
+
+helps['dataprotection enable-backup trigger'] = """
+    type: command
+    short-summary: Enable backup for an AKS cluster by setting up all required resources including backup vault, policy, storage account, extension, and trusted access.
+    long-summary: |
+        This command orchestrates all the steps required to enable backup for an AKS cluster:
+          1. Creates or reuses a backup resource group, storage account, and blob container
+          2. Installs the backup extension on the cluster (or reuses an existing one)
+          3. Creates or reuses a backup vault and backup policy
+          4. Configures trusted access and role assignments
+          5. Creates a backup instance
+
+        The --backup-configuration-file parameter accepts a JSON file (@file.json) or inline JSON string with the following optional settings:
+          - storageAccountResourceId: ARM ID of an existing storage account to use
+          - blobContainerName: Name of an existing blob container (used with storageAccountResourceId)
+          - backupResourceGroupId: ARM ID of an existing resource group for backup resources
+          - backupVaultId: ARM ID of an existing backup vault (required for Custom strategy)
+          - backupPolicyId: ARM ID of an existing backup policy (required for Custom strategy)
+          - tags: Dictionary of tags to apply to created resources (e.g., {"Owner": "team", "Env": "prod"})
+
+        Backup strategy presets (--backup-strategy):
+          - Week (default): Daily incremental backups with 7-day retention in Operational Store.
+          - Month: Daily incremental backups with 30-day retention in Operational Store.
+          - DisasterRecovery: Daily incremental backups with 7-day Operational Store + 90-day Vault Store retention. FirstOfDay backups are copied to Vault Store for cross-region restore.
+          - Custom: Bring your own vault and policy. Requires backupVaultId and backupPolicyId in --backup-configuration-file.
+    examples:
+      - name: Enable backup for an AKS cluster with default Week strategy
+        text: az dataprotection enable-backup trigger --datasource-type AzureKubernetesService --datasource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService/managedClusters/{cluster}
+      - name: Enable backup with Month strategy
+        text: az dataprotection enable-backup trigger --datasource-type AzureKubernetesService --datasource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService/managedClusters/{cluster} --backup-strategy Month
+      - name: Enable backup with Custom strategy using existing vault and policy
+        text: |
+            az dataprotection enable-backup trigger --datasource-type AzureKubernetesService \\
+              --datasource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService/managedClusters/{cluster} \\
+              --backup-strategy Custom \\
+              --backup-configuration-file @config.json
+
+            Where config.json contains:
+            {
+              "backupVaultId": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.DataProtection/backupVaults/{vault}",
+              "backupPolicyId": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.DataProtection/backupVaults/{vault}/backupPolicies/{policy}"
+            }
+      - name: Enable backup with resource tags for policy compliance
+        text: |
+            az dataprotection enable-backup trigger --datasource-type AzureKubernetesService \\
+              --datasource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService/managedClusters/{cluster} \\
+              --backup-configuration-file '{"tags": {"Owner": "team", "Environment": "prod", "DeleteBy": "2026-12"}}'
+      - name: Enable backup using an existing storage account
+        text: |
+            az dataprotection enable-backup trigger --datasource-type AzureKubernetesService \\
+              --datasource-id /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerService/managedClusters/{cluster} \\
+              --backup-configuration-file @config.json
+
+            Where config.json contains:
+            {
+              "storageAccountResourceId": "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{sa}",
+              "blobContainerName": "my-backup-container"
+            }
+"""

src/dataprotection/azext_dataprotection/manual/_params.py

@@ -42,7 +42,8 @@
     get_permission_scope_values,
     get_resource_type_values,
     get_persistent_volume_restore_mode_values,
-    get_conflict_policy_values
+    get_conflict_policy_values,
+    get_all_backup_strategies,
 )
 
 vault_name_type = CLIArgumentType(help='Name of the backup vault.', options_list=['--vault-name', '-v'], type=str)
@@ -182,6 +183,27 @@ def load_arguments(self, _):
         c.argument('restore_request_object', type=validate_file_or_dict, help='Request body for operation "Restore" Expected value: '
                    'json-string/@json-file. Required when --operation is Restore')
 
+    # Enable Backup command
+    with self.argument_context('dataprotection enable-backup trigger') as c:
+        c.argument('datasource_type', type=str, help="The type of datasource to be backed up. Supported values: AzureKubernetesService.")
+        c.argument('datasource_id', type=str, help="The full ARM resource ID of the datasource to be backed up.")
+        c.argument('backup_strategy', arg_type=get_enum_type(get_all_backup_strategies()),
+                   help="Backup strategy preset (daily incremental backups). "
+                        "For AzureKubernetesService: "
+                        "Week (7-day operational store retention), "
+                        "Month (30-day operational store retention), "
+                        "DisasterRecovery (7-day operational + 90-day vault store retention), "
+                        "Custom (bring your own vault/policy). Default: Week.")
+        c.argument('backup_configuration_file', type=validate_file_or_dict,
+                   options_list=['--backup-configuration-file', '-f'],
+                   help="Path to a JSON backup configuration file. "
+                        "Supports backupVaultId and backupPolicyId "
+                        "(required for Custom strategy). "
+                        "For workload-specific settings, "
+                        "refer to the documentation.")
+        c.argument('yes', options_list=['--yes', '-y'], action='store_true',
+                   help='Do not prompt for confirmation.')
+
     with self.argument_context('dataprotection job show') as c:
         c.argument('resource_group_name', resource_group_name_type)
         c.argument('vault_name', vault_name_type, id_part='name')

src/dataprotection/azext_dataprotection/manual/aks/__init__.py

@@ -0,0 +1,4 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------