Cosmos DB - Configure Seven Day Continuous Backup Retention using Terraform
Executive technology leader responsible for platform reliability, cloud operations, security posture, and enterprise technology risk within an investor-backed fintech environment. I lead technology operations at the intersection of engineering execution, governance, and business outcomes — ensuring platforms are scalable, resilient, and trusted by investors, regulators, and clients.
Currently VP of DevOps at InvestorFlow, where I focus on building board-ready technology operations, strengthening risk and resilience, and shaping long-term platform strategy to support growth and regulatory confidence.
When you create a Cosmos DB instance in Azure with Terraform and set backup to Continuous, you might notice that in the current AzureRM provider (3.27.0), you cannot configure any additional settings. You can only specify Continuous, which will result in 30-day retention being the default.
In this post, I will cover how we can amend the default so you can set 7-day retention. Why move from 30-day retention to 7-day retention, you might be thinking. Well, 7-day retention is free until June 2024, whereas 30-day is billable. Seven days may also be a step up from your current backup setup and might also be long enough for recovery needs.
This post will be relevant until the AzureRM provider is updated to support the ability to choose the retention period.
Configuration
Your current Cosmos DB block may look something like this:
resource "azurerm_cosmosdb_account" "my_cosmos_db" {
name = "my-cosmos-db"
location = "UK South"
resource_group_name = azurerm_resource_group.resource_group.name
offer_type = "Standard"
kind = "MongoDB"
enable_automatic_failover = true
geo_location {
location = "westeurope"
failover_priority = 1
}
geo_location {
location = "uksouth"
failover_priority = 0
}
backup {
type = "Continuous"
}
And you will have the AzureRM provider configured:
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.27.0"
}
}
}
provider "azurerm" {}
First, you need to add a new provider called AzAPI. This will be used to configure the seven-day continuous backup. The provider config will look something like this:
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.27.0"
}
azapi = {
source = "Azure/azapi"
version = "1.0.0"
}
}
}
provider "azurerm" {}
provider "azapi" {}
Then you want to add the following resource block to set the retention:
resource "azapi_update_resource" "cosmosdb_backup_seven_days" {
type = "Microsoft.DocumentDB/databaseAccounts@2022-08-15-preview"
resource_id = azurerm_cosmosdb_account.my_cosmos_db.id
body = jsonencode({
"properties" = {
"backupPolicy" = {
"type" : "Continuous",
"continuousModeProperties" : {
"tier" : "Continuous7Days"
}
}
}
})
}
You will notice the following is set:
type - This is set to the defined resource Microsoft.DocumentDB/databaseAccounts and API set to version 2022-08-15-preview. It must be the preview version, as the setting to set 7 days of continuous retention is only available in the preview.
Once the config is in and ready, you can run Terraform plan to confirm the new resource actions and then apply.
AzAPI resource
Some information on the resource you are adding.
The azapi_update_resource will create or modify resources. It will detect and replace any changes you make within the resource block. But, if you delete the resource block, it will delete from the state file and not from Azure. This will result in an orphan configuration.
Read more about AzAPI update resource here.
What to do when AzureRM supports configuration retention period
Once the retention period in Continuous Backup can be set, you will want to add the configuration to the Cosmos DB Account resource block. And then delete the AzAPI resource block, which will not delete the configuration as described above.
