[Backup] az backup item set-policy: Add warning message for migration from Standard to Enhanced Policy (#28317)

Author: zubairabid

src/azure-cli/azure/cli/command_modules/backup/_params.py

@@ -207,6 +207,7 @@ def load_arguments(self, _):
         c.argument('backup_management_type', backup_management_type)
         c.argument('workload_type', workload_type)
         c.argument('tenant_id', help='ID of the tenant if the Resource Guard protecting the vault exists in a different tenant.')
+        c.argument('yes', options_list=['--yes', '-y'], help='Skip confirmation when updating Standard to Enhanced Policies.', action='store_true')
 
     with self.argument_context('backup item list') as c:
         c.argument('vault_name', vault_name_type, id_part=None)

src/azure-cli/azure/cli/command_modules/backup/custom.py

@@ -8,6 +8,7 @@
 from datetime import datetime, timedelta, timezone
 # pylint: disable=too-many-lines
 from knack.log import get_logger
+from knack.prompting import prompt_y_n
 from azure.mgmt.core.tools import is_valid_resource_id
 
 from azure.mgmt.recoveryservicesbackup.activestamp import RecoveryServicesBackupClient
@@ -126,6 +127,12 @@
 os_linux = 'Linux'
 password_offset = 33
 password_length = 15
+vm_policy_type_map = {
+    'v2': 'enhanced',
+    'v1': 'standard'
+}
+enhanced_policy_type = "v2"
+standard_policy_type = "v1"
 # pylint: disable=too-many-function-args
 
 
@@ -173,9 +180,9 @@ def create_vault(client, vault_name, resource_group_name, location, tags=None,
                        "to their default values. It is recommended to use az backup vault update instead.")
 
         # If the vault exists, we move to the update flow instead
-        update_vault(client, vault_name, resource_group_name, tags, public_network_access,
-                     immutability_state, cross_subscription_restore_state, classic_alerts,
-                     azure_monitor_alerts_for_job_failures)
+        return update_vault(client, vault_name, resource_group_name, tags, public_network_access,
+                            immutability_state, cross_subscription_restore_state, classic_alerts,
+                            azure_monitor_alerts_for_job_failures)
     except CoreResourceNotFoundError:
         vault_properties = VaultProperties()
 
@@ -983,7 +990,7 @@ def list_items(cmd, client, resource_group_name, vault_name, container_name=None
 
 
 def update_policy_for_item(cmd, client, resource_group_name, vault_name, item, policy, tenant_id=None,
-                           is_critical_operation=False):
+                           is_critical_operation=False, yes=False):
     if item.properties.backup_management_type != policy.properties.backup_management_type:
         raise CLIError(
             """
@@ -1004,16 +1011,33 @@ def update_policy_for_item(cmd, client, resource_group_name, vault_name, item, p
     vm_item_properties.policy_id = policy.id
     vm_item_properties.source_resource_id = item.properties.source_resource_id
     vm_item = ProtectedItemResource(properties=vm_item_properties)
+    existing_policy = common.show_policy(protection_policies_cf(cmd.cli_ctx), resource_group_name, vault_name,
+                                         item.properties.policy_name)
+
     if is_critical_operation:
-        existing_policy = common.show_policy(protection_policies_cf(cmd.cli_ctx), resource_group_name, vault_name,
-                                             item.properties.policy_name)
         if cust_help.is_retention_duration_decreased(existing_policy, policy, "AzureIaasVM"):
             # update the payload with critical operation and add auxiliary header for cross tenant case
             if tenant_id is not None:
                 client = get_mgmt_service_client(cmd.cli_ctx, RecoveryServicesBackupClient,
                                                  aux_tenants=[tenant_id]).protected_items
             vm_item.properties.resource_guard_operation_requests = [cust_help.get_resource_guard_operation_request(
                 cmd.cli_ctx, resource_group_name, vault_name, "updateProtection")]
+
+    # Raise warning for standard->enhanced policy
+    try:
+        existing_policy_type = existing_policy.properties.policy_type.lower()
+        new_policy_type = policy.properties.policy_type.lower()
+        if (not yes and
+                new_policy_type in vm_policy_type_map and vm_policy_type_map[new_policy_type] == 'enhanced' and
+                existing_policy_type in vm_policy_type_map and vm_policy_type_map[existing_policy_type] == 'standard'):
+            warning_prompt = ('Upgrading to enhanced policy can incur additional charges. Once upgraded to the enhanced '
+                              'policy, it is not possible to revert back to the standard policy. Do you want to continue?')
+            if not prompt_y_n(warning_prompt):
+                logger.warning('Cancelling policy update operation')
+                return None
+    except (AttributeError):
+        logger.warning("Unable to fetch policy type for either existing or new policy. Proceeding with update.")
+
     # Update policy
     result = client.create_or_update(vault_name, resource_group_name, fabric_name,
                                      container_uri, item_uri, vm_item, cls=cust_help.get_pipeline_response)

src/azure-cli/azure/cli/command_modules/backup/custom_base.py

@@ -208,7 +208,7 @@ def disable_protection(cmd, client, resource_group_name, vault_name, item_name,
 
 
 def update_policy_for_item(cmd, client, resource_group_name, vault_name, container_name, item_name, policy_name,
-                           workload_type=None, backup_management_type=None, tenant_id=None):
+                           workload_type=None, backup_management_type=None, tenant_id=None, yes=None):
 
     items_client = backup_protected_items_cf(cmd.cli_ctx)
     item = show_item(cmd, items_client, resource_group_name, vault_name, container_name, item_name,
@@ -226,7 +226,7 @@ def update_policy_for_item(cmd, client, resource_group_name, vault_name, contain
 
     if item.properties.backup_management_type.lower() == "azureiaasvm":
         return custom.update_policy_for_item(cmd, client, resource_group_name, vault_name, item, policy, tenant_id,
-                                             is_critical_operation)
+                                             is_critical_operation, yes)
 
     if item.properties.backup_management_type.lower() == "azurestorage":
         return custom_afs.update_policy_for_item(cmd, client, resource_group_name, vault_name, item, policy, tenant_id,