DEV Community

holger
holger

Posted on

How to enable 'Soft Delete' for Blobs in Azure Storage Accounts using Terraform

What is Blob Soft Delete?

Blob soft delete protects an individual blob, snapshot, or version from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time. During the retention period, you can restore a soft-deleted object to its state at the time it was deleted. After the retention period has expired, the object is permanently deleted.

Azure Documentation - Soft delete for blobs [1]

Besides enabling Blob soft delete, Microsoft recommends enabling further data protection features:

How can I configure Blob Soft Delete through Terraform?

The Azure Portal has the settings under Data Protection -> Enable soft delete for blobs.

Azure Portal Blob Soft Delete Settings

However, the Azure Storage Account REST API has the same configuration as DeleteRetentionPolicy [4] and terraform uses a similar wording with delete_retention_policy with their azurerm_storage_account resource [5].

The setting can be configured as part of the blob_properties block of the azurerm_storage_account resource. For example, if we wanted to enable soft delete with a retention time of 5 days, the setting could be:



  blob_properties {
    delete_retention_policy {
      days = 5
    }
  }


Enter fullscreen mode Exit fullscreen mode

The full configuration with a resource group and storage account could be like this:



terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "random_id" "deployment_id" {
  byte_length = 8
}

resource "azurerm_resource_group" "rg" {
  location = "westeurope"
  name     = "rg-${lower(random_id.deployment_id.hex)}"
  tags = {
    environment = "test"
  }
}

resource "azurerm_storage_account" "storage_acct" {
  name = "stg${lower(random_id.deployment_id.hex)}"
  resource_group_name = azurerm_resource_group.rg.name
  location = azurerm_resource_group.rg.location

  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  access_tier              = "Hot"

  min_tls_version           = "TLS1_2"
  enable_https_traffic_only = true

  blob_properties {
    last_access_time_enabled = true
    delete_retention_policy {
      days = 5
    }
  }

  tags = {
    environment = "test"
  }
}

output "storage_account_blob_uri" {
  value = azurerm_storage_account.storage_acct.primary_blob_endpoint
  description = "Primary Blob Endpoint"
}


Enter fullscreen mode Exit fullscreen mode

Above configuration would create a resource group and storage account with a random number as suffix. Furthermore, the primary blob endpoint is added as output to the console.

Once applied, the setting should be reflected in the Azure Portal as well.

Azure Portal - Soft Delete

References

Top comments (0)