feat: storage account soft delete (#108)

Author: jaredfholgate

alz/azuredevops/main.tf

@@ -70,6 +70,11 @@ module "azure" {
   container_registry_dockerfile_repository_folder_url       = local.agent_container_instance_dockerfile_url
   custom_role_definitions                                   = var.iac_type == "terraform" ? local.custom_role_definitions_terraform : local.custom_role_definitions_bicep
   role_assignments                                          = var.iac_type == "terraform" ? var.role_assignments_terraform : var.role_assignments_bicep
+  storage_account_blob_soft_delete_enabled                  = var.storage_account_blob_soft_delete_enabled
+  storage_account_blob_soft_delete_retention_days           = var.storage_account_blob_soft_delete_retention_days
+  storage_account_blob_versioning_enabled                   = var.storage_account_blob_versioning_enabled
+  storage_account_container_soft_delete_enabled             = var.storage_account_container_soft_delete_enabled
+  storage_account_container_soft_delete_retention_days      = var.storage_account_container_soft_delete_retention_days
 }
 
 module "azure_devops" {

alz/azuredevops/variables.tf

@@ -645,3 +645,28 @@ variable "apply_alz_archetypes_via_architecture_definition_template" {
   default     = true
   description = "Toggles assignment of ALZ policies. True to deploy, otherwise false. (e.g true)"
 }
+
+variable "storage_account_blob_soft_delete_retention_days" {
+  type    = number
+  default = 7
+}
+
+variable "storage_account_blob_soft_delete_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "storage_account_container_soft_delete_retention_days" {
+  type    = number
+  default = 7
+}
+
+variable "storage_account_container_soft_delete_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "storage_account_blob_versioning_enabled" {
+  type    = bool
+  default = true
+}

alz/github/main.tf

@@ -71,6 +71,11 @@ module "azure" {
   container_registry_dockerfile_repository_folder_url       = local.runner_container_instance_dockerfile_url
   custom_role_definitions                                   = var.iac_type == "terraform" ? local.custom_role_definitions_terraform : local.custom_role_definitions_bicep
   role_assignments                                          = var.iac_type == "terraform" ? var.role_assignments_terraform : var.role_assignments_bicep
+  storage_account_blob_soft_delete_enabled                  = var.storage_account_blob_soft_delete_enabled
+  storage_account_blob_soft_delete_retention_days           = var.storage_account_blob_soft_delete_retention_days
+  storage_account_blob_versioning_enabled                   = var.storage_account_blob_versioning_enabled
+  storage_account_container_soft_delete_enabled             = var.storage_account_container_soft_delete_enabled
+  storage_account_container_soft_delete_retention_days      = var.storage_account_container_soft_delete_retention_days
 }
 
 module "github" {

alz/github/variables.tf

@@ -680,3 +680,28 @@ variable "apply_alz_archetypes_via_architecture_definition_template" {
   default     = true
   description = "Toggles assignment of ALZ policies. True to deploy, otherwise false. (e.g true)"
 }
+
+variable "storage_account_blob_soft_delete_retention_days" {
+  type    = number
+  default = 7
+}
+
+variable "storage_account_blob_soft_delete_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "storage_account_container_soft_delete_retention_days" {
+  type    = number
+  default = 7
+}
+
+variable "storage_account_container_soft_delete_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "storage_account_blob_versioning_enabled" {
+  type    = bool
+  default = true
+}

alz/local/main.tf

@@ -33,24 +33,29 @@ module "files" {
 }
 
 module "azure" {
-  source                                   = "../../modules/azure"
-  count                                    = var.create_bootstrap_resources_in_azure ? 1 : 0
-  user_assigned_managed_identities         = local.managed_identities
-  federated_credentials                    = local.federated_credentials
-  resource_group_identity_name             = local.resource_names.resource_group_identity
-  resource_group_state_name                = local.resource_names.resource_group_state
-  create_storage_account                   = var.iac_type == local.iac_terraform
-  storage_account_name                     = local.resource_names.storage_account
-  storage_container_name                   = local.resource_names.storage_container
-  azure_location                           = var.bootstrap_location
-  target_subscriptions                     = local.target_subscriptions
-  root_parent_management_group_id          = local.root_parent_management_group_id
-  storage_account_replication_type         = var.storage_account_replication_type
-  use_self_hosted_agents                   = false
-  use_private_networking                   = false
-  custom_role_definitions                  = var.iac_type == "terraform" ? local.custom_role_definitions_terraform : local.custom_role_definitions_bicep
-  role_assignments                         = var.iac_type == "terraform" ? var.role_assignments_terraform : var.role_assignments_bicep
-  additional_role_assignment_principal_ids = var.grant_permissions_to_current_user ? { current_user = data.azurerm_client_config.current.object_id } : {}
+  source                                               = "../../modules/azure"
+  count                                                = var.create_bootstrap_resources_in_azure ? 1 : 0
+  user_assigned_managed_identities                     = local.managed_identities
+  federated_credentials                                = local.federated_credentials
+  resource_group_identity_name                         = local.resource_names.resource_group_identity
+  resource_group_state_name                            = local.resource_names.resource_group_state
+  create_storage_account                               = var.iac_type == local.iac_terraform
+  storage_account_name                                 = local.resource_names.storage_account
+  storage_container_name                               = local.resource_names.storage_container
+  azure_location                                       = var.bootstrap_location
+  target_subscriptions                                 = local.target_subscriptions
+  root_parent_management_group_id                      = local.root_parent_management_group_id
+  storage_account_replication_type                     = var.storage_account_replication_type
+  use_self_hosted_agents                               = false
+  use_private_networking                               = false
+  custom_role_definitions                              = var.iac_type == "terraform" ? local.custom_role_definitions_terraform : local.custom_role_definitions_bicep
+  role_assignments                                     = var.iac_type == "terraform" ? var.role_assignments_terraform : var.role_assignments_bicep
+  additional_role_assignment_principal_ids             = var.grant_permissions_to_current_user ? { current_user = data.azurerm_client_config.current.object_id } : {}
+  storage_account_blob_soft_delete_enabled             = var.storage_account_blob_soft_delete_enabled
+  storage_account_blob_soft_delete_retention_days      = var.storage_account_blob_soft_delete_retention_days
+  storage_account_blob_versioning_enabled              = var.storage_account_blob_versioning_enabled
+  storage_account_container_soft_delete_enabled        = var.storage_account_container_soft_delete_enabled
+  storage_account_container_soft_delete_retention_days = var.storage_account_container_soft_delete_retention_days
 }
 
 resource "local_file" "alz" {

alz/local/variables.tf

@@ -486,3 +486,28 @@ variable "apply_alz_archetypes_via_architecture_definition_template" {
   default     = true
   description = "Toggles assignment of ALZ policies. True to deploy, otherwise false. (e.g true)"
 }
+
+variable "storage_account_blob_soft_delete_retention_days" {
+  type    = number
+  default = 7
+}
+
+variable "storage_account_blob_soft_delete_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "storage_account_container_soft_delete_retention_days" {
+  type    = number
+  default = 7
+}
+
+variable "storage_account_container_soft_delete_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "storage_account_blob_versioning_enabled" {
+  type    = bool
+  default = true
+}

modules/azure/storage.tf

@@ -8,6 +8,22 @@ resource "azurerm_storage_account" "alz" {
   allow_nested_items_to_be_public = false
   shared_access_key_enabled       = false
   public_network_access_enabled   = var.use_private_networking && var.use_self_hosted_agents && !var.allow_storage_access_from_my_ip ? false : true
+  blob_properties {
+    dynamic "delete_retention_policy" {
+      for_each = var.storage_account_blob_soft_delete_enabled ? [1] : []
+      content {
+        days = var.storage_account_blob_soft_delete_retention_days
+      }
+    }
+    versioning_enabled = var.storage_account_blob_versioning_enabled
+
+    dynamic "container_delete_retention_policy" {
+      for_each = var.storage_account_container_soft_delete_enabled ? [1] : []
+      content {
+        days = var.storage_account_container_soft_delete_retention_days
+      }
+    }
+  }
   lifecycle {
     ignore_changes = [queue_properties, static_website]
   }

modules/azure/variables.tf

@@ -280,3 +280,28 @@ variable "additional_role_assignment_principal_ids" {
   type    = map(string)
   default = {}
 }
+
+variable "storage_account_blob_soft_delete_retention_days" {
+  type    = number
+  default = 7
+}
+
+variable "storage_account_blob_soft_delete_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "storage_account_container_soft_delete_retention_days" {
+  type    = number
+  default = 7
+}
+
+variable "storage_account_container_soft_delete_enabled" {
+  type    = bool
+  default = true
+}
+
+variable "storage_account_blob_versioning_enabled" {
+  type    = bool
+  default = true
+}