hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for azurerm_recovery_services_vault Enable Always-on soft delete #23557

Open DevopsMercenary opened 11 months ago

DevopsMercenary commented 11 months ago

Description

Please add support for the new checkbox 'Enable Always-on soft delete'.

In the console, this is under Recovery Services vault / Settings / Properties / Security Settings.

https://learn.microsoft.com/en-us/rest/api/recoveryservices/vaults/create-or-update?tabs=HTTP#softdeletestate

Possibly changing soft_delete_enabled = true to soft_delete_state = "AlwaysON"

New or Affected Resource(s)/Data Source(s)

azurerm_recovery_services_vault

Potential Terraform Configuration

resource "azurerm_recovery_services_vault" "example" {
  # ...
  soft_delete_state = "AlwaysON"
  # ...
}

References

No response

rcskosir commented 11 months ago

@DevopsMercenary Thank you for taking the time to open this feature request!

degerrit commented 3 months ago

The current terraform setting soft_delete_enabled = true seems to have a strange effect when the Vault is already set to true and Always Enabled in the Azure Portal (the output implies that terraform maps anything other than true to false?).

This would be another reason to support this flag, like the immutability vault option (already implemented).

Our config/setting:

resource "azurerm_recovery_services_vault" "REDACTED" {
  name                = "REDACTED"
  location            = var.location
  resource_group_name = var.resource_group
  sku                 = "Standard"
  soft_delete_enabled = true
}

Terraform output:

$ terraform version
Terraform v1.8.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.105.0
...
# module.REDACTED.azurerm_recovery_services_vault.REDACTED will be updated in-place
  ~ resource "azurerm_recovery_services_vault" "REDACTED" {
        id                                 = "/subscriptions/REDACTED"
        name                               = "REDACTED"
      ~ soft_delete_enabled                = false -> true
        tags                               = {}
        # (8 unchanged attributes hidden)
    }
...
Error: backupresourcevaultconfigs.BackupResourceVaultConfigsClient#Update: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BMSUserErrorSoftDeleteStateAlwaysOn" Message="Soft delete cannot be disabled on this vault since it is configured to be ‘Always on’. This vault has soft delete in ‘Always on’ state, which prevents soft delete from being disabled. Learn more here: https://go.microsoft.com/fwlink/?linkid=2226845 "
│ 
│   with module.REDACTED.azurerm_recovery_services_vault.REDACTED,
│   on common/backup-recovery-services/main.tf line 35, in resource "azurerm_recovery_services_vault" "REDACTED":
│   35: resource "azurerm_recovery_services_vault" "REDACTED" {
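
A CI check for the plan pattern shown in the comment above, as an added example that is not part of the thread or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and flags vault updates that flip soft_delete_enabled in either direction. The sample plan, its resource addresses and the verdict labels are constructed for illustration; that a false -> true diff can indicate an Always-on vault is taken from the comment above, not confirmed provider behaviour.

```python
import json

VAULT_TYPE = "azurerm_recovery_services_vault"


def _rc(address, actions, before, after, rtype=VAULT_TYPE):
    """Build one constructed resource_changes entry (test data helper)."""
    return {"address": address, "type": rtype,
            "change": {"actions": actions, "before": before, "after": after}}


# Constructed sample in the shape of `terraform show -json` output;
# addresses and values are made up for illustration.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("module.backup.azurerm_recovery_services_vault.a", ["update"],
        {"soft_delete_enabled": False}, {"soft_delete_enabled": True}),
    _rc("azurerm_recovery_services_vault.b", ["update"],
        {"soft_delete_enabled": True}, {"soft_delete_enabled": False}),
    _rc("azurerm_recovery_services_vault.c", ["create"],
        None, {"soft_delete_enabled": True}),
    _rc("azurerm_resource_group.rg", ["update"],
        {"tags": {}}, {"tags": {"x": "y"}}, rtype="azurerm_resource_group"),
]})


def soft_delete_findings(plan_json):
    """Return (address, verdict) for in-place vault updates that flip soft_delete_enabled."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != VAULT_TYPE or "update" not in change.get("actions", []):
            continue
        before = (change.get("before") or {}).get("soft_delete_enabled")
        after = (change.get("after") or {}).get("soft_delete_enabled")
        if before is False and after is True:
            # Same diff as in the plan above: state reads false, config says true.
            # Assumption: check the vault's real soft delete state before applying.
            findings.append((rc["address"], "verify-always-on"))
        elif before is True and after is False:
            # The plan would switch soft delete off; treat as a blocking change.
            findings.append((rc["address"], "disables-soft-delete"))
    return findings


if __name__ == "__main__":
    for address, verdict in soft_delete_findings(SAMPLE_PLAN):
        print(f"{verdict}: {address}")
```
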

zachgalvin commented 3 months ago

This would be really helpful! When I use "soft_delete_enabled = true", it sets the "Enable soft delete and security settings for hybrid workloads" setting, but it doesn't set "Enable soft delete for cloud workloads" or "Enable Always-on soft delete" (where the former is a pre-requisite for the latter), so it would be great if all of those could be exposed via Terraform.

adrianbolboceanu commented 1 month ago

Hi, any update here?