hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Add 'purge_protection_enable' attribute for Cognitive_Account resource deletion in Terraform #24632

Open tissem31 opened 7 months ago

tissem31 commented 7 months ago

Description

Using Terraform with a service principal to create OpenAI resources, I noticed a problem when deleting and recreating these resources.

Currently, when I delete a resource via Terraform, it is moved to OpenAI's "Manage Deleted Resources", requiring manual action to purge or recover it from the Azure portal.

I suggest adding a new attribute, for example "purge_protection_enable", to the Cognitive_account Terraform resource. This would allow users to choose to enable or disable purge protection when deleting a resource, offering greater flexibility in resource management.

This feature would be aligned with similar practices seen in other resources, such as Azure's Key Vault Terraform resource.

Resource Key vault

resource "azurerm_key_vault" "aml_kv" {
  name                     = "keyvault01"
  location                 = var.location
  resource_group_name      = var.resource_group
  tenant_id                = data.azurerm_client_config.current.tenant_id
  sku_name                 = "standard"
  purge_protection_enabled = false # <----- SUCH AS THIS ATTRIBUTE
}

Manage deleted resources "Azure Portal"

open ai

Terraform Configuration Files

Terraform Version

v1.4

AzureRM Provider Version

v3.88.0

Provider

provider "azurerm" {
  subscription_id            = var.subscription_id
  skip_provider_registration = true
  features {
    cognitive_account {
      purge_soft_delete_on_destroy = false
    }
    key_vault {
      purge_soft_delete_on_destroy    = false
      recover_soft_deleted_key_vaults = false
    }
  }
}

example of a cognitive service resource

resource "random_integer" "this" {
  max = 999999
  min = 100000
}

resource "azurerm_cognitive_account" "OpenAI" {
  name                  = var.openai_name
  location              = var.location
  resource_group_name   = var.resource_group
  kind                  = "OpenAI"
  custom_subdomain_name = "azure-openai-${random_integer.this.result}"

  sku_name = "S0"
}

Error Terraform

│ Error: creating Account (Subscription: "XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX"
│ Resource Group Name: "rg-test"
│ Account Name: "openai01-ic-pe"): unexpected status 409 with error: FlagMustBeSetForRestore: An existing resource with ID '/****s/XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/rg-test/providers/Microsoft.CognitiveServices/accounts/openai01-ic-pe' has been soft-deleted. To restore the resource, you must specify 'restore' to be 'true' in the property. If you don't want to restore existing resource, please purge it first.
│
│   with azurerm_cognitive_account.Cognitives["Language_Service"],
│   on main.tf line 438, in resource "azurerm_cognitive_account" "Cognitives":
│  438: resource "azurerm_cognitive_account" "Cognitives" {

New or Affected Resource(s)/Data Source(s)

azurerm_cognitive_account

Potential Terraform Configuration

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cognitive_account
resource "random_integer" "this" {
  max = 999999
  min = 100000
}

# OpenAI Service
resource "azurerm_cognitive_account" "OpenAI" {
  name                     = var.openai_name
  location                 = var.location
  resource_group_name      = var.resource_group
  kind                     = "OpenAI"
  custom_subdomain_name    = "azure-openai-${random_integer.this.result}"
  purge_protection_enabled = false

  sku_name = "S0"
}

References

No response

buddhamangler-cbre commented 6 months ago

For possibly good reasons, my company limits the ability to purge accounts. This paints me into a corner when I go to recreate a resource, as it complains it already exists. Why not just do what keyvault did and have something similar to recover_soft_deleted_key_vaults? This would get me out of the corner I am forced into.

liuwuliuyun commented 1 month ago

Hello everyone, if you're still keen on incorporating this feature into the AzureRM provider, kindly follow the setup provided and check if it meets your requirements.

provider "azurerm" {
  features {
    cognitive_account {
      purge_soft_delete_on_destroy = true
    }
  }
}

Property purge_soft_delete_on_destroy defaults to true and I tested with the following template.

provider "azurerm" {
  features {
    cognitive_account {
      purge_soft_delete_on_destroy = true
    }
  }
}

resource "azurerm_resource_group" "example" {
  name     = "yunliutest"
  location = "eastus"
}

resource "azurerm_cognitive_account" "example" {
  name                = "yunliutest222"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  kind                = "SpeechServices"
  sku_name            = "S0"
}

I executed terraform apply to set up the cognitive account, followed by terraform destroy to completely remove it. Subsequently, I ran terraform apply once more and encountered no errors.

This setup is globally enabled and will apply to all of your cognitive accounts. The reason we haven't implemented purge_protection_enabled similar to Key Vault for now is because the Cognitive REST API does not have a corresponding property to KeyVault's EnablePurgeProtection.

If you hope to restore the soft-deleted accounts, please refer to https://learn.microsoft.com/en-us/azure/ai-services/recover-purge-resources?tabs=rest-api#recover-a-deleted-resource
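
Added example, not part of the thread and not the provider's own code: a Python helper for a CI job that scans `terraform apply` output for the `FlagMustBeSetForRestore` 409 quoted in the issue and builds the Azure CLI call to recover the soft-deleted account, or to purge it where policy allows. The sample log is constructed, the function names are hypothetical, and the location is assumed to come from the caller because the error text does not carry it.

```python
import re

# The ARM ID quoted in the error. The leading path segments are not pinned
# because logs often mask the subscription part (as in the issue above).
_ID_RE = re.compile(
    r"'(?P<id>/[^'\s]*/resourceGroups/(?P<rg>[^/'\s]+)"
    r"/providers/Microsoft\.CognitiveServices/accounts/(?P<name>[^/'\s]+))'"
)

# Constructed sample, shaped like the error in the issue (placeholder IDs).
SAMPLE = """\
╷
│ Error: creating Account (Subscription: "00000000-0000-0000-0000-000000000000"
│ Resource Group Name: "rg-example"
│ Account Name: "openai-example"): unexpected status 409 with error:
│ FlagMustBeSetForRestore: An existing resource with ID
│ '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.CognitiveServices/accounts/openai-example'
│ has been soft-deleted. To restore the resource, you must specify 'restore'
╵
"""


def find_soft_delete_conflicts(tf_output):
    """Return one dict (id, rg, name) per soft-deleted account blocking a create."""
    # Drop Terraform's box-drawing gutter and re-join the wrapped lines.
    flat = " ".join(line.strip("│╷╵ \t") for line in tf_output.splitlines())
    conflicts, seen = [], set()
    for chunk in flat.split("FlagMustBeSetForRestore")[1:]:
        m = _ID_RE.search(chunk)
        if m and m.group("id") not in seen:
            seen.add(m.group("id"))
            conflicts.append(m.groupdict())
    return conflicts


def remediation_command(conflict, location, allow_purge=False):
    """Build the az CLI argv: recover by default, purge only if permitted."""
    # An argv list (not a shell string) keeps log-derived names out of any
    # shell parsing when the command is later run with subprocess.
    action = "purge" if allow_purge else "recover"
    return ["az", "cognitiveservices", "account", action,
            "--location", location,
            "--resource-group", conflict["rg"],
            "--name", conflict["name"]]


if __name__ == "__main__":
    for c in find_soft_delete_conflicts(SAMPLE):
        print(" ".join(remediation_command(c, "eastus")))
```

A recovered account still has to be brought into state with `terraform import` before the next apply.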