hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for Point in Time on `azurerm_storage_account` for Blob storage #9020

Closed aristosvo closed 1 year ago

aristosvo commented 4 years ago

Description

Make Point in Time Restore for Blob storage available in Terraform

New or Affected Resource(s)

Potential Terraform Configuration

resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  blob_properties {
    change_feed_enabled = true
    versioning_enabled  = true

    restore_policy {
      days = 2
    }
    delete_retention_policy {
      days = 3
    }
  }
}

References

aristosvo commented 3 years ago

Waiting for https://github.com/terraform-providers/terraform-provider-azurerm/pull/6147 or similar functionality

aristosvo commented 3 years ago

https://github.com/terraform-providers/terraform-provider-azurerm/pull/9277 already implements this functionality without the toggle.

dhirschfeld commented 3 years ago

Related: #8268

rwiglenda commented 3 years ago

Hey, I just deployed this feature with the tf resource "azurerm_resource_group_template_deployment". Here is the sample code, this might help someone:

resource "azurerm_storage_account" "pointintimerestore" {
  name                = "yourstorageaccountname"
  resource_group_name = azurerm_resource_group.your_resource_group.name

  location                 = azurerm_resource_group.your_resource_group.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  blob_properties {
    change_feed_enabled = true
    versioning_enabled  = true
    delete_retention_policy {
      days = 8 # this value has to be greater than the ARM value restorePolicy.days
    }
    container_delete_retention_policy {
      days = 30
    }
  }
}

resource "azurerm_resource_group_template_deployment" "pointintimerestore" {
    name                = "point-in-time-restore-deploy"
    resource_group_name = azurerm_resource_group.your_resource_group.name
    deployment_mode     = "Incremental"

    template_content = <<TEMPLATE

  {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "StorageAccountName": {
            "type": "String"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts/blobServices",
            "apiVersion": "2021-04-01",
            "name": "[concat(parameters('StorageAccountName'), '/default')]",
            "properties": {
                "restorePolicy": {
                    "enabled": true,
                    "days": 7
                }
            }
        }     
    ]
}

  TEMPLATE

  parameters_content = jsonencode({
       "StorageAccountName" = {
          value = azurerm_storage_account.pointintimerestore.name
       }
    })
}

reespozzi commented 3 years ago

Is this still being worked on to add restore_policy { days = 2 } into a potential terraform storage_account config? I see all last PRs closed

aristosvo commented 3 years ago

@reespozzi This is dependent on an upstream issue.

Last try can be found here, but it really depends on the upstream fixes.

tamademicheli commented 2 years ago

Any news? It would be nice to have that as well.

PPACI commented 2 years ago

Note that as a workaround, you can achieve the desired effect via Azure Backup Vault.

https://docs.microsoft.com/en-us/azure/backup/blob-backup-overview

When you configure backup for a storage account and assign a backup policy with a retention of ‘n’ days, the underlying properties are set as described below. You can view these properties in the Data protection tab of the blob service in your storage account.

Point-in-time restore: Set to ‘n’ days, as defined in the backup policy. If the storage account already had point-in-time enabled with a retention of, say ‘x’ days, before configuring backup, the point-in-time restore duration will be set to the greater of the two values, that is max(n,x). If you had already enabled point-in-time restore and specified the retention to be greater than that in the backup policy, it will remain unchanged.

Soft delete: Set to ‘n+5’ days, that is, five days in addition to the duration specified in the backup policy. If the storage account that is being configured for operational backup already had soft delete enabled with a retention of, say ‘y’ days, then the soft delete retention will be set to the maximum of the two values, that is, max(n+5,y). If you had already enabled soft delete and specified the retention to be greater than that according to the backup policy, it will remain unchanged.

Versioning for blobs and blob change feed: Versioning and change feed are enabled for storage accounts that have been configured for operational backup.

Delete Lock: Configuring operational backup on a storage account also applies a Delete Lock on the storage account. The Delete Lock applied by Backup can be viewed under the Locks tab of the storage account.

You need to create a Backup Vault, a Blob backup policy and then to instantiate it on your blob. https://docs.microsoft.com/en-us/azure/backup/blob-backup-configure-manage

Have a look at

jlegido commented 2 years ago

I tried https://github.com/hashicorp/terraform-provider-azurerm/issues/9020#issuecomment-1100169975 but the result was not the same as if doing from "Data protection" option in Azure portal

mkemmerz commented 2 years ago

So is this implemented? I am a bit confused reading through this issue.

I only want to set this checkbox. On Azure Portal it doesn't require any Backup Vault as (@PPACI suggested to use) so I would really like to use it without the Vault.

jlegido commented 2 years ago

@mkemmerz I implemented with a workaround, below excerpt:

main.tf

# Ugly workaround for container PITR

module "storage_account_solution_pitr_containers" {
  account_name = module.storage_account_solution.name
  delete_retention_days = local.container_delete_retention_policy_days
  // IMPORTANT: mandatory
  depends_on = [
    module.storage_account_solution
  ]
  subscription = local.subscription_id
  resource_group = module.resource_group_solution.name
  restore_days = local.restore_days
  source = "./modules/local-exec-storage-account-pitr-containers"
}

modules/local-exec-storage-account-pitr-containers/variables.tf

variable "account_name" {
  description = "Storage Account name"
  type = string
}

variable "delete_retention_days" {
  description = "Storage account setting 'Keep deleted blobs for (in days)', in terraforms is 'container_delete_retention_policy_days'"
  type = string
}

variable "subscription" {
  description = "Subscription name or ID"
  type = string
}

variable "resource_group" {
  description = "Resource Group name"
  type = string
}

variable "restore_days" {
  description = "Storage account setting 'Maximum restore point (days ago)'"
  type = string
}

modules/local-exec-storage-account-pitr-containers/main.tf

resource "null_resource" "storage_account_pitr_containers" {
  provisioner "local-exec" {
    # Every interpolated value is single-quoted so the shell passes it as one literal argument.
    command = <<-EOL
    az account set \
      --subscription '${var.subscription}' \
      && \
      az storage account blob-service-properties update \
      --resource-group '${var.resource_group}' \
      --account-name '${var.account_name}' \
      --enable-delete-retention true \
      --delete-retention-days '${var.delete_retention_days}' \
      --enable-versioning true \
      --enable-change-feed true \
      --enable-restore-policy true \
      --restore-days '${var.restore_days}'
    EOL
    when = create
  }
}

louiseunice commented 2 years ago

I asked Azure support, they said that the issue mentioned in the GitHub issue https://github.com/Azure/azure-rest-api-specs/issues/11237 has been fixed in the new version of REST API released after 2022-05-01. So maybe this PR can be merged now.

aristosvo commented 1 year ago

Fixed by #19644 (blob_properties.0.restore_policy)
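
As an added example (not code from this thread or from the provider): a Python check over `terraform show -json` plan output that flags storage accounts whose `restore_policy` breaks the constraint noted earlier in the thread, delete retention days greater than restore days, or lacks the versioning and change feed settings that the configurations here enable alongside it. The sample plan is constructed, and `check_pitr` and `block_days` are hypothetical names.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Addresses and values are made up for this example.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_storage_account.ok", "type": "azurerm_storage_account",
   "change": {"after": {"blob_properties": [{
     "versioning_enabled": true, "change_feed_enabled": true,
     "restore_policy": [{"days": 7}],
     "delete_retention_policy": [{"days": 8}]}]}}},
  {"address": "azurerm_storage_account.weak", "type": "azurerm_storage_account",
   "change": {"after": {"blob_properties": [{
     "versioning_enabled": true, "change_feed_enabled": false,
     "restore_policy": [{"days": 7}],
     "delete_retention_policy": [{"days": 7}]}]}}},
  {"address": "azurerm_storage_account.no_pitr", "type": "azurerm_storage_account",
   "change": {"after": {"blob_properties": []}}},
  {"address": "azurerm_storage_account.gone", "type": "azurerm_storage_account",
   "change": {"after": null}}
]}
""")


def block_days(blocks):
    """Return `days` from a nested block (a list of 0 or 1 objects), else None."""
    return blocks[0].get("days") if blocks else None


def check_pitr(plan):
    """Return (address, problem) pairs for accounts whose PITR setup is incomplete."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_storage_account":
            continue
        after = (rc.get("change") or {}).get("after") or {}  # null when destroyed
        for props in after.get("blob_properties") or []:
            restore = block_days(props.get("restore_policy"))
            if restore is None:
                continue  # point-in-time restore not requested
            keep = block_days(props.get("delete_retention_policy"))
            if keep is None or keep <= restore:
                findings.append((rc["address"],
                                 f"delete retention {keep} must exceed restore days {restore}"))
            for flag in ("versioning_enabled", "change_feed_enabled"):
                if props.get(flag) is not True:
                    findings.append((rc["address"], f"{flag} is not true"))
    return findings


if __name__ == "__main__":
    for address, problem in check_pitr(SAMPLE_PLAN):
        print(f"{address}: {problem}")
```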

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.