feat: data protection options with variables validation for storage account module

MacMur85 · MacMur85 · commit 9e320c30ff8d · 2026-03-06T11:14:34.000Z
diff --git a/infrastructure/modules/storage/main.tf b/infrastructure/modules/storage/main.tf
@@ -16,10 +16,44 @@ resource "azurerm_storage_account" "storage_account" {
       days = var.blob_properties_delete_retention_policy
     }
     versioning_enabled = var.blob_properties_versioning_enabled
+
+    container_delete_retention_policy {
+      days = var.container_delete_retention_policy_days
+    }
+
+    change_feed_enabled = var.blob_properties_change_feed_enabled
+
+    dynamic "restore_policy" {
+      for_each = var.blob_properties_restore_policy_days != null ? [1] : []
+      content {
+        days = var.blob_properties_restore_policy_days
+      }
+    }
+  }
+
+  dynamic "share_properties" {
+    for_each = var.share_properties_retention_policy_days != null ? [1] : []
+    content {
+      retention_policy {
+        days = var.share_properties_retention_policy_days
+      }
+    }
   }
 
   lifecycle {
     ignore_changes = [tags]
+
+    # Validation 1: Prevent the Change Feed / Restore Policy mismatch
+    precondition {
+      condition     = var.blob_properties_restore_policy_days == null || var.blob_properties_change_feed_enabled == true
+      error_message = "Invalid configuration: If blob_properties_restore_policy_days is set, blob_properties_change_feed_enabled must be explicitly set to true."
+    }
+
+    # Validation 2: Prevent the Days limit mismatch
+    precondition {
+      condition     = var.blob_properties_restore_policy_days == null ? true : (var.blob_properties_restore_policy_days < var.blob_properties_delete_retention_policy)
+      error_message = "Invalid configuration: blob_properties_restore_policy_days must be strictly less than blob_properties_delete_retention_policy."
+    }
   }
 }
 
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
@@ -184,6 +184,30 @@ variable "queue_transactions_high_threshold" {
   default     = 1000
 }
 
+variable "container_delete_retention_policy_days" {
+  description = "Specifies the number of days that the container should be retained. Defaulting to 7 for baseline data protection."
+  type        = number
+  default     = null
+}
+
+variable "blob_properties_change_feed_enabled" {
+  description = "Is the blob service properties for change feed events enabled? Required for Point-in-Time Restore."
+  type        = bool
+  default     = false
+}
+
+variable "blob_properties_restore_policy_days" {
+  description = "Specifies the number of days that the blob can be restored. Set to null to disable by default. Note: Must be less than blob and container delete retention policy days."
+  type        = number
+  default     = null
+}
+
+variable "share_properties_retention_policy_days" {
+  description = "Specifies the number of days that the file share should be retained. Set to null to disable by default, or provide a number to enable."
+  type        = number
+  default     = null
+}
+
 locals {
   alert_frequency_map = {
     PT5M  = "PT1M"
