Blob soft delete protects an individual blob, snapshot, or version from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time. During the retention period, you can restore a soft-deleted object to its state at the time it was deleted. After the retention period has expired, the object is permanently deleted.
— Azure Documentation - Soft delete for blobs [1]
Besides enabling Blob soft delete, Microsoft recommends enabling further data protection features:
- Container soft delete, to restore a container that has been deleted [2].
- Blob versioning, to automatically maintain previous versions of a blob [3].
In the Azure Portal, the setting is found under Data Protection -> Enable soft delete for blobs. The Azure Storage Account REST API, however, names the same configuration `DeleteRetentionPolicy` [4], and Terraform uses similar wording, `delete_retention_policy`, in its `azurerm_storage_account` resource [5].

The setting can be configured as part of the `blob_properties` block of the `azurerm_storage_account` resource. For example, if we wanted to enable soft delete with a retention time of 5 days, the setting could be:
```hcl
blob_properties {
  # Keep soft-deleted blobs restorable for 5 days
  delete_retention_policy {
    days = 5
  }
}
```
The full configuration with a resource group and storage account could look like this:

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Random suffix so that resource names are unique per deployment
resource "random_id" "deployment_id" {
  byte_length = 8
}

resource "azurerm_resource_group" "rg" {
  location = "westeurope"
  name     = "rg-${lower(random_id.deployment_id.hex)}"

  tags = {
    environment = "test"
  }
}

resource "azurerm_storage_account" "storage_acct" {
  name                      = "stg${lower(random_id.deployment_id.hex)}"
  resource_group_name       = azurerm_resource_group.rg.name
  location                  = azurerm_resource_group.rg.location
  account_kind              = "StorageV2"
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  access_tier               = "Hot"
  min_tls_version           = "TLS1_2"
  enable_https_traffic_only = true

  blob_properties {
    last_access_time_enabled = true

    # Blob soft delete: deleted blobs stay restorable for 5 days
    delete_retention_policy {
      days = 5
    }
  }

  tags = {
    environment = "test"
  }
}

output "storage_account_blob_uri" {
  value       = azurerm_storage_account.storage_acct.primary_blob_endpoint
  description = "Primary Blob Endpoint"
}
```
The configuration above creates a resource group and a storage account, each with a random number as a suffix. In addition, the primary blob endpoint is printed to the console as an output.
Once applied, the setting should be reflected in the Azure Portal as well.
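The setting can also be checked before apply by inspecting the plan as JSON (`terraform show -json <planfile>`). The following is an added example, not part of the original post: the function names, the `min_days` threshold and the embedded sample plan are assumptions constructed for illustration, and a missing `blob_properties` or `delete_retention_policy` block is reported as a finding.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields this check reads. Resource addresses are illustrative.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_storage_account.storage_acct",
   "type": "azurerm_storage_account",
   "change": {"actions": ["create"], "after": {"blob_properties": [
     {"last_access_time_enabled": true,
      "delete_retention_policy": [{"days": 5}]}]}}},
  {"address": "azurerm_storage_account.no_soft_delete",
   "type": "azurerm_storage_account",
   "change": {"actions": ["create"], "after": {"blob_properties": [
     {"last_access_time_enabled": true, "delete_retention_policy": []}]}}},
  {"address": "azurerm_storage_account.no_blob_props",
   "type": "azurerm_storage_account",
   "change": {"actions": ["create"], "after": {}}},
  {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
   "change": {"actions": ["create"], "after": {"location": "westeurope"}}}
]}
""")


def first_block(parent, name):
    """Nested blocks appear as lists in plan JSON; return the first entry or None."""
    blocks = (parent or {}).get(name) or []
    return blocks[0] if blocks else None


def soft_delete_findings(plan, min_days=1):
    """Return {address: reason} for storage accounts without adequate blob soft delete."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_storage_account":
            continue
        after = rc.get("change", {}).get("after")
        if after is None:  # resource is being destroyed; nothing to check
            continue
        policy = first_block(first_block(after, "blob_properties"), "delete_retention_policy")
        days = (policy or {}).get("days") or 0  # unknown or missing counts as 0
        if policy is None:
            findings[rc["address"]] = "delete_retention_policy not set"
        elif days < min_days:
            findings[rc["address"]] = f"retention of {days} days is below {min_days}"
    return findings


if __name__ == "__main__":
    for address, reason in soft_delete_findings(SAMPLE_PLAN, min_days=5).items():
        print(f"{address}: {reason}")
```

Run against a real plan, the function takes the parsed output of `terraform show -json` in place of `SAMPLE_PLAN`; a non-empty result can fail a CI step.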
| # | Title | URL | Accessed-On |
|---|-------|-----|-------------|
| 1 | Soft delete for blobs | | 2023-01-26 |
| 2 | Enable and manage soft delete for containers | | 2023-01-26 |
| 3 | Enable and manage blob versioning | | 2023-01-26 |
| 4 | Azure REST API - Set Blob Service Properties | | 2023-01-26 |
| 5 | azurerm_storage_account | | 2023-01-26 |