From 728deca901ba8af57588e81d9394b9f156c19412 Mon Sep 17 00:00:00 2001
From: Ben Broderick Phillips
Date: Thu, 27 Jul 2023 16:53:50 -0400
Subject: [PATCH] Explicitly handle legal holds when cleaning up storage accounts
---
 eng/scripts/Remove-WormStorageAccounts.ps1 | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/eng/scripts/Remove-WormStorageAccounts.ps1 b/eng/scripts/Remove-WormStorageAccounts.ps1
index 60d0099cfc8..98ffd0ca46e 100644
--- a/eng/scripts/Remove-WormStorageAccounts.ps1
+++ b/eng/scripts/Remove-WormStorageAccounts.ps1
@@ -6,6 +6,8 @@ param(
 [string]$GroupPrefix
 )
+$ErrorActionPreference = 'Stop'
+
 # Be a little defensive so we don't delete non-live test groups via naming convention
 if (!$groupPrefix -or !$GroupPrefix.StartsWith('rg-')) {
 Write-Error "The -GroupPrefix parameter must start with 'rg-'"
@@ -25,6 +27,20 @@ foreach ($group in $groups) {
 Write-Host "Removing $($account.StorageAccountName) in $($account.ResourceGroupName)"
 }
 $ctx = New-AzStorageContext -StorageAccountName $account.StorageAccountName
+ $immutableBlobs = $ctx `
+ | Get-AzStorageContainer `
+ | Where-Object { $_.BlobContainerProperties.HasImmutableStorageWithVersioning } `
+ | Get-AzStorageBlob
+ try {
+ foreach ($blob in $immutableBlobs) {
+ Write-Host "Removing legal hold - blob: $($blob.Name), account: $($account.StorageAccountName), group: $($group.ResourceGroupName)"
+ $blob | Set-AzStorageBlobLegalHold -DisableLegalHold | Out-Null
+ }
+ } catch {
+ Write-Warning "User must have 'Storage Blob Data Owner' RBAC permission on subscription or resource group"
+ Write-Error $_
+ throw
+ }
 $ctx | Get-AzStorageContainer | Get-AzStorageBlob | Remove-AzStorageBlob -Force
 # Use AzRm cmdlet as deletion will only work through ARM with the immutability policies defined on the blobs
 $ctx | Get-AzStorageContainer | % { Remove-AzRmStorageContainer -Name $_.Name -StorageAccountName $ctx.StorageAccountName -ResourceGroupName $group.ResourceGroupName -Force }
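Review bot: In the new `catch` block of the second hunk, `Write-Error $_` is itself terminating now that the first hunk sets `$ErrorActionPreference = 'Stop'`, so the `throw` after it never runs and the caller gets the error raised by `Write-Error` instead of the rethrown original; drop the `Write-Error` line and keep the bare `throw`. The warning also blames RBAC for every failure, including throttling or a network error, so word it as a possible cause, e.g. `Write-Warning "Failed to clear legal hold; if this is an authorization failure the caller needs 'Storage Blob Data Owner' on the subscription or resource group"`. Because a legal hold is a retention control, a comment above `$immutableBlobs` should state that holds are cleared on every blob in every versioned-immutable container of the selected accounts. The only scoping visible in this patch is the `rg-` prefix check, and the account selection and enclosing `foreach` loops sit outside the hunk, so confirm they cannot match a non-test resource group.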