azure-pipelines-tasks-terraform
Enable azure storage soft-delete for container/blobs
There have been incidents where developers have accidentally deleted the Azure Storage container / blob that contains our state files. When this occurs, those developers are required to re-import the state manually. If the Azure Storage accounts could be set up to automatically enable (or opt in to) soft-delete for containers and blobs, that would be much easier than having to run our own tasks to ensure this.
The command we're issuing in a subsequent task after tf init is:
az storage account blob-service-properties update \
--account-name ${{ parameters.backendAzureRmStorageAccountName }} \
--container-delete-retention-days 30 \
--enable-container-delete-retention true \
--delete-retention-days 30 \
--enable-delete-retention true
@matthawley thanks for suggesting this. I agree this would be a great protection measure for what you are describing. The challenge with this will be making sure that existing storage accounts are not modified beyond adding the delete retention. This may need to be sequenced with #189
ensureBackend is a convenience function. It is not the real purpose of this extension and cannot be made to be robust enough for production use. For production use cases we recommend creating the storage account outside of the pipeline or at least in some previous pipeline task. For this specific case, the solution described above is also an option.
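One way to address the maintainer's concern that existing accounts must not be changed beyond the delete retention: inspect the current blob-service properties first and emit an update command carrying only the soft-delete arguments that are actually missing. This is an added example, not code from the azure-pipelines-tasks-terraform extension; the JSON is a constructed sample shaped like the output of `az storage account blob-service-properties show`, and the keys read from it (`deleteRetentionPolicy`, `containerDeleteRetentionPolicy`) are the ones that command returns.

```python
"""Build a minimal, idempotent soft-delete update for a Terraform backend
storage account. Added example (not part of the extension). Offline: the
`show` output below is a constructed sample, not a live query."""
import json
import shlex
from typing import Optional

RETENTION_DAYS = 30  # matches the value used in the issue's command

# Constructed sample: blob soft-delete is on but too short, container
# soft-delete is off. Other properties must be left untouched.
SAMPLE_SHOW_OUTPUT = json.dumps({
    "deleteRetentionPolicy": {"enabled": True, "days": 7},
    "containerDeleteRetentionPolicy": {"enabled": False, "days": None},
    "isVersioningEnabled": False,
})


def missing_retention_args(properties: dict, days: int = RETENTION_DAYS) -> list:
    """Return only the `update` arguments needed to reach the desired
    retention; an empty list means the account is already compliant."""
    args = []
    blob = properties.get("deleteRetentionPolicy") or {}
    if not blob.get("enabled") or (blob.get("days") or 0) < days:
        args += ["--enable-delete-retention", "true",
                 "--delete-retention-days", str(days)]
    container = properties.get("containerDeleteRetentionPolicy") or {}
    if not container.get("enabled") or (container.get("days") or 0) < days:
        args += ["--enable-container-delete-retention", "true",
                 "--container-delete-retention-days", str(days)]
    return args


def build_update_command(account_name: str, show_output: str,
                         days: int = RETENTION_DAYS) -> Optional[str]:
    """Shell-quoted `az ... update` command, or None when no change is
    required (so a pipeline step can skip the call entirely)."""
    args = missing_retention_args(json.loads(show_output), days)
    if not args:
        return None
    return shlex.join(["az", "storage", "account", "blob-service-properties",
                       "update", "--account-name", account_name] + args)


if __name__ == "__main__":
    # Account name is a placeholder; in a pipeline it would come from
    # the backendAzureRmStorageAccountName parameter.
    print(build_update_command("tfstateexample", SAMPLE_SHOW_OUTPUT))
```

In a pipeline the `show_output` argument is the stdout of `az storage account blob-service-properties show --account-name <name>`; a `None` result means the step has nothing to do.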