In the world of cloud storage, ensuring the safety and availability of your data is crucial. Azure Storage Account offers a variety of backup solutions to cater to different requirements. In this article, we'll focus on how to enable Azure Storage Account operational blob storage backup using Terraform, with a particular emphasis on using blob_properties block in the azurerm_storage_account resource. We'll also discuss the types of backup available, such as vaulted backup and operational backup, and their respective use cases in platform engineering, Microsoft Azure.

What is an Azure Storage Account?

Azure Storage Account is a Microsoft Azure service that provides scalable, secure, and highly available storage solutions for various data types. It supports a wide range of storage services, such as Blob Storage, File Storage, Queue Storage, and Table Storage. Blob Storage, in particular, is designed to store large amounts of unstructured data, like documents, images, and media files.

Types of Backup: Vaulted Backup vs. Operational Backup

There are two primary backup types available for Azure Blob Storage: vaulted backup and operational backup.

  1. Vaulted Backup: This type of backup provides long-term retention of your data. It is typically used for compliance purposes or when you need to preserve data for an extended period. Vaulted backups are stored in a separate, secure location called the Recovery Services vault, which ensures data durability and protection against accidental deletion or corruption.

  2. Operational Backup: This backup type is designed for short-term retention and operational recovery purposes. It is useful for situations where you need to restore data quickly due to accidental deletion or corruption, or when you need a recent snapshot of your data for testing and validation purposes. Operational backups are stored within the same storage account as the original data, making them easily accessible for quick recovery.

When to Use Operational Backup and Vaulted Backup

Platform engineering teams should choose between operational backup and vaulted backup based on their specific requirements:

Use Operational Backup when:

  • You need a short-term backup solution for quick data recovery.
  • You require frequent backups for testing and validation purposes.
  • Your primary focus is on operational efficiency rather than long-term data retention.

Use Vaulted Backup when:

  • You need to store data for an extended period for compliance or archival purposes.
  • You want to ensure data durability and protection against accidental deletion or corruption.
  • Your primary focus is on long-term data retention and security.

Enabling Operational Blob Storage Backup using Terraform and Blob_properties

Terraform is an Infrastructure as Code (IaC) tool that allows you to manage and provision cloud resources using a declarative configuration language. To enable operational backup for your Azure Storage Account Blob Storage, follow these steps:

  1. Install Terraform: If you haven't already, download and install Terraform on your local machine.

  2. Create a Terraform configuration file: Create a new file named and add the following code:

    provider "azurerm" {
      features {}
    resource "azurerm_resource_group" "example" {
      name     = "example-resources"
      location = "West US"
    resource "azurerm_storage_account" "example" {
      name                     = "examplestoracc"
      resource_group_name      =
      location                 = azurerm_resource_group.example.location
      account_tier             = "Standard"
        account_replication_type = "GRS"
      blob_properties {
        delete_retention_policy {
          days    = 30
        versioning_enabled = true
        change_feed_enabled = true
        restore_policy {
          days    = 7
        container_delete_retention_policy {
          days = 7
    resource "azurerm_storage_container" "example" {
      name                  = "example-container"
      storage_account_name  =
      container_access_type = "private"

Here are the explanations for the new properties:

  • versioning_enabled: Enables versioning for the Blob Storage account. This property allows you to keep multiple versions of an object in Blob Storage and restore previous versions if needed.
  • change_feed_enabled: Enables the Change Feed feature, which provides a real-time stream of Blob Storage events like new object creation, modification, or deletion.
  • restore_policy: Defines the retention period for deleted objects. The Restore Policy property allows you to restore deleted objects within a specified time frame.
  • container_soft_delete: Enables soft delete for the Blob Storage account, which allows you to recover deleted containers and objects within a specified retention period.
  • Note:  Point-in-time restore requires that the versioning and  change_feed Azure Storage features be enabled before you can enable point-in-time restore.  After you enable blob versioning for a storage account, every write operation to a blob in that account results in the creation of a new version. For this reason, enabling blob versioning may result in additional costs. To minimize costs, use a lifecycle management policy to automatically delete old versions. For more information about configuring  lifecycle management using terratom, see our previous article: Automating Azure Blob Storage data lifecycle management with Terraform

Using these properties, you can customize the Blob Storage account to meet your specific requirements and ensure data durability and protection against accidental deletion or corruption.

Now proceed with the following commands:

  1. Initialize Terraform: In the terminal, navigate to the directory where you've saved the file and run the command terraform init. This will initialize your Terraform workspace and download the necessary provider plugins.
  2. Apply the Terraform configuration: Run the command terraform apply. This will prompt you to confirm your intention to create the resources described in your configuration file. Type yes and press Enter to proceed. Terraform will create the necessary resources, including the storage account and the container with the operational backup configured.

The blob_properties block in the azurerm_storage_account resource is responsible for configuring the operational backup settings. In this example, we've set the delete_retention_policy to 7 days, which means that any deleted blobs will be retained for 7 days before they are permanently removed. You can adjust this value according to your operational backup needs.


In this article, we've explored how to enable operational blob storage backup using Terraform and blob_properties for Azure Storage Account Blob Storage. We've also discussed the differences between vaulted and operational backups, and when to use them based on your platform engineering requirements. By implementing the right backup strategy and leveraging the power of Terraform, you can ensure your data's safety and availability while optimizing your storage infrastructure for performance and cost efficiency.