Skip to content

Purge Protect App Configuration Stores#

Reliability · App Configuration · Rule · 2022_12 · Important

Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.

Description#

With purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires. Once purge protection is enabled on a store, it can't be disabled.

Purge protection is only available for configuration stores that use the standard SKU.

Recommendation#

Consider enabling purge protection for app configuration stores.

Examples#

Configure with Azure template#

To deploy App Configuration Stores that pass this rule:

  • Set the properties.enablePurgeProtection property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.AppConfiguration/configurationStores",
  "apiVersion": "2023-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "standard"
  },
  "properties": {
    "disableLocalAuth": true,
    "enablePurgeProtection": true,
    "publicNetworkAccess": "Disabled"
  }
}

Configure with Bicep#

To deploy App Configuration Stores that pass this rule:

  • Set the properties.enablePurgeProtection property to true.

For example:

Azure Bicep snippet
resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {
  name: name
  location: location
  sku: {
    name: 'standard'
  }
  properties: {
    disableLocalAuth: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/app-configuration/configuration-store:<version>

To use the latest version:

br/public:avm/res/app-configuration/configuration-store:0.5.2

Comments