Skip to content

Purge Protect App Configuration Stores#

Reliability · App Configuration · Rule · 2022_12

Consider purge protection for app configuration store to ensure store cannot be purged in the retention period.

Description#

With purge protection enabled, soft deleted stores can't be purged in the retention period. If disabled, the soft deleted store can be purged before the retention period expires. Once purge protection is enabled on a store, it can't be disabled.

Purge protection is only available for configuration stores that use the standard SKU.

Recommendation#

Consider enabling purge protection for app configuration stores.

Examples#

Configure with Azure template#

To deploy App Configuration Stores that pass this rule:

  • Set the properties.enablePurgeProtection property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.AppConfiguration/configurationStores",
  "apiVersion": "2023-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "standard"
  },
  "properties": {
    "disableLocalAuth": true,
    "enablePurgeProtection": true,
    "publicNetworkAccess": "Disabled"
  }
}

Configure with Bicep#

To deploy App Configuration Stores that pass this rule:

  • Set the properties.enablePurgeProtection property to true.

For example:

Azure Bicep snippet
resource store 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {
  name: name
  location: location
  sku: {
    name: 'standard'
  }
  properties: {
    disableLocalAuth: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'
  }
}

Configure with Bicep Public Registry#

To deploy App Configuration Stores that pass this rule:

  • Set the params.enablePurgeProtection parameter to true.

For example:

Azure Bicep snippet
module br_public_store 'br/public:app/app-configuration:1.1.2' = {
  name: 'store'
  params: {
    skuName: 'Standard'
    disableLocalAuth: true
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'
    replicas: [
      {
        name: 'eastus'
        location: 'eastus'
      }
    ]
  }
}

Comments