feat(database): add new long_term_retention_policy_time_based_immutability and long_term_retention_policy_time_based_immutability_mode variables (#197)

sondresjolyst · hknutsen · web-flow · commit 5ebe019547b8 · 2026-01-27T09:17:01.000+01:00
Co-authored-by: Henrik Knutsen &lt;46495473+hknutsen@users.noreply.github.com&gt;
diff --git a/modules/database/main.tf b/modules/database/main.tf
@@ -60,6 +60,21 @@ resource "azurerm_mssql_database" "this" {
   }
 }
 
+resource "azapi_update_resource" "long_term_retention_policy" {
+  count = var.long_term_retention_policy_time_based_immutability == "Enabled" ? 1 : 0
+
+  type      = "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies@2024-11-01-preview"
+  parent_id = azurerm_mssql_database.this.id
+  name      = "default"
+
+  body = {
+    properties = {
+      timeBasedImmutability     = var.long_term_retention_policy_time_based_immutability
+      timeBasedImmutabilityMode = var.long_term_retention_policy_time_based_immutability_mode
+    }
+  }
+}
+
 resource "azurerm_monitor_diagnostic_setting" "database" {
   name                       = var.diagnostic_setting_name
   target_resource_id         = azurerm_mssql_database.this.id
diff --git a/modules/database/variables.tf b/modules/database/variables.tf
@@ -97,6 +97,26 @@ variable "long_term_retention_policy_week_of_year" {
   default     = 1
 }
 
+variable "long_term_retention_policy_time_based_immutability" {
+  description = "Whether time based immutability backups are enabled for long-term retention policy. Value must be either 'Enabled' or 'Disabled'."
+  type        = string
+  default     = "Disabled"
+  validation {
+    condition     = var.long_term_retention_policy_time_based_immutability == "Enabled" || var.long_term_retention_policy_time_based_immutability == "Disabled"
+    error_message = "The value must be either 'Enabled' or 'Disabled'."
+  }
+}
+
+variable "long_term_retention_policy_time_based_immutability_mode" {
+  description = "The mode of time based immutability for long-term retention policy. Value must be either 'Locked' or 'Unlocked'. Only effective if long_term_retention_policy_time_based_immutability is enabled"
+  type        = string
+  default     = "Unlocked"
+  validation {
+    condition     = var.long_term_retention_policy_time_based_immutability_mode == "Locked" || var.long_term_retention_policy_time_based_immutability_mode == "Unlocked"
+    error_message = "The value must be either 'Locked' or 'Unlocked'."
+  }
+}
+
 variable "identity_ids" {
   description = "A list of user assigned identities to be assigned to this SQL database."
   type        = list(string)
diff --git a/modules/database/versions.tf b/modules/database/versions.tf
@@ -7,5 +7,10 @@ terraform {
       # Version 4.31.0 is required to use the "enabled_metric" argument for the "azurerm_monitor_diagnostic_setting" resource.
       version = ">= 4.31.0"
     }
+
+    azapi = {
+      source  = "azure/azapi"
+      version = ">= 2.0.0"
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,10 @@ terraform {`
`7`	`7`	`# Version 4.31.0 is required to use the "enabled_metric" argument for the "azurerm_monitor_diagnostic_setting" resource.`
`8`	`8`	`version = ">= 4.31.0"`
`9`	`9`	`}`
	`10`	`+`
	`11`	`+ azapi = {`
	`12`	`+ source = "azure/azapi"`
	`13`	`+ version = ">= 2.0.0"`
	`14`	`+ }`
`10`	`15`	`}`
`11`	`16`	`}`