How to set Immutable storage for Azure Blob storage
Hi, today I want to talk to you about immutable storage. Immutable storage is an Azure Blob Storage capability that allows you to store business-critical data in a WORM state (write once, read many). This state is set at the container level, and through policies you can set time-based retention, extend retention intervals, and set and remove legal holds. These policies apply to all blobs in the container, both existing and new. Immutable storage supports two policy types: time-based retention policies and legal holds.
Now that the characteristics of Azure immutable storage are clear, we can begin the tutorial. In this post, I’ll show you how to list, create, update, lock, and extend immutability policies in your Azure Blob storage using Azure CLI.
Prerequisites
- This tutorial assumes that you already have a Microsoft Azure account configured.
- You can use an existing Storage Account, or you can create a new one. If you want to know how to create a Storage Account using PowerShell, check out this link.
Azure CLI Workaround
In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, we define the characteristics of our environment and store the values in variables.
resourceGroupName="RG-DEMO-NE"
storageAccount="stoaccountcli"
container="importantfiles"
Time-based retention policy
First, use the following command to list the commands available to work with the immutability policies.
az storage container immutability-policy \
--help
Get the existing immutability policies
If you want to see the existing immutability policies, you should use the following command.
az storage container immutability-policy show \
--account-name $storageAccount \
--container-name $container
Create an immutability policy
To create an immutability policy for a container, you should use the following command.
az storage container immutability-policy create \
--account-name $storageAccount \
--container-name $container \
--period 1
--period: the retention period, expressed in days. Immutability policies are always created in the unlocked state.
Update an immutability policy
As long as the policy is unlocked, you can modify it; the same create command updates an existing unlocked policy. In the following example, the policy is modified to allow protected append writes, so new data can still be appended to append blobs in the container while existing data stays immutable.
az storage container immutability-policy create \
--account-name $storageAccount \
--container-name $container \
--allow-protected-append-writes
Set the immutability policy to the locked state
Important: once the policy is locked, it cannot be deleted, and you must wait for the retention period stipulated in the policy before you can delete either the container or the storage account. To lock the immutability policy, we first store the ETag of the policy we want to lock in the etag variable, and then pass it to the lock command.
etag=$(az storage container immutability-policy show \
--account-name $storageAccount \
--container-name $container \
--query "etag" \
-o tsv)
az storage container immutability-policy lock \
--account-name $storageAccount \
--container-name $container \
--if-match $etag
Extend the immutability period
If you want to extend the policy period, use the following command. As with the lock command, you must pass the ETag of the policy.
etag=$(az storage container immutability-policy show \
--account-name $storageAccount \
--container-name $container \
--query "etag" \
-o tsv)
az storage container immutability-policy extend \
--account-name $storageAccount \
--container-name $container \
--if-match $etag \
--period 2
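The retention-policy steps above (read the policy, lock it with its ETag, extend it), wrapped in a guarded script. This is an added example, not code from the original post: it refuses to lock a policy that is not in the Unlocked state or without an explicit CONFIRM=yes, always passes the current ETag so that a concurrent change makes the request fail instead of locking a policy that was never inspected, and only extends to a strictly longer period. The stoaccountcli/importantfiles names, the RUN_WORKFLOW and CONFIRM variables, and the 1 to 146000 day range check are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): a guarded wrapper around the
# immutability-policy commands shown above. Account and container names are
# placeholders; override them through the environment.
set -eu

storageAccount="${storageAccount:-stoaccountcli}"   # placeholder account name
container="${container:-importantfiles}"           # placeholder container name

# Assumption: Azure accepts retention periods from 1 to 146000 days.
validate_period() {
    case "$1" in
        ''|*[!0-9]*) echo "period must be a whole number of days" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 146000 ]
}

# Read one field (state, etag, immutabilityPeriodSinceCreationInDays) of the policy.
policy_field() {
    az storage container immutability-policy show \
        --account-name "$storageAccount" \
        --container-name "$container" \
        --query "$1" -o tsv
}

# Lock only an Unlocked policy, only with CONFIRM=yes, and only with the
# current ETag so a concurrent modification fails the request.
lock_policy() {
    state=$(policy_field state)
    if [ "$state" != "Unlocked" ]; then
        echo "refusing to lock: policy state is '$state'" >&2; return 1
    fi
    if [ "${CONFIRM:-no}" != "yes" ]; then
        echo "refusing to lock: set CONFIRM=yes (locking is irreversible)" >&2; return 1
    fi
    etag=$(policy_field etag)
    [ -n "$etag" ] || { echo "no ETag returned for the policy" >&2; return 1; }
    az storage container immutability-policy lock \
        --account-name "$storageAccount" \
        --container-name "$container" \
        --if-match "$etag"
}

# A locked policy can only grow; reject shorter or equal periods locally
# before calling the service.
extend_policy() {
    validate_period "$1" || return 1
    current=$(policy_field immutabilityPeriodSinceCreationInDays)
    if [ "$1" -le "$current" ]; then
        echo "new period $1 is not longer than the current $current days" >&2; return 1
    fi
    etag=$(policy_field etag)
    az storage container immutability-policy extend \
        --account-name "$storageAccount" \
        --container-name "$container" \
        --if-match "$etag" \
        --period "$1"
}

main() {
    case "${1:-}" in
        lock)   lock_policy ;;
        extend) extend_policy "${2:-}" ;;
        *)      echo "usage: $0 lock | extend <days>" >&2; return 2 ;;
    esac
}

# Only run the dispatcher when explicitly asked, so the file can also be sourced.
if [ "${RUN_WORKFLOW:-0}" = 1 ]; then
    main "$@"
fi
```

Run it in Cloud Shell as `RUN_WORKFLOW=1 CONFIRM=yes sh immutability.sh lock` or `RUN_WORKFLOW=1 sh immutability.sh extend 60`; without CONFIRM=yes the lock step only reports what it would have done wrong and exits non-zero, which is the behaviour you want from anything that can make data permanently undeletable.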
Legal hold policy
First, use the following command to list the commands available to work with the legal hold policies.
az storage container legal-hold \
--help
Get the legal hold properties
If you want to see the properties of existing legal hold policies, you should use the following command.
az storage container legal-hold show \
--account-name $storageAccount \
--container-name $container
Set a legal hold
To set a legal hold, use the following command. The --tag parameter is a named identifier, such as a case ID or event name, used to categorize and describe the purpose of the hold.
az storage container legal-hold set \
--account-name $storageAccount \
--container-name $container \
--tag "caseID1234"
Clear a legal hold
Finally, to clear the legal hold, use the following command, indicating in your request the associated tags that you want to remove.
az storage container legal-hold clear \
--account-name $storageAccount \
--container-name $container \
--tag "caseID1234"
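The legal hold steps above (show, set, clear), wrapped in a small script that validates the tag before calling the service and reads the container's tags back to confirm that a hold was really applied or removed. This is an added example, not code from the original post. The stoaccountcli/importantfiles names, the 3 to 23 alphanumeric character tag rule, and the `tags[].tag` query path over the show output are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): validate a legal hold tag, then
# set or clear the hold and verify the result by reading the tags back.
# Account and container names are placeholders.
set -eu

storageAccount="${storageAccount:-stoaccountcli}"   # placeholder account name
container="${container:-importantfiles}"           # placeholder container name

# Assumption: legal hold tags must be 3 to 23 alphanumeric characters.
validate_tag() {
    case "$1" in
        *[!A-Za-z0-9]*|'') echo "tag '$1' must be alphanumeric" >&2; return 1 ;;
    esac
    len=${#1}
    if [ "$len" -lt 3 ] || [ "$len" -gt 23 ]; then
        echo "tag '$1' must be 3 to 23 characters (got $len)" >&2; return 1
    fi
}

# Current hold tags, one per line (assumes the show output has tags[].tag).
current_tags() {
    az storage container legal-hold show \
        --account-name "$storageAccount" \
        --container-name "$container" \
        --query "tags[].tag" -o tsv
}

has_tag() {
    current_tags | grep -qx "$1"
}

# Set a hold only if the tag is valid and not already present, then confirm it.
set_hold() {
    validate_tag "$1" || return 1
    if has_tag "$1"; then
        echo "hold '$1' already present, nothing to do" >&2; return 0
    fi
    az storage container legal-hold set \
        --account-name "$storageAccount" \
        --container-name "$container" \
        --tag "$1" >/dev/null
    has_tag "$1"   # fails if the service did not record the hold
}

# Clear a hold only if it exists, then confirm it is gone.
clear_hold() {
    validate_tag "$1" || return 1
    if ! has_tag "$1"; then
        echo "hold '$1' not present" >&2; return 1
    fi
    az storage container legal-hold clear \
        --account-name "$storageAccount" \
        --container-name "$container" \
        --tag "$1" >/dev/null
    ! has_tag "$1"
}
```

Reading the tags back after every change matters more than it looks: a legal hold that you believe is in place but was rejected (bad tag, wrong container) leaves the data deletable, so the script's exit status should be checked by whatever automation calls it.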
Thanks for reading my post. I hope you find it useful.
If you want to know more about immutable storage, check out this link.