Delete old audits using a lifecycle policy since built in retention is deprecated

joelverhagen · joelverhagen · commit 9c9fedcfab57 · 2023-09-17T15:53:25.000-04:00
diff --git a/deploy/bicep/storage-and-kv.bicep b/deploy/bicep/storage-and-kv.bicep
@@ -23,10 +23,49 @@ resource leaseContainer 'Microsoft.Storage/storageAccounts/blobServices/containe
   ]
 }
 
-resource containerPolicy 'Microsoft.Storage/storageAccounts/managementPolicies@2019-06-01' = {
-  name: '${storageAccountName}/default'
+resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
+  name: keyVaultName
+  location: location
+  properties: {
+    tenantId: subscription().tenantId
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    enableRbacAuthorization: true
+    accessPolicies: []
+  }
+}
+
+resource keyVaultDiagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = {
+  scope: keyVault
+  name: '${keyVaultName}-diagnostics'
+  properties: {
+    storageAccountId: storageAccount.id
+    logs: [
+      {
+        category: 'AuditEvent'
+        enabled: true
+      }
+    ]
+  }
+}
+
+var auditContainerName = 'insights-logs-auditevent'
+
+resource auditContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
+  name: '${storageAccountName}/default/${auditContainerName}'
+  dependsOn: [
+    storageAccount
+  ]
+}
+
+resource leaseContainerPolicy 'Microsoft.Storage/storageAccounts/managementPolicies@2019-06-01' = {
+  parent: storageAccount
+  name: 'default'
   dependsOn: [
     leaseContainer
+    auditContainer
   ]
   properties: {
     policy: {
@@ -52,39 +91,29 @@ resource containerPolicy 'Microsoft.Storage/storageAccounts/managementPolicies@2
             }
           }
         }
+        {
+          name: 'DeleteOldAudits'
+          type: 'Lifecycle'
+          definition: {
+            actions: {
+              baseBlob: {
+                delete: {
+                  daysAfterModificationGreaterThan: 180
+                }
+              }
+            }
+            filters: {
+              blobTypes: [
+                'blockBlob'
+                'appendBlob'
+              ]
+              prefixMatch: [
+                '${auditContainerName}/'
+              ]
+            }
+          }
+        }
       ]
     }
   }
 }
-
-resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
-  name: keyVaultName
-  location: location
-  properties: {
-    tenantId: subscription().tenantId
-    sku: {
-      family: 'A'
-      name: 'standard'
-    }
-    enableRbacAuthorization: true
-    accessPolicies: []
-  }
-}
-
-resource keyVaultDiagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = {
-  scope: keyVault
-  name: '${keyVaultName}-diagnostics'
-  properties: {
-    storageAccountId: storageAccount.id
-    logs: [
-      {
-        category: 'AuditEvent'
-        enabled: true
-        retentionPolicy: {
-          enabled: true
-          days: 30
-        }
-      }
-    ]
-  }
-}
