Handle cleanup for leased and encrypted storage accounts. Reduce throttling (#23602)

Co-authored-by: Ben Broderick Phillips <bebroder@microsoft.com>
This commit is contained in:
Azure SDK Bot 2024-10-18 07:53:33 -07:00 коммит произвёл GitHub
Родитель 3fd8754d42
Коммит 1cbed27ebf
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
1 изменённых файлов: 39 добавлений и 13 удалений

Просмотреть файл

@ -247,19 +247,40 @@ function Remove-WormStorageAccounts() {
if (!$hasContainers) { continue }
$ctx = New-AzStorageContext -StorageAccountName $account.StorageAccountName
$containers = $ctx | Get-AzStorageContainer
$blobs = $containers | Get-AzStorageBlob
$immutableBlobs = $ctx `
| Get-AzStorageContainer `
$immutableBlobs = $containers `
| Where-Object { $_.BlobContainerProperties.HasImmutableStorageWithVersioning } `
| Get-AzStorageBlob
try {
foreach ($blob in $immutableBlobs) {
Write-Host "Removing legal hold - blob: $($blob.Name), account: $($account.StorageAccountName), group: $($group.ResourceGroupName)"
$blob | Set-AzStorageBlobLegalHold -DisableLegalHold | Out-Null
# We can't edit blobs with customer encryption without using that key
# so just try to delete them fully instead. It is unlikely they
# will also have a legal hold enabled.
if (($blob | Get-Member 'ListBlobProperties') `
-and $blob.ListBlobProperties.Properties.CustomerProvidedKeySha256) {
Write-Host "Removing customer encrypted blob: $($blob.Name), account: $($account.StorageAccountName), group: $($group.ResourceGroupName)"
$blob | Remove-AzStorageBlob -Force
continue
}
if (!($blob | Get-Member 'BlobProperties')) {
continue
}
if ($blob.BlobProperties.LeaseState -eq 'Leased') {
Write-Host "Breaking blob lease: $($blob.Name), account: $($account.StorageAccountName), group: $($group.ResourceGroupName)"
$blob.ICloudBlob.BreakLease()
}
if ($blob.BlobProperties.HasLegalHold) {
Write-Host "Removing legal hold - blob: $($blob.Name), account: $($account.StorageAccountName), group: $($group.ResourceGroupName)"
$blob | Set-AzStorageBlobLegalHold -DisableLegalHold | Out-Null
}
}
}
catch {
Write-Warning "User must have 'Storage Blob Data Owner' RBAC permission on subscription or resource group"
} catch {
Write-Warning "Ensure user has 'Storage Blob Data Owner' RBAC permission on subscription or resource group"
Write-Error $_
throw
}
@ -273,13 +294,19 @@ function Remove-WormStorageAccounts() {
}
try {
Write-Host "Removing immutability policies - account: $($ctx.StorageAccountName), group: $($group.ResourceGroupName)"
$null = $ctx | Get-AzStorageContainer | Get-AzStorageBlob | Remove-AzStorageBlobImmutabilityPolicy
foreach ($blob in $blobs) {
if ($blob.BlobProperties.ImmutabilityPolicy.PolicyMode) {
Write-Host "Removing immutability policy - blob: $($blob.Name), account: $($ctx.StorageAccountName), group: $($group.ResourceGroupName)"
$null = $blob | Remove-AzStorageBlobImmutabilityPolicy
}
}
}
catch {}
try {
$ctx | Get-AzStorageContainer | Get-AzStorageBlob | Remove-AzStorageBlob -Force
foreach ($blob in $blobs) {
$blob | Remove-AzStorageBlob -Force
}
$succeeded = $true
}
catch {
@ -290,9 +317,8 @@ function Remove-WormStorageAccounts() {
try {
# Use AzRm cmdlet as deletion will only work through ARM with the immutability policies defined on the blobs
$ctx | Get-AzStorageContainer | ForEach-Object { Remove-AzRmStorageContainer -Name $_.Name -StorageAccountName $ctx.StorageAccountName -ResourceGroupName $group.ResourceGroupName -Force }
}
catch {
$containers | ForEach-Object { Remove-AzRmStorageContainer -Name $_.Name -StorageAccountName $ctx.StorageAccountName -ResourceGroupName $group.ResourceGroupName -Force }
} catch {
Write-Warning "Container removal failed. Ignoring the error and trying to delete the storage account."
Write-Warning $_
}