From a5a1483e3f75ca7bdd1aa1939ec0924dffa9e8f1 Mon Sep 17 00:00:00 2001
From: Maciej Murawski
Date: Tue, 24 Feb 2026 21:26:39 +0000
Subject: [PATCH 1/3] feat: data protection options with variables validation for storage account module
---
 infrastructure/modules/storage/main.tf | 34 +++++++++++++++++++++
 infrastructure/modules/storage/variables.tf | 24 +++++++++++++++
 2 files changed, 58 insertions(+)
diff --git a/infrastructure/modules/storage/main.tf b/infrastructure/modules/storage/main.tf
index 7841a866..0890fec4 100644
--- a/infrastructure/modules/storage/main.tf
+++ b/infrastructure/modules/storage/main.tf
@@ -16,10 +16,44 @@ resource "azurerm_storage_account" "storage_account" {
 days = var.blob_properties_delete_retention_policy
 }
 versioning_enabled = var.blob_properties_versioning_enabled
+
+ container_delete_retention_policy {
+ days = var.container_delete_retention_policy_days
+ }
+
+ change_feed_enabled = var.blob_properties_change_feed_enabled
+
+ dynamic "restore_policy" {
+ for_each = var.blob_properties_restore_policy_days != null ? [1] : []
+ content {
+ days = var.blob_properties_restore_policy_days
+ }
+ }
+ }
+
+ dynamic "share_properties" {
+ for_each = var.share_properties_retention_policy_days != null ? [1] : []
+ content {
+ retention_policy {
+ days = var.share_properties_retention_policy_days
+ }
+ }
 }
 
 lifecycle {
 ignore_changes = [tags]
+
+ # Validation 1: Prevent the Change Feed / Restore Policy mismatch
+ precondition {
+ condition = var.blob_properties_restore_policy_days == null || var.blob_properties_change_feed_enabled == true
+ error_message = "Invalid configuration: If blob_properties_restore_policy_days is set, blob_properties_change_feed_enabled must be explicitly set to true."
+ }
+
+ # Validation 2: Prevent the Days limit mismatch
+ precondition {
+ condition = var.blob_properties_restore_policy_days == null ? true : (var.blob_properties_restore_policy_days < var.blob_properties_delete_retention_policy)
+ error_message = "Invalid configuration: blob_properties_restore_policy_days must be strictly less than blob_properties_delete_retention_policy."
+ }
 }
 }
 
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
index d6e98811..07ffdc87 100644
--- a/infrastructure/modules/storage/variables.tf
+++ b/infrastructure/modules/storage/variables.tf
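Review bot: Validation 2's comparison `var.blob_properties_restore_policy_days < var.blob_properties_delete_retention_policy` gets a null right operand whenever restore days are set and the delete-retention variable is left at its default, which patches 2 and 3 end up keeping at `null`; Terraform will then most likely abort on an invalid operand instead of showing the error_message. The description added for `blob_properties_restore_policy_days` in variables.tf also promises a bound against the container delete retention, which this precondition never checks. Keeping the author's conditional form so a null value is never compared, the condition could read `condition = var.blob_properties_restore_policy_days == null ? true : (var.blob_properties_delete_retention_policy == null ? false : (var.blob_properties_restore_policy_days < var.blob_properties_delete_retention_policy && var.blob_properties_restore_policy_days < var.container_delete_retention_policy_days))`, with the error_message updated to mention both retention windows. As far as I recall, Azure point-in-time restore also requires blob versioning, so Validation 1 could additionally require `var.blob_properties_versioning_enabled == true`. The enclosing resource block starts before the hunk.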
@@ -184,6 +184,30 @@ variable "queue_transactions_high_threshold" {
 default = 1000
 }
 
+variable "container_delete_retention_policy_days" {
+ description = "Specifies the number of days that the container should be retained. Defaulting to 7 for baseline data protection."
+ type = number
+ default = 7
+}
+
+variable "blob_properties_change_feed_enabled" {
+ description = "Is the blob service properties for change feed events enabled? Required for Point-in-Time Restore."
+ type = bool
+ default = false
+}
+
+variable "blob_properties_restore_policy_days" {
+ description = "Specifies the number of days that the blob can be restored. Set to null to disable by default. Note: Must be less than blob and container delete retention policy days."
+ type = number
+ default = null
+}
+
+variable "share_properties_retention_policy_days" {
+ description = "Specifies the number of days that the file share should be retained. Set to null to disable by default, or provide a number to enable."
+ type = number
+ default = null
+}
+
 locals {
 alert_frequency_map = {
 PT5M = "PT1M"
From b87a9382c878facb09d316312eac4ae6226c99c4 Mon Sep 17 00:00:00 2001
From: Maciej Murawski
Date: Mon, 2 Mar 2026 13:22:07 +0000
Subject: [PATCH 2/3] fix: check the variable value
---
 infrastructure/modules/storage/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
index 07ffdc87..98242bc1 100644
--- a/infrastructure/modules/storage/variables.tf
+++ b/infrastructure/modules/storage/variables.tf
@@ -44,7 +44,7 @@ variable "access_tier" {
 variable "blob_properties_delete_retention_policy" {
 type = number
 description = "The value set for blob properties delete retention policy."
- default = null
+ default = 8
 }
 
 variable "blob_properties_versioning_enabled" {
From 3c642e88a7667b0fa49bca5c4b72b70c6087ee48 Mon Sep 17 00:00:00 2001
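Review bot: None of the four variables added in this hunk carries a `validation` block, so an out-of-range value such as `container_delete_retention_policy_days = 0` or a negative `blob_properties_restore_policy_days` is only rejected by the provider at apply time rather than at plan. Azure's soft-delete retention windows accept 1–365 days as far as I recall, so a range check on each day-count variable would fail fast with a clear message and complement the preconditions in main.tf. The checks below keep the null-or-range test as a conditional expression so the comparison is never evaluated against a null value. The `locals` block at the end of the hunk continues outside it.

```hcl
variable "container_delete_retention_policy_days" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.container_delete_retention_policy_days >= 1 && var.container_delete_retention_policy_days <= 365
    error_message = "container_delete_retention_policy_days must be between 1 and 365."
  }
}

# … unchanged: blob_properties_change_feed_enabled …

variable "blob_properties_restore_policy_days" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.blob_properties_restore_policy_days == null ? true : (var.blob_properties_restore_policy_days >= 1 && var.blob_properties_restore_policy_days <= 365)
    error_message = "blob_properties_restore_policy_days must be null or between 1 and 365."
  }
}

variable "share_properties_retention_policy_days" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.share_properties_retention_policy_days == null ? true : (var.share_properties_retention_policy_days >= 1 && var.share_properties_retention_policy_days <= 365)
    error_message = "share_properties_retention_policy_days must be null or between 1 and 365."
  }
}
```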
From: Maciej Murawski
Date: Mon, 2 Mar 2026 16:38:06 +0000
Subject: [PATCH 3/3] fix: check the variable value
---
 infrastructure/modules/storage/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
index 98242bc1..07ffdc87 100644
--- a/infrastructure/modules/storage/variables.tf
+++ b/infrastructure/modules/storage/variables.tf
@@ -44,7 +44,7 @@ variable "access_tier" {
 variable "blob_properties_delete_retention_policy" {
 type = number
 description = "The value set for blob properties delete retention policy."
- default = 8
+ default = null
 }
 
 variable "blob_properties_versioning_enabled" {