This Terraform Module Could Save You from Accidentally Nuking Your Storage Account File Share

Alright, so boom. Imagine this: it’s Friday, you’re cleaning up resources, sipping your third coffee, and before you know it - disaster strikes. You didn’t realize the Storage Account you were deleting was in the Production Subscription and not Development. Yup, the one that had the File Share for those important VMs you guys just stood up. Forever. You didn’t have backups enabled.

Now you’re staring at your terminal, wondering if soft delete was on. It wasn’t. You wonder if there’s a recovery vault somewhere. There isn’t. You check the docs, the audit logs, your Slack messages — anything to justify this to your boss. But let’s be real: the only thing getting restored today is your humility.

We’ve heard horror stories about this kind of scenario. That’s exactly why we built a Terraform module that makes accidental deletion way less catastrophic.

Because if you’re managing infra in Terraform, your backups should be in code too — not as an afterthought, not as a “remind me to turn this on later,” and definitely not something you have to click through the portal to set up manually.

Recovery Vault Overview

Azure Recovery Services Vault is a separate storage instance intended to store backups of different kinds of data. It works with Storage Accounts, VMs, and SQL Servers, to name a few. You can also decide how long to keep those backups, whether it's days, months, or years. The vault keeps your backup data secure using encryption and gives you control over who can access it using role-based access. It also has features like soft delete, which protects your backups from being removed by mistake. If you ever lose data or something gets deleted, you can quickly restore it from the vault. It’s a simple but powerful way to protect your data and stay prepared for disasters or outages.

There are two backup tiers for Storage File Shares: “snapshot” and “vault”. With snapshot, the backup service orchestrates when snapshots are taken. These snapshots are stored on the Storage Account itself. A snapshot is fast to create, efficient in terms of storage costs, and allows for quick restores. However, because it still resides within the original storage account, it’s vulnerable to deletion: if the storage account is removed, the snapshot is lost too. To provide stronger protection, Azure then moves the data to the vault tier. In this tier, the backup data is stored inside the Recovery Services Vault itself, which is an isolated and secure location separate from the source storage.

Unfortunately, at the time that I’m writing this, the AzureRM Terraform provider doesn’t support the vault tier, but there is a PR open. Give that a thumbs up so it gets some more attention.

Once you protect your Storage Account with the Recovery Vault, it sets a Resource Lock on the Account, so you do get some protection from accidentally blowing away your Storage Account.

Resource Lock on the Storage Account

What The Module Does

The module is pretty straightforward. It provisions:

  • A Storage Account
  • A Recovery Services Vault (or you can provide a reference to a pre-existing one)
  • A daily snapshot backup policy for file shares
  • Soft delete for blobs

You drop this module into your stack, and just like that, your storage account isn’t one bad terraform destroy away from disaster. No clicking around the Azure Portal. No scripting backup enrollment after the fact. Just resilience, built in from the start.


Here’s the code:

Terraform code for Storage, File Share, and Recovery Vault

Terraform code configuring the Backup
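
As an added illustration (not the module's own source), this is roughly how the pieces listed above fit together using the AzureRM provider's file share backup resources. The `rg` variable, every resource name, and the retention and schedule values are assumptions, and the provider is assumed to be configured by the calling stack.

```hcl
variable "rg" { type = object({ name = string, location = string }) } # assumed input

resource "azurerm_storage_account" "this" {
  name                     = "stexamplefiles001" # placeholder, must be globally unique
  resource_group_name      = var.rg.name
  location                 = var.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  blob_properties {
    delete_retention_policy { days = 14 } # soft delete for blobs
  }
}

resource "azurerm_storage_share" "files" {
  name                 = "vmshare" # placeholder
  storage_account_name = azurerm_storage_account.this.name
  quota                = 100 # GiB
}

resource "azurerm_recovery_services_vault" "this" {
  name                = "rsv-example" # placeholder
  resource_group_name = var.rg.name
  location            = var.rg.location
  sku                 = "Standard"
  soft_delete_enabled = true # deleted backup items stay recoverable for a while
}
# Registers the storage account with the vault as a backup container.
resource "azurerm_backup_container_storage_account" "this" {
  resource_group_name = var.rg.name
  recovery_vault_name = azurerm_recovery_services_vault.this.name
  storage_account_id  = azurerm_storage_account.this.id
}

resource "azurerm_backup_policy_file_share" "daily" {
  name                = "daily-file-share-snapshots" # placeholder
  resource_group_name = var.rg.name
  recovery_vault_name = azurerm_recovery_services_vault.this.name
  backup {
    frequency = "Daily"
    time      = "23:00"
  }
  retention_daily { count = 30 } # assumed retention, in days
}
# Enrolls the share in the policy; references the container so it registers first.
resource "azurerm_backup_protected_file_share" "files" {
  resource_group_name       = var.rg.name
  recovery_vault_name       = azurerm_recovery_services_vault.this.name
  source_storage_account_id = azurerm_backup_container_storage_account.this.storage_account_id
  source_file_share_name    = azurerm_storage_share.files.name
  backup_policy_id          = azurerm_backup_policy_file_share.daily.id
}
```

Because these are snapshot-tier backups, the restore points still live on the storage account itself, as described in the overview above.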

Recovering A Deleted File

Now let’s take a look at recovering a file.

First, let’s delete the sample file:

The File share with our file that we’ll delete.

Now that that’s deleted, let’s navigate to our Recovery Services Vault. Once there, we need to navigate to Backup Items. In Backup Items, we pick a Snapshot to restore from.

Recovery Vault Backup items

Recovery Vault snapshot.

Finally, we restore the file and voila! The file is back before your boss had the time to ping you on Teams.

Configure the restore options

Our file restored in the File share

Conclusion

Accidentally deleting a storage account shouldn’t be a career-defining moment — and with this Terraform module, it doesn’t have to be. We’ve shown how to provision a secure Azure Storage Account, back it up with a Recovery Services Vault, and automate the entire protection strategy as code. No clicking around the portal, no post-hoc backup configuration, just a repeatable, auditable setup built for real-world reliability.

If you're part of a team that wants infrastructure that’s not just scalable, but survivable, we should talk. At Pick 2 Solutions, we help organizations build secure, automated cloud environments that actually hold up under pressure.

Ready to use the module?

View the Terraform code on GitHub
