@@ -247,19 +247,40 @@ function Remove-WormStorageAccounts() {
247247 if (! $hasContainers ) { continue }
248248
249249 $ctx = New-AzStorageContext - StorageAccountName $account.StorageAccountName
250+ $containers = $ctx | Get-AzStorageContainer
251+ $blobs = $containers | Get-AzStorageBlob
250252
251- $immutableBlobs = $ctx `
252- | Get-AzStorageContainer `
253+ $immutableBlobs = $containers `
253254 | Where-Object { $_.BlobContainerProperties.HasImmutableStorageWithVersioning } `
254255 | Get-AzStorageBlob
255256 try {
256257 foreach ($blob in $immutableBlobs ) {
257- Write-Host " Removing legal hold - blob: $ ( $blob.Name ) , account: $ ( $account.StorageAccountName ) , group: $ ( $group.ResourceGroupName ) "
258- $blob | Set-AzStorageBlobLegalHold - DisableLegalHold | Out-Null
258+ # We can't edit blobs with customer encryption without using that key
259+ # so just try to delete them fully instead. It is unlikely they
260+ # will also have a legal hold enabled.
261+ if (($blob | Get-Member ' ListBlobProperties' ) `
262+ -and $blob.ListBlobProperties.Properties.CustomerProvidedKeySha256 ) {
263+ Write-Host " Removing customer encrypted blob: $ ( $blob.Name ) , account: $ ( $account.StorageAccountName ) , group: $ ( $group.ResourceGroupName ) "
264+ $blob | Remove-AzStorageBlob - Force
265+ continue
266+ }
267+
268+ if (! ($blob | Get-Member ' BlobProperties' )) {
269+ continue
270+ }
271+
272+ if ($blob.BlobProperties.LeaseState -eq ' Leased' ) {
273+ Write-Host " Breaking blob lease: $ ( $blob.Name ) , account: $ ( $account.StorageAccountName ) , group: $ ( $group.ResourceGroupName ) "
274+ $blob.ICloudBlob.BreakLease ()
275+ }
276+
277+ if ($blob.BlobProperties.HasLegalHold ) {
278+ Write-Host " Removing legal hold - blob: $ ( $blob.Name ) , account: $ ( $account.StorageAccountName ) , group: $ ( $group.ResourceGroupName ) "
279+ $blob | Set-AzStorageBlobLegalHold - DisableLegalHold | Out-Null
280+ }
259281 }
260- }
261- catch {
262- Write-Warning " User must have 'Storage Blob Data Owner' RBAC permission on subscription or resource group"
282+ } catch {
283+ Write-Warning " Ensure user has 'Storage Blob Data Owner' RBAC permission on subscription or resource group"
263284 Write-Error $_
264285 throw
265286 }
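Review bot: `$blobs` is snapshotted at line 251, before the customer-encrypted branch at lines 263–265 deletes blobs, so the second removal loop in the next hunk (lines 307–309) pipes already-deleted entries into `Remove-AzStorageBlob -Force`; if that cmdlet errors on a missing blob, the loop aborts before `$succeeded = $true` and the remaining blobs are left behind (the catch after line 312 is outside this view, so what it tolerates is not visible). Re-query the list just before that loop, `$blobs = $containers | Get-AzStorageBlob`, or record the names deleted here and filter them out. Separately, the deletion at line 264 rests on the comment's assumption that customer-encrypted blobs carry no legal hold; if one does, the `-Force` removal presumably fails into the catch at line 282, which rethrows and abandons the whole account, so a `HasLegalHold` guard where `BlobProperties` is present would be safer. The `foreach` at line 256 sits inside an account loop whose start is outside the hunk.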
@@ -273,13 +294,19 @@ function Remove-WormStorageAccounts() {
273294 }
274295
275296 try {
276- Write-Host " Removing immutability policies - account: $ ( $ctx.StorageAccountName ) , group: $ ( $group.ResourceGroupName ) "
277- $null = $ctx | Get-AzStorageContainer | Get-AzStorageBlob | Remove-AzStorageBlobImmutabilityPolicy
297+ foreach ($blob in $blobs ) {
298+ if ($blob.BlobProperties.ImmutabilityPolicy.PolicyMode ) {
299+ Write-Host " Removing immutability policy - blob: $ ( $blob.Name ) , account: $ ( $ctx.StorageAccountName ) , group: $ ( $group.ResourceGroupName ) "
300+ $null = $blob | Remove-AzStorageBlobImmutabilityPolicy
301+ }
302+ }
278303 }
279304 catch {}
280305
281306 try {
282- $ctx | Get-AzStorageContainer | Get-AzStorageBlob | Remove-AzStorageBlob - Force
307+ foreach ($blob in $blobs ) {
308+ $blob | Remove-AzStorageBlob - Force
309+ }
283310 $succeeded = $true
284311 }
285312 catch {
@@ -290,9 +317,8 @@ function Remove-WormStorageAccounts() {
290317
291318 try {
292319 # Use AzRm cmdlet as deletion will only work through ARM with the immutability policies defined on the blobs
293- $ctx | Get-AzStorageContainer | ForEach-Object { Remove-AzRmStorageContainer - Name $_.Name - StorageAccountName $ctx.StorageAccountName - ResourceGroupName $group.ResourceGroupName - Force }
294- }
295- catch {
320+ $containers | ForEach-Object { Remove-AzRmStorageContainer - Name $_.Name - StorageAccountName $ctx.StorageAccountName - ResourceGroupName $group.ResourceGroupName - Force }
321+ } catch {
296322 Write-Warning " Container removal failed. Ignoring the error and trying to delete the storage account."
297323 Write-Warning $_
298324 }