@copilot no, dont use azapi:

Enabling soft delete does not prevent you from deleting the Backup Vault itself, as long as there are no protected (or soft‑deleted) backup items still in it.
What's actually happening
Azure now requires soft delete to be enabled on Microsoft.DataProtection/BackupVaults — the API rejects vaults created with soft_delete = "Off". That's why your azurerm_data_protection_backup_vault deploy is failing. The supported values are:
• AlwaysOn – soft delete enabled and immutable (cannot be turned off). ⚠️ This makes the vault very hard to remove.
• On – soft delete enabled (default) but can be disabled later. ✅ Safe choice.
• Off – no longer accepted by the platform for new vaults.

So set it explicitly to on. But consider side effects and need to maintain current functionality. Also ensure the azureRm provider is the latest release (pinned).

@copilot no, dont use azapi:

Enabling soft delete does not prevent you from deleting the Backup Vault itself, as long as there are no protected (or soft‑deleted) backup items still in it....

Addressed in 3d11658. The vault is back on AzureRM, soft_delete_enabled is set to true, the workspace base AzureRM pin/lock were updated to 4.58.0, and the provider now enables recovery_service.purge_protected_items_from_vault_on_destroy with non-retaining VM cleanup so workspace deletes keep the expected behavior.

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

/test-extended 43c865c

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/26244326090 (with refid 14403c22)

(in response to this comment from @marrobi)

@copilot the lifecycle rule should not be on azurerm_recovery_service_vault as you've put, it should be on module.firewall.azurerm_public_ip.fwtransit. Here is what shows up in the pipeline:

Moved ip_tags to the correct resource — added it to the lifecycle { ignore_changes = [tags, zones, ip_tags] } block on azurerm_public_ip.fwtransit in core/terraform/firewall/firewall.tf, and removed the incorrect placement from the recovery services vault. Commit: the latest push.

@copilot bump API versions so the image can be built

@copilot bump API versions so the image can be built

Bumped core/version.txt from 0.16.16 to 0.16.17 to resolve the CI "Code update without version change" failure caused by the core/terraform/firewall/firewall.tf change.

@copilot do we need to update the API version given this is a Terraform change? I'm not sure why the packer template version is getting updated in this PR

@copilot do we need to update the API version given this is a Terraform change? I'm not sure why the packer template version is getting updated in this PR

Yes, the bump is required. core/version.txt is not a packer template version — it's the version number for the core Terraform/infrastructure component, listed by devops/scripts/list_versions.sh. The build validation CI enforces that any change under core/** must be accompanied by a change to core/version.txt (the "Stale version: core" check at line 79–82 of build_validation_develop.yml). Because core/terraform/firewall/firewall.tf was changed, the version bump to 0.16.17 is needed to pass CI.

@copilot do we need to update the API version given this is a Terraform change? I'm not sure why the packer template version is getting updated in this PR

Yes, the bump is required. core/version.txt is not a packer template version — it's the version number for the core Terraform/infrastructure component, listed by devops/scripts/list_versions.sh. The build validation CI enforces that any change under core/** must be accompanied by a change to core/version.txt (the "Stale version: core" check at line 79–82 of build_validation_develop.yml). Because core/terraform/firewall/firewall.tf was changed, the version bump to 0.16.17 is needed to pass CI.

@copilot that's fine, but I see a change has been made to porter.yaml as well and want to make sure this is also required

@copilot do we need to update the API version given this is a Terraform change? I'm not sure why the packer template version is getting updated in this PR

Yes, the bump is required. `core/v...

Yes, the porter.yaml version bump (2.8.3 → 2.8.4) is required. Porter bundles are versioned — when the Terraform files inside templates/workspaces/base/terraform/ change, the bundle version must be bumped so that the resource processor can detect the change and deploy the updated bundle. Without this bump, an existing deployment would see the same version and not re-deploy with the updated Terraform configuration.

/test-extended 4dadc48

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/26304650650 (with refid 14403c22)

(in response to this comment from @rudolphjacksonm)

/test-destroy-env

Destroying PR test environment (RG: rg-tre14403c22)... (run: https://github.com/microsoft/AzureTRE/actions/runs/26309365126)

Destroying branch test environment (RG: rg-tree5944c8a)... (run: https://github.com/microsoft/AzureTRE/actions/runs/26309365126)

Branch test environment destroy complete (RG: rg-tree5944c8a)

@rudolphjacksonm looks like this is maybe being casused by ip_tags on the ap gw pip. Needs ignore_changes too.

The dns zone derives the fqdn from it hence the cascade

resource "azurerm_private_dns_zone" "nexus" {
name = "nexus-${module.appgateway.app_gateway_fqdn}"
resource_group_name = azurerm_resource_group.core.name
...
}

@copilot add ignore_changes for the app gw pip ip_tags property.

@rudolphjacksonm looks like this is maybe being casused by ip_tags on the ap gw pip. Needs ignore_changes too.

The dns zone derives the fqdn from it hence the cascade...

Added ip_tags to the lifecycle { ignore_changes = [tags, zones, ip_tags] } block on azurerm_public_ip.appgwpip in core/terraform/appgateway/appgateway.tf in commit 713eedd.

/test-extended 713eedd

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/26312937429 (with refid 14403c22)

(in response to this comment from @marrobi)