Is there a way to prevent the deletion of a resource if it accidentally gets removed from the terraform config? 'prevent_destroy' in the lifecycle block seems to only stop resources from being deleted when their changes require deletion, it doesn't seem to have any effect if you accidentally delete the resource from the config and then apply.
Thoughts?
```hcl
resource "aws_sqs_queue" "terraform_queue" {
  name                      = "terraform-example-queue"
  delay_seconds             = 90
  max_message_size          = 2048
  message_retention_seconds = 86400
  receive_wait_time_seconds = 10

  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_sqs_queue" "terraform_queue_two" {
  name                      = "terraform-example-queue-two"
  delay_seconds             = 90
  max_message_size          = 2048
  message_retention_seconds = 86400
  receive_wait_time_seconds = 10

  lifecycle {
    prevent_destroy = true
  }
}
```
changing to:
```hcl
resource "aws_sqs_queue" "terraform_queue_two" {
  name                      = "terraform-example-queue-two"
  delay_seconds             = 90
  max_message_size          = 2048
  message_retention_seconds = 86400
  receive_wait_time_seconds = 10

  lifecycle {
    prevent_destroy = true
  }
}
```
will remove terraform_queue from amazon.
This doesn't directly answer your question, but we have adjusted the IAM of the terraform user so that it is unable to delete resources we never want deleted.
Thanks for the reply - that is the approach we've taken as well. In fact, even if terraform had an option, we'd likely keep it that way as an extra layer of protection. I just wanted to know if it was intended functionality.
Would be great if this feature gets implemented at some point!
I don't really see the point of prevent_destroy if it doesn't prevent this sort of thing.
Even with prevent_destroy, your resources will still get destroyed if you terraform apply after:
- renaming them (and accidentally forget to use state-mv on them)
- moving them into a module (and accidentally forget to use state-mv on them)
- accidentally deleting them from the tf file
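A pre-apply guard for the three cases listed above, as an added example that is not part of the original thread or of Terraform itself: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and fails if a protected resource type would be deleted. The sample plan, the `aws_iam_role.worker` address and the `PROTECTED_TYPES` set are constructed assumptions for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output
# for the thread's scenario: terraform_queue was removed from the config.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {"address": "aws_sqs_queue.terraform_queue",
         "type": "aws_sqs_queue",
         "change": {"actions": ["delete"]}},
        {"address": "aws_sqs_queue.terraform_queue_two",
         "type": "aws_sqs_queue",
         "change": {"actions": ["no-op"]}},
        {"address": "aws_iam_role.worker",  # hypothetical, unprotected type
         "type": "aws_iam_role",
         "change": {"actions": ["delete", "create"]}},
    ],
})

# Assumption: resource types the team never wants Terraform to destroy.
PROTECTED_TYPES = {"aws_sqs_queue"}


def destructive_changes(plan_json, protected_types=PROTECTED_TYPES):
    """Return sorted addresses of protected resources the plan would delete.

    A resource removed from the config, renamed, or moved into a module
    without a state move shows up as a "delete" on its old address, so this
    check does not depend on a lifecycle block still being in the config.
    """
    plan = json.loads(plan_json)
    hits = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        # Replacements also contain "delete": ["delete", "create"] or the reverse.
        if "delete" in actions and rc.get("type") in protected_types:
            hits.append(rc["address"])
    return sorted(hits)


def main(plan_json=SAMPLE_PLAN):
    hits = destructive_changes(plan_json)
    for address in hits:
        print(f"BLOCKED: plan would destroy protected resource {address}")
    return 1 if hits else 0  # non-zero exit code fails the CI step


if __name__ == "__main__":
    raise SystemExit(main())
```

Run against a saved plan in CI before `terraform apply`; it complements, rather than replaces, the IAM deny described earlier in the thread.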
So, I have taken a quick look:
Potentially duplicated by #17599
Guys I would really appreciate if you fix this.
I think that this is currently one of the biggest issues with Terraform.
This does indeed seem to be the same thing as #17599. Thanks for pointing that out, @tdmalone! I'm going to close this one to consolidate the discussion over there.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.