Terraform: prevent_destroy fails to prevent targeted destroy of the protected resource

Created on 3 Oct 2016 · 2 Comments · Source: hashicorp/terraform

$ terraform version
Terraform v0.7.4

Summary

While testing behavior of the prevent_destroy parameter, I discovered that, while setting prevent_destroy on a resource (e.g. module.network.aws_nat_gateway.mod) will prevent destruction when I run terraform plan -destroy, it does not prevent destruction when I run terraform plan -destroy resource=module.network.aws_nat_gateway.mod.

Configuration

resource "aws_nat_gateway" "mod" {
  count = "${length(compact(split(",", var.private_subnets)))}"
  allocation_id = "${element(aws_eip.mod.*.id, count.index)}"
  subnet_id = "${element(aws_subnet.public.*.id, count.index)}"

  lifecycle {
    prevent_destroy = true
  }
}

Expected Behavior

I would expect that a targeted destroy would yield the same error as a full destroy.

Full

$ terraform plan -destroy
...
...
Error running plan: 1 error(s) occurred:

* aws_nat_gateway.mod: the plan would destroy this resource, but it currently has lifecycle.prevent_destroy set to true. To avoid this error and continue with the plan, either disable lifecycle.prevent_destroy or adjust the scope of the plan using the -target flag.

Targeted

$ terraform plan -target=module.network.aws_nat_gateway.mod -destroy
...
...
Error running plan: 1 error(s) occurred:

* aws_nat_gateway.mod: the plan would destroy this resource, but it currently has lifecycle.prevent_destroy set to true. To avoid this error and continue with the plan, either disable lifecycle.prevent_destroy or adjust the scope of the plan using the -target flag.

Actual Behavior

$ terraform plan -target=module.network.aws_nat_gateway.mod -destroy
...
...
- module.network.aws_nat_gateway.mod

- module.network.aws_route.private-default


Plan: 0 to add, 0 to change, 2 to destroy.

To confirm it wasn't just a plan-related issue, I actually ran the destroy command and it destroyed the resource.

$ terraform destroy -target=module.network.aws_nat_gateway.mod
Do you really want to destroy?
  Terraform will delete the following infrastructure:
    module.network.aws_nat_gateway.mod
  There is no undo. Only 'yes' will be accepted to confirm

  Enter a value: yes

module.network.aws_route.private-default: Refreshing state... (ID: r-rtb-df499ab81080289494)
module.network.aws_nat_gateway.mod: Refreshing state... (ID: nat-0410d9e8785eae0c3)
module.network.aws_route.private-default: Destroying...
module.network.aws_route.private-default: Destruction complete
module.network.aws_nat_gateway.mod: Destroying...
module.network.aws_nat_gateway.mod: Still destroying... (10s elapsed)
module.network.aws_nat_gateway.mod: Still destroying... (20s elapsed)
module.network.aws_nat_gateway.mod: Still destroying... (30s elapsed)
module.network.aws_nat_gateway.mod: Still destroying... (40s elapsed)
module.network.aws_nat_gateway.mod: Destruction complete

Destroy complete! Resources: 2 destroyed.

It's worth noting that this is somewhat of a contrived example. I was initially testing whether targeted destruction of a resource that a protected resource depended on would work when I discovered this unexpected (to me, at least) behavior. Appreciate the review/feedback.

Cheers!

bug core
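
An added example, not part of the original issue or of Terraform: a pre-apply check that does not depend on lifecycle.prevent_destroy, scanning plan text in the format shown in the report for destroy entries that hit a separately maintained protected list. The PROTECTED list, the sample plan, and the handling of "-/+" entries and numeric count suffixes are assumptions made for this example.

```python
import re

# Constructed sample: plan output in the shape shown in the report above
# (Terraform v0.7.4 text format). The "-/+" and "~" entries are added here
# to exercise replace and in-place update handling.
SAMPLE_PLAN = """\
- module.network.aws_nat_gateway.mod

- module.network.aws_route.private-default
-/+ module.network.aws_eip.mod.0
    vpc: "true" => "true"
~ module.network.aws_subnet.public.1
    tags.Name: "a" => "b"
Plan: 1 to add, 1 to change, 3 to destroy.
"""

# Hypothetical protected list, kept outside the Terraform configuration
PROTECTED = ["module.network.aws_nat_gateway.mod", "module.network.aws_eip.mod"]

# "- addr" is a destroy, "-/+ addr" is destroy-then-recreate (assumed marker);
# attribute lines are indented, so anchoring at column 0 skips them.
_DESTROY_LINE = re.compile(r"^(-/\+|-)\s+(\S+)")
_ANSI = re.compile(r"\x1b\[[0-9;]*m")  # colour codes, if -no-color was not used

def destroyed_addresses(plan_text):
    """Return [(action, address)] for every resource the plan would remove."""
    found = []
    for raw in plan_text.splitlines():
        m = _DESTROY_LINE.match(_ANSI.sub("", raw))
        if m:
            action = "replace" if m.group(1) == "-/+" else "destroy"
            found.append((action, m.group(2)))
    return found

def violations(plan_text, protected):
    """Protected resources the plan would remove, including counted instances."""
    hits = []
    for action, addr in destroyed_addresses(plan_text):
        base = re.sub(r"\.\d+$", "", addr)  # aws_eip.mod.0 -> aws_eip.mod
        if addr in protected or base in protected:
            hits.append((action, addr))
    return hits

if __name__ == "__main__":
    bad = violations(SAMPLE_PLAN, PROTECTED)
    for action, addr in bad:
        print(f"BLOCKED: plan would {action} protected resource {addr}")
    raise SystemExit(1 if bad else 0)
```

Run against saved plan output before any apply or destroy step, the non-zero exit status stops the pipeline regardless of whether -target was used.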

All 2 comments

This works in 0.8 betas!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
