Destroy command suggestion/question

Hi folks, first post on the HashiCorp forums.

Is there a way to stop Terraform – or require some sort of command line option – from destroying persistent data volumes that are part of a deployment when using the destroy command? We (Gracenote) use Terraform to manage AWS resources, and our persistent volumes are part of the Terraform code that instantiates our various services in AWS. Destroy has become a dangerous – well OK it is dangerous, but shouldn’t be in this way – command for us and particularly for some of our folks that are just users of the Terraform and not developers.

I know we could separate out the persistent volumes into a different deployment, but to me that seems hacky and problematical in its own right. The persistent data really belongs to the instances we are standing up. We’re talking about TiBs of data, by the way.

Is there some feature that already exists that I don’t know about which provides what I’m asking about? If not, would HashiCorp consider adding Terraform language to specify something like this in the deployment code?

Hi @Chazmo,

One option is to set the prevent_destroy lifecycle setting for those data volumes:

  resource "aws_ebs_volume" "example" {
    lifecycle {
      prevent_destroy = true
    }
  }

If you set this, then Terraform will refuse to create a plan that includes the destruction or replacement of the associated object as long as you keep this setting in the configuration. That includes both explicitly running terraform destroy and running terraform apply with a change to that resource that would require its associated object to be replaced. (For completeness: it does not include explicitly removing that resource block from the configuration, because Terraform understands that as explicit intent to destroy that object in particular.)

apparentlymart,

That is AWESOME. I didn’t know about that lifecycle property. We will look into that. That is exactly what I was looking for.

So, if – in fact – you actually do want to destroy a volume along with the other resources, can you just remove that “lifecycle” setting from the terraform and then do a destroy? Or will that still be prevented?

I’m hard-pressed to think we’ll actually need that ability, but wanted to know for completeness.

THANK YOU!

@Chazmo

Please consider also adding other techniques to prevent infrastructure destroy by Terraform so AWS will never delete an RDS or an Instance in case of human error.

Thanks so much, Javier. Very much appreciated.

Indeed, if you remove prevent_destroy = true (or set it to false) before running terraform destroy then Terraform will allow the object to be destroyed.

Changes to resources that have prevent_destroy are something deserving of extra attention during code review for this reason: Terraform will protect against the resource being destroyed by running terraform destroy on an unmodified configuration, but it can’t itself protect against a configuration change that removes or changes that setting because it can’t know the intent of such a change: generally-speaking, Terraform’s design assumes that configuration changes are being made intentionally and are subject to human code review.

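Added example, not part of any post in this thread and not HashiCorp code: a CI gate that reads the JSON form of a saved plan (`terraform show -json tfplan`) and reports every protected resource the plan would delete or replace, which also catches the cases above where `prevent_destroy` was edited out or the resource block was removed. The list of protected types and the sample plan are assumptions constructed for illustration.

```python
import json
import sys

# Assumption: the resource types this team treats as holding persistent data.
PROTECTED_TYPES = {"aws_ebs_volume", "aws_db_instance", "aws_instance"}


def destructive_changes(plan, protected=PROTECTED_TYPES):
    """Return (address, actions) for protected resources the plan deletes or replaces."""
    found = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        # A replacement is reported as ["delete", "create"] or ["create", "delete"].
        if rc.get("type") in protected and "delete" in actions:
            found.append((rc["address"], tuple(actions)))
    return found


# Constructed sample, trimmed to the fields read above; not output from a real run.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "change": {"actions": ["delete"]}},
        {"address": "aws_instance.app", "type": "aws_instance",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["delete"]}},
        {"address": "module.db.aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["update"]}},
        {"address": "aws_ebs_volume.logs", "type": "aws_ebs_volume",
         "change": {"actions": ["no-op"]}},
    ]
}

if __name__ == "__main__":
    from_file = len(sys.argv) > 1
    if from_file:  # CI use: python plan_guard.py plan.json
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:          # no argument: run on the constructed sample
        plan = SAMPLE_PLAN
    found = destructive_changes(plan)
    for address, actions in found:
        print(f"BLOCKED {address}: {'/'.join(actions)}")
    # Fail the pipeline only when checking a real plan file.
    sys.exit(1 if from_file and found else 0)
```

Run it between `terraform plan -out=tfplan` and `terraform apply tfplan`, so a flagged plan stops before anything is destroyed.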