Disable_api_termination not honored on destroy of AWS EC2 instance

Why does terraform destroy tear down an EC2 instance when the disable_api_termination value is set to true? When I set the value, I am unable to delete the EC2 instance via the AWS console and the AWS CLI. However, when I run terraform destroy, the EC2 instance is terminated. I would assume it would fail.

Here is a subset of the output of the terraform state of the instance.

resource "aws_instance" "ec2" {
    ami                                  = "ami-00ee3c71ce62c4e12"
    arn                                  = "arn:aws:ec2:us-east-2:ACCOUNT_ID:instance/i-0228a4e284c4d0629"
    associate_public_ip_address          = true
    availability_zone                    = "us-east-2c"
    cpu_core_count                       = 2
    cpu_threads_per_core                 = 1
    disable_api_stop                     = false
    disable_api_termination              = true   <------------ HERE
    ebs_optimized                        = false
    get_password_data                    = false
    hibernation                          = false
    iam_instance_profile                 = "test-instance-profile"
    id                                   = "i-0228a4e284c4d0629"

When I attempt to delete from the web console I get

Failed to terminate an instance: The instance 'i-0228a4e284c4d0629' may not be terminated. Modify its 'disableApiTermination' instance attribute and try again.

When I attempt to delete from the AWS CLI I get

 ❯ aws ec2 terminate-instances --instance-ids i-0228a4e284c4d0629 --region us-east-2

An error occurred (OperationNotPermitted) when calling the TerminateInstances operation: The instance 'i-0228a4e284c4d0629' may not be terminated. Modify its 'disableApiTermination' instance attribute and try again.

Here is the Terraform destroy output

aws_instance.ec2: Destroying... [id=i-0228a4e284c4d0629]
aws_iam_role_policy_attachment.this_ssm: Destruction complete after 1s
aws_iam_role_policy_attachment.this_s3: Destruction complete after 1s
aws_iam_policy.this: Destroying... [id=arn:aws:iam::847375646079:policy/test-instance-profile]
aws_security_group_rule.egress_one: Destruction complete after 1s
aws_security_group_rule.egress_two: Destruction complete after 1s
aws_iam_policy.this: Destruction complete after 0s
aws_security_group_rule.ingress_one: Destruction complete after 1s
aws_security_group_rule.ingress_two: Destruction complete after 1s
aws_instance.ec2: Still destroying... [id=i-0228a4e284c4d0629, 10s elapsed]
aws_instance.ec2: Still destroying... [id=i-0228a4e284c4d0629, 20s elapsed]
aws_instance.ec2: Still destroying... [id=i-0228a4e284c4d0629, 30s elapsed]
aws_instance.ec2: Still destroying... [id=i-0228a4e284c4d0629, 40s elapsed]
aws_instance.ec2: Still destroying... [id=i-0228a4e284c4d0629, 50s elapsed]
aws_instance.ec2: Destruction complete after 51s
random_shuffle.subnet: Destroying... [id=-]
aws_iam_instance_profile.this: Destroying... [id=test-instance-profile]
aws_security_group.this_two: Destroying... [id=sg-0c94d041efee34325]
aws_security_group.this_one: Destroying... [id=sg-0b44682ed8b69cab6]
random_shuffle.subnet: Destruction complete after 0s
aws_iam_instance_profile.this: Destruction complete after 0s
aws_iam_role.this: Destroying... [id=test-instance-profile]
aws_iam_role.this: Destruction complete after 0s
aws_security_group.this_one: Destruction complete after 0s
aws_security_group.this_two: Destruction complete after 0s

Destroy complete! Resources: 13 destroyed.

Hi @mike.plemmons,

There seems to be some disagreement among users of the provider as to what they expect this argument to do: some interpret it as you do – “fail destroy unless I first apply an update to disable the protection” – and others interpret it as currently implemented, where it’s there to stop tools other than Terraform from terminating the instance.

Some history in these issues:

The first of these requests the current behavior, and the second requests the behavior you wanted.

Given that, I would suggest adding a comment to the second issue to describe your use-case so that the provider development team can consider it. Perhaps there’s a compromise design that could support both interpretations, but deciding that will probably require some additional examples of situations where the current behavior is insufficient.

@apparentlymart Thank you for the response. For me, knowing this is the behavior is enough for now but it seems that the documentation ought to have a note that says “Terraform can still destroy the resource when this option is set to True.” I assume if a note like that existed confusion would be avoided.

I was not depending on this functionality before so this did not change how I was working but it seemed unexpected which is why I came here rather than open a bug report first.

Interesting finding, and not related to EC2, but it appears that there is an inconsistency between the deletion protection of different resource types. On a network load balancer, when I turn on deletion protection, terraform cannot destroy it.
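As an added example that is not part of the original thread: the Terraform-native way to get the “fail destroy unless I first change the configuration” behaviour discussed in the reply above is the lifecycle meta-argument prevent_destroy, which is enforced by Terraform at plan time rather than by the AWS API. The configuration below puts both guards on an instance and, for contrast with the load balancer observation in the last post, shows the deletion-protection setting on an aws_lb. The AMI ID, subnet IDs, instance type and resource names are placeholders assumed for illustration, not values from the thread.

```hcl
# Added example: API-level termination protection versus Terraform-level
# destroy protection. The AMI, subnet IDs and names are placeholders.

variable "subnet_ids" {
  type = list(string)
}

resource "aws_instance" "ec2" {
  ami           = "ami-0123456789abcdef0" # placeholder
  instance_type = "t3.micro"
  subnet_id     = var.subnet_ids[0]

  # API-level guard: TerminateInstances is refused for the console, the
  # CLI and any principal that cannot also call ModifyInstanceAttribute.
  # The AWS provider clears this attribute itself before terminating, so
  # on its own it does not stop `terraform destroy`.
  disable_api_termination = true

  # Terraform-level guard: any plan that would destroy this resource is
  # rejected before any AWS API call is made. To remove the instance on
  # purpose, first set this to false and apply, then destroy.
  lifecycle {
    prevent_destroy = true
  }
}

# For contrast: the provider does not clear deletion protection on a load
# balancer before deleting it, so with this set to true the
# DeleteLoadBalancer call is rejected by the API and `terraform destroy`
# fails until the attribute is set back to false and applied.
resource "aws_lb" "nlb" {
  name               = "example-nlb" # placeholder
  load_balancer_type = "network"
  subnets            = var.subnet_ids

  enable_deletion_protection = true
}
```

Two caveats worth keeping in mind with this pattern: prevent_destroy only protects a resource while its block is still in the configuration, so deleting the whole resource block (lifecycle block included) lets the destroy proceed; and `terraform state rm` removes the instance from state without touching AWS, after which neither guard is visible to Terraform and the instance is left orphaned rather than destroyed.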