How to evaluate the `prevent_destroy` argument

Hi, I am developing a wrapper program that executes the `terraform destroy` command with golang, but if a resource has the `prevent_destroy = true` argument, the command will fail. So I want to skip execution in the program. Is there a way to evaluate `prevent_destroy`?

I tried to parse .tf files using hclparse, but found it difficult to implement the logic if modules are used in tf files…

Hi @ryysud,

I don’t think Terraform currently exposes that information in a way that’s suitable for straightforward machine consumption.

It is in principle possible to parse and decode the configuration yourself, but to do so would probably require re-implementing Terraform’s logic for finding child modules so that you can search those too, since any module could potentially contain this setting. I think that would be far too much work for such a straightforward requirement.

There are also various other reasons why terraform destroy could fail. For example, we typically recommend that folks use policy mechanisms in the target system to prevent sensitive objects from being destroyed on the server side rather than on the client side, and in that case there isn’t any way to know just from the Terraform configuration whether destroying will be possible.

Based on your requirement I would suggest designing a format specific to your software for configuring this “don’t try to destroy this” behaviour independently of Terraform’s own language. For example, you could create a convention that the root module can contain an extra configuration file designed only for your tool (not a .tf file, so Terraform will ignore it) and let that file specify that a particular root module is not destroyable, regardless of exactly why the module isn’t destroyable.

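The convention suggested in the reply above, written in Go as an added example (not code from the thread or from Terraform). The file name `destroy-guard.json` and its `destroyable` and `reason` keys are assumptions made for this illustration; a malformed guard file is returned as an error so the wrapper skips the module rather than destroying it.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// GuardFile is a hypothetical name chosen for this example. It has no .tf or
// .tf.json suffix, so Terraform does not load it as configuration.
const GuardFile = "destroy-guard.json"

// Guard is the assumed schema; an omitted "destroyable" key decodes to false.
type Guard struct {
	Destroyable bool   `json:"destroyable"`
	Reason      string `json:"reason"`
}

// MayDestroy reports whether the wrapper may run `terraform destroy` for the
// root module in dir. A missing guard file allows it; an unreadable or
// malformed one returns an error so the caller skips the module (fail closed).
func MayDestroy(dir string) (bool, string, error) {
	raw, err := os.ReadFile(filepath.Join(dir, GuardFile))
	if errors.Is(err, fs.ErrNotExist) {
		return true, "", nil
	}
	if err != nil {
		return false, "", err
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // reject misspelled keys such as "destroyble"
	var g Guard
	if err := dec.Decode(&g); err != nil {
		return false, "", fmt.Errorf("%s: %w", GuardFile, err)
	}
	return g.Destroyable, g.Reason, nil
}

func main() {
	// Constructed sample: a temporary root module marked as not destroyable.
	dir, _ := os.MkdirTemp("", "rootmod")
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, GuardFile), []byte(`{"destroyable": false, "reason": "holds production state"}`), 0o600)
	fmt.Println(MayDestroy(dir))
}
```

The wrapper would call `MayDestroy` for each root module and invoke `terraform destroy` only when it returns `true` with a nil error.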

Thanks for your reply!
I will consider the logic based on your advice 🙂