Terraform attempts to destroy existing `aws_db_instance` when trying to add `storage_encrypted = true` argument


I have a aws_db_instance that is already created, and wanted to now encrypt the DB by adding the storage_encrypted = true argument, but upon doing a terraform plan, the plan attempts to destroy the database, which is what I definitely do not want. How can I get around this and not destroy the DB, and add encryption?:

resource "aws_db_instance" "postgres" {
  allocated_storage   = var.db_allocated_storage
  storage_type        = "gp2"
  engine              = "postgres"
  storage_encrypted = true # new argument I am trying to add
  instance_class      = var.db_instance_class
  name                = var.db_name
  username            = var.db_username
  skip_final_snapshot = true
  password            = random_password.db_password.result
  deletion_protection   = true
  vpc_security_group_ids = [aws_security_group.my_security_group.id]
  db_subnet_group_name = aws_db_subnet_group.my_subnet_group.id
  copy_tags_to_snapshot = true
  multi_az            = terraform.workspace == "prod" ? true : false
  lifecycle {
     prevent_destroy = true

The terraform plan attempt gives this:

Resource aws_db_instance.postgres has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue with the plan, either disable lifecycle.prevent_destory or reduce the scope of the plan using the -target flag

well, I wasn’t trying to destroy the db instance, but does adding the storage_encrypted = true mean that has to happen for the encryption to occur? I am just trying to figure out a way to work around this.

I have little AWS experience, so I can’t comment on whether this is a hard requirement of AWS, but certainly terraform-provider-aws has been written to destroy and recreate this resource type, when that attribute changes - that’s the meaning of ForceNew set in the code here: terraform-provider-aws/instance.go at ac1f4b3bfe3e727aa8fe9b555fa2d48eef8ca8c6 · hashicorp/terraform-provider-aws · GitHub

1 Like