prevent_destroy should allow plan to succeed #16392
I would like to know why it wants to destroy it. This is provided when
Plan is interrupted before any useful information is displayed.
Steps to Reproduce
Current workaround is to turn
You're not wrong @beanaroo!
Quite a few people have the same issue, but unfortunately the mods don't seem to agree it is actually a problem.
Prevent destroy only works if the resource is still included in the script, also dangerous.
I've been using it for CodeCommit repositories to have consistent Git repos, but there is no way to prevent it from destructively wiping out an entire Git repo or all of the repos with a mistake.
Otherwise resources that have user content that is hard to restore should never be put in Terraform, which is a shame.
I would like to throw my support behind this being a bug and not merely a desirable enhancement. In my case I have a stateful machine (postgres) that suddenly decided that it needed to be destroyed. I have no idea why since there are no changes in the commit history to anything that affects postgres that I can see. Unfortunately, it is very difficult to debug since I don't know what property it thinks changed. Please mark this as a bug; prevent_destroy is worse than useless as is, and it makes Terraform actively difficult to use and debug (but is a safety measure that I can't live without, unfortunately).
Agreed with the consensus in here. If it's not a bug then it's a poorly designed feature that could use some improvement. My team at work tried using it in the past to protect particular resources (like RDS) but the planning issue mentioned above made it useless. It definitely will act as a last line of defense, but it seems implied that you should never try destroying any root module that can reference a prevent_destroy resource in the first place so it's useless. We ended up preventing it with safety checks in our build script and ensuring that we had no production deployments configured to destroy those resources.
The other issue with prevent_destroy that we encountered is that you can't selectively apply it to a resource. In one of our applications, we had a Terraform module for an RDS cluster which we wanted to prevent_destroy in production; however, for non-production (testing/staging/etc) accounts, we wanted to reference the same module but allow being destroyed since testing environments can come and go.
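An added example, not part of the comment above or of Terraform itself: one way to implement the kind of build-script safety check the comment describes, with a per-environment protected list and a report of which attributes force a replacement. It assumes a Terraform version that can render a saved plan with `terraform show -json`; the `PROTECTED` policy, the function names and the sample plan are hypothetical.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json <planfile>` output
# (assumption: the build script saves the plan and renders it as JSON).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_db_instance.postgres", "type": "aws_db_instance",
     "change": {"actions": ["delete", "create"],
                "before": {"identifier": "pg-main", "storage_encrypted": False},
                "after": {"identifier": "pg-main", "storage_encrypted": True}}},
    {"address": "aws_codecommit_repository.app", "type": "aws_codecommit_repository",
     "change": {"actions": ["delete"], "before": {"repository_name": "app"}, "after": None}},
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["update"], "before": {"tags": {}}, "after": {"tags": {"env": "prod"}}}},
]})

# Hypothetical per-environment policy: resource types the pipeline must never destroy.
PROTECTED = {
    "production": {"aws_db_instance", "aws_codecommit_repository", "aws_s3_bucket"},
    "staging": set(),  # test environments may come and go
}

def changed_attributes(before, after):
    """Top-level attribute names whose planned value differs from the current one."""
    before, after = before or {}, after or {}
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))

def destructive_changes(plan_json, environment):
    """Return (address, actions, changed attributes) for protected resources the plan deletes."""
    protected = PROTECTED[environment]  # unknown environment raises KeyError: fail closed
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" in actions and rc.get("type") in protected:
            replaced = "create" in actions  # delete+create means replacement, so diff it
            attrs = changed_attributes(change.get("before"), change.get("after")) if replaced else []
            findings.append((rc["address"], actions, attrs))
    return findings

if __name__ == "__main__":
    # Reads the JSON plan from stdin when piped; otherwise uses the constructed sample.
    text = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    found = destructive_changes(text, sys.argv[1] if len(sys.argv) > 1 else "production")
    for address, actions, attrs in found:
        print(f"BLOCKED {address}: {'/'.join(actions)}; changed: {', '.join(attrs) or 'pure destroy'}")
    sys.exit(1 if found else 0)
```

The attribute diff is top-level only, and values that are unknown until apply may not appear in it.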
I think my biggest grievance with this bug is that I had to come to GitHub Issues to find enough information on this. In the documentation on the Terraform website, there are no warnings that I have seen of "Hey, you can include pre-existing S3 buckets and other stateful resources in your Terraform plan. If you do that, Terraform can destroy and recreate those resources if it wants to, or - if you are using
If this isn't a bug (which it sounds like it is?), there should be a section in the docs for how to deal with this use-case (immutable stateful storage) and a breakdown of your options: