Add ability to force delete pingone_population resources if it contains users

[patrickcping]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

When running a destroy on an environment with user data in it, or removing a population that contains users (in both cases the users must be created naturally and not through the pingone_user resource), the current behaviour is that removal of the population will be blocked by the PingOne platform until all users are removed first.

While this is good protection for environments of the "production" type, it adds additional manual overhead when spinning up development/testing environments that are of type "sandbox".

The enhancement is to, under specific conditions, be able to override the platform's restriction and automatically empty the populations of users allowing the destroy to take place successfully.

Proposed conditions are (both numbered conditions must be met):

1. Environment level protection. One of the following bullet points must be met:

• The environment is of type SANDBOX. Usage on a PRODUCTION environment with the force_delete_production_type provider parameter set to false requires the HCL writer to first downgrade the environment to SANDBOX and then re-attempt.
• The environment is of type PRODUCTION and the force_delete_production_type provider parameter is set to true.

2. A parameter prevent_destroy_with_data is added to the pingone_population resource (and the pingone_environment resource for the default population) and the HCL writer explicitly sets this value to false. The default value would be true.

New or Affected Resource(s)

• pingone_population
• pingone_population_default

Potential Terraform Configuration

SANDBOX type:

provider "pingone" {
  # ... other options

  force_delete_production_type = false
}

resource "pingone_population" "my_population" {
  environment_id = pingone_environment.my_environment.id

  name        = "My second population"
  description = "My new population"

  prevent_destroy_with_data = false
}

PRODUCTION type:

provider "pingone" {
  # ... other options

  force_delete_production_type = true
}

resource "pingone_population" "my_population" {
  environment_id = pingone_environment.my_environment.id

  name        = "My second population"
  description = "My new population"

  prevent_destroy_with_data = false
}

References

[mjspi]

Upvote to the approach with one minor consideration. Instead of the double-negative on the population parameter to allow a population w/users to be deleted (prevent_destroy_with_data = false) , my lean is to follow similar naming as the environment-level parameter force_delete_production_type.

Perhaps consider a modification to require the HCL writer to explicitly state that deleting a population with users is permitted: force_destroy_with_data = true. ("As an HCL writer, I am allowing a population with user data to be deleted.")