terraform-provider-hcloud
terraform-provider-hcloud copied to clipboard
hetznercloud
[Bug]: Possible to terraform destroy resource that has protection enabled
In versions of the terraform provider before support for enable and disable protection was added (@Adi146 @LKaemmerling https://github.com/hetznercloud/terraform-provider-hcloud/pull/432), if you enabled protection you could be sure the resources would be safe from 3 things: terraform destroy, web console actions and api calls. You would have to explicitly remove protection before you would be able to delete the resource in any way. This was correct because the point of protecting a resource is to make it impossible to accidentally remove it.
But now because the provider manages enabling and disabling protection, protected resources are only safe from 2 things: web console actions and api calls, but not terraform destroy which will destroy all protected resources! If you try to destroy a protected resource from terraform it must fail.
If it's not technically possible to do this in terraform then the provider should completely remove the ability to disable protection. In fact this would be good to do in any case.
Enabling protection from terraform is useful, but disabling it is unexpected and dangerous. Disabling protection must be something you do explicitly and deliberately. Having it done automatically as part of terraform destroy is not explicit (you're not typing disable protection anywhere like you would in an api call or clicking a button to remove protection in the web console) and it's not deliberate (people have an expectation terraform destroy will remove unprotected resources only, otherwise what is the point of protection!).
Wow, I had no idea that terraform-enabled protection didn't protect against terraform destroy! Yikes!
Hi! I had the same issue and we just follow the approach named in this thread : https://github.com/hashicorp/terraform/issues/3640 https://github.com/hashicorp/terraform/issues/3116
This emulate blocks destruction https://github.com/hashicorp/terraform/issues/18367#issuecomment-1107817883
Read the docs:
"Since this argument must be present in configuration for the protection to apply, note that this setting does not prevent the remote object from being destroyed if the resource block were removed from configuration entirely: in that case, the prevent_destroy setting is removed along with it, and so Terraform will allow the destroy operation to succeed."
https://www.terraform.io/language/meta-arguments/lifecycle
But it definitely makes no sense.
This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
I do believe that different people have different use-cases for the deletion protection and expect different things when using it. There is no way to make everyone happy.
Having it done automatically as part of terraform destroy is not explicit (you're not typing disable protection anywhere like you would in an api call or clicking a button to remove protection in the web console) and it's not deliberate (people have an expectation terraform destroy will remove unprotected resources only, otherwise what is the point of protection!).
You do explicitly delete the resource as well as the protection, this is outlined in the plan that Terraform shows for you to approve.
You still have the benefit that the protection is applied in the API & Web Console.
I think we should add some docs for this, so users are aware of how the protection works when you delete the Terraform resource. I am going to prepare a PR for this.
I do believe that different people have different use-cases for the deletion protection and expect different things when using it. There is no way to make everyone happy.
A configuration value would help so people who want more protection can have it and it doesn't delete unexpected things.