
Postgres instance deletion protection is not applied

Open cnellis101 opened this issue 2 years ago • 1 comments

TL;DR

Noticed an issue where deletion protection for postgres databases is not applied. Even when you explicitly enable or disable deletion_protection, it fails to apply that change and the state refresh does not reflect the current configuration.

Expected behavior

When creating a new database, I expect deletion protection to be enabled. When I explicitly enable deletion protection in terraform configuration, I expect the configuration to match what gcloud is reporting.

Observed behavior

Regardless of the configuration in terraform, changes are not applied even though there are no errors reported. When refreshing the state, terraform returns no changes needed. When looking at the GCP console, deletion protection is not enabled. If I enable it manually, it works, however if I try to disable it in terraform, I still get the same result, "No changes". It appears that this flag may be silently failing and reports no changes needed or applied.

Terraform Configuration

module "google_postgres" {
  source  = "GoogleCloudPlatform/sql-db/google//modules/postgresql"
  version = "10.1.0"

  name       = local.instance_name_postgres
  project_id = var.gcp_project_id

  database_version    = "POSTGRES_12"
  region              = var.gcp_region
  zone                = "us-east1-b"
  availability_type   = "REGIONAL"
  tier                = "db-custom-2-3840"
  read_replicas       = local.read_replicas[var.env]
  deletion_protection = true
}

Terraform Version

Terraform v1.1.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/external v2.1.1
+ provider registry.terraform.io/hashicorp/google v4.27.0
+ provider registry.terraform.io/hashicorp/google-beta v4.27.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.6.1
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/random v3.1.3

Additional information

No response

cnellis101 avatar Sep 06 '22 14:09 cnellis101

I confirm the same behavior, Terraform 1.3, darwin_arm64

krupnikola avatar Oct 12 '22 14:10 krupnikola

Also confirmed

Terraform v1.3.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.44.1
+ provider registry.terraform.io/hashicorp/google-beta v4.44.1
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.4.3

ohshazbot avatar Dec 01 '22 20:12 ohshazbot

Also confirmed on Terraform v1.3.5 on Terraform Cloud.

version.tf is ...

terraform {
  required_version = ">= 0.13.0"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.4.0, < 5.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 4.4.0, < 5.0"
    }
  }
}

s-tokutake avatar Dec 23 '22 00:12 s-tokutake

The Terraform provider recently implemented this in the latest version, which looks like it should resolve the issue: https://github.com/hashicorp/terraform-provider-google/pull/13249

jawnsy avatar Jan 10 '23 15:01 jawnsy

That only provides deletion protection via terraform, it doesn't configure deletion protection in the service.

  ~> **NOTE:** This flag only protects instances from deletion within Terraform. To protect your instances from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform), use the API flag `settings.deletion_protection_enabled`.

ohshazbot avatar Jan 10 '23 16:01 ohshazbot

There's two, the note is added to an earlier one; what you're reading is for deletion_protection:

  • deletion_protection - (Optional) Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply command that deletes the instance will fail. Defaults to true.

~> NOTE: This flag only protects instances from deletion within Terraform. To protect your instances from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform), use the API flag settings.deletion_protection_enabled.

However, as mentioned in the note and in the paragraph you copied, the deletion_protection_enabled setting does enforce at the server side, afaict:

  • deletion_protection_enabled - (Optional) Enables protection of an instance from accidental deletion protection across all surfaces (API, gcloud, Cloud Console and Terraform). Defaults to false.

I have not tested this, but it looks promising...

jawnsy avatar Jan 10 '23 22:01 jawnsy
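The difference between the two flags discussed above, shown as an added example on the provider's google_sql_database_instance resource directly (not code from the issue or from the module; instance and project names are constructed):

```hcl
# Added example: both deletion-protection flags on one Cloud SQL instance.
resource "google_sql_database_instance" "postgres" {
  name             = "example-postgres" # constructed name
  project          = "example-project"  # constructed project id
  region           = "us-east1"
  database_version = "POSTGRES_12"

  # Terraform-side only. While this is true in state, `terraform destroy` or a
  # plan that would destroy-and-recreate the instance fails. It changes nothing
  # on the Cloud SQL instance itself, so gcloud and the console still report
  # deletion protection as disabled, which is the behavior the issue describes.
  deletion_protection = true

  settings {
    tier              = "db-custom-2-3840"
    availability_type = "REGIONAL"

    # Server-side. This sets the Cloud SQL instance's own deletion protection
    # (settings.deletion_protection_enabled in the API), so deletion is blocked
    # from the API, gcloud and the console as well as from Terraform.
    deletion_protection_enabled = true
  }
}
```

Keeping both set is the safe default: the first guards against a Terraform plan replacing the instance, the second against anyone deleting it outside Terraform.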

Even with the terraform deletion protection enabled, it's still trying to force replace my database when trying to do a database_version upgrade. Will the new flag fix that? And how do I apply it?

ETA: actually this new flag is perfect and fixed my issue, the original flag did nothing useful imho

angelsk avatar Jan 13 '23 11:01 angelsk

Can confirm that deletion_protection_enabled properly toggles deletion protection in the console with 14.0.1

ohshazbot avatar Feb 16 '23 18:02 ohshazbot

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

github-actions[bot] avatar Apr 17 '23 23:04 github-actions[bot]