This could be applied for any cloud provider, but for Azure, we want the ability to control specific permission aspects of the resources regarding creation, destruction, plan, and state manipulation. At the moment, as stated on the referenced issues, we don't have a reliable or safe approach to control and avoid resource deletion even if the given resource block is commented. My suggestion would consist of using a resource that would receive the ID to control and manage the resource permission even if the object is commented. For additional security, if the resource that is being protected by the permission_control is commented, the output message as warning would inform that plan executed with success but apply only would happen with the protected resource uncommitted.
Attempted Solutions
Currently, lifecycle { prevent_destroy } doesn't work as expected. We don't have an acceptable workaround for this.
Proposal
resource "terraform.resource.permission_control" "abcde" {
  name               = "test123"             # mandatory
  resource_id        = data.resource.id      # mandatory
  allow_plan         = false                 # Optional, defaults to false
  allow_apply        = false                 # Optional, defaults to false
  allow_state_import = false                 # Optional, defaults to false
  allow_state_delete = false                 # Optional, defaults to false
}
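A plan-time gate that approximates the requested `allow_apply = false` behaviour when a protected resource's block is commented out, as an added example (not part of the original issue and not a Terraform feature). It reads the JSON produced by `terraform show -json <planfile>`; the resource IDs, addresses and the function name `blocked_changes` are constructed for illustration.

```python
import json

# Constructed sample of `terraform show -json <planfile>` output (not from the issue).
# Commenting out a resource block makes Terraform plan a "delete" for it.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_storage_account.logs",          # block commented out
     "change": {"actions": ["delete"],
                "before": {"id": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/logs"}}},
    {"address": "azurerm_virtual_network.vnet",          # forced replacement
     "change": {"actions": ["delete", "create"],
                "before": {"id": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet"}}},
    {"address": "azurerm_resource_group.rg",             # protected but unchanged
     "change": {"actions": ["no-op"],
                "before": {"id": "/subscriptions/0000/resourceGroups/rg"}}},
    {"address": "azurerm_public_ip.tmp",                 # deleted, not protected
     "change": {"actions": ["delete"],
                "before": {"id": "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/tmp"}}},
    {"address": "azurerm_subnet.new",                    # new resource, no prior state
     "change": {"actions": ["create"], "before": None}},
]})

# Constructed list of protected resource IDs, kept outside the Terraform
# configuration so commenting out a resource block cannot remove the protection.
PROTECTED_IDS = [
    "/subscriptions/0000/resourcegroups/rg/providers/microsoft.storage/storageaccounts/logs",
    "/subscriptions/0000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet",
    "/subscriptions/0000/resourceGroups/rg",
]

def blocked_changes(plan_json, protected_ids):
    """Return (address, actions) for every planned change that would delete
    or replace a protected resource."""
    # Azure resource IDs are case-insensitive, so compare in lower case.
    protected = {rid.lower() for rid in protected_ids}
    blocked = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        actions = change.get("actions") or []
        before = change.get("before") or {}      # None when the resource is new
        rid = str(before.get("id") or "").lower()
        if "delete" in actions and rid in protected:
            blocked.append((rc["address"], actions))
    return blocked

if __name__ == "__main__":
    found = blocked_changes(SAMPLE_PLAN, PROTECTED_IDS)
    for address, actions in found:
        print(f"BLOCKED: {address} planned actions {actions}")
    raise SystemExit(1 if found else 0)          # non-zero exit fails the pipeline
```

Run between `terraform plan -out` and `terraform apply` in the pipeline, so a non-zero exit stops the apply step.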