Postgres instance deletion protection is not applied

[cnellis101]

TL;DR

Noticed an issue where deletion protection for postgres databases is not applied. Even when you explicitly enable or disable deletion_protection, it fails to apply that change and the state refresh does not reflect the current configuration.

Expected behavior

When creating a new database, I expect deletion protection to be enabled. When I explicitly enable deletion protection in terraform configuration, I expect the configuration to match what gcloud is reporting.

Observed behavior

Regardless of the configuration in terraform, changes are not applied even though there are no errors reported. When refreshing the state, terraform returns no changes needed. When looking at the GCP console, deletion protection is not enabled. If I enable it manually, it works, however if I try to disable it in terraform, I still get the same result, "No changes". It appears that this flag may be silently failing and reports no changes needed or applied.

Terraform Configuration

module "google_postgres" {
  source  = "GoogleCloudPlatform/sql-db/google//modules/postgresql"
  version = "10.1.0"

  name       = local.instance_name_postgres
  project_id = var.gcp_project_id

  database_version    = "POSTGRES_12"
  region              = var.gcp_region
  zone                = "us-east1-b"
  availability_type   = "REGIONAL"
  tier                = "db-custom-2-3840"
  read_replicas       = local.read_replicas[var.env]
  deletion_protection = true
}

Terraform Version

Terraform v1.1.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/external v2.1.1
+ provider registry.terraform.io/hashicorp/google v4.27.0
+ provider registry.terraform.io/hashicorp/google-beta v4.27.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.6.1
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/random v3.1.3

Additional information

No response

[krupnikola]

I confirm the same behavior, Terraform 1.3, darwin_arm64

[ohshazbot]

Also confirmed

Terraform v1.3.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.44.1
+ provider registry.terraform.io/hashicorp/google-beta v4.44.1
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.4.3

[s-tokutake]

Also confirmed on Terraform v1.3.5 on Terraform Cloud.

version.tf is ...

terraform {
  required_version = ">= 0.13.0"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.4.0, < 5.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 4.4.0, < 5.0"
    }
  }
}

[jawnsy]

The Terraform provider recently implemented this in the latest version, which looks like it should resolve the issue: hashicorp/terraform-provider-google#13249

[ohshazbot]

That only provides deletion protection via terraform, it doesn't configure deletion protection in the service

  ~> **NOTE:** This flag only protects instances from deletion within Terraform. To protect your instances from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform), use the API flag `settings.deletion_protection_enabled`.

[jawnsy]

There's two, the note is added to an earlier one; what you're reading is for deletion_protection:

• deletion_protection - (Optional) Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply command that deletes the instance will fail. Defaults to true.

~> NOTE: This flag only protects instances from deletion within Terraform. To protect your instances from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform), use the API flag settings.deletion_protection_enabled.

However, as mentioned in the note and in the paragraph you copied, the deletion_protection_enabled setting does enforce at the server side, afaict:

• deletion_protection_enabled - (Optional) Enables protection of an instance from accidental deletion protection across all surfaces (API, gcloud, Cloud Console and Terraform). Defaults to false.

I have not tested this, but it looks promising...

[angelsk]

Even with the terraform deletion protection enabled, it's still trying to force replace my database when trying to do a database_version upgrade. Will the new flag fix that? And how do I apply it?

ETA: actually this new flag is perfect and fixed my issue, the original flag did nothing useful imho

[ohshazbot]

Can confirm that deletion_protection_enabled properly toggles deletion protection in the console with 14.0.1

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days