Deletion protection #154

Closed
steshaw opened this issue Feb 2, 2020 · 6 comments
Labels
enhancement New feature or request

Comments

@steshaw

steshaw commented Feb 2, 2020

I like the idea of the termination_protection for services, but since this cannot prevent disasters for production services, I was wondering if there's a way to enable deletion protection for resources such as databases, topics, etc.

@ivan-savciuc ivan-savciuc added the enhancement New feature or request label Feb 7, 2020
@ivan-savciuc
Contributor

Hi,

Yes, it is possible to do so by utilizing Terraform prevent_destroy. This flag provides extra protection against the destruction of a given resource. When this is set to true, any plan that includes a destroy of this resource will return an error message.

Example:

resource "aiven_service" "kafka-service1" {
  project = aiven_project.project1.project
  cloud_name = "google-europe-west1"
  plan = "business-4"
  service_name = "kafka1"
  service_type = "kafka"

  kafka_user_config {
    kafka_version = "2.4"
    kafka {
      group_max_session_timeout_ms = 70000
      log_retention_bytes = 1000000000
    }
  }

  # Makes Terraform return an error for a plan that would destroy this resource.
  lifecycle {
    prevent_destroy = true
  }
}

Ivan

@steshaw
Author

steshaw commented Feb 7, 2020

Hi Ivan, Terraform has a problem that prevent_destroy does not warn of the impending deletion of resources in all cases.

hashicorp/terraform#17599

We host one of our most crucial databases on Aiven. I want to find a way to configure it so that Terraform cannot destroy it for any reason — i.e. that destruction, if required, needs manual intervention. As context, our organisation has had disasters caused by Terraform's deletion and recreation of resources in the past and so we are rightfully wary of taking up Terraform in the present. I want to put safety barriers in place so that we can safely adopt it once more.

@ivan-savciuc
Contributor

Hi,

Unfortunately, I cannot offer anything better than using termination_protection and prevent_destroy=true right now, and it looks like you are already using both of them. We do not have anything like that in the pipeline, and I will create a ticket in our internal issue tracking system. Such a feature should be implemented on the Aiven API side and will be exposed through our Terraform provider when available.

Ivan

@ivan-savciuc
Contributor

Well, I was wrong and did some experiments; it is possible to prevent the deletion of a resource. We will create a separate resource field, and if it is set to true, the resource would be impossible to delete via Terraform but, of course, can be removed via the UI. Or perhaps we can enable this logic based on the termination_protection value. I will come back to you soon with a solution.

@ivan-savciuc ivan-savciuc pinned this issue Feb 8, 2020
@steshaw
Author

steshaw commented Feb 9, 2020

@ivan-savciuc That's really great news. Thank you!

@ivan-savciuc
Contributor

ivan-savciuc commented Feb 21, 2020

@steshaw we did some tests, and the termination_protection option, when enabled, prevents deletion or termination of the service at the API level. Even if Terraform attempts to delete this resource, the user will get a 403 error response from the server referring to termination_protection being enabled. We decided not to add any new logic to our TF provider but added all the necessary checks to our acceptance test plan, which we run before every release. Regarding other types of Aiven TF resources, we will add client-side protection as mentioned before, where it is missing.

@ivan-savciuc ivan-savciuc unpinned this issue Feb 21, 2020
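
One way to build the kind of safety barrier asked for in this thread without relying on prevent_destroy alone is to inspect the machine-readable plan before apply and stop the pipeline when a protected resource would be deleted or replaced. This is an added example, not part of the thread and not code from the Aiven provider; the protected type list, the sample plan and the function names are assumptions.

```python
"""Fail a CI step when a Terraform plan would delete a protected resource.

Input is Terraform's JSON plan representation, produced with:
    terraform plan -out=tfplan && terraform show -json tfplan > plan.json
"""
import json
import sys

# Assumption: resource types treated as protected; adjust to your own estate.
PROTECTED_TYPES = {"aiven_service", "aiven_database", "aiven_kafka_topic"}

# Constructed sample plan (not real output) used when no file is given.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aiven_service.kafka-service1", "type": "aiven_service",
     "change": {"actions": ["delete", "create"]}},   # replacement
    {"address": "aiven_service.pg1", "type": "aiven_service",
     "change": {"actions": ["update"]}},             # in-place change, safe
    {"address": "aiven_database.db1", "type": "aiven_database",
     "change": {"actions": ["delete"]}},             # plain destroy
    {"address": "null_resource.tmp", "type": "null_resource",
     "change": {"actions": ["delete"]}},             # not a protected type
]}


def destructive_changes(plan, protected_types=PROTECTED_TYPES):
    """Return (address, actions) for protected resources the plan deletes.

    A replacement appears as ["delete", "create"] or ["create", "delete"],
    so any action list containing "delete" is treated as destructive.
    """
    hits = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if rc.get("type") in protected_types and "delete" in actions:
            hits.append((rc.get("address"), actions))
    return hits


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    hits = destructive_changes(plan)
    for address, actions in hits:
        print(f"BLOCKED: {address} planned actions {actions}", file=sys.stderr)
    return 1 if hits else 0  # non-zero exit stops the pipeline before apply


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it between plan and apply so that a flagged plan needs manual review; it complements termination_protection on the API side rather than replacing it.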