renaming a module breaks lifecycle.prevent_destroy (and possibly aws_efs_file_system) #10523

Closed
floomy opened this issue Dec 4, 2016 · 4 comments

floomy commented Dec 4, 2016

Terraform Version

Terraform v0.8.0-dev

Affected Resources

  • module
  • lifecycle.prevent_destroy
  • aws_efs_file_system

main.tf (first apply)

module "foo" {
  source = "./test"
}

main.tf (second apply)

# renamed to bar
module "bar" {
  source = "./test"
}

test/main.tf

data "aws_vpc" "vpc" {
  default = true
}

data "aws_subnet" "subnet" {
  availability_zone = "us-east-1a"
  vpc_id            = "${data.aws_vpc.vpc.id}"
}

resource "aws_efs_mount_target" "efs_mount_target" {
  file_system_id = "${aws_efs_file_system.efs_file_system.id}"

  lifecycle {
    # will be ignored after renaming the module
    prevent_destroy = true
  }

  subnet_id = "${data.aws_subnet.subnet.id}"
}

resource "aws_efs_file_system" "efs_file_system" {}

resource "null_resource" "null_resource" {
  provisioner "local-exec" {
    command = "echo ${aws_efs_mount_target.efs_mount_target.dns_name}"
  }

  depends_on = [
    "aws_efs_mount_target.efs_mount_target"
  ]
}

Debug Output

Error applying plan:

1 error(s) occurred:

  • aws_efs_file_system.efs_file_system: Error waiting for EFS file system ("...") to delete: timeout while waiting for resource to be gone (last state: 'available', timeout: 10m0s)

Expected Behavior

  • warn about destroying a protected resource
  • aws_efs_mount_target and aws_efs_file_system left untouched

Actual Behavior

  • aws_efs_mount_target gets destroyed
  • timeout on deleting aws_efs_file_system
  • aws_efs_file_system gets destroyed next run

Steps to Reproduce

  1. terraform get
  2. terraform apply
  3. rename module from foo to bar
  4. terraform get
  5. terraform apply

@mitchellh
Contributor

prevent_destroy as it is right now only prevents destroy if you don't change the configuration. Specifically, only if a plan would result in that resource being destroyed while prevent destroy is set on that resource. Changing the module name changed the resource to a completely new one, so the old one inspected the configuration and saw it was safe to destroy.

There is a feature request to have an even stricter version of prevent destroy where it cannot be destroyed no matter what (or perhaps prevent destroy being set explicitly false, we haven't decided yet), but this isn't supported yet. There is an issue open somewhere for that, though; sorry, I don't have the link.

We are interested in that feature though, so I would expect it not too far away.
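
Added example (not part of the original thread and not Terraform's own code): because `prevent_destroy` is read from configuration, as described in the comment above, one compensating control is to check the plan itself before apply. This sketch assumes the `resource_changes` list from `terraform show -json <planfile>`, which later Terraform releases provide; the sample plan and the `PROTECTED_TYPES` policy list are constructed for illustration.

```python
import json

# Constructed sample: the relevant subset of `terraform show -json <planfile>`
# for the rename reported in this issue (module "foo" -> module "bar").
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "module.foo.aws_efs_mount_target.efs_mount_target",
  "type": "aws_efs_mount_target", "name": "efs_mount_target", "change": {"actions": ["delete"]}},
 {"address": "module.foo.aws_efs_file_system.efs_file_system",
  "type": "aws_efs_file_system", "name": "efs_file_system", "change": {"actions": ["delete"]}},
 {"address": "module.foo.null_resource.null_resource",
  "type": "null_resource", "name": "null_resource", "change": {"actions": ["delete"]}},
 {"address": "module.bar.aws_efs_mount_target.efs_mount_target",
  "type": "aws_efs_mount_target", "name": "efs_mount_target", "change": {"actions": ["create"]}},
 {"address": "module.bar.aws_efs_file_system.efs_file_system",
  "type": "aws_efs_file_system", "name": "efs_file_system", "change": {"actions": ["create"]}}
]}
""")

# Hypothetical policy list: resource types a pipeline must never destroy.
PROTECTED_TYPES = {"aws_efs_file_system", "aws_efs_mount_target"}


def protected_destroys(plan, protected=PROTECTED_TYPES):
    """Return a finding for every planned delete or replace of a protected type.

    The check reads the plan, not the configuration, so it still fires when the
    block carrying prevent_destroy no longer matches the old resource address.
    """
    changes = plan.get("resource_changes", [])
    created = {}  # (type, name) -> addresses being created; hints at a rename
    for rc in changes:
        if rc["change"]["actions"] == ["create"]:
            created.setdefault((rc["type"], rc["name"]), []).append(rc["address"])
    findings = []
    for rc in changes:
        # A replace is reported as ["delete", "create"] or ["create", "delete"].
        if rc["type"] in protected and "delete" in rc["change"]["actions"]:
            findings.append({
                "address": rc["address"],
                "probable_rename_to": created.get((rc["type"], rc["name"]), []),
            })
    return findings


if __name__ == "__main__":
    found = protected_destroys(SAMPLE_PLAN)
    for f in found:
        print("BLOCKED destroy:", f["address"], "->", f["probable_rename_to"])
    raise SystemExit(1 if found else 0)
```

Run as a pipeline step between plan and apply, a non-zero exit stops the apply; a non-empty `probable_rename_to` suggests the delete comes from an address change rather than an intended removal.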

@darinmcgill

Any movement on this? There appears to be no way to prevent terraform from destroying an essential resource (e.g. a database) when there's a seemingly trivial change like its identifier.

tdmalone commented Jul 2, 2018

The other ticket referred to above could possibly be #3468 or #17599.

ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

ghost locked and limited conversation to collaborators Apr 4, 2020