prevent deletion of my rds instance created by modules that I don't own


Pavan K

Jun 18, 2018, 10:06:52 PM
to Terraform
Hi: I am relatively new to Terraform and could not find an answer to my issue. Appreciate any help.

I understand that Terraform supports the prevent_destroy flag at resource level - https://www.terraform.io/docs/configuration/resources.html#prevent_destroy
But we are consuming the AWS RDS module as described here: https://github.com/terraform-aws-modules/terraform-aws-rds

module "db" {
  source = "terraform-aws-modules/rds/aws"
  # ......
}

So how do I set the prevent_destroy key at module level? Reading the docs this seems to be not supported yet.

Is there a workaround to achieve the same?

Can we override the behavior of the db instance created by the above module that I see in the code below?

Alternately can I leverage the depends_on support and create some instance with prevent_destroy set to true and mark the instance as depends_on to the above db module. Assuming this would prevent accidental or intentional deletion of the rds instance created by the db module above?

I haven't fully tried the above options. Thought of reaching out to the forum to see if I am on the right track!

Sean Hull

Jun 18, 2018, 10:12:29 PM
to david.swift via Terraform

That's a very good question, Pavan.

I used the terraform rds module.  

After I did a terraform destroy, it deleted all my RDS SNAPSHOT BACKUPS!

I was shocked.  

I had final_snapshot_identifier set also!

It really scared me.  I've never seen behavior like that.  Why would it delete old snapshots of your database?  That's the whole point of having backup retention set.

I still haven't resolved what the cause was, but that is definitely bad news!





--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/512f2e5b-5efb-4f50-9534-870f0fa3abb3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Pavan K

Jun 19, 2018, 1:18:22 AM
to Terraform
Hi Sean: Yes, unfortunately I had a similar experience, which is why I started this post. One of our production RDS instances managed by Terraform got deleted when someone accidentally applied a change that involved deletion and creation of new resources.

Here is what we learned which might help you. The skip_final_snapshot should be set to false even though that's the default per the docs here

If one is using the terraform-aws-rds module, the value of skip_final_snapshot is set to true by default which will override above setting: https://github.com/terraform-aws-modules/terraform-aws-rds/blob/master/modules/db_instance/variables.tf

So set the identifier as well as the skip_final_snapshot boolean to false. Otherwise AWS deletes all the automated backups when the RDS instance is gone (except the manual snapshots and final snapshot if above flag is set to false).

Hopefully someone in the forum has some feedback on my original question around setting prevent_destroy key

Thanks
Pavan
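
An added example, not part of the original thread or of the module's code: a pre-apply check for the accidental replace described in the post above, which reads the JSON form of a saved plan and flags any aws_db_instance that would be deleted, along with its final-snapshot settings. It assumes a Terraform version that supports `terraform show -json <planfile>`; the function name, resource addresses and sample plan are constructed for illustration.

```python
import json
import sys

PROTECTED_TYPES = {"aws_db_instance"}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "module.db.aws_db_instance.example",  # constructed address
         "type": "aws_db_instance",
         "change": {"actions": ["delete", "create"],
                    "before": {"skip_final_snapshot": True,
                               "final_snapshot_identifier": None}}},
        {"address": "aws_security_group.db",
         "type": "aws_security_group",
         "change": {"actions": ["update"], "before": {}}},
    ]
})


def find_rds_risks(plan_json):
    """Return (address, reason) pairs for RDS instances the plan would delete."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") not in PROTECTED_TYPES:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" not in actions:
            continue
        # A replace shows up as both "delete" and "create" in the actions list.
        kind = "replace" if "create" in actions else "destroy"
        findings.append((rc["address"], f"plan will {kind} this instance"))
        # On deletion the values already in state ("before") are what apply.
        before = change.get("before") or {}
        if before.get("skip_final_snapshot", False):
            findings.append((rc["address"], "skip_final_snapshot is true"))
        elif not before.get("final_snapshot_identifier"):
            findings.append((rc["address"], "final_snapshot_identifier is not set"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    risks = find_rds_risks(text)
    for addr, reason in risks:
        print(f"BLOCK {addr}: {reason}")
    sys.exit(1 if risks else 0)
```

Run in CI between `terraform plan -out` and `terraform apply`, a non-zero exit stops the pipeline before the instance is touched.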

Andrew Jeffree

Jun 19, 2018, 1:39:58 AM
to terrafo...@googlegroups.com
Hi Pavan,

The only way I can see to do what you're after would be to maintain your own module that has this parameter set, or alternatively submit a pull request to the module with the relevant changes to it.

-Andrew

Andrew Jeffree

Jun 19, 2018, 1:41:24 AM
to terrafo...@googlegroups.com
Hi Sean,

On Tue, Jun 19, 2018 at 12:12 PM Sean Hull <hull...@gmail.com> wrote:

> That's a very good question, Pavan.
>
> I used the terraform rds module.
>
> After I did a terraform destroy, it deleted all my RDS SNAPSHOT BACKUPS!
>
> I was shocked.
>
> I had final_snapshot_identifier set also!
>
> It really scared me.  I've never seen behavior like that.  Why would it delete old snapshots of your database?  That's the whole point of having backup retention set.
>
> I still haven't resolved what the cause was, but that is definitely bad news!

So it deleted the final snapshot also? Or just any other remaining automated snapshots? If the latter, that's default AWS behaviour, hence the final snapshot options.

-Andrew 

Sean Hull

Jun 19, 2018, 9:52:12 AM
to terrafo...@googlegroups.com

When I clicked into the "snapshots" tab of the RDS dashboard (same region), I saw *NONE*.  All the snapshots were gone.

Lucky I am still pre-production and there was little data lost.

I'm still nervous about this.

Is there a termination protection flag?  I mean who would want this behavior?

Certainly the behavior above should not be DEFAULT behavior.

-Sean



> So it deleted the final snapshot also? Or just any other remaining automated snapshots? If the latter, that's default AWS behaviour, hence the final snapshot options.
>
> -Andrew


Sean Hull

Jun 19, 2018, 10:09:06 AM
to terrafo...@googlegroups.com

On Jun 19, 2018, at 1:18 AM, Pavan K <pavan...@gmail.com> wrote:

> Hi Sean: Yes, unfortunately I had a similar experience, which is why I started this post. One of our production RDS instances managed by Terraform got deleted when someone accidentally applied a change that involved deletion and creation of new resources.
>
> Here is what we learned which might help you. The skip_final_snapshot should be set to false even though that's the default per the docs here
>
> If one is using the terraform-aws-rds module, the value of skip_final_snapshot is set to true by default which will override above setting: https://github.com/terraform-aws-modules/terraform-aws-rds/blob/master/modules/db_instance/variables.tf
>
> So set the identifier as well as the skip_final_snapshot boolean to false. Otherwise AWS deletes all the automated backups when the RDS instance is gone (except the manual snapshots and final snapshot if above flag is set to false).
>
> Hopefully someone in the forum has some feedback on my original question around setting prevent_destroy key


Thank you Pavan.

Terraform gods are you listening?  This default behavior is MAJOR MAJOR scary!

-Sean



Sean Hull :: Devops. Data. Innovation.
