Preventing Accidental Deletions: Secure Cloud Management With Terraform

Managing cloud infrastructure using Infrastructure as Code (IaC) tools like Terraform offers unparalleled efficiency. However, it also comes with the risk of unintentional actions, such as deleting critical resources. Accidental deletions can lead to significant downtime, data loss, and operational disruptions. Fortunately, Terraform provides a robust solution to this problem: delete resource protection.

In this guide, we’ll explore how to use Terraform’s delete resource protection feature to safeguard your cloud infrastructure. We’ll also touch on advanced options like Sentinel and Open Policy Agent (OPA) policies for additional governance and compliance. Whether you're managing a small project or a large-scale production environment, these strategies will help you maintain a stable and secure infrastructure.


Understanding Delete Resource Protection in Terraform

Delete resource protection is a mechanism in Terraform that prevents specific resources from being deleted, even if they’re marked for deletion in your code. This feature acts as a failsafe, ensuring that critical infrastructure components—such as databases, virtual machines, or networking components—aren’t accidentally removed due to configuration errors or missteps during deployment.

When delete protection is enabled, Terraform blocks any attempt to delete a protected resource and generates an error message instead. This is particularly crucial in production environments where infrastructure reliability and continuity are paramount.


Benefits of Delete Resource Protection

Implementing delete resource protection offers several key benefits:

  • Prevention of accidental deletions: Safeguards critical resources like databases, VMs, and networking components from inadvertent removal.

  • Enhanced security: Maintains the availability of essential services, reducing the risk of downtime due to configuration changes.

  • Operational efficiency: Minimizes disruptions, allowing teams to focus on building and scaling rather than recovering deleted resources.


Implementing Delete Resource Protection in Terraform

Terraform’s delete resource protection can be implemented using the prevent_destroy lifecycle rule within the resource block. Here’s an example:

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south"
}

resource "ibm_is_instance" "web_server" {
  name    = "web-server-instance"
  profile = "bx2-2x8"
  zone    = "us-south-1"
  image   = "ibm-centos-7-6-minimal-amd64-1"

  primary_network_interface {
    id              = ibm_is_virtual_network_interface.example.id
    security_groups = ["security_group_id"]
  }

  # Terraform returns an error for any plan that would destroy this resource.
  lifecycle {
    prevent_destroy = true
  }
}

In this example, the prevent_destroy = true line within the lifecycle block prevents Terraform from deleting the web_server instance, even if it’s marked for deletion in future plans.


Using a Variable to Control Delete Protection

In some scenarios, you may need to temporarily disable delete protection, such as during upgrades or decommissioning. Terraform allows you to dynamically manage delete protection using variables. Here’s how:

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = "us-south"
}

resource "ibm_is_instance" "web_server" {
  name    = "web-server-instance"
  profile = "bx2-2x8"
  zone    = "us-south-1"
  image   = "ibm-centos-7-6-minimal-amd64-1"

  primary_network_interface {
    id              = ibm_is_virtual_network_interface.example.id
    security_groups = ["security_group_id"]
  }

  lifecycle {
    prevent_destroy = var.deletion_protection
  }
}

With this setup, you can control delete protection at runtime by setting the deletion_protection variable in the terraform apply command.


Temporarily Disabling Delete Protection

To disable delete protection temporarily, run the following command:

terraform apply -var="deletion_protection=false"

This command overrides the deletion_protection variable, setting it to false for this specific run. Once the process is complete, you can re-enable delete protection by running:

terraform apply -var="deletion_protection=true"

This flexibility allows you to maintain protection in production environments while granting controlled access for updates or decommissioning.


Best Practices for Delete Resource Protection

To ensure delete resource protection is effectively integrated into your infrastructure, follow these best practices:

  1. Enable protection for critical resources only: Apply prevent_destroy to crucial resources like databases and production servers.

  2. Review resource dependencies: Carefully manage resources with dependencies to avoid unintended side effects.

  3. Document protection status: Ensure team members know which resources are protected and why.

  4. Use variables for flexibility: Toggle prevent_destroy for different environments using variables.

  5. Plan before deleting: Always run terraform plan to understand the impact of deletions.

  6. Test configurations regularly: Ensure delete protection is set up correctly and won’t interfere with planned updates.
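
One way to automate practices 1 and 6, as an added example that is not part of the original article: a Python check that scans Terraform source and reports protected resources whose lifecycle block lacks a literal prevent_destroy = true. Terraform's lifecycle documentation states that lifecycle arguments accept only literal values, so a var. reference is reported as well. PROTECTED_TYPES, the function names and the sample source are assumptions, and the brace matching is a simple scan that expects no unbalanced braces inside comments or strings.

```python
import re

# Assumption: resource types this team treats as critical.
PROTECTED_TYPES = {"ibm_is_instance"}

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
LIFECYCLE_RE = re.compile(r"\blifecycle\s*\{")
PREVENT_RE = re.compile(r"\bprevent_destroy\s*=\s*(\S+)")

# Constructed sample source, not taken from a real repository.
SAMPLE_TF = '''
resource "ibm_is_instance" "web_server" {
  lifecycle { prevent_destroy = true }
}
resource "ibm_is_instance" "toggle" {
  lifecycle {
    prevent_destroy = var.deletion_protection
  }
}
resource "ibm_is_instance" "bare" {
  name = "bare-instance"
}
resource "ibm_is_vpc" "network" {}
'''

def block_body(text, open_brace):
    """Return the text between the '{' at open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")

def audit(tf_source):
    """Map address -> finding for protected resources without literal prevent_destroy = true."""
    findings = {}
    for match in RESOURCE_RE.finditer(tf_source):
        rtype, name = match.groups()
        if rtype not in PROTECTED_TYPES:
            continue
        body = block_body(tf_source, match.end() - 1)
        lifecycle = LIFECYCLE_RE.search(body)
        setting = PREVENT_RE.search(block_body(body, lifecycle.end() - 1)) if lifecycle else None
        if setting is None:
            findings[f"{rtype}.{name}"] = "prevent_destroy missing"
        elif setting.group(1) != "true":
            findings[f"{rtype}.{name}"] = f"prevent_destroy is not literal true: {setting.group(1)}"
    return findings
```
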


Advanced Options: Sentinel and OPA Policies

For additional governance and compliance, Terraform offers advanced options like Sentinel policies and Open Policy Agent (OPA) policies. These tools provide robust guardrails for enforcing rules around resource management, including preventing the deletion of critical resources.

Sentinel Policies

Sentinel is a policy-as-code framework integrated into Terraform Enterprise and Terraform Cloud. Here’s an example Sentinel policy to prevent resource deletion:

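import "tfplan/v2" as tfplan

# resource_changes is a map keyed by resource address, so iterate over its values.
main = rule {
  all tfplan.resource_changes as _, resource {
    "delete" not in resource.change.actions or
    (resource.change.before.tags is defined and not ("critical" in resource.change.before.tags))
  }
}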

This policy checks for deletion actions and blocks the Terraform plan if any critical resources are marked for deletion.

OPA Policies

OPA is an open-source policy engine that integrates with Terraform. Here’s an example OPA policy in Rego to block deletions of resources of type test_vpc:

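package terraform.deletion_guard  # package name chosen for this example

# Emit one denial message per test_vpc resource whose planned actions include "delete".
deny[msg] {
  some resource
  input.resource_changes[resource].type == "test_vpc"
  input.resource_changes[resource].change.actions[_] == "delete"
  msg := sprintf("Deletion is not allowed for VPC resource: %v", [input.resource_changes[resource].address])
}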

This policy scans the plan's resource changes for delete actions on test_vpc resources and denies the apply if any are found.
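
The same guardrail as the two policies above, as an added Python example that is not part of the original article: a CI step that reads the plan JSON produced by `terraform show -json` and refuses plans that destroy or replace protected resources. Terraform's documentation notes that prevent_destroy stops applying once the resource block is removed from the configuration, whereas a check on the plan still sees the delete. PROTECTED_TYPES, CRITICAL_TAG, the function names and the sample plan are assumptions.

```python
import json

# Assumptions for this example: the protected types and the tag that marks a critical resource.
PROTECTED_TYPES = {"test_vpc"}
CRITICAL_TAG = "critical"

# Constructed plan excerpt in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "test_vpc.main", "type": "test_vpc",
   "change": {"actions": ["delete"], "before": {"tags": {}}}},
  {"address": "test_db.orders", "type": "test_db",
   "change": {"actions": ["delete", "create"], "before": {"tags": {"critical": "true"}}}},
  {"address": "test_vm.scratch", "type": "test_vm",
   "change": {"actions": ["delete"], "before": {"tags": {"env": "dev"}}}},
  {"address": "test_vpc.new", "type": "test_vpc",
   "change": {"actions": ["create"], "before": null}}
]}
""")


def is_protected(rc):
    """Protected if the type is listed or the prior state carries the critical tag."""
    before = rc["change"].get("before") or {}
    tags = before.get("tags") or {}  # works for tag maps and tag lists
    return rc["type"] in PROTECTED_TYPES or CRITICAL_TAG in tags


def denied_deletions(plan):
    """Return one message per protected resource that the plan would destroy.

    A replacement appears as ["delete", "create"] or ["create", "delete"],
    so any action list containing "delete" counts.
    """
    messages = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if "delete" in actions and is_protected(rc):
            kind = "replacement" if "create" in actions else "deletion"
            messages.append(f"{kind} of protected resource: {rc['address']}")
    return messages


def gate(plan):
    """Exit status for a CI step: 0 allows the apply, 1 blocks it."""
    return 1 if denied_deletions(plan) else 0
```
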


Conclusion

Delete resource protection in Terraform is a powerful feature that enhances the security and reliability of your cloud infrastructure. By configuring prevent_destroy and following best practices, you can minimize the risk of service disruptions and protect sensitive data. For advanced governance, consider leveraging Sentinel and OPA policies.

At ZippyOPS, we provide expert consulting, implementation, and management services for DevOps, DevSecOps, DataOps, Cloud, Automated Ops, AI Ops, ML Ops, Microservices, Infrastructure, and Security. Explore our services, products, and solutions. For demos and videos, check out our YouTube playlist. If this seems interesting, email us at [email protected] for a call.

By implementing delete resource protection and adopting best practices, you can build a resilient and secure cloud infrastructure that supports your business goals.
