prevent destroy Attribute
Overview: Preventing Unintentional Resource Deletion
In this article, we dive into the prevent_destroy attribute within Terragrunt. This powerful flag helps protect critical infrastructure from accidental destruction, ensuring higher stability and data integrity in your Terraform workflows.
Why Enable prevent_destroy?
Cloud environments often involve complex, interdependent resources. A single inadvertent terraform destroy can trigger cascading failures, leading to downtime and data loss. By setting prevent_destroy = true, you instruct Terraform to refuse any destroy operation on the designated resource or module.
Warning
Be cautious when enabling prevent_destroy globally. It can block legitimate operations that require a full teardown, so apply it selectively to high-value resources.
Attribute Details
Value | Description |
---|---|
true | Prohibit resource destruction |
false | Allow resource destruction (default) |
Use Case: Protecting a VPC Module
Let's walk through a step-by-step example. We will provision a VPC using a Terragrunt module and then lock it down to prevent accidental teardown.
1. Provision the VPC
Create a terragrunt.hcl file with the following configuration:
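terraform {
  # tfr:/// (empty host) selects the default public Terraform Registry
  source = "tfr:///terraform-aws-modules/vpc/aws//?version=5.8.1"
}
# Pull in shared settings from the parent folder's configuration
include "root" {
  path   = find_in_parent_folders()
  expose = true
}
# Variables passed to the VPC module
inputs = {
  name = "KodeKloud-VPC"
  cidr = "10.100.0.0/16"
}
download_dir = "../.terragrunt-kodekloud"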
Run the provisioning command:
terragrunt apply
Confirm the prompt to create your VPC.
2. Enable prevent_destroy
Modify the same terragrunt.hcl file to include the prevent_destroy attribute:
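terraform {
  # tfr:/// (empty host) selects the default public Terraform Registry
  source = "tfr:///terraform-aws-modules/vpc/aws//?version=5.8.1"
}
# Pull in shared settings from the parent folder's configuration
include "root" {
  path   = find_in_parent_folders()
  expose = true
}
# Variables passed to the VPC module
inputs = {
  name = "KodeKloud-VPC"
  cidr = "10.100.0.0/16"
}
download_dir = "../.terragrunt-kodekloud"
# Top-level Terragrunt attribute: block destroy for this module
prevent_destroy = true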
3. Verify Destruction Is Blocked
Attempt to destroy the VPC:
terragrunt destroy
You will encounter an error:
Error: Operation prevented due to prevent_destroy
on terragrunt.hcl line 12:
12: prevent_destroy = true
4. Removing the Protection
When you need to tear down the VPC, simply set prevent_destroy = false or remove the attribute, then run:
terragrunt destroy
You should see a successful plan and destruction:
Plan: 0 to add, 0 to change, 1 to destroy.
Do you really want to destroy all resources? yes
Best Practices
Practice | Description |
---|---|
Selective Protection | Apply prevent_destroy only to mission-critical resources |
Review Before Changes | Use terragrunt plan to detect potential conflicts early |
Documentation | Tag protected resources clearly in your repository |
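One way to enforce the selective-protection practice in CI is a check that fails when a unit you consider mission-critical is missing an active prevent_destroy = true. This is an added example, not part of the original article or of Terragrunt; the function names and the unit directories (vpc, db, cache, app) are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: CI guard for Terragrunt's prevent_destroy attribute.

# is_protected FILE: succeed only if FILE sets an uncommented, top-level
# `prevent_destroy = true`. A key of that name nested in a block such as
# inputs = { ... } is a module input, not the Terragrunt attribute.
# Heuristic: /* ... */ block comments and multi-line strings are not parsed.
is_protected() {
  awk '
    { gsub(/"[^"]*"/, "")      # drop string literals (they may hold braces or //)
      sub(/(#|\/\/).*/, "")    # drop line comments
      if (depth == 0 && $0 ~ /^[ \t]*prevent_destroy[ \t]*=[ \t]*true[ \t]*$/) found = 1
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }
    END { exit !found }
  ' "$1"
}

# require_protected ROOT UNIT...: every UNIT directory under ROOT must hold a
# protected terragrunt.hcl. Prints a status per unit; returns the failure count.
require_protected() {
  root=$1; shift; missing=0
  for unit in "$@"; do
    if is_protected "$root/$unit/terragrunt.hcl" 2>/dev/null; then
      echo "ok       $unit"
    else
      echo "MISSING  $unit"; missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# make_sample_tree: build constructed sample units in a temp dir, print its path.
make_sample_tree() {
  t=$(mktemp -d) && mkdir -p "$t/vpc" "$t/db" "$t/cache" "$t/app"
  printf 'inputs = {\n  name = "KodeKloud-VPC"\n}\nprevent_destroy = true\n' > "$t/vpc/terragrunt.hcl"
  printf '# prevent_destroy = true\ninputs = {}\n' > "$t/db/terragrunt.hcl"
  printf 'inputs = {\n  prevent_destroy = true\n}\n' > "$t/cache/terragrunt.hcl"
  printf 'prevent_destroy = false\n' > "$t/app/terragrunt.hcl"
  echo "$t"
}

tree=$(make_sample_tree)
require_protected "$tree" vpc db cache app || echo "$? unit(s) lack prevent_destroy = true"
rm -rf "$tree"
```

Only the vpc unit passes: the db unit has the attribute commented out, cache sets it as a module input, and app sets it to false.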
Note
For more details on Terragrunt attributes, refer to the Terragrunt Documentation.