prevent planning a resource deletion when deletion_protection = true is set

[antdking]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

When running a plan to delete a resource that has deletion_protection = true (or where it's not set and the default is true), the plan shows the resource will be deleted.

It's not until the plan is applied that the deletion is prevented.

This leads to confusion to end users, especially where apply happens in a CI environment.

The expected behaviour is that when a resource with deletion_protection = true set is marked for recreation or deletion, the plan should fail.

New or Affected Resource(s)

• google_workflows_workflow
• google_cloud_run_v2_service
• Potentially others that implement deletion_protection

Potential Terraform Configuration

References

No response

[BBBmau]

Note: We don't think this is something that can be handled in the provider

Ideally core would support deletion_protection on resources, perhaps supporting a lifecycle parameter?

[melinath]

Alternatively, if there were a hook we could use to raise an error at plan time consistently (for both deletion and recreation), potentially without suppressing the display of the diff - that could work. We don't think CustomizeDiff would be sufficient in its current form. I'm not clear on whether plugin framework has better options.