Tags: amazon-web-services, terraform, aws-cli, terraform-provider-aws

How to parameterize prevent_destroy lifecycle configuration in Terraform?


I have a variable defined locally, called local.protect, and defined in variables.tf with default = true and type = bool. How do I get around the use-of-variables constraint on the prevent_destroy argument? I thought I could local.ize it (e.g., locals {protect = var.protect}), but that doesn't work either.

│ Error: Variables not allowed
│ 
│   on main.tf line 105, in resource "aws_eip" "backend_eip":
│  105:     prevent_destroy = local.protect
│ 
│ Variables may not be used here.
╵
╷
│ Error: Unsuitable value type
│ 
│   on main.tf line 105, in resource "aws_eip" "backend_eip":
│  105:     prevent_destroy = local.protect
│ 
│ Unsuitable value: value must be known

In main.tf:

resource "aws_eip" "backend_eip" {
  vpc        = true
  depends_on = [module.vpc.igw_id]
  lifecycle {
    prevent_destroy = local.protect # line 105
  }
}

In variables.tf:

variable "protect" {
  type = bool
  description = "Whether (true) or not (false) to protect EIP from deletion via `terraform destroy`."
  default = true
}

Use case here is being able to set this flag at runtime, for a set of resources (like five EIP), all at once.


Solution

  • As @jordanm said,

    You can't. github.com/hashicorp/terraform/issues/22544 the last comment here contains a workaround, but not a great one.

    EDIT:

    The not-great workaround in question is:

    As a workaround, since we use the S3 backend for managing our Terraform workspaces, I block access to the Terraform workspace S3 bucket for the Terraform IAM user in my shell script after Terraform has finished creating the prod resources. This effectively locks down the infrastructure in the workspace and requires an IAM policy change to re-enable it.
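The following is an added example, not code from the question or the answer above, showing the other workaround practitioners usually reach for when `prevent_destroy` cannot take a variable: declare the resource twice, once with `prevent_destroy = true` and once with `prevent_destroy = false`, and let a `count` driven by `var.protect` decide which one exists. The resource names `backend_eip_protected` / `backend_eip_unprotected` and the `local.backend_eip_id` helper are illustrative; the `vpc` and `depends_on` arguments are copied from the question.

```hcl
# Added example (not from the original post). Lifecycle meta-arguments must be
# literals, so the flag cannot go into prevent_destroy directly. Instead the
# boolean selects which of two otherwise identical resource blocks is created.

variable "protect" {
  type        = bool
  description = "Whether (true) or not (false) to protect the EIP from `terraform destroy`."
  default     = true
}

# Created only when var.protect is true; the literal true here is allowed.
resource "aws_eip" "backend_eip_protected" {
  count      = var.protect ? 1 : 0
  vpc        = true
  depends_on = [module.vpc.igw_id]

  lifecycle {
    prevent_destroy = true
  }
}

# Created only when var.protect is false; identical apart from the lifecycle block.
resource "aws_eip" "backend_eip_unprotected" {
  count      = var.protect ? 0 : 1
  vpc        = true
  depends_on = [module.vpc.igw_id]

  lifecycle {
    prevent_destroy = false
  }
}

# Downstream references go through one local so callers do not care which
# block was instantiated (hypothetical helper name).
locals {
  backend_eip_id = var.protect ? aws_eip.backend_eip_protected[0].id : aws_eip.backend_eip_unprotected[0].id
}

output "backend_eip_id" {
  value = local.backend_eip_id
}
```

Two caveats. First, the flag gates creation; it is not a live toggle. Flipping `-var protect=false` on an existing deployment asks Terraform to destroy `aws_eip.backend_eip_protected[0]`, which `prevent_destroy = true` still blocks, so the planned replacement would also hand out a new public IP. Move the instance in state instead (`terraform state mv 'aws_eip.backend_eip_protected[0]' 'aws_eip.backend_eip_unprotected[0]'`), which touches no real resource and therefore is not subject to `prevent_destroy`, then apply. Second, for five EIPs the pair of blocks is best wrapped in a small module that takes `protect` as an input, so the duplication lives in one place.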