
Can't make feature prevent_deletion_if_contains_resources work in Terraform


Context

Trying to understand how the prevent_deletion_if_contains_resources feature works in AzureRM on Terraform:

provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = true
    }
  }
}

The documentation:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/features-block#resource_group

Says:

Should the azurerm_resource_group resource check that there are no Resources within the Resource Group during deletion? This means that all Resources within the Resource Group must be deleted prior to deleting the Resource Group. Defaults to true.

My issue

Whatever the value of prevent_deletion_if_contains_resources, this never happens.

  • Terraform destroy works fine
  • I can delete the Resource Group from the portal

What I did

This is the full script:

provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = true
    }
  }
}

provider "azurerm" {
  alias = "autreChoix"
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}

resource "azurerm_resource_group" "rg2" {
  name     = "rg2"
  location = "northeurope"

  provider = azurerm.autreChoix
}

resource "azurerm_resource_group" "rg" {
  name     = "rg1"
  location = "westeurope"
}

resource "azurerm_storage_account" "sa" {
  name                     = "mystor1"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}


resource "azurerm_storage_account" "sa2" {
  name                     = "mystor2"
  resource_group_name      = azurerm_resource_group.rg2.name
  location                 = azurerm_resource_group.rg2.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

Creates 2 RGs, one with each value of prevent_deletion_if_contains_resources.

What I need

Can anybody tell me what I am missing?

Thanks


Solution

  • The main problem prevent_deletion_if_contains_resources solves is throwing a warning to the Terraform user when there are additional Resources within a Resource Group that it is trying to remove that it does not manage, since those Resources will also be deleted when the Resource Group is deleted by Terraform.
    Here is the original issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/1608, and later the default behavior in the provider was changed to be true as a result of this other issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/13777.

    That setting only applies to using Terraform. It does not prevent users in the Azure portal from deleting the Resource Group. However, I suspect that if you create the Resource Group using Terraform, then add a new Resource within that Resource Group using the Azure portal, and then finally perform a terraform destroy on that Resource Group, you should see a Terraform error if you have prevent_deletion_if_contains_resources set to true.
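
A pre-destroy check for the case the answer describes, as an added example (not from the original answer or from the provider): it compares `terraform show -json` state with `az resource list --resource-group rg1` output and reports resources in the group that Terraform does not manage. The subscription ID, the `portalvnet` resource and the function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json` output for the rg1 stack.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STATE_JSON = json.dumps({"values": {"root_module": {"resources": [
    {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
     "values": {"id": f"{SUB}/resourceGroups/rg1"}},
    {"address": "azurerm_storage_account.sa", "type": "azurerm_storage_account",
     "values": {"id": f"{SUB}/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/mystor1"}},
], "child_modules": []}}})

# Constructed sample: trimmed `az resource list --resource-group rg1` output.
# "portalvnet" stands for a resource added by hand in the portal.
AZ_JSON = json.dumps([
    {"id": f"{SUB}/resourceGroups/RG1/providers/Microsoft.Storage/storageAccounts/mystor1"},
    {"id": f"{SUB}/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/portalvnet"},
])

def managed_ids(module):
    """Collect resource IDs from a state module and its child modules."""
    ids = {r["values"]["id"].lower() for r in module.get("resources", [])
           if r.get("values", {}).get("id")}
    for child in module.get("child_modules", []):
        ids |= managed_ids(child)
    return ids

def unmanaged_resources(state_json, az_json):
    """Return IDs that exist in Azure but are absent from Terraform state."""
    state = json.loads(state_json)
    managed = managed_ids(state.get("values", {}).get("root_module", {}))
    # Azure resource IDs are case-insensitive, so compare lowercased.
    return sorted(r["id"] for r in json.loads(az_json)
                  if r["id"].lower() not in managed)

def destroy_would_be_blocked(state_json, az_json, prevent=True):
    """Predicted outcome under the answer's reading of the feature."""
    return prevent and bool(unmanaged_resources(state_json, az_json))

if __name__ == "__main__":
    for rid in unmanaged_resources(STATE_JSON, AZ_JSON):
        print("not managed by Terraform:", rid)
```

In the question's configuration every resource in both groups is in state, so this check reports nothing for either group.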