
Prevent_destroy lifecycle rule in Terraform - Commands & Configuration

Introduction
Sometimes you want to make sure important resources are never deleted by accident. Terraform has a lifecycle argument called prevent_destroy that makes any plan which would destroy (or replace) the resource fail with an error, so the only way to delete the resource through Terraform is to first remove the rule from the configuration in a deliberate, reviewable change.
When you have a database that should never be deleted accidentally.
When you manage critical infrastructure like a production server or network.
When you want to protect resources shared by many teams from accidental removal.
When you want to avoid downtime caused by deleting important resources.
When you want to enforce safety checks in your infrastructure automation.
Config File - main.tf
resource "aws_s3_bucket" "example_bucket" {
  bucket = "my-example-bucket-terraform"

  lifecycle {
    prevent_destroy = true
  }
}

This Terraform file creates an AWS S3 bucket named my-example-bucket-terraform. The lifecycle block with prevent_destroy = true tells Terraform to reject any plan that would destroy this bucket, including a replacement (a change to an immutable attribute such as the bucket name, which Terraform implements as destroy-then-create). A few things to keep in mind: the value must be a literal true or false, not a variable or expression, because lifecycle arguments are evaluated before expressions are; the protection lives in the configuration, so if you delete the whole resource block the rule disappears with it and Terraform will plan the destroy without complaint; and it is only a plan-time check inside Terraform, so it does nothing against deletion through the AWS console or API or against someone running terraform state rm. For those cases you still need cloud-side controls such as IAM or bucket policies.

Commands
This command initializes the Terraform working directory and downloads necessary provider plugins.
Terminal
terraform init
Expected Output
Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.0.0...
- Installed hashicorp/aws v4.0.0 (signed by HashiCorp)

Terraform has been successfully initialized!
This command applies the Terraform configuration to create the S3 bucket with the prevent_destroy rule.
Terminal
terraform apply -auto-approve
Expected Output
aws_s3_bucket.example_bucket: Creating...
aws_s3_bucket.example_bucket: Creation complete after 3s [id=my-example-bucket-terraform]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
-auto-approve - Automatically approve the apply without asking for confirmation
This command tries to destroy the resources but fails during the planning phase because of the prevent_destroy rule; nothing is deleted and the state is left unchanged.
Terminal
terraform destroy -auto-approve
Expected Output
Error: Instance cannot be destroyed

  on main.tf line 1, in resource "aws_s3_bucket" "example_bucket":
   1: resource "aws_s3_bucket" "example_bucket" {

Resource aws_s3_bucket.example_bucket has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target flag.
-auto-approve - Automatically approve the destroy without asking for confirmation
This command only produces a destroy plan without applying it, and it fails with the same error, because prevent_destroy is enforced at plan time rather than at apply time. That makes it a useful gate in CI: a pipeline that runs terraform plan on every change will fail as soon as someone proposes a change that would remove a protected resource.
Terminal
terraform plan -destroy
Expected Output
Error: Instance cannot be destroyed

  on main.tf line 1, in resource "aws_s3_bucket" "example_bucket":
   1: resource "aws_s3_bucket" "example_bucket" {

Resource aws_s3_bucket.example_bucket has lifecycle.prevent_destroy set, but the plan calls for this resource to be destroyed. To avoid this error and continue with the plan, either disable lifecycle.prevent_destroy or reduce the scope of the plan using the -target flag.
Key Concept

If you remember nothing else from this pattern, remember: prevent_destroy makes Terraform reject any plan that would destroy or replace the resource, for as long as the rule is present in the configuration. It is a guardrail against mistakes in your own Terraform changes, not an access control; it cannot stop deletions made outside Terraform.

Common Mistakes
Trying to destroy a resource with prevent_destroy set without removing the rule first.
Terraform will block the destroy at plan time and show an error, preventing accidental deletion.
Remove the prevent_destroy line from the lifecycle block in a separate, reviewed change, apply that change, and only then run terraform destroy. Avoid quietly commenting the line out on a local branch, since the removal should be visible in history.
Setting prevent_destroy on resources that need to be replaced or deleted regularly.
Because replacement is implemented as destroy-then-create, the rule also blocks any change to an immutable attribute, which causes frustration and blocks legitimate changes, slowing down development.
Use prevent_destroy only on critical, long-lived resources that must not be deleted accidentally.
Deleting the whole resource block and expecting prevent_destroy to still protect the resource.
The rule is part of the block you just removed, so Terraform plans a plain destroy with no error.
Review plans for unexpected "destroy" actions, and consider an additional plan-level check outside the configuration for resources that must never be removed.
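Because prevent_destroy disappears together with its resource block, a complementary check that does not live in the configuration is worth having. The script below is an added example, not code from the original page or from Terraform itself: it reads the JSON that terraform show -json tfplan produces (the real resource_changes[].change.actions schema) and fails if any resource on a hypothetical PROTECTED list is scheduled for a delete, including the delete half of a replacement. The sample plan embedded in the script is constructed for illustration and mimics a commit that removed the bucket's resource block and forced replacement of a database.

```python
"""CI guardrail: refuse plans that would delete or replace protected resources.

Added example, not part of the original page or of Terraform. Usage:
    terraform plan -out=tfplan
    terraform show -json tfplan > tfplan.json
    python check_plan.py tfplan.json   # exit code 1 if a protected resource would be deleted
Run with no argument to check the constructed sample plan below.
"""
import json
import sys

# Hypothetical list of addresses that automation must never destroy. In a real
# pipeline, load this from a file checked into the repository.
PROTECTED = {
    "aws_s3_bucket.example_bucket",
    "aws_db_instance.prod",
}

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check uses. It models a change that removed the bucket's resource
# block (so prevent_destroy went with it) and forced replacement of the DB.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.example_bucket", "mode": "managed",
         "type": "aws_s3_bucket", "name": "example_bucket",
         "change": {"actions": ["delete"]}},
        {"address": "aws_db_instance.prod", "mode": "managed",
         "type": "aws_db_instance", "name": "prod",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_iam_role.ci", "mode": "managed",
         "type": "aws_iam_role", "name": "ci",
         "change": {"actions": ["update"]}},
    ],
})


def destructive_changes(plan_json, protected):
    """Return {address: actions} for protected resources the plan would delete.

    A replacement appears as ["delete", "create"] or ["create", "delete"], so
    testing for "delete" in the action list catches both plain destroys and
    replacements, which is the same set of changes prevent_destroy blocks.
    """
    plan = json.loads(plan_json)
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("mode") != "managed":
            continue  # data sources are never destroyed
        actions = rc.get("change", {}).get("actions", [])
        if rc["address"] in protected and "delete" in actions:
            findings[rc["address"]] = actions
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan_json = fh.read()
    else:
        plan_json = SAMPLE_PLAN
    findings = destructive_changes(plan_json, PROTECTED)
    for address, actions in sorted(findings.items()):
        print(f"BLOCKED: {address} would be {'/'.join(actions)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it between terraform plan and terraform apply in the pipeline; a non-zero exit stops the apply step. Unlike prevent_destroy, the protected list is independent of the resource blocks, so deleting a block from main.tf still trips the check.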
Summary
Use the lifecycle block with prevent_destroy = true to protect important resources from deletion.
Run terraform apply to create resources with this protection in place.
Terraform will reject any plan, destroy or replacement of these resources at plan time until you remove the prevent_destroy rule from the configuration; protect against deletion outside Terraform with cloud-side controls.