Preventing the terraform s3 backend bucket and dynamo db lock table from being deleted by the destroy command
I am trying to create a dev environment in AWS. Since my infra is not complete, I try to destroy all the created resources at the end of the day and recreate them the next morning.
However, when I use the terraform destroy command to destroy the resources, the dynamo db lock table is deleted and it also attempts to delete the backend s3 bucket.
Since the lock table is deleted, it fails to retrieve/release the lock when I create/destroy the resources the next time.
My dynamo db table and s3 bucket were created using terraform and not by using the console. Therefore, those resources are in the terraform state. I think that is the reason terraform tries to delete them.
I have this backend config:
terraform {
  backend "s3" {
    bucket         = "project-tfstate-dev"
    key            = "project-dev.tfstate"
    region         = "us-west-2"
    dynamodb_table = "tf-statelock-project-dev"
    encrypt        = true
    acl            = "private"
  }
}
The s3 bucket and dynamo db table are created as:
resource "aws_s3_bucket" "tf_remote_state" {
  bucket = "dev-tfstate-${var.env_name}"
}
resource "aws_s3_bucket_versioning" "version" {
  bucket = aws_s3_bucket.tf_remote_state.bucket
  versioning_configuration {
    status = "Enabled"
  }
}
resource "aws_s3_bucket_acl" "acl" {
  bucket = aws_s3_bucket.tf_remote_state.bucket
  acl    = "private"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
  bucket = aws_s3_bucket.tf_remote_state.bucket
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
resource "aws_dynamodb_table" "tf_statelock" {
  hash_key     = "LockID"
  name         = "tf-statelock-project-${var.env_name}"
  billing_mode = "PAY_PER_REQUEST"
  attribute {
    name = "LockID"
    type = "S"
  }
}
Is there a way of preventing the deletion of the lock table and s3 bucket, other than using the console to create the backend resources manually?
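The following is an added example, not code from the question or an answer from the original thread, of one way to keep the backend resources out of the nightly destroy: put the bucket and lock table in their own root module that keeps local state (so they never enter the dev stack's state file), and guard them with lifecycle prevent_destroy plus DynamoDB's API-level deletion protection. The bootstrap/ file layout, the provider version constraint, the bucket name project-tfstate-${var.env_name} (chosen to match the backend block in the question) and the public-access-block resource are assumptions.

```hcl
# bootstrap/main.tf (hypothetical layout: a root module separate from the
# dev stack). Assumptions: AWS provider >= 4.62 (needed for
# deletion_protection_enabled), var.env_name = "dev", names as in the question.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.62"
    }
  }
  # No backend "s3" block on purpose: this module keeps local state, so the
  # bucket and lock table never appear in the dev stack's state and a
  # `terraform destroy` run in the dev stack cannot plan their deletion.
}

variable "env_name" {
  type    = string
  default = "dev"
}

resource "aws_s3_bucket" "tf_remote_state" {
  bucket = "project-tfstate-${var.env_name}"

  # false is the default; kept explicit because it is what makes Terraform
  # refuse to delete a bucket that still holds objects, including old
  # versions of the state file in a versioned bucket.
  force_destroy = false

  lifecycle {
    # Any plan that would destroy this resource errors out instead of applying.
    prevent_destroy = true
  }
}

resource "aws_s3_bucket_versioning" "tf_remote_state" {
  bucket = aws_s3_bucket.tf_remote_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tf_remote_state" {
  bucket = aws_s3_bucket.tf_remote_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# State files routinely contain secrets; close every public-access path.
resource "aws_s3_bucket_public_access_block" "tf_remote_state" {
  bucket                  = aws_s3_bucket.tf_remote_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_dynamodb_table" "tf_statelock" {
  name         = "tf-statelock-project-${var.env_name}"
  hash_key     = "LockID"
  billing_mode = "PAY_PER_REQUEST"

  # AWS rejects DeleteTable while this is true, so a console or CLI
  # deletion also fails until the flag is switched off first.
  deletion_protection_enabled = true

  attribute {
    name = "LockID"
    type = "S"
  }

  lifecycle {
    prevent_destroy = true
  }
}

# Values to paste into the dev stack's backend "s3" block.
output "backend_bucket" {
  value = aws_s3_bucket.tf_remote_state.bucket
}

output "backend_lock_table" {
  value = aws_dynamodb_table.tf_statelock.name
}
```

The dev stack keeps the backend "s3" block exactly as posted and simply stops declaring the bucket and table. Two caveats worth knowing before choosing this layout. First, prevent_destroy does not make terraform destroy skip a resource; it makes the whole plan fail, so leaving the guarded resources inside the same root module as the stack that is destroyed nightly would block every destroy run, which is why they need a separate state. Second, for the configuration already in the question, the one-time migration is to remove the two resources (and the dependent versioning, acl and encryption resources) from the dev state with terraform state rm ADDRESS, then bring them under the bootstrap module with terraform import ADDRESS ID; neither command touches the AWS objects themselves.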