Fail terraform plan that would result in the deletion of aiven_kafka_topic that has termination_protection enabled

[apjm]

What happened?

With provider version = "4.9.3"

For an aiven_kafka_topic resource with termination_protection = true, remove the config for the topic. Run terraform plan to produce a valid plan including the destruction of the topic, eg.

# module.module_id.aiven_kafka_topic.this["x"] will be destroyed
  # (because key ["x"] is not in for_each map)
  - resource "aiven_kafka_topic" "this" {
      - id                     = "topic_id" -> null
      - partitions             = 3 -> null
      - project                = "project_id" -> null
      - replication            = 3 -> null
      - service_name           = "service_id" -> null
      - termination_protection = true -> null
      - topic_name             = "x" -> null

      - config {
        ...
        }

    }

Running tf apply for the same plan errors with

Error: cannot delete kafka topic when termination_protection is enabled

What did you expect to happen?

Terraform plan should error if it would include destroy for a topic that has termination protection enabled.

What else do we need to know?

Terraform version 1.6.5

[byashimov]

Hey @apjm! Thanks for the report. I'm afraid Terraform doesn't let us know if resource is going to be destroyed. https://github.com/hashicorp/terraform-plugin-sdk/issues/411#issuecomment-1069528108 What's more curious, when you run plan command with protected by terraform resource, it doesn't warn you either. It protects resources only when destroy command is called.

[byashimov]

@Serpentiel I think it is totally valid, yet we can't implement it. Not sure if even possible on the plugin framework.

[Serpentiel]

@byashimov well, yes, but what we can't do—we can't do 🙁