How to block Terraform from deleting an imported resource?

1
votes

I'm brand new to Terraform so I'm sure i'm missing something, but the answers i'm finding don't seem to be asking the same question I have.

I have an AWS VPC/Security Group that we need our EC2 instances to be created under and this VPC/SG is already created. To create an EC2 instance, Terraform requires that if I don't have a default VPC, I must import my own. But once I import and apply my plan, when I wish to destroy it, its trying to destroy my VPC as well. How do I encapsulate my resources so when I run "terraform apply", I can create an EC2 instance with my imported VPC, but when I run "terraform destroy" I only destroy my EC2 instance?

In case anyone wants to mention, I understand that:

lifecycle = {
    prevent_destroy = true
}

is not what I'm looking for.

Here is my current practice code.

resource "aws_vpc" "my_vpc" {
  cidr_block = "xx.xx.xx.xx/24"
}

provider "aws" {
  region = "us-west-2"
}


data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
  }

  owners = ["099720109477"] # Canonical
}


resource "aws_instance" "web" {

  ami           = "${data.aws_ami.ubuntu.id}"
  instance_type = "t3.nano"

  vpc_security_group_ids = ["sg-0e27d851dxxxxxxxxxx"]
  subnet_id              = "subnet-0755c2exxxxxxxx"

  tags = {
    Name = "HelloWorld"
  }
}
2
amazon-web-servicesamazon-ec2terraformamazon-vpc
It sounds like what you really want is for your Terraform config to be aware of the VPC, but not actively manage it. Is that correct? Otherwise, I assume you want to manage the VPC, but prevent it from being destroyed.Matt Schuchard
Correct on your first assumption. I want to place my EC2 instance into my non-default pre made VPC but not have this VPC managed by Terraform.Jacob C

2 Answers

0
votes

Terraform should not require you to deploy or import a VPC in order to deploy an EC2 instance into it. You should be able to reference the VPC, subnets and security groups by id so TF is aware of your existing network infrastructure just like you've already done for SGs and subnets. All you should need to deploy the EC2 instance "aws_instance" is give it an existing subnet id in the existing VPC like you already did. Why do you say deploying or importing a VPC is required by Terraform? What error or issue do you have deploying without the VPC and just using the existing one?

You can protect the VPC through AWS if you really wanted to, but I don't think you really want to import the VPC into your Terraform state and let Terraform manage it here. Sounds like you want the VPC to service other resources, maybe applications manually deployed or through other TF stacks, and the VPC to live independent of anyone application deployment.

0
votes

To answer the original question, you can use a data source and match your VPC by id or tag name :

data "aws_vpc" "main" {
  tags = {
    Name = "main_vpc"
  }
}

Or

data "aws_vpc" "main" {
  id = "vpc-nnnnnnnn"
}

Then refer to it with : data.aws_vpc.main

Also, if you already included your VPC but would like not to destroy it while remove it from your state, you can manage to do it with the terraform state command : https://www.terraform.io/docs/commands/state/index.html