GCP Cloud SQL failed to delete instance because `deletion_protection` is set to true - gcloud toggle?

Question

Error message:

terraform destroy

module.application.google_sql_database_instance.sql-db-xxx: Destroying... [id=db-xxx]

Error: Error, failed to delete instance because deletion_protection is set to true. Set it to false to proceed with instance deletion

The terraform solution is here:

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance

On newer versions of the provider, you must explicitly set deletion_protection=false (and run terraform >apply to write the field to state) in order to destroy an instance. It is recommended to not set this >field (or set it to true) until you're ready to destroy the instance and its databases.

Question:

I do NOT want to make changes to the terraform script. I would rather toggle the deletion protection flag via gcloud, then destroy as per usual. For gcloud VMs there is a deletion protection flag I can toggle. However, I cannot find the corresponding flag for the database:

cloud sql instances describe db-xxx

• Is this deletion_protection flag meta data within terraform itself?

• If not, what is the gcloud command to toggle it?

• If so, how can I override it via terraform without modifying the code; ie command line parameter?

I have insufficient 'points' to add to the existing thread of a similar title.

Answer 1

Terraform way

As per the latest docs, You can set cloudsql instance deletion protection via settings in terraform.

So now we've two flags i.e. deletion_protection which is terraform metadata and settings.deletion_protection_enabled which is for setting deletion protection on cloudsql instance itself.

deletion_protection - (Optional) Whether or not to allow Terraform to destroy the instance. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply command that deletes the instance will fail. Defaults to true.

NOTE: This flag only protects instances from deletion within Terraform. To protect your instances from accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform), use the API flag settings.deletion_protection_enabled.

deletion_protection_enabled - (Optional) Enables deletion protection of an instance at the GCP level. Enabling this protection will guard against accidental deletion across all surfaces (API, gcloud, Cloud Console and Terraform) by enabling the GCP Cloud SQL instance deletion protection. Terraform provider support was introduced in version 4.48.0. Defaults to false.

Reference : https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#deletion_protection_enabled

Gcloud Way

If not, what is the gcloud command to toggle it?

You can enable deletion protection for CloudSQL instance using gcloud command now.

Create new CloudSQL instance with deletion protection enabled

gcloud sql instances create [INSTANCE_NAME] \
    --deletion-protection

Update existing CloudSQL instance with deletion protection enabled

gcloud sql instances patch [INSTANCE_NAME] \
    --deletion-protection

Disable deletion protection for existing CloudSQL instance

gcloud sql instances patch [INSTANCE_NAME] \
    --no-deletion-protection

References : PostgreSQL CloudSQL : https://cloud.google.com/sql/docs/postgres/deletion-protection

Answer 2

To answer your questions:

1. From Terraform docs:

deletion_protection - Whether or not to allow Terraform to destroy the instance.

So yes, this is within Terraform itself. Deletion protection flag on GCP is currently only available on Compute Engine instances, not Cloud SQL instances.

2. Currently, deletion protection can only be toggled on a Compute Engine Instance.

3. You may consider using input variables like this:

terraform apply -var="deletion_protection=false"
terraform destroy

There are also other ways to use input variables. For more reference, here's the link.