feat(terraform): agregar lifecycle prevent_destroy a recursos críticos

- VPC: prevent_destroy = true - EC2: prevent_destroy + ignore_changes ami - RDS: prevent_destroy = true - S3 frontend/artifacts: prevent_destroy = true - Prevenir destrucción accidental de infraestructura PROD
2026-05-07 11:09:55 -06:00
parent 41b2347a33
commit 557feb02e0
1 changed files with 104 additions and 11 deletions
@@ -18,6 +18,11 @@ resource "aws_vpc" "main" {
  tags = {
    Name = "${var.project_name}-vpc-${var.environment}"
  }
  lifecycle {
    prevent_destroy = true
    ignore_changes  = [tags]
  }
 }
 resource "aws_internet_gateway" "main" {
@@ -81,12 +86,21 @@ resource "aws_route_table" "public" {
  tags = {
    Name = "${var.project_name}-public-rt-${var.environment}"
  }
  lifecycle {
    prevent_destroy = true
    ignore_changes  = [tags]
  }
 }
 resource "aws_route_table_association" "public" {
  count          = length(aws_subnet.public)
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
  lifecycle {
    prevent_destroy = true
  }
 }
 resource "aws_route_table" "private" {
@@ -100,12 +114,21 @@ resource "aws_route_table" "private" {
  tags = {
    Name = "${var.project_name}-private-rt-${var.environment}"
  }
  lifecycle {
    prevent_destroy = true
    ignore_changes  = [tags]
  }
 }
 resource "aws_route_table_association" "private" {
  count          = length(aws_subnet.private)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
  lifecycle {
    prevent_destroy = true
  }
 }
 # -------------------------------------------------------------------------------
@@ -196,6 +219,8 @@ resource "aws_security_group" "ec2_api" {
  }
  lifecycle {
    prevent_destroy       = true
    ignore_changes        = [tags]
    create_before_destroy = true
  }
 }
@@ -226,6 +251,8 @@ resource "aws_security_group" "rds" {
  }
  lifecycle {
    prevent_destroy       = true
    ignore_changes        = [tags]
    create_before_destroy = true
  }
 }
@@ -250,12 +277,21 @@ resource "aws_iam_role" "ec2_role" {
  tags = {
    Name = "${var.project_name}-ec2-role"
  }
  lifecycle {
    prevent_destroy = true
    ignore_changes  = [tags]
  }
 }
 resource "aws_iam_role_policy" "ec2_policy" {
  name = "${var.project_name}-ec2-policy-${var.environment}"
  role = aws_iam_role.ec2_role.id
  lifecycle {
    prevent_destroy = true
  }
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
@@ -314,6 +350,11 @@ resource "aws_iam_instance_profile" "ec2_profile" {
  tags = {
    Name = "${var.project_name}-ec2-profile"
  }
  lifecycle {
    prevent_destroy = true
    ignore_changes  = [tags]
  }
 }
 # -------------------------------------------------------------------------------
@@ -344,14 +385,12 @@ resource "aws_instance" "api" {
  }
  lifecycle {
    prevent_destroy = true
    ignore_changes = [
      ami,
      iam_instance_profile,
      user_data,
-      tags["AutoStart"],
+      tags,
      tags["AutoStop"],
      tags["Schedule"],
      tags["ScheduleHours"],
      tags["ScheduleTimezone"],
    ]
  }
 }
@@ -366,6 +405,11 @@ resource "aws_db_subnet_group" "rds" {
  tags = {
    Name = "${var.project_name}-rds-subnet-group"
  }
  lifecycle {
    prevent_destroy = true
    ignore_changes  = [tags]
  }
 }
 resource "aws_db_instance" "main" {
@@ -396,12 +440,9 @@ resource "aws_db_instance" "main" {
  }
  lifecycle {
    prevent_destroy = true
    ignore_changes  = [
-      tags["AutoStart"],
+      tags,
      tags["AutoStop"],
      tags["Schedule"],
      tags["ScheduleHours"],
      tags["ScheduleTimezone"],
    ]
  }
 }
@@ -415,6 +456,11 @@ resource "aws_s3_bucket" "frontend" {
  tags = {
    Name = "${var.project_name}-frontend"
  }
  lifecycle {
    prevent_destroy = true
    ignore_changes  = [tags]
  }
 }
 resource "aws_s3_bucket_versioning" "frontend" {
@@ -423,6 +469,10 @@ resource "aws_s3_bucket_versioning" "frontend" {
  versioning_configuration {
    status = "Enabled"
  }
  lifecycle {
    prevent_destroy = true
  }
 }
 resource "aws_s3_bucket_public_access_block" "frontend" {
@@ -432,6 +482,10 @@ resource "aws_s3_bucket_public_access_block" "frontend" {
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
  lifecycle {
    prevent_destroy = true
  }
 }
 resource "aws_s3_bucket_website_configuration" "frontend" {
@@ -444,6 +498,10 @@ resource "aws_s3_bucket_website_configuration" "frontend" {
  error_document {
    key = "index.html"
  }
  lifecycle {
    prevent_destroy = true
  }
 }
 resource "aws_s3_bucket" "artifacts" {
@@ -452,6 +510,10 @@ resource "aws_s3_bucket" "artifacts" {
  tags = {
    Name = "${var.project_name}-artifacts"
  }
  lifecycle {
    prevent_destroy = true
  }
 }
 resource "aws_s3_bucket_versioning" "artifacts" {
@@ -460,6 +522,10 @@ resource "aws_s3_bucket_versioning" "artifacts" {
  versioning_configuration {
    status = "Enabled"
  }
  lifecycle {
    prevent_destroy = true
  }
 }
 resource "aws_s3_bucket_public_access_block" "artifacts" {
@@ -469,6 +535,10 @@ resource "aws_s3_bucket_public_access_block" "artifacts" {
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
  lifecycle {
    prevent_destroy = true
  }
 }
 # -------------------------------------------------------------------------------
@@ -480,6 +550,10 @@ resource "aws_cloudfront_origin_access_control" "frontend" {
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
  lifecycle {
    prevent_destroy = true
  }
 }
 resource "aws_s3_bucket_policy" "frontend" {
@@ -504,6 +578,10 @@ resource "aws_s3_bucket_policy" "frontend" {
  })
  depends_on = [aws_s3_bucket_public_access_block.frontend]
  lifecycle {
    prevent_destroy = true
  }
 }
 # -------------------------------------------------------------------------------
@@ -519,6 +597,8 @@ resource "aws_acm_certificate" "main" {
  }
  lifecycle {
    prevent_destroy       = true
    ignore_changes        = [tags]
    create_before_destroy = true
  }
 }
@@ -536,6 +616,10 @@ resource "aws_acm_certificate_validation" "main" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.main.arn
  validation_record_fqdns = [aws_route53_record.cert_validation.fqdn]
  lifecycle {
    prevent_destroy = true
  }
 }
 # -------------------------------------------------------------------------------
@@ -555,6 +639,10 @@ resource "aws_route53_record" "main" {
  name    = var.domain_name
  type    = "A"
  lifecycle {
    prevent_destroy = true
  }
  alias {
    name                   = aws_cloudfront_distribution.main.domain_name
    zone_id                = aws_cloudfront_distribution.main.hosted_zone_id
@@ -648,4 +736,9 @@ resource "aws_cloudfront_distribution" "main" {
  tags = {
    Name = "${var.project_name}-cdn"
  }
  lifecycle {
    prevent_destroy = true
    ignore_changes  = [tags]
  }
 }