feat(terraform): agregar lifecycle prevent_destroy a recursos críticos

- VPC: prevent_destroy = true
- EC2: prevent_destroy + ignore_changes ami
- RDS: prevent_destroy = true
- S3 frontend/artifacts: prevent_destroy = true
- Prevenir destrucción accidental de infraestructura PROD
This commit is contained in:
Evert Daniel Romero Garrido
2026-05-07 11:09:55 -06:00
parent 41b2347a33
commit 557feb02e0
+103 -10
@@ -18,6 +18,11 @@ resource "aws_vpc" "main" {
tags = {
Name = "${var.project_name}-vpc-${var.environment}"
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
}
}
resource "aws_internet_gateway" "main" {
@@ -81,12 +86,21 @@ resource "aws_route_table" "public" {
tags = {
Name = "${var.project_name}-public-rt-${var.environment}"
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
}
}
resource "aws_route_table_association" "public" {
count = length(aws_subnet.public)
subnet_id = aws_subnet.public[count.index].id
route_table_id = aws_route_table.public.id
lifecycle {
prevent_destroy = true
}
}
resource "aws_route_table" "private" {
@@ -100,12 +114,21 @@ resource "aws_route_table" "private" {
tags = {
Name = "${var.project_name}-private-rt-${var.environment}"
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
}
}
resource "aws_route_table_association" "private" {
count = length(aws_subnet.private)
subnet_id = aws_subnet.private[count.index].id
route_table_id = aws_route_table.private.id
lifecycle {
prevent_destroy = true
}
}
# -------------------------------------------------------------------------------
@@ -196,6 +219,8 @@ resource "aws_security_group" "ec2_api" {
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
create_before_destroy = true
}
}
@@ -226,6 +251,8 @@ resource "aws_security_group" "rds" {
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
create_before_destroy = true
}
}
@@ -250,12 +277,21 @@ resource "aws_iam_role" "ec2_role" {
tags = {
Name = "${var.project_name}-ec2-role"
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
}
}
resource "aws_iam_role_policy" "ec2_policy" {
name = "${var.project_name}-ec2-policy-${var.environment}"
role = aws_iam_role.ec2_role.id
lifecycle {
prevent_destroy = true
}
policy = jsonencode({
Version = "2012-10-17"
Statement = [
@@ -314,6 +350,11 @@ resource "aws_iam_instance_profile" "ec2_profile" {
tags = {
Name = "${var.project_name}-ec2-profile"
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
}
}
# -------------------------------------------------------------------------------
@@ -344,14 +385,12 @@ resource "aws_instance" "api" {
}
lifecycle {
prevent_destroy = true
ignore_changes = [
ami,
iam_instance_profile,
user_data,
tags["AutoStart"],
tags["AutoStop"],
tags["Schedule"],
tags["ScheduleHours"],
tags["ScheduleTimezone"],
tags,
]
}
}
@@ -366,6 +405,11 @@ resource "aws_db_subnet_group" "rds" {
tags = {
Name = "${var.project_name}-rds-subnet-group"
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
}
}
resource "aws_db_instance" "main" {
@@ -396,12 +440,9 @@ resource "aws_db_instance" "main" {
}
lifecycle {
prevent_destroy = true
ignore_changes = [
tags["AutoStart"],
tags["AutoStop"],
tags["Schedule"],
tags["ScheduleHours"],
tags["ScheduleTimezone"],
tags,
]
}
}
@@ -415,6 +456,11 @@ resource "aws_s3_bucket" "frontend" {
tags = {
Name = "${var.project_name}-frontend"
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
}
}
resource "aws_s3_bucket_versioning" "frontend" {
@@ -423,6 +469,10 @@ resource "aws_s3_bucket_versioning" "frontend" {
versioning_configuration {
status = "Enabled"
}
lifecycle {
prevent_destroy = true
}
}
resource "aws_s3_bucket_public_access_block" "frontend" {
@@ -432,6 +482,10 @@ resource "aws_s3_bucket_public_access_block" "frontend" {
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
lifecycle {
prevent_destroy = true
}
}
resource "aws_s3_bucket_website_configuration" "frontend" {
@@ -444,6 +498,10 @@ resource "aws_s3_bucket_website_configuration" "frontend" {
error_document {
key = "index.html"
}
lifecycle {
prevent_destroy = true
}
}
resource "aws_s3_bucket" "artifacts" {
@@ -452,6 +510,10 @@ resource "aws_s3_bucket" "artifacts" {
tags = {
Name = "${var.project_name}-artifacts"
}
lifecycle {
prevent_destroy = true
}
}
resource "aws_s3_bucket_versioning" "artifacts" {
@@ -460,6 +522,10 @@ resource "aws_s3_bucket_versioning" "artifacts" {
versioning_configuration {
status = "Enabled"
}
lifecycle {
prevent_destroy = true
}
}
resource "aws_s3_bucket_public_access_block" "artifacts" {
@@ -469,6 +535,10 @@ resource "aws_s3_bucket_public_access_block" "artifacts" {
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
lifecycle {
prevent_destroy = true
}
}
# -------------------------------------------------------------------------------
@@ -480,6 +550,10 @@ resource "aws_cloudfront_origin_access_control" "frontend" {
origin_access_control_origin_type = "s3"
signing_behavior = "always"
signing_protocol = "sigv4"
lifecycle {
prevent_destroy = true
}
}
resource "aws_s3_bucket_policy" "frontend" {
@@ -504,6 +578,10 @@ resource "aws_s3_bucket_policy" "frontend" {
})
depends_on = [aws_s3_bucket_public_access_block.frontend]
lifecycle {
prevent_destroy = true
}
}
# -------------------------------------------------------------------------------
@@ -519,6 +597,8 @@ resource "aws_acm_certificate" "main" {
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
create_before_destroy = true
}
}
@@ -536,6 +616,10 @@ resource "aws_acm_certificate_validation" "main" {
provider = aws.us_east_1
certificate_arn = aws_acm_certificate.main.arn
validation_record_fqdns = [aws_route53_record.cert_validation.fqdn]
lifecycle {
prevent_destroy = true
}
}
# -------------------------------------------------------------------------------
@@ -555,6 +639,10 @@ resource "aws_route53_record" "main" {
name = var.domain_name
type = "A"
lifecycle {
prevent_destroy = true
}
alias {
name = aws_cloudfront_distribution.main.domain_name
zone_id = aws_cloudfront_distribution.main.hosted_zone_id
@@ -648,4 +736,9 @@ resource "aws_cloudfront_distribution" "main" {
tags = {
Name = "${var.project_name}-cdn"
}
lifecycle {
prevent_destroy = true
ignore_changes = [tags]
}
}
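Review bot: In the `aws_instance "api"` hunk, `ignore_changes` lists `iam_instance_profile` and `user_data` alongside `ami`, so an out-of-band swap of the instance's role attachment or bootstrap script is neither corrected nor surfaced by a plan, which is a drift blind spot on a PROD host; the commit message only mentions `ami`, so if those two entries are deliberate they deserve a comment such as `# ignored on purpose: rotated by the deploy pipeline, not by Terraform`, otherwise drop them (the resource block begins outside the hunk). The per-key `tags["AutoStart"]` … `tags["ScheduleTimezone"]` entries are redundant once plain `tags` is in the same list, here and in `aws_db_instance "main"`, though with the +/- markers lost on this page it is not certain which side they end up on. `prevent_destroy` is a plan-time guard only and does not stop deletion through the console or API; the AWS-side controls (`deletion_protection` on `aws_db_instance`, `disable_api_termination` on `aws_instance`) are not visible in these hunks, so confirm they are set if that is the intent of the change. Note also that `prevent_destroy = true` next to `create_before_destroy = true` on `aws_security_group.ec2_api`, `aws_security_group.rds` and `aws_acm_certificate.main` means any attribute that forces replacement (a SAN or domain change on the certificate, a name or VPC change on the groups) will now fail the apply instead of rolling over.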