Protection of core resources #4306

Open
TonyWildish-BH opened this issue Feb 4, 2025 · 6 comments

@TonyWildish-BH
Contributor

We frequently deploy TREs for development alongside our production TRE, which comes with the risk that we may accidentally delete the production TRE if we're in the wrong terminal session when we type the deletion command. It would be great if the management and core resource groups could be locked against accidental deletion once they're deployed, with a flag in the config file to say if you want it locked or not.

I imagine that can be done without impeding the operation of the TRE. Any thoughts?

@West-P

West-P commented Feb 4, 2025

Terraform doesn't deal with removing resource locks particularly well from memory.
An alternative could be to use the CI/CD version and implement DevOps practices such as pipeline approval processes and PR reviewers etc to prevent erroneous code entering production or running the wrong processes. I have found this a much better approach to prevent "user error" when using the manual deployment steps and manually running the make commands.

@TonyWildish-BH
Contributor Author

Thanks for the suggestion, @West-P. I was thinking more of locks at the Azure level, with separate make tre-lock and make tre-unlock targets, or something like that. It doesn't have to be terraform that deals with the locking, it could be vanilla az commands. Could that not work?

@marrobi
Member

marrobi commented Feb 4, 2025

Feel free to add the locks if you are looking to prevent deletion via the portal.

However, as per @West-P's comment, Terraform just destroys the locks (ignores them).

@marrobi
Member

marrobi commented Feb 4, 2025

I see what you are saying, lock at the Azure level, not sure what Terraform would do in that case. @TonyWildish-BH have you tried this approach? Added a lock, and tried a terraform destroy?

@TonyWildish-BH
Contributor Author

No, haven't tried that. Was hoping to tap into the expertise here to see if someone had already tried anything.

@marrobi
Member

marrobi commented Feb 4, 2025

The issue I see is, in a production environment, typically manual commands are not run - it's managed using IaC. Hence this "locking" would need to be added to CI/CD, along with the removal, and then it's of limited value and similar to the terraform implementation.
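
The `make tre-lock` / `make tre-unlock` idea raised in this thread, sketched with plain `az lock` commands as an added example (not code from the AzureTRE repository or from any participant). The lock name, the `DRY_RUN` switch, the retyped-TRE-id confirmation and the resource group names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: helpers that hypothetical tre-lock / tre-unlock make targets
# could source and call. Names below are assumptions, not AzureTRE settings.

LOCK_NAME="${TRE_LOCK_NAME:-tre-protect}"   # hypothetical lock name

# Run a command, or only print it when DRY_RUN=1 (no Azure login needed).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# tre_lock RG...
# Put a CanNotDelete management lock on each resource group given.
tre_lock() {
  [ "$#" -gt 0 ] || { echo "usage: tre_lock RG..." >&2; return 2; }
  for rg in "$@"; do
    run az lock create --name "$LOCK_NAME" --lock-type CanNotDelete \
      --resource-group "$rg" || return 1
  done
}

# tre_unlock EXPECTED_TRE_ID TYPED_TRE_ID RG...
# Remove the lock only if the operator retyped the TRE id correctly, so a
# command issued in the wrong terminal session fails closed.
tre_unlock() {
  [ "$#" -ge 3 ] || { echo "usage: tre_unlock EXPECTED TYPED RG..." >&2; return 2; }
  expected="$1"
  typed="$2"
  shift 2
  if [ -z "$expected" ] || [ "$expected" != "$typed" ]; then
    echo "refusing to unlock: confirmation does not match TRE id" >&2
    return 1
  fi
  for rg in "$@"; do
    run az lock delete --name "$LOCK_NAME" --resource-group "$rg" || return 1
  done
}
```

With `DRY_RUN=1` the functions only print the `az` commands, which is a way to review what a target would do before pointing it at the management and core resource groups.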
