Add force_delete to aws_backup_vault resource #13247

Closed
igoratencompass opened this issue May 10, 2020 · 12 comments · Fixed by #26199
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/backup Issues and PRs that pertain to the backup service.

Comments

@igoratencompass

igoratencompass commented May 10, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.12.8

Affected Resource(s)

  • aws_backup_vault

Debug Output

Error: error deleting Backup Vault (backup-vault): InvalidRequestException: Backup vault cannot be deleted (contains 1 recovery points)
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "7c3c5f84-4a9d-40fd-a72e-00d929b1c85e"
  },
  Code_: "ERROR_9101",
  Context: "1",
  Message_: "Backup vault cannot be deleted (contains 1 recovery points)"
}

Expected Behavior

Expect to be able to force delete the resource.

Actual Behavior

See error above.

Steps to Reproduce

Create and try to destroy an aws_backup_vault resource with existing recovery points.

@ghost ghost added the service/backup Issues and PRs that pertain to the backup service. label May 10, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label May 10, 2020
@ryno75
Contributor

ryno75 commented Nov 24, 2020

This.
Please! 😄

I envision this to be an implementation very similar to the S3 "force_destroy" attribute that deletes all bucket objects when a bucket is deleted. Pretty clear example of that implementation in the code for aws_s3_bucket. If I get a little time I'll implement it, but I'm more than happy if someone else does it before me!

@tianqiliu-RBLX

Following..

@RachelleAtEncompass

Following... 100 votes for this one.

@breathingdust breathingdust added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 21, 2021
@mattjtodd

"Slightly" 😉 dangerous but would be useful to have.

@VladoPortos

How to deal with this? The whole destroy operation just crashes because of this. Can't remove RDS, EC2 ... but I don't care if there are backups or not; if I'm calling destroy and that includes the backup vault and plans, it should all go away...

@VladoPortos

I needed to add this as step before terraform destroy:

for ARN in $(aws backup list-recovery-points-by-backup-vault --backup-vault-name "backup_vault" --query 'RecoveryPoints[].RecoveryPointArn' --output text); do aws backup delete-recovery-point --backup-vault-name "backup_vault" --recovery-point-arn "${ARN}"; done

Wish there was a toggle for this inside Terraform.

@quentin9696

Hi,

I'm also interested in this feature.
I know it can be dangerous, but since we can lock a backup, it can be secure on production stuff.

@HiGein

HiGein commented Jun 13, 2022

Also interested in that.

@apushnov
Copy link

I'm also interested in that.

@CMarriaga

Hi everyone, I might have found a workaround for this while the issue is closed.

First we create a script, in my case in the file location ./scripts/delete_vault_backups.sh such as:

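#!/usr/bin/env bash
# Usage: delete_vault_backups.sh <backup-vault-name> <region>
# Abort on the first failed command so a refused delete fails the destroy instead of polling forever.
set -euo pipefail

# List the ARNs of every recovery point currently in the vault.
existing_arns=$(aws backup list-recovery-points-by-backup-vault --backup-vault-name "$1" --region "$2" --query 'RecoveryPoints[].RecoveryPointArn' --output text)
existing_arns_amount=$(echo $existing_arns | wc -w)

# Request deletion of each recovery point.
for arn in $existing_arns; do
  echo "deleting ${arn} ..."
  aws backup delete-recovery-point --backup-vault-name "$1" --region "$2" --recovery-point-arn "${arn}"
done

# Wait until the vault no longer lists any recovery points.
while [[ $existing_arns_amount -gt 0 ]]; do
  sleep 3
  existing_arns_amount=$(aws backup list-recovery-points-by-backup-vault --backup-vault-name "$1" --region "$2" --query 'RecoveryPoints[].RecoveryPointArn' --output text | wc -w)
done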

Then, in our Terraform we add a "local-exec" provisioner on the aws_backup_vault resource such as

resource "aws_backup_vault" "this" {
  #...
  provisioner "local-exec" {
    command = format(
      "bash ./scripts/delete_vault_backups.sh %s %s",
      self.name,
      split(":", self.arn)[3]
    )
    when = destroy
  }
}

This will make sure that all Vault Recovery Points are deleted before the aws_backup_vault resource is deleted.
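
A guarded variant of the destroy-time cleanup script in the comment above, added here as an example (not code from the thread or from the Terraform AWS provider): it only lists what would be deleted unless `--apply` is passed, stops at the first refused delete, and bounds the wait. The function names, the `--apply` flag and `MAX_WAIT_SECS` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: guarded variant of the destroy-time cleanup shown above.
# purge_recovery_points, --apply and MAX_WAIT_SECS are names chosen for this example.
MAX_WAIT_SECS="${MAX_WAIT_SECS:-300}"   # upper bound on the post-delete wait

list_recovery_points() {   # $1 = vault name, $2 = region
  aws backup list-recovery-points-by-backup-vault \
    --backup-vault-name "$1" --region "$2" \
    --query 'RecoveryPoints[].RecoveryPointArn' --output text
}

# Usage: purge_recovery_points <vault> <region> [--apply]
# Without --apply nothing is deleted; the ARNs that would go are printed.
purge_recovery_points() {
  local vault="$1" region="$2" mode="${3:-}" arns arn waited=0
  [ -n "$vault" ] && [ -n "$region" ] || { echo "usage: <vault> <region> [--apply]" >&2; return 2; }
  arns=$(list_recovery_points "$vault" "$region") || return 1
  for arn in $arns; do
    if [ "$mode" != "--apply" ]; then
      echo "DRY-RUN would delete ${arn}"
      continue
    fi
    echo "deleting ${arn}"
    # Stop at the first refused delete instead of waiting on a vault that will never empty.
    aws backup delete-recovery-point --backup-vault-name "$vault" \
      --region "$region" --recovery-point-arn "$arn" || return 1
  done
  [ "$mode" = "--apply" ] || return 0
  # As in the script above, poll until the listing is empty, but give up after MAX_WAIT_SECS.
  while [ -n "$(list_recovery_points "$vault" "$region")" ]; do
    [ "$waited" -lt "$MAX_WAIT_SECS" ] || { echo "timed out waiting for ${vault} to empty" >&2; return 3; }
    sleep 3
    waited=$((waited + 3))
  done
}

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then purge_recovery_points "$@"; fi
```

Running it once without `--apply` in a plan-review step shows exactly which recovery points the destroy would remove before anything is deleted.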

@volenpopov

@CMarriaga thanks for the workaround!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 10, 2022