Protection of core resources

[TonyWildish-BH]

We frequently deploy TREs for development alongside our production TRE, which comes with the risk that we may accidentally delete the production TRE if we're in the wrong terminal session when we type the deletion command. It would be great if the management and core resource groups could be locked against accidental deletion once they're deployed, with a flag in the config file to say if you want it locked or not.

I imagine that can be done without impeding the operation of the TRE. Any thoughts?

[West-P]

Terraform doesn't deal with removing resource locks particularly well from memory.
An alternative could be to use the CI/CD version and implement DevOps practices such as pipeline approval processes and PR reviewers etc to prevent erroneous code entering production or running the wrong processes. I have found this a much better approach to prevent "user error" when using the manual deployment steps and manually running the make commands.

[TonyWildish-BH]

Thanks for the suggestion, @West-P. I was thinking more of locks at the Azure level, with separate make tre-lock and make tre-unlock targets, or something like that. It doesn't have to be terraform that deals with the locking, it could be vanilla az commands. Could that not work?

[marrobi]

Feel free to add the locks if you are looking to prevent deletion via the portal.

However as per @West-P 's comment Terraform just destroys the locks (ignores them).

[marrobi]

I see what you are saying, lock at the Azure level, not sure what Terraform would do in that case. @TonyWildish-BH have you tried this approach? Added a lock, and tried a terraform destroy?

[TonyWildish-BH]

No, haven't tried that. Was hoping to tap into the expertise here to see if someone had already tried anything.

[marrobi]

The issue I see is, in a production environment, typically manual commands are not run - its managed using IaC. Hence this "locking" this would need to be added to CI/CD, along with the removal and then it's of limited value and similar to the terraform implementation.