Day 9 - Terraform Lifecycle Meta Arguments in AWS

Introduction

In the previous days, I focused on creating resources using Terraform.
Today was different.

Day 09 helped me understand how Terraform manages changes over time.
Instead of only creating infrastructure, I learned how to control what happens when something is updated, replaced, or removed.

This is important because real environments are always changing.

What are lifecycle meta arguments

Lifecycle meta arguments allow us to control how Terraform behaves when it creates, updates, or destroys resources.

They help us:

  • Avoid downtime
  • Protect important resources
  • Handle changes made outside Terraform
  • Validate configurations before and after deployment

create before destroy

By default, Terraform destroys a resource first and then creates a new one.

With create before destroy, Terraform creates the new resource first and then removes the old one.

Example

lifecycle {
  create_before_destroy = true
}

This is useful when downtime is not acceptable, such as application servers or production systems.

terraform apply 

Made changes to bucket name and ran terraform apply. Terraform creates the new resource first and only then removes the old one, ensuring no gap in availability.


prevent destroy

This setting prevents Terraform from deleting a resource.

Example

lifecycle {
  prevent_destroy = true
}

If Terraform tries to destroy this resource, it will fail with an error.

This is useful for:

  • Production databases
  • State storage buckets
  • Important data resources

In this screenshot, Terraform blocks the destroy operation because prevent_destroy is enabled. This protects critical resources from accidental deletion.


ignore changes

Sometimes resources are modified by other systems such as auto scaling or monitoring tools.

In such cases, Terraform can ignore specific changes.

Example

lifecycle {
  ignore_changes = [tags["Owner"]]
}

This prevents Terraform from trying to revert those changes.

In this screenshot, I manually changed a tag in AWS, but Terraform did not detect any changes when i ran terraform plan because ignore_changes is configured for that attribute.




replace triggered by

This forces Terraform to replace a resource when another resource changes.

Example

lifecycle {
  replace_triggered_by = [random_pet.deployment_version]
}

Even if the resource itself is not modified, Terraform will recreate it when the dependent resource changes.

This is useful for maintaining consistency.

In this screenshot, the S3 bucket is replaced even though I did not modify it directly. This happens because replace_triggered_by forces recreation when the dependent resource changes.




Changes in AWS Console


precondition

Precondition is used to validate conditions before Terraform creates or updates a resource.

Example

precondition {
  condition     = contains(var.allowed_regions, data.aws_region.current.name)
  error_message = "Invalid region"
}

If the condition is not met, Terraform stops before creating the resource.

In this screenshot, Terraform stops the deployment before creating the resource because the region is not in the allowed list. This helps prevent invalid configurations.

Made below changes to terraform.tfvars file


Ran terraform apply


postcondition

Postcondition validates a resource after it is created.

Example

postcondition {
  condition     = contains(keys(self.tags), "Environment")
  error_message = "Missing Environment tag"
}

Even if the resource is created successfully, Terraform will fail if the condition is not satisfied.

Made below changes to main.tf file


Ran terraform apply. In this screenshot, Terraform successfully creates the resource but then fails because the required Environment tag is missing. This shows how postcondition validates the resource after creation.

Key learnings

  • Terraform lifecycle controls how resources change over time
  • create before destroy helps avoid downtime
  • prevent destroy protects critical resources
  • ignore changes allows external systems to manage attributes
  • replace triggered by helps maintain consistency
  • precondition and postcondition help validate configurations

Conclusion

Today I learned that Terraform is not just about creating infrastructure.
It is about managing change safely.

Lifecycle meta arguments give more control and help build reliable and production ready environments.

Video reference


Jay

Comments

Post a Comment

Popular posts from this blog

ASM Integrity check failed with PRCT-1225 and PRCT-1011 errors while creating database using DBCA on Exadata 3 node RAC

Image
  Error: The error message PRCT-1225: failed to verify Oracle Automatic Storage Management (Oracle ASM) user credentials using the command 'asmcmd credverify' indicates that the asmcmd credverify command failed to verify the Oracle ASM user credentials. This can happen for a number of reasons, including: The user credentials are incorrect. The user credentials file is corrupted. The user does not have the necessary permissions to run the asmcmd credverify command. There is a problem with the Oracle ASM instance. To troubleshoot this error, you can try the following: Make sure that the user credentials are correct. You can do this by trying to log in to the Oracle ASM instance using the same credentials. Check the user credentials file for errors. You can do this by using a text editor to open the file and inspect the contents. Make sure that the user has the necessary permissions to run the asmcmd credverify command. You can do this by checking the user's permissi...
Read more

Lock Tables in MariaDB

Whether or not you need to lock tables while backing up MariaDB depends on a few factors, including the type of backup you are performing and the tools you are using. If you are performing a full backup , you should lock the tables to ensure that the backup is consistent. This is because a full backup copies all of the data in the database, including any data that is currently being modified by transactions. If you do not lock the tables, it is possible that the backup could contain inconsistent data. If you are performing a differential backup or an incremental backup , you may not need to lock the tables. Differential and incremental backups only copy the data that has changed since the previous backup. This means that the data is already consistent, so there is no need to lock the tables. However, some backup tools may require you to lock the tables, even if you are performing a differential or incremental backup. This is because these tools may need to modify the database in some ...
Read more

Life is beautiful

Image
Life brings unexpected tragedies that are beyond our control. It's heartbreaking to witness people facing circumstances they never chose. We react with tears and inevitably wonder, "What if that happens to me?" As humans, we naturally focus on the positive and avoid dwelling on such thoughts—and that's healthy. But this perspective has shaped how I approach life: Am I prepared for these scenarios? Are my loved ones protected if something goes wrong? If I were to die, I couldn't be there to tell them to stay strong—they'd have to face that grief alone. But I can give them financial security through proper planning, wills, and trusts. These are tangible ways to care for them even when I'm gone. Beyond that, what else can I control? I don't waste energy worrying about an uncertain past or future. Instead, I choose to spread peace, truly listen to others, and share genuine smiles. I embrace the principle of living fully while letting others do the same. ...
Read more