DEV Community

Brian Mengo
Brian Mengo

Posted on

Terraform LifeCycle Rules

Day 9 of the 30 Days of AWS Terraform series focuses on Terraform Lifecycle Rules — powerful controls that decide how Terraform creates, updates, replaces, and destroys resources.

What Terraform LifeCycle meta arguments are
Lifecycle meta arguments allow us to control how Terraform behaves when it creates, updates, or destroys resources.

They help us:

  • Avoid downtime
  • Protect important resources
  • Handle changes made outside Terraform
  • Validate configurations before and after deployment
  • Enforcing compliance
  • Controlling replacement behavior

Lifecycle rules allow us to override default behavior safely.

Lifecycle rules are Terraform-native controls applied inside a resource block:

lifecycle {
...
}

Lifecycle Rules Covered
1️⃣ create_before_destroy — Zero Downtime Updates
Problem:
Terraform destroys the old resource before creating the new one → downtime.

Solution:
lifecycle {
create_before_destroy = true
}

Behavior:

New resource is created first
Old resource is destroyed only after
Ensures zero downtime

2️⃣ prevent_destroy — Protect Critical Resources
This setting prevents Terraform from deleting a resource.

Example

If Terraform tries to destroy this resource, it will fail with an error.

This is useful for:

Production databases
State storage buckets
Important data resources

3️⃣ ignore_changes — Allow External Modifications
Problem:
Terraform overwrites manual or automated external changes.

Solution:
lifecycle {
ignore_changes = [desired_capacity]
}

Demo:
Auto Scaling Group desired capacity modified manually in AWS Console
terraform apply did not revert the change

Behavior:
Terraform ignores changes for specified attributes.

✅ Use for:
Auto Scaling Groups
Resources modified by external systems
Ops-driven configurations

4️⃣ replace_triggered_by — Replace When Dependency Changes
Problem:
Changing a dependency doesn’t always recreate dependent resources.

Solution:
lifecycle {
replace_triggered_by = [aws_security_group.main]
}

Behavior:
When security group changes
EC2 instance is automatically replaced
This enforces dependency-driven replacement.

✅ Use for:
Security groups
AMI changes
Config-dependent resources

5️⃣ Preconditions & Postconditions — Policy Enforcement
Problem:
Terraform allows invalid or non-compliant infrastructure.

Solution:
lifecycle {
precondition {
condition = contains(keys(var.tags), "compliance")
error_message = "Compliance tag is required"
}
}

Behavior:
Precondition → validated before resource creation
Postcondition → validated after resource creation
Deployment fails if conditions are not met

Demo:
Missing mandatory tag caused Terraform to fail
Fixing tag allowed successful deployment

✅ Use for:
Compliance
Security policies
Organizational standards

Key Learning points
Terraform lifecycle controls how resources change over time.

  • create before destroy helps avoid downtime.
  • prevent destroy protects critical resources.
  • ignore changes allows external systems to manage attributes.
  • replace triggered by helps maintain consistency.
  • precondition and postcondition help validate configurations.

Top comments (0)