feat: add deletion protection for ddb tables

sgtoj · sgtoj · commit 466df863a7ab · 2025-04-29T17:33:25.000-04:00
diff --git a/main.tf b/main.tf
@@ -167,8 +167,10 @@ module "node_servers" {
 resource "aws_dynamodb_table" "state" {
   count = local.enabled ? 1 : 0
 
-  name             = "${module.teleport_cluster_label.id}-state"
-  billing_mode     = "PAY_PER_REQUEST"
+  name                        = "${module.teleport_cluster_label.id}-state"
+  billing_mode                = "PAY_PER_REQUEST"
+  deletion_protection_enabled = var.ddb_deletion_protection_enabled
+
   hash_key         = "HashKey"
   range_key        = "FullPath"
   stream_enabled   = "true"
@@ -206,10 +208,12 @@ resource "aws_dynamodb_table" "state" {
 resource "aws_dynamodb_table" "events" {
   count = local.enabled ? 1 : 0
 
-  name         = "${module.teleport_cluster_label.id}-events"
-  billing_mode = "PAY_PER_REQUEST"
-  hash_key     = "SessionID"
-  range_key    = "EventIndex"
+  name                        = "${module.teleport_cluster_label.id}-events"
+  billing_mode                = "PAY_PER_REQUEST"
+  deletion_protection_enabled = var.ddb_deletion_protection_enabled
+
+  hash_key  = "SessionID"
+  range_key = "EventIndex"
 
   point_in_time_recovery {
     enabled = true
@@ -263,9 +267,11 @@ resource "aws_dynamodb_table" "events" {
 resource "aws_dynamodb_table" "locks" {
   count = local.enabled ? 1 : 0
 
-  name         = "${module.teleport_cluster_label.id}-locks"
-  billing_mode = "PAY_PER_REQUEST"
-  hash_key     = "Lock"
+  name                        = "${module.teleport_cluster_label.id}-locks"
+  billing_mode                = "PAY_PER_REQUEST"
+  deletion_protection_enabled = var.ddb_deletion_protection_enabled
+
+  hash_key = "Lock"
 
 
   lifecycle {
diff --git a/variables.tf b/variables.tf
@@ -57,6 +57,14 @@ variable "logs_bucket_name" {
   default     = ""
 }
 
+# ---------------------------------------------------------------------- ddb ---
+
+variable "ddb_deletion_protection_enabled" {
+  type        = bool
+  description = "Toggle deletion protection mode for all DynamoDB tables"
+  default     = true
+}
+
 # ---------------------------------------------------------------------- dns ---
 
 variable "dns_parent_zone_id" {
