Adds force_destroy attribute

gdavison · gdavison · commit f0afdb2be4a5 · 2025-09-22T15:09:09.000-07:00
diff --git a/internal/service/dsql/cluster.go b/internal/service/dsql/cluster.go
@@ -70,6 +70,11 @@ func (r *clusterResource) Schema(ctx context.Context, request resource.SchemaReq
 				Default:  booldefault.StaticBool(false),
 			},
 			"encryption_details": framework.ResourceComputedListOfObjectsAttribute[encryptionDetailsModel](ctx),
+			names.AttrForceDestroy: schema.BoolAttribute{
+				Optional: true,
+				Computed: true,
+				Default:  booldefault.StaticBool(false),
+			},
 			names.AttrIdentifier: framework.IDAttribute(),
 			"kms_encryption_key": schema.StringAttribute{
 				Optional: true,
@@ -313,6 +318,19 @@ func (r *clusterResource) Delete(ctx context.Context, request resource.DeleteReq
 
 	conn := r.Meta().DSQLClient(ctx)
 
+	if data.ForceDestroy.ValueBool() {
+		input := dsql.UpdateClusterInput{
+			Identifier:                data.Identifier.ValueStringPointer(),
+			DeletionProtectionEnabled: aws.Bool(false),
+			ClientToken:               aws.String(sdkid.UniqueId()),
+		}
+		// Changing DeletionProtectionEnabled is instantaneous, no need to wait.
+		if _, err := conn.UpdateCluster(ctx, &input); err != nil {
+			response.Diagnostics.AddError(fmt.Sprintf("disabling deletion protection for Aurora DSQL Cluster (%s)", data.Identifier.ValueString()), err.Error())
+			return
+		}
+	}
+
 	id := fwflex.StringValueFromFramework(ctx, data.Identifier)
 	tflog.Debug(ctx, "deleting Aurora DSQL Cluster", map[string]any{
 		names.AttrIdentifier: id,
@@ -342,6 +360,9 @@ func (r *clusterResource) Delete(ctx context.Context, request resource.DeleteReq
 
 func (r *clusterResource) ImportState(ctx context.Context, request resource.ImportStateRequest, response *resource.ImportStateResponse) {
 	resource.ImportStatePassthroughID(ctx, path.Root(names.AttrIdentifier), request, response)
+
+	// Set force_destroy to false on import to prevent accidental deletion
+	response.Diagnostics.Append(response.State.SetAttribute(ctx, path.Root(names.AttrForceDestroy), types.BoolValue(false))...)
 }
 
 func findClusterByID(ctx context.Context, conn *dsql.Client, id string) (*dsql.GetClusterOutput, error) {
@@ -445,10 +466,12 @@ func waitClusterUpdated(ctx context.Context, conn *dsql.Client, id string, timeo
 
 func waitClusterDeleted(ctx context.Context, conn *dsql.Client, id string, timeout time.Duration) (*dsql.GetClusterOutput, error) {
 	stateConf := &retry.StateChangeConf{
-		Pending: enum.Slice(awstypes.ClusterStatusDeleting, awstypes.ClusterStatusPendingDelete),
-		Target:  []string{},
-		Refresh: statusCluster(ctx, conn, id),
-		Timeout: timeout,
+		Pending:      enum.Slice(awstypes.ClusterStatusDeleting, awstypes.ClusterStatusPendingDelete),
+		Target:       []string{},
+		Refresh:      statusCluster(ctx, conn, id),
+		Timeout:      timeout,
+		Delay:        1 * time.Minute,
+		PollInterval: 10 * time.Second,
 	}
 
 	outputRaw, err := stateConf.WaitForStateContext(ctx)
@@ -526,6 +549,7 @@ type clusterResourceModel struct {
 	ARN                       types.String                                                `tfsdk:"arn"`
 	DeletionProtectionEnabled types.Bool                                                  `tfsdk:"deletion_protection_enabled"`
 	EncryptionDetails         fwtypes.ListNestedObjectValueOf[encryptionDetailsModel]     `tfsdk:"encryption_details"`
+	ForceDestroy              types.Bool                                                  `tfsdk:"force_destroy"`
 	Identifier                types.String                                                `tfsdk:"identifier"`
 	KMSEncryptionKey          types.String                                                `tfsdk:"kms_encryption_key"`
 	MultiRegionProperties     fwtypes.ListNestedObjectValueOf[multiRegionPropertiesModel] `tfsdk:"multi_region_properties"`
diff --git a/internal/service/dsql/cluster_test.go b/internal/service/dsql/cluster_test.go
@@ -59,6 +59,7 @@ func TestAccDSQLCluster_basic(t *testing.T) {
 							"encryption_type":   tfknownvalue.StringExact(awstypes.EncryptionTypeAwsOwnedKmsKey),
 						}),
 					})),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("force_destroy"), knownvalue.Bool(false)),
 					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("kms_encryption_key"), knownvalue.StringExact("AWS_OWNED_KMS_KEY")),
 					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(names.AttrTags), knownvalue.Null()),
 					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("vpc_endpoint_service_name"), knownvalue.NotNull()),
@@ -154,6 +155,39 @@ func TestAccDSQLCluster_deletionProtection(t *testing.T) {
 	})
 }
 
+func TestAccDSQLCluster_forceDestroy(t *testing.T) {
+	ctx := acctest.Context(t)
+	var cluster dsql.GetClusterOutput
+	resourceName := "aws_dsql_cluster.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(ctx, t)
+			testAccPreCheck(ctx, t)
+		},
+		ErrorCheck:               acctest.ErrorCheck(t, names.DSQLServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckClusterDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccClusterConfig_forceDestroy(true),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckClusterExists(ctx, resourceName, &cluster),
+				),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionCreate),
+					},
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("deletion_protection_enabled"), knownvalue.Bool(true)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("force_destroy"), knownvalue.Bool(true)),
+				},
+			},
+		},
+	})
+}
+
 func TestAccDSQLCluster_encryption(t *testing.T) {
 	ctx := acctest.Context(t)
 	var cluster dsql.GetClusterOutput
@@ -296,6 +330,15 @@ resource "aws_dsql_cluster" "test" {
 `, deletionProtection)
 }
 
+func testAccClusterConfig_forceDestroy(deletionProtection bool) string {
+	return fmt.Sprintf(`
+resource "aws_dsql_cluster" "test" {
+  deletion_protection_enabled = %[1]t
+  force_destroy               = true
+}
+`, deletionProtection)
+}
+
 func testAccClusterConfig_baseEncryptionDetails(rName string) string {
 	return fmt.Sprintf(`
 resource "aws_kms_key" "test" {
