Allow Force Deletion of Workspaces at the Project Level (Instead of Org Level) #1936
Description
I understand the current requirements for force deleting a workspace:
- force_delete = true must be set on the workspace
- The authenticating team must have admin access at the project level
- The organization-level setting “Workspace administrators can force delete workspaces” must be enabled
To provide some context: at my organization, everything in HCP Terraform is managed exclusively via code—nothing is done manually.
We offer Projects as a managed solution to our customers and grant them maintain access at the project level. From there, the project is fully under their control, including vending and managing workspaces (again, entirely via code).
For risk reasons, we intentionally keep the organization-level setting “Workspace administrators can force delete workspaces” disabled, as enabling it globally increases the chance of accidental workspace deletion.
However, there are valid scenarios where force deletion is required. One example is when a customer is cancelling an Azure subscription and wants to retain the underlying cloud resources, but delete associated Terraform Cloud workspaces linked to that subscription. In such cases, force_delete cannot be used because the org-level setting is disabled.
This leaves us with only one option: manual force deletion, which breaks our fully automated model and creates operational overhead.
Feature request:
Instead of controlling force deletion only at the organization level, allow this capability to be configured at the project level. This would enable tighter control over who can force delete workspaces, while avoiding the risks of enabling it globally.
I believe this would benefit other customers operating at scale with strict automation and governance requirements.