Skip to content

feat: Add delete protection support for ROSA HCP clusters#1034

Open
paulczar wants to merge 1 commit intoterraform-redhat:mainfrom
paulczar:delete-protection
Open

feat: Add delete protection support for ROSA HCP clusters#1034
paulczar wants to merge 1 commit intoterraform-redhat:mainfrom
paulczar:delete-protection

Conversation

@paulczar
Copy link

@paulczar paulczar commented Jan 21, 2026

What this PR does / why we need it:

Adds delete protection support for ROSA HCP clusters, enabling users to prevent accidental cluster deletion through Terraform. This feature matches the ROSA CLI functionality and enables full infrastructure-as-code workflows.

Changes:

  • Add delete_protection attribute to rhcs_cluster_rosa_hcp resource
  • Enable/disable delete protection during create, update, and delete operations
  • Automatically disable protection before cluster deletion
  • Add unit and subsystem tests
  • Fix thumbprint fetching inconsistency in Read operation

Which issue(s) this PR fixes:
Fixes #1033

Change type

  • New feature
  • Unit tests
  • Subsystem tests

@paulczar
feat: Add delete protection support for ROSA HCP clusters
21fdfa1 
Add delete_protection attribute to rhcs_cluster_rosa_hcp resource to
prevent accidental cluster deletion. This feature enables users to
protect production clusters through Terraform, matching the functionality
available in the ROSA CLI.

Changes:
- Add delete_protection boolean attribute to ClusterRosaHcpState
- Enable delete protection during cluster creation when set to true
- Read delete protection status from OCM API in Read operation
- Update delete protection status via Terraform Update operation
- Automatically disable delete protection before cluster deletion
- Add unit tests for delete protection state handling
- Add subsystem tests for full CRUD flow with mocked API handlers

The implementation uses the OCM API endpoint
/api/clusters_mgmt/v1/clusters/{cluster_id}/delete_protection to manage
delete protection status. When delete protection fails to enable during
creation, a warning is logged but cluster creation succeeds, and the
state value is preserved to avoid Terraform inconsistency errors.

Signed-off-by: Paul Czarkowski <username.taken@gmail.com>
@openshift-ci openshift-ci bot requested review from oriAdler and yuwang-RH January 21, 2026 00:06
@openshift-ci
Copy link

openshift-ci bot commented Jan 21, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign philipwu08 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link

openshift-ci bot commented Jan 21, 2026

Hi @paulczar. Thanks for your PR.

I'm waiting for a terraform-redhat member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@hunterkepley
Copy link
Member

hunterkepley commented Jan 21, 2026

/ok-to-test

@openshift-ci
Copy link

openshift-ci bot commented Jan 21, 2026

@paulczar: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-presubmits-rosa-hcp-advanced-critical-high-presubmit 21fdfa1 link true /test e2e-presubmits-rosa-hcp-advanced-critical-high-presubmit
ci/prow/e2e-presubmits-rosa-hcp-private-critical-high-presubmit 21fdfa1 link true /test e2e-presubmits-rosa-hcp-private-critical-high-presubmit
ci/prow/e2e-presubmits-rosa-sts-private-critical-high-presubmit 21fdfa1 link true /test e2e-presubmits-rosa-sts-private-critical-high-presubmit
ci/prow/e2e-presubmits-rosa-sts-advanced-critical-high-presubmit 21fdfa1 link true /test e2e-presubmits-rosa-sts-advanced-critical-high-presubmit

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-robot
Copy link
Contributor

openshift-merge-robot commented Jan 26, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@oriAdler oriAdler Awaiting requested review from oriAdler

@yuwang-RH yuwang-RH Awaiting requested review from yuwang-RH

Assignees

No one assigned

Labels

needs-rebase ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

## Feature Request: Add Delete Protection Support for ROSA HCP Clusters

3 participants

@paulczar @hunterkepley @openshift-merge-robot