From 0c046ffd0a25b3281d082f34747dcb657aa29f00 Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Mon, 24 Jun 2024 11:34:23 -0400
Subject: [PATCH] enable DB deletion protection across all GCP API surfaces (#1150)
* enable DB deletion protection across all GCP API surfaces
Signed-off-by: Bob Callaway
* move into settings block
Signed-off-by: Bob Callaway
---------
Signed-off-by: Bob Callaway
---
 terraform/gcp/modules/mysql-shard/mysql.tf | 5 ++++-
 terraform/gcp/modules/mysql/mysql.tf | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/terraform/gcp/modules/mysql-shard/mysql.tf b/terraform/gcp/modules/mysql-shard/mysql.tf
index 1746b5b08..4a9ad4035 100644
--- a/terraform/gcp/modules/mysql-shard/mysql.tf
+++ b/terraform/gcp/modules/mysql-shard/mysql.tf
@@ -25,7 +25,7 @@ resource "google_sql_database_instance" "trillian" {
 database_version = var.database_version
 region = var.region
- # Set to false to delete this database
+ # Set to false to delete this database using terraform
 deletion_protection = var.deletion_protection
 settings {
@@ -33,6 +33,9 @@ resource "google_sql_database_instance" "trillian" {
 activation_policy = "ALWAYS"
 availability_type = var.availability_type
+ # this sets the flag on the GCP platform to prevent deletion across all API surfaces
+ deletion_protection_enabled = var.deletion_protection
+
 ip_configuration {
 ipv4_enabled = var.ipv4_enabled
 private_network = var.network
diff --git a/terraform/gcp/modules/mysql/mysql.tf b/terraform/gcp/modules/mysql/mysql.tf
index c79f144c0..7839ebc60 100644
--- a/terraform/gcp/modules/mysql/mysql.tf
+++ b/terraform/gcp/modules/mysql/mysql.tf
@@ -109,7 +109,7 @@ resource "google_sql_database_instance" "sigstore" {
 database_version = var.database_version
 region = var.region
- # Set to false to delete this database
+ # Set to false to delete this database using terraform
 deletion_protection = var.deletion_protection
 depends_on = [google_service_networking_connection.private_vpc_connection]
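Review bot: Both deletion guards now hang off one input: in the second hunk of `terraform/gcp/modules/mysql-shard/mysql.tf`, `deletion_protection_enabled = var.deletion_protection` inside `settings` reuses the variable that also sets the Terraform-level `deletion_protection`. Setting it to false to let Terraform delete the instance therefore also clears the platform flag that blocks deletion across all API surfaces. The same coupling is added for the `sigstore` instance in the second hunk of `terraform/gcp/modules/mysql/mysql.tf`. The variable's default and the values callers pass are outside this diff, so it is worth confirming it resolves to true in every production environment. I would extend the added comment, e.g. `# shares var.deletion_protection with the terraform-level guard above: false removes both protections`, or use a separate input if the two guards should be controlled independently; the resource blocks start and end outside the hunks.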
@@ -119,6 +119,9 @@ resource "google_sql_database_instance" "sigstore" {
 activation_policy = "ALWAYS"
 availability_type = var.availability_type
+ # this sets the flag on the GCP platform to prevent deletion across all API surfaces
+ deletion_protection_enabled = var.deletion_protection
+
 ip_configuration {
 ipv4_enabled = var.ipv4_enabled
 private_network = var.network