Optionally refuse to destroy resources on update

[negz]

What problem are you facing?

Terraform behaves differently from Crossplane in that when asked to change an immutable field Terraform will do so by first deleting then recreating the affected resource. This is reasonable in Terraform's case because it typically expects a human operator to inspect and approve the action before it happens. Crossplane typically simply refuses to update immutable fields unless asked to explicitly delete and then recreate the affected resource.

In the case of this provider Crossplane is calling terraform apply -auto-approve at all times, which makes it easier to accidentally make a change that would delete and recreate infrastructure when only an update was expected.

How could Crossplane help solve your problem?

The Workspace resource should have an option that prevents destroying/deleting Terraform resources unless the Workspace itself is being destroyed. I suspect we could do this by inspecting the output of terraform plan -out=planfile&&terraform show -json planfile.

[senare]

Would it be possible to use OPA ? here (i.e config blast radius)

https://www.openpolicyagent.org/docs/latest/terraform/

REF => https://www.youtube.com/watch?v=T6amzsMWMgU