OpenTofu 1.12 The Feature Terraform Never Shipped

OpenTofu 1.12 The Feature Terraform Never Shipped

Briefly

"The most discussed feature is dynamic prevent_destroy. Until now, if you wanted to protect a resource from accidental deletion, you had to hard-code that decision in your configuration. That was fine when you owned a single environment, but it broke down immediately in shared module setups, the kind where the same module gets reused across dev, staging, and production. The workaround was always some variation of "duplicate the module" or "accept that dev databases can accidentally be protected too." Neither is great."

"OpenTofu 1.12 lets you wire prevent_destroy to a variable, so a production workspace can set it to true while a dev workspace leaves it false, without forking the module. It sounds like a small thing. For teams managing dozens of environments from shared module code, it genuinely isn't. The change removes the need to keep lifecycle rules identical across environments when the desired behavior differs."

"Requests to wire prevent_destroy to a variable date back to Terraform 0.7 in 2016. Over the years, the issue tracker gathered multiple threads on this topic. Teams faced errors like "Variables may not be used here" when trying the pattern now standard in OpenTofu 1.12. People tried workarounds like dynamic lifecycle blocks, only to hit "Blocks of type 'lifecycle' are not expected here"."

"Others proposed environment variable overrides like TF_ALLOW_DESTROY as a workaround, which is the kind of solution you invent when the proper fix never arrives. HashiCorp never shipped the feature. Teams using shared modules in different environments faced a tough choice. They had to either duplicate module code or let development and production follow the same lifecycle rules. OpenTofu resolved it in 1.12, roughly a decade after the first request landed in the Terrafo"