Deletion protection in Grafana Cloud: a simple way to safeguard your observability stack

We’ve all had that “uh-oh” moment. You press Enter and your blood runs cold, as you realize you just deleted something critical.

For engineering teams, this type of disaster takes many forms. For example, maybe you used a DELETE statement without a WHERE clause to delete a row in a database, and accidentally deleted all of them instead. 

To protect you from the accidental deletion of critical resources in Grafana Cloud, we’re introducing a feature called deletion protection. In this blog post, we’ll take a closer look at what deletion protection is, how to enable it, and how to integrate it within your infrastructure as code workflows. 

What is deletion protection in Grafana Cloud?

Deletion protection is a safeguard that prevents the unintended removal of your Grafana Cloud stack, meaning all the managed observability solutions used within your Grafana Cloud account. 

Once enabled, it blocks deletion attempts across multiple channels, including:

• The Grafana Cloud UI (via grafana.com) 
• The Grafana Terraform provider
• The Grafana Crossplane provider
• The Grafana Ansible collection

If a stack is protected, any deletion attempts will be explicitly rejected until deletion protection is manually disabled. For example, if you enable deletion protection via the UI, Terraform will reject stack deletions unless you explicitly remove the protection first.

How to enable deletion protection

Starting last month, all newly created Grafana Cloud stacks will have deletion protection enabled by default when created through grafana.com, and supported versions of Terraform, Crossplane, and Ansible. 

This means that you must explicitly disable the protection before a stack can be deleted.

To manually toggle the deletion protection feature on and off, you have a few options:

• Use the Grafana Cloud UI: Navigate to your stack settings and check the deletion protection check box to enable it. Uncheck the box to disable the feature.

• Use the Grafana Cloud API: Perform a GET request using the Cloud API and update the value of the deleteProtection property. A value of true enables the feature, and a value of false disables it. 

• Use one of the infrastructure as code methods described below.

Deletion protection: infrastructure as code support

At Grafana Labs, we believe automation is essential for robust, predictable, and reliable outcomes within your observability workflows. Grafana Cloud supports infrastructure as code by providing several tools and integrations that allow you to manage and provision Grafana resources declaratively, using code. 

Deletion protection is fully supported in our infrastructure as code integrations for Terraform, Crossplane, and Ansible. 

Terraform support

Starting from provider version v4.0.0, all newly created Grafana Cloud stacks have delete_protection enabled by default in the stack resource.

Copy

resource "grafana_cloud_stack" "my_stack" {
  provider = grafana.cloud

  delete_protection = true
  name              = "<stack-name>"
  slug              = "<stack-name>"
  region_slug       = "<region>" # Example "us","eu" etc
}

Crossplane support

Like Terraform, the  deleteProtection flag will be enabled by default on all newly created Grafana Cloud stacks, starting from supported Crossplane versions v0.31.0.

Copy

# Cloud Stack
apiVersion: cloud.grafana.crossplane.io/v1alpha1
kind: Stack
metadata:
  name: my-stack
spec:
  forProvider:
    slug: 'crossplanetest'
    name: 'crossplanetest'
    regionSlug: "us"
    deleteProtection: true
  providerConfigRef:
    name: grafana-cloud-provider

Ansible support

Consistent with Terraform and Crossplane, the delete_protection property is enabled (true) by default for newly created Grafana Cloud stacks, starting from supported Ansible versions 6.0.2.

Copy

- name: Using grafana collection
  tasks:
    - name: Create a Grafana Cloud stack
      grafana.grafana.cloud_stack:
        name: <name>
        stack_slug: <stack-slug>
        org_slug: <org-slug>
        cloud_api_key: "<api-key>"
        region: eu
        delete_protection: true
        state: present

Protection by default

To better protect your Grafana Cloud stack, Terraform and Crossplane providers supporting the new delete_protection flag will default to enabling protection, even if the flag isn’t explicitly set.

This means that if you do not disable it, it will be enabled for you.

This default protection will also occur when you upgrade from a version of a provider that does not support deletion protection to a version that does. When you upgrade the Terraform or Crossplane provider or the Ansible collection, drift will be detected because the desired state does not contain the deletion protection flag (and it defaults to true), whereas the stack in the backend has it set to false (for backwards compatibility). 

The recommended action is to apply the changes to remove the drift and get your stack protected against accidental deletions, but if you do not want deletion protection, you can set the flag to false.

How to learn more 

We hope this new capability in Grafana Cloud empowers you with greater flexibility to safely manage your resources.

To learn more, please check out our technical docs. 

Grafana Cloud is the easiest way to get started with metrics, logs, traces, dashboards, and more. We have a generous forever-free tier and plans for every use case. Sign up for free now__!