Hamburger Cross Icon
Resource Destroy Protection
+
Terraform Collector

Resource Destroy Protection + Terraform Collector

Guardrail Collector Beta Deployment And Infrastructure

Enforce Resource Destroy Protection using data collected by Terraform Collector. Automatically check deployment and infrastructure standards on every PR.

Guardrail: Ensures stateless infrastructure resources (EC2 instances, load balancers, networking) have lifecycle { prevent_destroy = true } to prevent accidental destruction of critical infrastructure.
Data Source: Parse Terraform HCL files to extract configuration data. Writes file validity and full parsed HCL JSON for downstream policy analysis of providers, modules, backends, resources, and infrastructure security posture.
Get Started View on GitHub

How Terraform Collector Powers This Guardrail

The Terraform Collector gathers metadata from your security, orchestration systems. This data flows into Lunar's Component JSON, where the Resource Destroy Protection guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
Terraform Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
Resource Destroy Protection Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
# Step 1: Enable the Terraform Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/terraform@v1.0.0
    # with: ...

# Step 2: Enable the IaC Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/iac@v1.0.0
    include: [resource-destroy-protection]
    # with: ...

What Terraform Collector Collects

This collector gathers the following data that the Resource Destroy Protection guardrail evaluates.

Collector code

terraform

Parses all Terraform (.tf) files in the repository using hcl2json and collects:

  • File validity and parse errors (.iac.files[])
  • Normalized modules with resources and analysis (.iac.modules[])
  • Full parsed HCL JSON for terraform-specific policy (.iac.native.terraform.files[])
  • Source tool metadata (.iac.source)

Example Data Flow

Here's an example of the data that Terraform Collector writes to the Component JSON, which Resource Destroy Protection then evaluates.

{ } component.json From Terraform Collector 
{
  "iac": {
    "source": {"tool": "hcl2json", "version": "0.6.8"},
    "files": [
      {"path": "deploy/terraform/main.tf", "valid": true},
      {"path": "deploy/terraform/variables.tf", "valid": true}
    ],
    "modules": [
      {
        "path": "deploy/terraform",
        "resources": [
          {"type": "aws_db_instance", "name": "main", "category": "datastore", "has_prevent_destroy": true},
          {"type": "aws_s3_bucket", "name": "logs", "category": "datastore", "has_prevent_destroy": false},
          {"type": "aws_lb", "name": "api", "category": "network", "has_prevent_destroy": false, "internet_facing": true},
          {"type": "aws_instance", "name": "web", "category": "compute", "has_prevent_destroy": false},
          {"type": "aws_wafv2_web_acl", "name": "main", "category": "security"},
          {"type": "aws_wafv2_web_acl_association", "name": "api", "category": "security"}
        ],
        "analysis": {
          "internet_accessible": true,
          "has_waf": true
        }
      }
    ],
    "native": {
      "terraform": {
        "files": [
          {
            "path": "deploy/terraform/main.tf",
            "hcl": {
              "terraform": [{"required_providers": [{"aws": {"source": "hashicorp/aws", "version": "~> 5.0"}}]}],
              "resource": {"aws_db_instance": {"main": [{"engine": "postgres"}]}}
            }
          }
        ]
      }
    }
  }
}

Other Guardrails Using Terraform Collector

Other guardrails in IaC Guardrails that use data from Terraform Collector.

Guardrail + Terraform
Valid

Validates that all IaC configuration files are syntactically correct. Invalid configurations will...
Guardrail + Terraform
Waf Protection

Requires WAF protection for internet-facing services. Checks each IaC module for public resources...
Guardrail + Terraform
Datastore Destroy Protection

Ensures stateful resources (databases, storage buckets, caches) have lifecycle { prevent_destroy =...

Learn More

Guardrail · IaC Guardrails Resource Destroy Protection View all compatible integrations
Collector Terraform Collector View full documentation

Ready to Automate Your Standards?

See how Lunar can turn your engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check Infrastructure conventions
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Turn any process doc into guardrails
Book a Demo