Deletion of resources

Rohit Atri

Oct 17, 2015, 4:05:49 PM
to Terraform
Hello!

Would running 'terraform destroy' on a specific resource also delete the corresponding .tf file? (of course, if it's the only resource defined in the .tf file)

Also, would deleting a .tf file and running 'terraform apply' delete the resource defined in the deleted .tf file?

Thanks,
Rohit

Dave Cunningham

Oct 17, 2015, 4:07:44 PM
to terrafo...@googlegroups.com
On Sat, Oct 17, 2015 at 4:05 PM, Rohit Atri <rohit...@gmail.com> wrote:
> Hello!
>
> Would running 'terraform destroy' on a specific resource also delete the corresponding .tf file? (of course, if it's the only resource defined in the .tf file)

No, the tf file is left alone.

> Also, would deleting a .tf file and running 'terraform apply' delete the resource defined in the deleted .tf file?

No, as the credentials are in the tf file and it can't do anything without them.

You can however comment out everything except the credentials and then apply it, which has the same semantics as destroy.

> Thanks,
> Rohit

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/3f685504-2c70-4f31-820e-ec6cb50a8b0d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Rohit Atri

Oct 17, 2015, 4:12:56 PM
to Terraform
Great, thanks!

I was worried about someone accidentally deleting .tf files... until we set up git & stuff.

Would Terraform complain that something is missing since the last time 'apply' was run?

Thanks,
Rohit

Dave Cunningham

Oct 17, 2015, 4:14:58 PM
to terrafo...@googlegroups.com
As long as terraform sees at least one tf file, I believe it does not complain. So yes, you could create a plan that removes resources if you delete a tf file that contains only resources. It's always a good idea to look at the plan first; in fact, I always run terraform in a script that displays the plan then prompts for [y/N].

Rohit Atri

Oct 17, 2015, 4:20:21 PM
to Terraform
"So yes, you could create a plan that removes resources if you delete a tf file that contains only resources."

Sorry, I didn't understand this statement. Are you saying that terraform will notice something is missing (by way of proposing to delete some resources) when I delete a .tf file? But won't succeed since it doesn't have the credentials?

Thanks,
Rohit

Cameron Stokes

Oct 17, 2015, 4:24:40 PM
to terrafo...@googlegroups.com
If a .tf file is removed and Terraform is already managing resources that were defined in that file, then Terraform will attempt to destroy the resources that were in that file. A file being removed has the same effect as all resources in that file being removed or commented out. Terraform treats these cases the same and will attempt to remove any of the resources it already has in its state file. More on the state file is at https://terraform.io/docs/state/index.html

It is always a good idea to do a terraform plan prior to a terraform apply to check and confirm changes before they're made.

Dave Cunningham

Oct 17, 2015, 5:05:29 PM
to terrafo...@googlegroups.com
Unless the tf file contained the provider, in which case I think Terraform will complain because there are things in the tfstate that it can't refresh.

Cameron Stokes

Oct 17, 2015, 5:27:15 PM
to terrafo...@googlegroups.com
That is true. If the file contains the provider details, then terraform will need be able to proceed with any changes.

Many projects separate their resources into multiple tf files, so I wanted to be clear that removing a file (that doesn't contain the provider info) will result in those resources being destroyed on the next apply. 

Hope that helps clear it up. :)

Rohit Atri

Oct 17, 2015, 11:47:45 PM
to terrafo...@googlegroups.com
Thanks! Yes, it clears things up for me now.

Is there a way to avoid accidental deletion? I am automating the entire process and so there would be no one verifying the plan. Maybe the script should parse the plan to check for destructive actions?

I am guessing setting 'lifecycle' to 'prevent_destroy' would be useless if the .tf file with the resource itself is gone.

Thanks
Rohit

Cameron Stokes

Oct 19, 2015, 4:34:02 PM
to terrafo...@googlegroups.com
There is not a built-in way to prevent all deletes from happening, but there are a couple other options...

1) If your provider supports it, you could restrict the permissions belonging to your provider keys to prevent delete operations from occurring. This is possible with AWS IAM policies as an example.
2) You could put in some additional scripting to check the output of terraform plan to inspect if it plans to destroy any resources before continuing.

$ terraform plan -destroy terraform/
Refreshing Terraform state prior to plan...
...
Plan: 0 to add, 0 to change, 4 to destroy.
$
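
A sketch of the plan check from option 2, as an added example that is not part of the original post or of Terraform itself: it reads plan text on stdin, extracts the destroy count from the `Plan: ... to destroy.` summary line shown above, and fails closed when no summary is found. The function names and the sample plan text are constructed for illustration, and the plan is assumed to be produced with `-no-color` so the summary line starts at column 0.

```shell
#!/bin/sh
# Added example: gate an unattended apply on the plan summary line.
# Intended use (assumes a saved plan file so the checked plan is the one applied):
#   terraform plan -no-color -out=tfplan | gate_plan && terraform apply tfplan

# plan_destroy_count: print how many resources the plan on stdin would destroy.
# Returns 2 when neither a summary line nor a "No changes" message is present,
# so a failed or truncated plan is never mistaken for a safe one.
plan_destroy_count() {
    plan_text=$(cat)
    summary=$(printf '%s\n' "$plan_text" |
        grep -E '^Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\.' |
        tail -n 1)
    if [ -n "$summary" ]; then
        printf '%s\n' "$summary" | sed -E 's/.* ([0-9]+) to destroy\..*/\1/'
        return 0
    fi
    # With nothing to do, Terraform prints a "No changes" message and no summary.
    if printf '%s\n' "$plan_text" | grep -q '^No changes'; then
        echo 0
        return 0
    fi
    return 2
}

# gate_plan: exit status 0 only when the plan on stdin destroys nothing,
# 1 when it would destroy something, 2 when the plan could not be parsed.
gate_plan() {
    count=$(plan_destroy_count) || {
        echo "could not find a plan summary, refusing to apply" >&2
        return 2
    }
    if [ "$count" -gt 0 ]; then
        echo "plan would destroy $count resource(s), refusing to apply" >&2
        return 1
    fi
    return 0
}

# Constructed sample plan outputs (not captured from a real run).
SAMPLE_DESTROY='Refreshing Terraform state prior to plan...
Plan: 0 to add, 0 to change, 4 to destroy.'
SAMPLE_SAFE='Refreshing Terraform state prior to plan...
Plan: 2 to add, 1 to change, 0 to destroy.'
```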



Alex Dupuy

Oct 20, 2015, 12:05:48 AM
to Terraform
Cameron Stokes wrote:
> There is not a built-in way to prevent all deletes from happening, but there are a couple other options...
>
> 1) If your provider supports it, you could restrict the permissions belonging to your provider keys to prevent delete operations from occurring. This is possible with AWS IAM policies as an example.

Some providers may also provide ways to "lock" or otherwise protect a resource so that it cannot be destroyed using the API that Terraform is using.  For our OpenStack deployment, we protected VM instances using the "nova lock" command (deletion and other modifications of locked instances will fail), and protected storage volumes by creating snapshots (deletion of a storage volume with associated snapshots will fail).  We even automated these protections by adding them to the resources via local-exec provisioners, e.g.:

resource "openstack_compute_instance_v2" "example" {
    region = "${var.region}"
    name = "example"
    image_name = "${var.host_image}"
    flavor_name = "m1.small"
    volume {
        device = "/dev/vdb"
    }
...
    provisioner "local-exec" {
        command = "nova --os-tenant-id ${lookup(var.tenant_ids,var.tenant)} --os-auth-url ${var.auth_url} lock ${self.id}"
    }
}

resource "openstack_blockstorage_volume_v1" "example_vdb" {
    region = "${var.region}"
    name = "example_vdb"
    description = "Example storage volume"
    size = 50
    volume_type = "${var.volume_type}"
    availability_zone = "${var.availability_zone}"
    provisioner "local-exec" {
        # Create a snapshot so that deleting the volume fails while the snapshot exists.
        command = "cinder --os-tenant-id ${lookup(var.tenant_ids,var.tenant)} --os-auth-url ${var.auth_url} snapshot-create ${self.id} --display-name '${self.name}-protect' --display-description 'Prevent deletion of ${self.name} (${self.id})'"
    }
}

@alex
