Will terraform delete all my resources?

[B Holmes]

Hi,

I've inherited a large AWS implementation, and trying to bring it under Terraform management.  The resources are split into six environments (eg dev, test, qa, training, pre-prod and prod) by an environment tag.  Importing must be done resource by resource, so as it's my first attempt, I would like to validate the iterative process of: 

1. terraform import

2. write terraform code describing each resource

3. terraform plan

until terraform plan reports nothing will be deleted\changed.  I understand this approach is best practice until terraform import can write the code rather than just populate the state file.  My question: since I have a large quantity of resources, I would like to do this environment by environment starting with dev.  This allows me to split my code logically by environment.  What will happen if I import all the dev resources, I write terraform code until terraform plan reports nothing will be deleted\changed, and then run terraform apply?  Will terraform ignore the other environments' resources because they're not in its state (not imported), and leave them intact?  Or will it import everything during the apply run, think everything except dev resources are anomalous and delete them?

I really don't want to get this wrong, accidentally delete everything (except dev) and re-implement.

Many thanks

[David Adams]

You've got it right. Terraform will only try to manipulate resources that are in the state file (ie they were created by TF in the first place, or they were imported into state). It ignores everything else. Also, `terraform plan` is pretty trustworthy, especially the last line where it details how many resources will be changed, deleted, or created. If those all say zero, then you are in a safe place.

While you're at it, speaking of safety, since you are writing TF code as you import things, you should consider adding `lifecycle { prevent_destroy = true }` to any resources you really REALLY don't want deleted. That way even if you do a `terraform destroy` and say `yes` those particular resources won't actually get deleted until and unless you remove that flag.

-dave

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/c087eeba-0c8f-444e-9d13-515eaf67e7d0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[B Holmes]

Thanks dave, consider me reassured, and thx also for the prevent_destroy tip.

To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.

[B Holmes]

Am I right that I need to use the -refresh=false switch (ie "terraform apply -refresh=false"), because otherwise the state will get refreshed from reality, and the next terraform apply would wipe everything (except dev)?

Alternatively, could I output my terraform plan for the dev resources to a plan file, (ie "terraform plan <dev.tfplan>") and then only apply that plan file (ie "terraform apply <dev.tfplan>")?  Since "Execution plans can be used to _only_ execute a pre-determined set of actions." - https://goo.gl/vOP0IR

Still a bit confused how best to proceed.

[David Adams]

-refresh just pulls in the latest info from what's already in the state file. It won't find other resources. I haven't done anything with tfplan files myself so I can't help you there. But if you haven't already, I'd recommend creating some resources from scratch with terraform, modifying, and destroying them, to get a feel for the workflow. That might help you feel more confident about how things will work after you do the imports.

--

This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.

To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/515b06a5-f4fd-4982-901a-6f1496799b55%40googlegroups.com.

[B Holmes]

Thanks David, confident that refresh=true won't cause mass-deletions now, but yes I'll have a play to build confidence.