Atlantis: Add command to enable running `terraform destroy`

Makes sense but could be dangerous, I would want the ability to enable/disable that support via config/cli args.

I like this idea, as not all items have an idea of a count, or if you have to refactor you need the ability to delete. If this becomes an organizational wide tool, then the support for performing a terraform delete should be available. However the only way I could see this happening is with the assumption of remote state.

How about atlantis plan -destroy instead? I haven't thought through all the implications of this though.

We've implemented the destroy command here with @aknysh's help: https://github.com/cloudposse/atlantis/pull/15 and https://github.com/cloudposse/atlantis/pull/16

We implemented it as another top-level action. Using our other patch to support GitHub teams, we're able to restrict who can call plan, apply, destroy. These 3 commands address the full lifecycle of our infrastructure. We also only implement the destroy action in our testing manifest using our --repo-config command.

Atlantis can run destroy by running:

atlantis plan -- -destroy

Thanks to @jolexa and @mechastorm for pointing this out.

atlantis plan -- -destroy doesn't seem to work with terragrunt :-(

So this will destroy previously deployed resources through atlantis?

it does, question answered

another issue related to destroy and custom workflows: #612

why atlantis plan -- -destroy and not atlantis destroy ?

Because it didn't require any additional work.

it introduces a bit of confusion though...

@dimisjim if there were an atlantis destroy command, then it wouldn't follow the plan then apply workflow. It would be an outlier and like running atlantis apply without running atlantis plan. While I agree the syntax is not beautiful, I think the solution is elegant as it just uses the built-in capability of teraform plan to generate a plan for destruction. Plus, it works with the built-in approval steps.

Note, I say this as someone who forked and implemented terraform destroy. However, that was some time ago and we had a change of heart. That's why we dropped support for it as well.

I am commenting on this, as I think that this is not working while providing -d <dir>

atlantis plan -d <dir> -- -destroy just plans normally (ie: discards the -destroy)

I am commenting on this, as I think that this is not working while providing -d <dir>

atlantis plan -d <dir> -- -destroy just plans normally (ie: discards the -destroy)

Hi @kiddouk , did you find a solution to this issue? We'd like to use Atlantis but this might become a no-go issue.

That should work. Do you have a custom workflow that's not using the built in plan step?

Well, the workflow would be as follows:

• an agent creates a PR: this PR deletes a whole folder containing the main.tf
• we expect atlantis to deal with the PR by running terraform destroy in the deleted folder (taken from the master branch) to comply with the config described in the branch of the PR. It's OK for us that altantis run terraform plan to do that.

@matthieudelaro i guess what Luke was asking is whether you use a custom workflow of Atlantis? Btw something i observed if you delete a file/folder Atlantis still normally plans it as it has just been added. I guess that it would make sense that if you drop a file or folder Atlantis and you submit it in Git then you expect Atlantis to create a plan that destroys that resource.

If i understood correctly what you can do right now (by the above suggestions) is:

1. an agent creates a PR: this PR deletes a whole folder containing the main.tf
2. Atlantis plans those changes as those files that already have a state
3. the agent should manually run atlantis plan -d <dir> -- -destroy and wait for destruction plans to be created
4. Colleagues should review the PR
5. the agent should run atlantis apply

In my opinion the only issue is the number (2) as Atlantis should have created destruction plans without having the user create those.

What other people think?

bump.
@lkysow can you also take a look please :-)?

sorry to sound dumb, but if you delete the folder (and thereby the .hcl file), the plan step tells me there's no work to be done because there's no .hcl file. If I don't change _something_, I can't create a PR on which to comment atlantis plan. From a terragrunt point of view, how are people handling the destroy flow? chicken / egg

Hello @jasonrberk ,
An easy way to destroy some resources is using a local variable inside terragrunt & atlantis plan like

locals {
  enabled = false
}
include {
  path = find_in_parent_folders()
}
terraform {
  source = local.enabled ? "git::https://gitlab.com/rivian/dc/platform/terraform-modules/foo.git?ref=0.0.3" : null
}
# Input variables consumed by terraform module
inputs = {
  desired_count = 1
}

After applying that you can drop the files altogether.

I don't use terragrunt, but it is common to do the following:

If I don't change _something_, I can't create a PR

git commit --allow-empty (an empty commit to open a PR)

or delete the resources and leave the workspace folder.

or atlantis plan -- -destroy (mentioned earlier, but requires a PR opened)