Terraform-provider-aws: Elastic block store volumes not deleted during "terraform destroy"

Created on 17 May 2018 · 7Comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @docktermj as hashicorp/terraform#18067. It was migrated here as a result of the provider split. The original body of the issue is below._

Terraform Version

Terraform v0.11.7
+ provider.aws v1.14.0
+ provider.template v1.0.0

Terraform Configuration Files

resource "aws_instance" "data" {
  ami = "${var.data_ami}"
  associate_public_ip_address = true
  count = "${var.data_ec2_count}"
  depends_on = ["aws_internet_gateway.default"]
  instance_type = "${var.data_instance_type}"
  key_name = "${aws_key_pair.default.id}"
  private_ip = "${lookup(var.data_private_ips, count.index)}"
  subnet_id = "${aws_subnet.default.id}"
  connection {
    type = "ssh"
    user = "centos"
    private_key = "${file("${var.ssh_private_key_path}")}"
  }
  provisioner "file" {
    source      = "${template_dir.data.destination_dir}"
    destination = "/tmp/configuration"
  }
  provisioner "file" {
    source      = "${path.module}/files/${var.data_configuration}/"
    destination = "/tmp/configuration"
  }
  provisioner "file" {
    content = "${element(data.template_file.data_cockroach.*.rendered, count.index)}"
    destination = "/tmp/configuration/usr/lib/systemd/system/cockroach.service"
  }
  provisioner "file" {
    content = "${element(data.template_file.data_node_number.*.rendered, count.index)}"
    destination = "/tmp/configuration/home/centos/bin/node-number.sh"
  }
  provisioner "remote-exec" {
    inline = [
      "chmod +x /tmp/configuration/home/centos/configuration.sh",
      "sudo /tmp/configuration/home/centos/configuration.sh",
    ]
  }
  tags {
    Name = "${local.resource_prefix}-${var.data_configuration}-ec2-${count.index}"
  }
  vpc_security_group_ids = ["${aws_security_group.data.id}"]
}

Expected Behavior

After a terraform destroy, I would expect the "ELASTIC BLOCK STORE, Volumes" to be deleted with the formation. However, they remain. (And cost much-o money when they aggregate)

These volumes show up at https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#Volumes

Steps to Reproduce

Using an aws_instance similar to the one above:

terraform init
terraform apply
terraform destroy
Visit https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#Volumes
Bug: the volumes created with terraform apply are not deleted with terraform destroy

servicec2 waiting-response

Source

hashibot[bot]

Most helpful comment

@docktermj if you cannot fix the AMI, you can try adding root_block_device inside your aws_instance configuration:

resource "aws_instance" "data" {
  # ... other configuration ...

  root_block_device {
    delete_on_termination = true
 }
}

bflad on 21 May 2018

👍5

All 7 comments

@docktermj are you able to share information about the AMI? Preferably the BlockDeviceMappings output from aws ec2 describe-images --image-ids ami-XXXXXX if you have the AWS CLI.

Generally you need to configure EBS volume DeleteOnTermination either baked into the AMI or override the ebs_volume configuration in the aws_instance resource.

bflad on 18 May 2018

The AMI is a stock CentOS AMI:

variable "data_ami" {
  description = "App: CentOS Linux 7 1801_1 us-east-1"
  default = "ami-4bf3d731"
}

docktermj on 21 May 2018

$ aws ec2 describe-images --image-ids ami-4bf3d731
{
    "Images": [
        {
            "ProductCodes": [
                {
                    "ProductCodeId": "aw0evgkw8e5c1q413zgy5pjce", 
                    "ProductCodeType": "marketplace"
                }
            ], 
            "Name": "CentOS Linux 7 x86_64 HVM EBS 1801_01-b7ee8a69-ee97-4a49-9e68-afaee216db2e-ami-0a537770.4", 
            "VirtualizationType": "hvm", 
            "Hypervisor": "xen", 
            "ImageOwnerAlias": "aws-marketplace", 
            "EnaSupport": false, 
            "ImageId": "ami-4bf3d731", 
            "State": "available", 
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/sda1", 
                    "Ebs": {
                        "DeleteOnTermination": false, 
                        "SnapshotId": "snap-0061a4a372352a41e", 
                        "VolumeSize": 8, 
                        "VolumeType": "standard", 
                        "Encrypted": false
                    }
                }
            ], 
            "Architecture": "x86_64", 
            "ImageLocation": "aws-marketplace/CentOS Linux 7 x86_64 HVM EBS 1801_01-b7ee8a69-ee97-4a49-9e68-afaee216db2e-ami-0a537770.4", 
            "RootDeviceType": "ebs", 
            "OwnerId": "679593333241", 
            "RootDeviceName": "/dev/sda1", 
            "CreationDate": "2018-01-12T20:33:32.000Z", 
            "Public": false, 
            "ImageType": "machine", 
            "Description": "CentOS Linux 7 x86_64 HVM EBS 1801_01"
        }
    ]
}

docktermj on 21 May 2018

Well, jeepers! I see:

                        "DeleteOnTermination": false,

Is there a way to over-ride that?

docktermj on 21 May 2018

@docktermj if you cannot fix the AMI, you can try adding root_block_device inside your aws_instance configuration:

resource "aws_instance" "data" {
  # ... other configuration ...

  root_block_device {
    delete_on_termination = true
 }
}

bflad on 21 May 2018

👍5

@bflad I made the following change and it seems to be working. Thank you for your assistance. I believe we can call this issue closed.

resource "aws_instance" "data" {
  ami = "${var.data_ami}"
  associate_public_ip_address = true
  count = "${var.data_ec2_count}"
  depends_on = ["aws_internet_gateway.default"]
  ebs_block_device {
    device_name = "/dev/sda1"
    delete_on_termination = true
  }
  instance_type = "${var.data_instance_type}"
  key_name = "${aws_key_pair.default.id}"
  private_ip = "${lookup(var.data_private_ips, count.index)}"
  subnet_id = "${aws_subnet.default.id}"
  connection {
    type = "ssh"
    user = "centos"
    private_key = "${file("${var.ssh_private_key_path}")}"
  }
  provisioner "file" {
    source      = "${template_dir.data.destination_dir}"
    destination = "/tmp/configuration"
  }
  provisioner "file" {
    source      = "${path.module}/files/${var.data_configuration}/"
    destination = "/tmp/configuration"
  }
  provisioner "file" {
    content = "${element(data.template_file.data_cockroach.*.rendered, count.index)}"
    destination = "/tmp/configuration/usr/lib/systemd/system/cockroach.service"
  }
  provisioner "file" {
    content = "${element(data.template_file.data_node_number.*.rendered, count.index)}"
    destination = "/tmp/configuration/home/centos/bin/node-number.sh"
  }
  provisioner "remote-exec" {
    inline = [
      "chmod +x /tmp/configuration/home/centos/configuration.sh",
      "sudo /tmp/configuration/home/centos/configuration.sh",
    ]
  }
  tags {
    Name = "${local.resource_prefix}-${var.data_configuration}-ec2-${count.index}"
  }
  vpc_security_group_ids = ["${aws_security_group.data.id}"]
}

docktermj on 22 May 2018

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

hashibot[bot] on 5 Apr 2020

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Please add support for default values in Cloudwatch Metric Filters

hazmeister · 3Comments

Plans to support more custom endpoints in provider AWS (lambda, apigateway, ...)

hashibot · 3Comments

Using security_groups instead of the correct vpc_security_group_ids on an instance within VPC results in instance recreation on each apply

andywirv · 3Comments

AWS ECS services are force updated on each apply

EmmN · 3Comments

AWS Security Group Rule protocol/port error.

gothrek22 · 3Comments