Terraform: Feature suggestion - Destroy Provisioner (local or remote exec)

Created on 1 Dec 2015  ·  21 Comments  ·  Source: hashicorp/terraform

Hi guys,

I've been working on a project on Azure and have run into a couple of challenges because I want to create a VPN gateway and upload a cert as a part of the Terraform script (https://github.com/hashicorp/terraform/issues/4116). I've come up with a workaround using the provisioner to call local-exec to a PowerShell command, and from there written scripts to handle the work.

Unfortunately, when I go to destroy the infrastructure the virtual network can't be destroyed because it needs to have the certs and gateway deleted before it can be deleted.

This made me think - it would be very useful to have a "reverse" provisioner or one that could be flagged as to be used for create/update/destroy. That way I could write the reverse script to tear down any infra I have built in this way or effectively run a reverse bootstrap operation to clean up anything that exists outside the Terraform-covered resources.

Just a thought.

core enhancement

All 21 comments

This would also be useful to us so we could automatically remove the node & client from Chef server when the instance is destroyed by Terraform.

+1
We're using Terraform to provision Kubernetes in AWS and we can't destroy completely because some resources are created by K8s which Terraform doesn't know about, i.e. load balancer, security groups.
Being able to bootstrap the command kubectl delete namespace to terraform destroy would make things a lot simpler.

+1
It would be excellent to be able to exec upon destroy, in order to e.g. remove a key from a SaltStack master a la https://github.com/saltstack-formulas/ec2-autoscale-reactor

+1 Would be really nice to have this!

+1 - I need to drop users & tables from an RDS db upon destroy. I create the user and table space at spin-up, but short of (once again) writing a wrapper to run terraform, I have no way to reverse actions run at incarnation time.

I would love to have this too. As a workaround, we have a wrapper script that calls terraform, and upon "destroy", the wrapper script can then local-exec anything we want. It's not ideal, but gets the job done.

I think handling post-destroy in a wrapper is a good design decision. -1 for the feature.

@gordonIanJ - Why? Do you also object to remote execution of provisioners? Seems like this would be nothing more than enabling the reverse of that.

Destroy is sometimes explicit (terraform destroy ..) and sometimes implicit (-/+ due to re-creation). It would be nice to be able to trigger the same provisioner if either happens.

+1

+1. In addition to local/remote provisioner commands that need to be un-done during destroy, we have the same use case as @gileshinchcliff with Kubernetes creation of resources outside of Terraform.

+1, we are using Terraform to create a VPC and a Lambda function inside that VPC. Under the covers Lambda creates ENIs that Terraform doesn't know about and those ENIs botch our destroy. An 'exec' on destroy would allow us to clean up those ENIs before Terraform attempts to destroy the VPC.

+1

+1

+1

+1

+1

Dup of #386. It's coming!

+1

+1

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
