This is certainly not high-priority, and may even fall outside the scope of the Terraform core, but I thought I'd open the idea anyway even if it's just to get some input on possible workarounds or other solutions.
A use case I have is to report on and possibly remove resources that _can_ be managed by Terraform but _aren't_.
Given the case where you are automating as much as possible within (say) an AWS account and that you don't expect manually-created resources exist, you want to track if something or someone, somehow, has manually added a resource that is not managed by Terraform but is of a type which should be. For example, an IAM user someone or something added as a back-door into the account, or a big EC2 machine someone created by hand for temporary use and then forgot about.
I could see some potential workarounds in the form of auxiliary utilities that scan resources and compare them to the statefile, but that feels like it would need to duplicate a lot of the functionality Terraform has in being able to use all the provider APIs.
I can also see a bunch of problems with doing any automated destroys here since, at least in the AWS world, you're going to get unmanaged resources such as EC2 machines created by AutoScaling Groups, and EBS volumes created by EC2.
I'm up for the idea :+1: , I was actually thinking of creating a tool for this a few days back. I can totally see the use-case and value.
I think the problem is kind of related to the import of existing resources into terraform. See https://github.com/hashicorp/terraform/issues/581
The logic that would have to be implemented is very similar, if not the same. We'd probably need to add a new schema.Resource method for finding all resources of that type. Therefore I think it's not too much outside of the scope after all.
That said, Terraform should IMO never be cleaning up things it doesn't manage _by design/default_. It should be an extra functionality optionally triggered by the user via different subcommand.
I think this fits well within Terraform but is probably a very far future idea.
The idea is simple though: as Terraform 0.7's import functionality grows to support effectively pointing it at an entire account (one day), you could diff this with the set of states you have and remove the unmanaged resources or do whatever you'd like.
It will probably be a very long time before TF has this machinery itself so I'm going to close this otherwise it'll probably just bitrot for years. :) Great idea though, and I'd love to see someone perhaps build this on top of what TF has.
I'd love to see this, as it would be a great auditing tool!
Are there any extant third-party tools that do something like this? I don't need the full import functionality, just a list of resource ids that aren't managed by terraform.
I've written https://github.com/JohannesEbke/aws_list_all to programmatically list all resources in an AWS account using boto3 API inspection. Filtering by terraform state is not implemented, but it might be a good starting point.
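The diff the thread keeps coming back to (everything in the account minus everything in the state file, with the ASG-launched instances and EC2-created EBS volumes from the opening post treated as indirectly managed rather than as strays) can be sketched as a report-only script. The example below is added here and is not code from this issue, from Terraform, or from aws_list_all. It assumes the version 4 JSON state layout (`resources[].instances[].attributes.id`) and a constructed inventory in a shape of my own choosing (type, id, tags, and for volumes the instance they are attached to); a real listing tool's output would need to be mapped into that shape first. The `aws:autoscaling:groupName` tag is the one AWS itself puts on instances launched by an Auto Scaling group.

```python
import json
from typing import Dict, List, Set

# Constructed sample state in the (assumed) version 4 JSON layout. Ids are made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_instance", "name": "web",
         "instances": [{"attributes": {"id": "i-0aaa111"}}]},
        {"mode": "managed", "type": "aws_iam_user", "name": "deploy",
         "instances": [{"attributes": {"id": "deploy"}}]},
        {"mode": "managed", "type": "aws_autoscaling_group", "name": "workers",
         "instances": [{"attributes": {"id": "workers-asg"}}]},
        # data sources are lookups, not infrastructure; they must not count as managed
        {"mode": "data", "type": "aws_ami", "name": "base",
         "instances": [{"attributes": {"id": "ami-00000000"}}]},
    ],
})

# Constructed account inventory (hypothetical shape, not aws_list_all's real output).
SAMPLE_INVENTORY = [
    {"type": "aws_instance", "id": "i-0aaa111", "tags": {}},
    {"type": "aws_instance", "id": "i-0bbb222",
     "tags": {"aws:autoscaling:groupName": "workers-asg"}},          # launched by managed ASG
    {"type": "aws_instance", "id": "i-0ccc333", "tags": {"Name": "temp-bigbox"}},
    {"type": "aws_iam_user", "id": "deploy", "tags": {}},
    {"type": "aws_iam_user", "id": "backdoor-admin", "tags": {}},
    {"type": "aws_ebs_volume", "id": "vol-0ddd444", "tags": {}, "attached_to": "i-0aaa111"},
    {"type": "aws_ebs_volume", "id": "vol-0eee555", "tags": {}, "attached_to": None},
]


def managed_ids(state_json: str) -> Dict[str, Set[str]]:
    """Return {resource_type: {ids}} for managed (mode == "managed") resources in the state."""
    state = json.loads(state_json)
    if state.get("version") != 4:
        raise ValueError("only state format version 4 is handled here (assumption)")
    out: Dict[str, Set[str]] = {}
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue
        for inst in res.get("instances", []):
            rid = inst.get("attributes", {}).get("id")
            if rid:
                out.setdefault(res["type"], set()).add(rid)
    return out


def classify(state_json: str, inventory: List[dict]) -> Dict[str, List[str]]:
    """Split the inventory into resources absent from the state ("unmanaged") and
    resources created on behalf of managed ones ("indirect"). Reporting only: nothing
    here destroys anything, in line with the thread's point about unmanaged-by-design
    resources such as ASG instances and EC2-created volumes."""
    managed = managed_ids(state_json)
    asg_names = managed.get("aws_autoscaling_group", set())
    accounted_instances = set(managed.get("aws_instance", set()))
    result: Dict[str, List[str]] = {"unmanaged": [], "indirect": []}

    # Pass 1: everything except volumes, so that instances launched by a managed
    # ASG are known before their volumes are judged in pass 2.
    for item in inventory:
        if item["type"] == "aws_ebs_volume":
            continue
        key = f'{item["type"]}.{item["id"]}'
        if item["id"] in managed.get(item["type"], set()):
            continue
        if (item["type"] == "aws_instance"
                and item.get("tags", {}).get("aws:autoscaling:groupName") in asg_names):
            result["indirect"].append(key)
            accounted_instances.add(item["id"])
            continue
        result["unmanaged"].append(key)

    # Pass 2: a volume attached to an accounted-for instance was created by EC2
    # (root/AMI block device), so it is indirect; anything else is a stray.
    for item in inventory:
        if item["type"] != "aws_ebs_volume":
            continue
        key = f'{item["type"]}.{item["id"]}'
        if item["id"] in managed.get("aws_ebs_volume", set()):
            continue
        if item.get("attached_to") in accounted_instances:
            result["indirect"].append(key)
        else:
            result["unmanaged"].append(key)
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_STATE, SAMPLE_INVENTORY)
    for bucket in ("unmanaged", "indirect"):
        print(f"{bucket}:")
        for key in report[bucket]:
            print(f"  {key}")
```

Against the constructed data the script flags the hand-made `i-0ccc333`, the IAM user `backdoor-admin`, and the detached volume as unmanaged, while the ASG-launched instance and the volume attached to the managed web instance land in the indirect bucket. The two-bucket output is the point: the unmanaged list is what an auditor reviews, and the indirect list is the set a naive "destroy everything not in state" would wrongly tear down.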
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.