Terraform: Tainted `null_resource` with `destroy provisioner` does not run the destroy command.

Created on 11 May 2017 · 15 Comments · Source: hashicorp/terraform

Hi there,

I am using a destroy provisioner on null_resource; this works great on terraform destroy. When I try to taint this resource and re-apply, the destroy script does not run. Is this expected?

Terraform Version

Terraform v0.9.5

Affected Resource(s)

  • null_resource

Terraform Configuration Files

{
  "provider": {
    "azurerm": {
      "client_id": "${var.client_id}",
      "client_secret": "${var.client_secret}",
      "subscription_id": "${var.subscription_id}",
      "tenant_id": "${var.tenant_id}"
    }
  },
  "resource": {
    "null_resource": {
      "test2_add_group_role": {
        "provisioner": [
          {
            "local-exec": {
              "command": "\naz ad group create --display-name dev-group --mail-nickname dev-group\n\n"
            }
          },
          {
            "local-exec": {
              "command": "\naz ad group delete -g dev-group\n\n",
              "on_failure": "continue",
              "when": "destroy"
            }
          }
        ]
      }
    }
  }
}

Expected Behavior

The destroy provisioner should run when the resource is tainted, and re-applied.

Actual Behavior

The destroy provisioner did not run.

Steps to Reproduce

  1. terraform taint null_resource.test2_add_group_role
  2. terraform plan
  3. terraform apply

Labels: bug, provisioner/local-exec, v0.9, v0.10, v0.11, v0.12
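The reproduction steps above, made checkable without Azure credentials, as an added example that is not from the issue: the create-time and destroy-time provisioners each append a line to a local log file (a constructed stand-in for the az commands), so the order of entries after taint + apply shows whether the destroy command ran. Syntax follows Terraform 0.9 to 0.11, the versions the issue covers.

```hcl
# Added example, not the reporter's configuration. The log file replaces the
# `az ad group create` / `az ad group delete` commands so the behaviour is
# observable offline.
resource "null_resource" "test2_add_group_role" {
  # Runs on create (and on re-create after taint).
  provisioner "local-exec" {
    command = "echo create >> provisioner.log"
  }

  # Should run whenever this resource is destroyed, including the destroy
  # half of a taint-triggered replacement.
  provisioner "local-exec" {
    when       = "destroy"
    on_failure = "continue"
    command    = "echo destroy >> provisioner.log"
  }
}

# After `terraform apply`, then `terraform taint null_resource.test2_add_group_role`
# and a second `terraform apply`, provisioner.log should read:
#   create
#   destroy
#   create
# The behaviour reported in this issue leaves only two `create` lines,
# with no `destroy` entry between them.
```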

Most helpful comment

Please do not post "+1" comments, since they just create noise for those monitoring this issue and don't contribute to prioritization (because we can't report on them).

Instead, leave a :+1: reaction on the original comment of this issue, which we can and do report on as an input to prioritization.

All 15 comments

Destroy provisioners also do not run if null_resource is removed or commented out from the .tf file. Maybe the information about destroy provisioning should be stored in the state file somehow, so that Terraform will know what to do without looking into the resource itself.

That would be great indeed. I worked around the issue by putting my destroy provisioner on "real" resources that are destroyed along with my null_resources for now, but that's not ideal and not clear for everyone in my team.

+1

Since it's been a while, I can confirm that this is still happening on version 0.11.1.

+1

+1

+1

+1

This issue doesn't seem to be limited to just the null_resource. I have a real resource that has a destroy time remote-exec which works fine on destroy, or when setting the resource count to 0, but does not run when manually tainting the resource.

Have we gotten any traction on this?

I also have the same problem as @scross01 and @zhaohanweng.

Suppose instead of using taint, I used terraform destroy -target=xxx, but this also destroys the dependent resources connected to the target xxx. I want the ability either to taint specific resources and have my on-destroy "remote-exec" run when I do plan and apply, or to destroy just specific resources using -target.

How can I go about this?

I'm using terraform taint to mark resources for recreating, used e.g. for redeployments. This issue bites me as well here, as destroy time provisioners only seem to run when terraform destroy is used, not with terraform taint. This is unexpected, as the resource is also destroyed and recreated when tainting it. Or is there any other reasoning behind it?

Is there any traction on this issue? I feel like destroy provisioner information should be stored in the state to resolve this.

Use case that is causing issues for me is an on-destroy local-exec that needs to be triggered when a generic resource type is destroyed via GitOps based workflow (config dropped).

Definitely what our team needs too! We expected to use null_resource with a local provisioner as a cleanup script for another resource (which creates physical files but does not delete them when destroyed).
