I'm currently working on an environment fully managed by Terraform, but I have reached some limitations and I would like to know if there is a feature or a workaround to do what I want:
I have an environment described like this:
Everything works, but when I want to do a full clean-up by running terraform destroy, I have to destroy some resources one by one with the -target option and then manually delete some references in the state file.
Two reasons why I would like to do that:
Just because it fails
I don't know why, but I was unable to destroy some subnets, either with Terraform or manually (impossible to detach the internet gateway), but I was able to destroy them by simply destroying the VPC.
In this case, I would like to tell Terraform to only delete the VPC; by doing that, AWS automatically destroys the related components such as subnets, internet gateway, route tables, network ACLs, etc.
Because it would be faster
I'm using Terraform with the Kubernetes (and Helm) providers to define my Kubernetes configuration, but when I run terraform destroy it deletes all the Kubernetes resources, then the cluster (and workers).
Only deleting the cluster would be much faster.
So here is my question: is it possible to exclude resources from the destroy process in the Terraform configuration files?
I have also seen terraform failures while destroying resources, needing manual intervention. The recommended way seems to be to modularise the required resources into separate configurations and then plan/destroy them as needed. In your case, say a separate eks.tf for EKS configuration.
There is actually no way to do what I want, but the documentation says:
Instead of using -target as a means to operate on isolated portions of very large configurations, prefer instead to break large configurations into several smaller configurations that can each be independently applied. Data sources can be used to access information about resources created in other configurations, allowing a complex system architecture to be broken down into more manageable parts that can be updated independently.
This will not fit some use cases if we use the standard pattern (one configuration for the VPC, one for the cluster and workers, and one for the Kubernetes configuration), because destroying the VPC will still destroy all the components before destroying the VPC (and will result in a failure).
Here is a possible workaround; the goal would be to create two configurations:
With this pattern, we can then create a simple CLI with a destroy command: terraform destroy in the main configuration.
I made an issue on the Terraform GitHub repository to propose an enhancement: an annotation system allowing plugins to interact with annotated resources and listen to the different events (creation, destruction, state refresh, etc.).
If you are in the same case, take a look at the issue, add a +1 and maybe comment with your opinion!
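An added example (not from the question or either answer) that automates the manual sequence the question describes: read the dependency information a Terraform state file records for each resource, list everything that transitively depends on the VPC, drop those entries with terraform state rm, and only then run terraform destroy -target on the VPC so Terraform touches nothing else. The state layout, resource names and ids are constructed for the example, and the ordering (state rm before the targeted destroy) is my reading of the procedure, not something the page prescribes.

```python
# Constructed sample state (Terraform v4 JSON layout, only the fields used; names and ids made up).
SAMPLE_STATE = {"version": 4, "resources": [
    {"mode": "managed", "type": "aws_vpc", "name": "main",
     "instances": [{"attributes": {"id": "vpc-0000"}}]},
    {"mode": "managed", "type": "aws_subnet", "name": "a",
     "instances": [{"attributes": {"id": "subnet-0001"}, "dependencies": ["aws_vpc.main"]}]},
    {"mode": "managed", "type": "aws_internet_gateway", "name": "igw",
     "instances": [{"attributes": {"id": "igw-0002"}, "dependencies": ["aws_vpc.main"]}]},
    {"mode": "managed", "type": "aws_route_table", "name": "public",
     "instances": [{"attributes": {"id": "rtb-0003"}, "dependencies": ["aws_internet_gateway.igw", "aws_vpc.main"]}]},
    {"mode": "managed", "type": "aws_eks_cluster", "name": "k8s",
     "instances": [{"attributes": {"id": "k8s"}, "dependencies": ["aws_subnet.a"]}]},
    {"mode": "data", "type": "aws_region", "name": "current",
     "instances": [{"attributes": {"name": "eu-west-1"}}]},
]}

def dependency_graph(state):
    """Managed resource address -> addresses it depends on (data sources are skipped)."""
    graph = {}
    for res in state["resources"]:
        if res["mode"] == "managed":
            addr = f'{res["type"]}.{res["name"]}'
            graph[addr] = {d for i in res["instances"] for d in i.get("dependencies", [])}
    return graph

def dependents_of(graph, root):
    """Resources that transitively depend on root, deepest dependents first."""
    reverse = {addr: set() for addr in graph}   # dependency -> its direct dependents
    for addr, deps in graph.items():
        for dep in deps:
            if dep in reverse:
                reverse[dep].add(addr)
    seen, order = set(), []
    def visit(addr):                            # post-order DFS: children before parent
        for child in sorted(reverse[addr]):
            if child not in seen:
                seen.add(child)
                visit(child)
                order.append(child)
    visit(root)
    return order

def cleanup_commands(state, root):
    """The question's manual sequence: drop the cascade-deleted resources from state, then destroy only root."""
    graph = dependency_graph(state)
    if root not in graph:
        raise KeyError(f"{root} is not a managed resource in this state")
    cmds = [f"terraform state rm {addr}" for addr in dependents_of(graph, root)]
    cmds.append(f"terraform destroy -target={root}")
    return cmds
```

Resources removed from state are no longer managed by Terraform at all, so run the printed commands only when the VPC deletion really does remove them on the AWS side; otherwise they are left orphaned.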