Support for provisioners in removed blocks #35230

Merged
merged 3 commits into from
May 23, 2024

jbardin
Member

@jbardin jbardin commented May 22, 2024

During the apply phase, we'll check if there are provisioners either in the matching resource block or the matching removed block -- whichever of the two is present -- and execute the destroy-time subset of them either way.

This also establishes a standard way to attach a removed block to a NodeResourceAbstract when one is defined, which is likely to be useful for supporting other resource-related meta arguments in removed blocks in future.

```hcl
removed {
  from = aws_instance.example

  provisioner "local-exec" {
    # All provisioners must have when = destroy in this context,
    # because "removed" resources can only be destroyed.
    when = destroy

    # ...
  }
}
```

References within the destroy provisioner will be limited in scope just as if it were written within the original resource block, meaning that only count.index, each.key, and self will be valid identifiers. Terraform will not be able to validate whether count.index or each.key will be valid beforehand, because the instances being destroyed could technically have either if the configuration had been changed between count and for_each and failed to delete, so it is up to the user to ensure any references to those values are correct for the instances being destroyed.

If the user specifies destroy = false in the removed lifecycle, then the provisioner will not be executed, as there is no destroy step during which to execute it.

Closes #34711
Closes #13549
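
An added example, not part of the pull request or of Terraform's own code, showing the scoping and lifecycle rules described above in a fuller configuration. The resource addresses `aws_instance.worker` and `aws_instance.legacy`, the script `./scripts/deregister.sh`, and the environment variable names are hypothetical.

```hcl
# Assumption: the instances of aws_instance.worker still recorded in state
# were created with for_each, so their instance keys are strings.
removed {
  from = aws_instance.worker

  lifecycle {
    # A destroy step must exist for the provisioner to have anything to run in.
    destroy = true
  }

  provisioner "local-exec" {
    when = destroy

    # Hypothetical cleanup script. Values are passed through the environment
    # rather than interpolated into the command string, so an unexpected
    # character in an instance key or attribute is never parsed by the shell.
    command = "./scripts/deregister.sh"

    environment = {
      INSTANCE_ID = self.id # attribute of the instance being destroyed
      # Only correct for for_each instances. Terraform cannot validate this
      # ahead of time; for instances created with count, use count.index.
      INSTANCE_KEY = each.key
    }
  }
}

# Assumption: aws_instance.legacy should leave state but keep running.
removed {
  from = aws_instance.legacy

  lifecycle {
    # The object is only forgotten, not destroyed.
    destroy = false
  }

  provisioner "local-exec" {
    when = destroy

    # Per the description above, this provisioner is not executed because
    # there is no destroy step, so cleanup for these instances must be
    # handled some other way.
    command = "./scripts/deregister.sh"
  }
}
```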

apparentlymart and others added 3 commits May 21, 2024 15:04
When the removed_provisioners experiment is active, removed blocks
referring to managed resources are allowed to include "connection" and
"provisioner" blocks, as long as all of the "provisioner" blocks specify
when = destroy to indicate that they should execute as part of the
resource's "destroy" action.

This commit only deals with parsing the configuration. The logic to react
to this during the apply phase will follow in later commits.

During the apply phase, we'll check if there are provisioners either in
the matching "resource" block or the matching "removed" block -- whichever
of the two is present -- and execute the destroy-time subset of them
either way.

This also establishes a standard way to attach a "removed" block to a
NodeResourceAbstract when one is defined, which is likely to be useful
for supporting other resource-related meta arguments in "removed" blocks
in future.

One known limitation and design question from this initial implementation
is: how should each.key, each.value, and count.index behave when used as
part of a provisioner configuration in a "removed" block? This is a tricky
question because whereas a "resource" block allows us to determine from
the configuration whether we're using count, for_each, or neither, removed
blocks must accept whatever happens to be in the state and so in unusual
cases there might even be a mixture of numeric instance keys and string
instance keys for the same resource, making it impossible to write a
provisioner configuration that would work with both.

This records in a test that both `count.index` and `each.key` will
validate properly within a `removed` block provisioner.
@jbardin jbardin requested a review from a team May 22, 2024 21:27
@jbardin jbardin merged commit c1c5e87 into main May 23, 2024
6 checks passed
@jbardin jbardin deleted the jbardin/removed-provisioners branch May 23, 2024 18:39
Successfully merging this pull request may close these issues.

terraform_data ignoring local-exec destroy provisioner
on-destroy provisioners not being executed