3
votes

I am using Terraform to provision an Azure AKS Kubernetes cluster, including a bunch of namespaces, deployments (e.g., cert-manager, external-dns, etc.), secrets, and so on. These all get deleted when the cluster is torn down, but some of them cannot be deleted by Terraform. This happens most often with namespaces, like the following (it never actually finishes removing all content):

"Operation cannot be fulfilled on namespaces "cert-manager": The system is ensuring all content is removed from this namespace.  Upon completion, this namespace will automatically be purged by the system."

How do I cause Terraform to ignore these resources when destroying?


1 Answer

1
votes

On the surface, this seems like a big ask from Terraform.

Terraform manages state, so it knows what it created, and what resources depend on each other. When it destroys something, it knows what dependencies to destroy as well, and this sets up an ordering of operations.

So it seems you're saying you want Terraform to control the creation, but to "forget" to destroy some things, despite it keeping a map of dependencies. This seems like a good way to get a corrupt state.

So with that caveat in mind, perhaps you could try "terraform state rm" judiciously, so that Terraform isn't managing the things that need to be skipped when destroying things.

Something like:

  • terraform apply
  • some script that picks holes in the state with "terraform state rm"
  • terraform destroy

The hard part is making sure all the things that remain do not reference anything that has been "rm'd" - Terraform will get mad at you and probably refuse to do it.
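
One way to script the three steps listed in the answer, as an added example that is not part of the original answer. It assumes the resources to skip are selected by resource type (`kubernetes_namespace` by default); the function names, the `RUN_DESTROY` switch, the backup file name and the sample state list are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answer). Assumption: resources to skip are chosen
# by resource type; kubernetes_namespace is the default used here.

# Filter `terraform state list` output (stdin) down to managed resources of
# type $1, including module-nested and count/for_each instances.
# Data sources (data.TYPE.NAME) and similarly named types are not matched.
select_addresses() {
    name='[A-Za-z0-9_-]+'
    grep -E "^(module\.${name}(\[[^]]*\])?\.)*$1\.${name}(\[.*\])?\$" || true
}

# Back up the state, drop the matching addresses from it, destroy the rest.
destroy_skipping() {
    list=$(terraform state list) || return 1
    addrs=$(printf '%s\n' "$list" | select_addresses "$1")
    if [ -n "$addrs" ]; then
        terraform state pull > "backup.$(date +%s).tfstate" || return 1
        while IFS= read -r addr; do
            terraform state rm "$addr" </dev/null || return 1
        done <<EOF
$addrs
EOF
    fi
    terraform destroy
}

# Constructed sample of `terraform state list` output for a dry look offline.
sample_state() {
    cat <<'EOF'
azurerm_kubernetes_cluster.aks
kubernetes_namespace.cert_manager
data.kubernetes_namespace.existing
module.dns.kubernetes_namespace.ns["external-dns"]
module.env["prod"].kubernetes_namespace.app[0]
kubernetes_namespace_v1.other
helm_release.cert_manager
EOF
}

# Touch real state only when RUN_DESTROY=1; otherwise show the sample selection.
if [ "${RUN_DESTROY:-0}" = "1" ]; then
    destroy_skipping "${1:-kubernetes_namespace}"
else
    sample_state | select_addresses "${1:-kubernetes_namespace}"
fi
```

`terraform state rm` only makes Terraform forget the objects; they still exist in the cluster until the cluster itself is torn down, and the saved state file is what allows the removal to be undone.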