Tainted null_resource with destroy provisioner does not run the destroy command.

[zhaohanweng]

Hi there,

I am using destroy provisioner on null_resource, this works great on terraform destroy. When I try to taint this resource and re-apply, the destroy script does not run. Is this expected?

Terraform Version

Terraform v0.9.5

Affected Resource(s)

• null_resource

Terraform Configuration Files

{
  "provider": {
    "azurerm": {
      "client_id": "${var.client_id}",
      "client_secret": "${var.client_secret}",
      "subscription_id": "${var.subscription_id}",
      "tenant_id": "${var.tenant_id}"
    }
  },
  "resource": {
    "null_resource": {
      "test2_add_group_role": {
        "provisioner": [
          {
            "local-exec": {
              "command": "\naz ad group create --display-name dev-group --mail-nickname dev-group\n\n"
            }
          },
          {
            "local-exec": {
              "command": "\naz ad group delete -g dev-group\n\n",
              "on_failure": "continue",
              "when": "destroy"
            }
          }
        ]
      }
    }
  }
}

Expected Behavior

The destroy provisioner should run when the resource is tainted, and re-applied.

Actual Behavior

The destroy provisioner did not run.

Steps to Reproduce

1. terraform taint null_resource.test2_add_group_role
2. terraform plan
3. terraform apply

[burdiyan]

Destroy provisioners neither run if null_resource is removed or commented out from the .tf file. Maybe the information about destroy provisioning should be stored in the state file somehow, so that Terraform will now what to do without looking into the resource itself.

[elafarge]

That would be great indeed, I worked around the issue by putting by destroy provisioner on "real" resources that are destroyed along with my null_resources for now but that's not ideal and clear for everyone in my team.

[bbakersmith]

+1

[borsboom]

Since it's been a while, I can confirm that this is still happening on version 0.11.1.

[h4m24]

+1

[MagicMicky]

+1

[tata2000]

+1

[piotr-napadlek]

+1

[apparentlymart]

Please do not post "+1" comments, since they just create noise for those monitoring this issue and don't contribute to prioritization (because we can't report on them).

Instead, leave a 👍 reaction on the original comment of this issue, which we can and do report on as an input to prioritization.

[scross01]

This issue doesn't seem to be limited to just the null_resource. I have a real resource that has a destroy time remote-exec which works fine on destroy, or when setting the resource count to 0, but does not run when manually tainting the resource.

[Priteshkal]

Have we gotten any traction on this?

I also have the same problem as @scross01 and @zhaohanweng.

Suppose instead of using taint, I used a terraform destroy -target=xxx, but this is also destroying the dependent resources connected to the target xxx. I want the ability to be able to either taint specific resources and have my on destroy "remote-exec" run when I do plan and apply or the ability to destroy just specific resources using -target.

How can I go about this?

[tholu]

I'm using terraform taint to mark resources for recreating, used e.g. for redeployments. This issue bites me as well here, as destroy time provisioners only seem to run when terraform destroy is used, not with terraform taint. This is unexpected, as the resource is also destroyed and recreated when tainting it. Or is there any other reasoning behind it?

[josh-pritchard-fcx]

Is there any traction in on this issue? I feel like destroy provisioner information should be stored in the state to resolve this.

[AshMenhennett]

Use case that is causing issues for me is an on-destroy local-exec that needs to be triggered when a generic resource type is destroyed via GitOps based workflow (config dropped).

[mgzenitech]

Definitely what our team needs too! We expected to use null_resource with local provisioner as a cleanup script for another resource (which creates physical files but does not delete them if destroyed)

[haidaraM]

Just wondering if there is any plan to fully support taint on null_resource with destroy time provisioner ? This issue is there for almost 4 years

[apparentlymart]

Hi all,

This isn't an issue with any particular resource type or provider, and is instead an artifact of the design of destroy-time provisioners, which in current Terraform are really only for situations where an object is being destroyed as part of either a full destroy (terraform destroy) or a "replace" operation (which includes both a destroy and a create).

We've been using #13549 as an umbrella issue for all of these feature requests for destroy-time provisioners to be run in more situations, and so I'm going to close this one just to consolidate the discussion over there. We are currently only really maintaining the behavior of provisioners as they currently exist and not investing further in the concept, because provisioners are a last resort. However, we'll keep the other issue open to track the underlying use-case for whatever mechanisms will eventually replace all of the remaining reasons to use provisioners.

If you upvoted here and are still interested in this, please transfer your upvote to #13549. Thanks!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.