-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature request: inverse targeting / exclude #2253
Comments
Hi @shubhambhartiya - we have Can you elaborate on the behavior you're looking for? |
Considering an example. |
Ah okay I get it now. I think I'd call what you're looking for "inverse targeting". # Destroy everything except aws_db_instance.foo and its dependencies
terraform plan -destroy -exclude=aws_db_instance.foo ^^ If that looks like what you're asking for I'll edit the title and we can track that feature request with this thread. |
Yes, that would be a great thing. |
yes please! 👍 |
this is related to #4515 |
Just to confirm that it would be nice to have a feature of inverted targeting like as follows:
Thanks. |
+1 |
+1 |
Another use case: We're importing existing AWS environments. Migrating the DB to the new subnet group is a manual step. It would be nice to provision all the subnet/security/parameter groups before updating the instance (all part of the same module) |
I'd also love to see this. In the meantime, I'm using a combination of
Not pretty, but it does the job 🙂 |
Following what @anosulchik posted:
A target and something like a -target-exclude would be great to support regexp or by name-matching similar to consul, such as: thanks |
|
This would be really useful, so I can destroy everything except the resources marked with |
+1 :) My current workaround is to taket the outout of "terraform plan list" , grep out all resource I wanna keep, and then create a list of -target parameters from the rest with a shell script. Another thing that would make it supereasy to destroy everything unless the things you want to keep is to destroy all resources instead of those protected by the "prevent_destroy" flag. |
Still, it would be very useful to have |
A lot of the history has been lost on this request. Ill start by saying I was an early requester of this feature, even talking through support channels to the H. engineers directly. bottom line - its not an easy thing to solve. Level setting the technical fallout: One would have to reverse process the resource dependency tree interaction for each provider. AWS being the most popular, but also only one of many providers. This is a feature request would in the base code not the provider itself. Using the AWS provider as an example - we all know the dependency tree in that provider has gaps and is not always in-sync with whats truth in the platform, especially on Destroy. With gaps (the providers, and possibly state-file scenarios), the dependencies on both creation and destroy have to be known with absolution in order for such an operation to work. Now considering this, multiply this by every provider & things get really complicated really quick and very easily nuke a state-file beyond any sane recovery. it is possible to be implemented, but it would have a cascade effect through the code and all providers requiring dependency processing changes with strict validation. At some point - it was decided that the feature is not worth the effort, or better put - "The juice just isn't worth the squeeze" Noting again - its a feature I would like to see - I think timing and overall supporting feature maturity within the codebase matters here. Perhaps with future improvements this will be more viable. Click-ops is the no. 1 cardinal sin for IAC managed systems btw (no judgement, but we all know this) |
I am not privy to all discussions in this thread nor how resource targeting works step by step in the background, but I don't understand what this comment exactly means, or why it would be necessary to perform such actions with providers to achieve inverse targeting. I would assume that the way |
@dimisjim excluding resources before plan is I think the difficulty @tburow talks about. It changes how the tree is constructed, especially if exclusions happen at multiple different scopes, and may lead to deadlocks. I think full tree and full |
There's one serious drawback to it: implementing it this way, you can't always skip resources which are unavailable due to HW failure (which I personally consider the most legit use for targeting). An example I gave earlier in this thread: |
Fair point. It may be most legit, but is it most common? Sounds like very edge case + complex to implement + you have a viable workaround. |
My use case is similar to @weakcamel's: I have a SQL database on Google Cloud that is turned off most of time to reduce costs and when it's turned off, we can't pull data from it to include in the plan. I can manually turn on the database, but it's annoying because it takes minutes before the database comes back up, and then I have to remember to shut it down after Terraform work is done. It wouldn't be very practical either to create a separate Terraform project just for this single resource. This is the main reason why I'd like to have that "exclude" flag. I don't see that the implementation of "exclude" needs to be that complicated. For me it would be enough if it was implemented on top of "target", where the list of targets are all the resources except the ones explicitly mentioned in the "exclude" flag. Anyway, I'm not sure if there's any point in discussing this any further as it seems clear that this is not on Hashicorp's roadmap. |
yeah, exactly. Seems to me that this can be inferred somehow from the code and the state file. Not sure why a complicated "each provider inverse dependence tree" calculation is needed as others have vaguely mentioned. |
I wouldn't say it's most common yet I wouldn't say "edge case" either. It depends on your scale; hardware failures happen fairly often if you're running a lot of hosts. Connectivity problems happen too if your network is large enough or you're routing traffic through a network you don't fully control. The most common use case for targeting is arguably drift between actual deployment vs TF code due to manual interventions; if you do that (which is sometimes a legit need), you're causing the problem yourself and there's an obvious way to prevent that from happening (just don't). In case of a HW failure or third party connectivity problems - not so much. Also, implementing negative targeting differently than the (existing) positive targeting would be quite confusing to end users to say the least. |
I'm going to go out on a limb here and say that I honestly don't care why this is difficult to implement. That sounds callous as hell, but think of it like this - I'm an end user of Terraform, not a dev. I don't code, I don't intend to code, but I understand that this issue is an ask of the devs to undertake a task. All I (or others like me) can do is state that this would be useful, and the fact that OpenTofu was able to implement it leads me to believe that Hashicorp could implement it if they wanted to. TF is a tool, in my opinion. This ask is sort of like asking for a different iteration of a tool: "As a socket wrench user, I need to unscrew bolts that are six or more inches inside an engine compartment. I want to be able to attach an extension of some kind that allows my socket wrench to reach inside the engine and unscrew these bolts." "As a hammer user, I need to hit surfaces with blunt force but not leave a mark. I want to be able to use a rubber mallet to hit these surfaces." Et cetera. It'd be unreasonable to ask for a monkey wrench to have a hammer end, but IMO it'd be reasonable to ask for a monkey wrench to come in a larger size for bigger nuts or longer handle for harder to reach spots. This is what we're asking here - a tool with extended functionality. |
Most helpful would be to get the review result form Hashicorp / @crw. |
@Tbohunek Release planning happens generally around the time (just before / just after) we are preparing the latest "minor" release (the next minor release would be 1.7.0). Given that this is the top issue by upvotes, it is being routinely re-evaluated. |
This comment was marked as off-topic.
This comment was marked as off-topic.
...and the result? Of the most recent re-evaluation? Pretty please? |
I would suggest that the evil is not in |
I think this feature might be a good thing as well. I am using Azure and for Storage accounts I had a problem where private endpoints weren't working. I needed to re-deploy a module that creates a storage account and the private links for that storage account. The problem is that if there aren't any private endpoints, then the queries fail when trying to apply the terraform for the storage account. If there was an "exclude" option, i'd just exclude applying the storage account and redeploy all the private links. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as duplicate.
This comment was marked as duplicate.
This comment has been marked as off-topic however IMO it's quite valid (despite the casual and somewhat sarcastic tone). This is one of valid cases for implementing |
The Terraform team is currently working on a concept called "deferred actions" that does something conceptually similar to The current Deferred actions takes a different approach: it still visits all of the resources declared in the configuration, but for any that are deferred it only performs validation and not planning. Terraform can still detect and report certain kinds of problems with the objects that have been deferred, and can still use approximations of their results to validate downstream objects that refer to other deferred resources. The first goal for deferred actions is to close #30937 by making Terraform automatically defer anything that it knows it cannot plan yet due to unknown values being present. That would not directly affect this issue, but would remove one significant current use-case for But once that is dealt with it seems to me that a new explicit This is a significant new concept that needs plumbing throughout Terraform Core and so it'll take a while longer to be ready, but folks on the team are actively working on it. |
+1 |
This is by a large margin the most upvoted issue on this repo... IF this is still been developed, maybe look at #2182 would be nice to be able to do |
Hello @phinze I've encountered an issue related to the "prevent_destroy "feature and was unable to find a solution after reviewing various cases. My use case is fairly straightforward: I have a Cloud Build pipeline with the following steps:
Ideally, I’m looking for a way to handle failures gracefully. Specifically, if an error occurs, I want Terraform to proceed by destroying resources with the flag set to false before exiting. Alternatively, if exiting with an error is unavoidable, I want it to first destroy those non-protected resources before terminating. Any advice or guidance on how to achieve this would be greatly appreciated. Thank you! |
+1 for this feature, which has been requested by the community, as I see, since years. To illustrate one of our concrete use case: We manage AWS EC2 instances with automatic AMI rotation detection (using Currently, when we want to apply other urgent infrastructure changes (e.g. just provisioning a new S3 bucket or a DNS entry), we face a dilemma:
An |
I believe this is implemented in Tofu 1.9.0 |
Is there anything that can be done such that db_instance - RDS formed by the terraform files can be saved if we destroy the whole state?
The text was updated successfully, but these errors were encountered: