Terraform destroy failing because Google SQL user owns databases

terraform

I'm using Terraform to provision a Google Cloud SQL PostgreSQL database using a google_sql_database_instance resource. I also create a user with a google_sql_user resource.

After applying, I deploy my application which creates databases owned by that user.

The problem is, when I terraform destroy, Terraform tries to delete the user before it deletes the database. It gets an error (which is expected; you can't delete Postgres users while they own databases). But Terraform doesn't need to delete the user, because the next step is to delete the whole database instance.

Is there a way to tell Terraform that deleting the google_sql_database_instance will have the effect of deleting the google_sql_user, so that Terraform doesn't try to explicity delete the user first and fail?

Best Answer

Use terraform's state rm to tell it to forget that the users and database exist so it won't actively try to delete them (and fail) at destroy time.

I use a destroy.sh script:

terraform state rm module.your_server_name.google_sql_user.users \ 
     module.your_server_name.google_sql_database.your_database_name
terraform destroy $@

Related Solutions

Terraform plan wants to destroy security groups after importing them with terraform import

So the import for network ACL and security group break things out like

resource "aws_security_group" "production_servers" {}
resource "aws_security_group_rule" "production_servers-1" {}
resource "aws_security_group_rule" "production_servers" {}

You mentioned you had all the rules in the aws_security_group which is perfectly fine. I prefer them outside since its more readable if you make a rule change and have like 10-15 rules in a group.

So whats going on is terraform wrote a blank aws_security_group with no rules and has a bunch of external aws_security_group_rule in the state file which is different then your TF config.

So on a plan it'll say I need to destroy these and then it will create them in the resource itself.

You might get a minor blip of no security group rules but in the end it'll clean up on an apply. Just look at the plan for your aws_security_group I would bet all your rules are listed in there

Destroy existing Terraform without tfstate

I would try out https://github.com/dtan4/terraforming as it can actually dump resources to tfstates.

Another shortcut: grab all resources from aws-cli, run a terraform Import in These, followed by a terraform destroy.

Best Answer

Related Solutions

Terraform plan wants to destroy security groups after importing them with terraform import

Destroy existing Terraform without tfstate

Related Topic