Remove Provisioned Infra with Terraform Destroy

Updated 2 days ago by Michael Cretzman

You can add a Terraform Destroy Workflow step to remove any provisioned infrastructure, just like running the terraform destroy command. See destroy from Terraform.

The Terraform Destroy step is independent of any other Terraform provisioning step in a Workflow. It is not restricted to removing the infrastructure deployed in its Workflow. It can remove any infrastructure you have provisioned using a Terraform Infrastructure Provisioner.

Before You Begin

This topic assumes you have read the following:

Review: What Gets Destroyed?

When you create a Harness Terraform Infrastructure Provisioner you specify the Terraform script that Harness will use for provisioning, as well as inputs for variables in the script.

When you destroy the provisioned infrastructure, you specify the Terraform Infrastructure Provisioner for Harness to use to locate this script.

There are two ways to use the Terraform Destroy step:

  • Destroy the infrastructure provisioned by the last successful use of a specific Terraform Infrastructure Provisioner, via a Terraform Provision or Terraform Apply step. Harness will use the same input values and backend configuration (Remote state) set up in the Terraform Infrastructure Provisioner.
  • Destroy the infrastructure by entering new input values and backend configuration (Remote state) for a specific Terraform Infrastructure Provisioner.

Which method you use is determined by the Inherit from last successful Terraform Apply option in the Terraform Destroy step.

When the Terraform Provision or Terraform Apply step was executed, Harness saved the Inline Values and Backend Configuration values using a combination of the following:

  • Infrastructure Provisioner used.
  • Environment used for the Workflow.
  • Workspace used (or default if no workspace was specified).

You can decide to use these by selecting the Inherit from last successful Terraform Apply option or provide your own Inline Values and Backend Configuration values by not selecting this option.

Use Last Successful Terraform Provision or Apply Steps

When you use the Terraform Destroy step, you specify the Provisioner and Workspace to use, and Harness gets the Inline Values and Backend Configuration values from the last successful execution of that Provisioner.

When Terraform Destroy is run, it uses the same combination to identify which Inline Values and Backend Configuration values to use. You simply need to provide the Provisioner and Workspace.

Specify Backend Configuration (Remote State)

You can specify a Backend Configuration (Remote State) to use to identify the infrastructure to destroy.

You simply need to specify a Terraform Infrastructure Provisioner so that Harness knows where to look for the script.

In Terraform Destroy, you disable the Inherit from last successful Terraform Apply option, and then provide the input value and remote state settings to use.

Step 1: Add Terraform Destroy Step

In the Post-deployment Steps of the Workflow, click Add Step, and then select Terraform Destroy.

The Terraform Destroy settings appear.

Step 2: Select Provisioner and Workspace

Select the Terraform Infrastructure Provisioner and Workspace that were used to provision the infrastructure you want to destroy.

Typically, this is the Terraform Provisioner and Workspace used in the Pre-deployment Steps.

Option: Select Delegate

In Delegate Selector, enter the Delegate Selector for the Delegate that you want to execute this step. Typically, this is the same Selector used to select a Delegate in the Terraform Provision step.

Option: Terraform Environment Variables

You can remove any Terraform environment variables you created using the Terraform Provision or Terraform Apply steps.

You cannot add new environment variables in the Terraform Destroy step.

If you select the Inherit from last successful Terraform Apply option, then the environment variables are also inherited from the environment variables set in any previous Terraform provisioning step in the Workflow.

Option: Inherit from last successful Terraform Apply

As described in Review: What Gets Destroyed?, select this option to destroy the infrastructure provisioned by the last successful Terraform Provision or Terraform Apply step in the Workflow.

If you select this option, then the Input Values and Backend Configuration settings are disabled.

Option: Set as Terraform Destroy Plan and Export

Select this option to make this Terraform Destroy step a Terraform plan. This is useful when you want to use an Approval step to approve Terraform Destroy steps.

This is the same as running terraform plan -destroy in Terraform.

If you select this option, Harness generates a plan to destroy all the known resources.

Later, when you want to actually destroy the resources, you add another Terraform Destroy step and select the option Inherit following configurations from Terraform Destroy Plan.

The Inherit following configurations from Terraform Destroy Plan option only appears if the Set as Terraform Destroy Plan and Export option was set in the preceding Terraform Destroy step.

The Terraform Plan is stored in a Secrets Manager as encrypted text.

Terraform Plan Size Limit

The Terraform Plan is stored in the default Harness Secrets Manager as encrypted text. This is because plans often contain variables that store secrets.

The Terraform plan size must not exceed the secret size limit for secrets in your default Secrets Manager. AWS Secrets Manager has a limitation of 64KB. Other supported Secrets Managers support larger file sizes.

See Add a Secrets Manager.

Terraform Destroy Plan Output Variable

If you select the Set as Terraform Destroy Plan and Export option, you can display the output of the plan using the variable expression ${terraformDestroy.tfplan}. For example, you can display the plan output in a Shell Script step.
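Because plans often contain variables that store secrets, printing the whole plan output in a step log exposes them to anyone who can read the log. The following is an added example, not Harness code: it summarises a destroy plan by resource address only and flags anything an approver should stop on. It assumes the plan text is Terraform's JSON plan representation (the resource_changes, actions and before_sensitive fields); the function names, the protected prefix and the sample plan are constructed for illustration.

```python
import json


def _any_sensitive(marker):
    """True if Terraform's before_sensitive structure marks any attribute."""
    if isinstance(marker, dict):
        return any(_any_sensitive(v) for v in marker.values())
    if isinstance(marker, list):
        return any(_any_sensitive(v) for v in marker)
    return marker is True


def review_destroy_plan(plan_json, protected_prefixes=()):
    """Summarise a destroy plan by address only; attribute values are never returned."""
    plan = json.loads(plan_json)
    destroyed, unexpected, protected_hits, sensitive = [], [], [], []
    for rc in plan.get("resource_changes", []):
        address, actions = rc["address"], rc["change"]["actions"]
        if actions == ["no-op"]:
            continue
        if actions == ["delete"]:
            destroyed.append(address)
        else:
            # A destroy plan should only delete; anything else needs a human look.
            unexpected.append((address, tuple(actions)))
        if address.startswith(tuple(protected_prefixes)):
            protected_hits.append(address)
        if _any_sensitive(rc["change"].get("before_sensitive", False)):
            sensitive.append(address)
    return {
        "destroyed": sorted(destroyed),
        "unexpected": unexpected,
        "protected": protected_hits,
        "holds_sensitive_values": sensitive,
        "approve": not unexpected and not protected_hits,
    }


# Constructed sample plan; addresses, values and the protected prefix are made up.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_instance.web",
     "change": {"actions": ["delete"], "before": {"ami": "ami-constructed"}}},
    {"address": "aws_db_instance.main", "change": {
        "actions": ["delete"], "before": {"password": "constructed-secret"},
        "before_sensitive": {"password": True}}},
    {"address": "aws_s3_bucket.tfstate",
     "change": {"actions": ["delete"], "before": {"bucket": "constructed-state"}}},
]})

print(review_destroy_plan(SAMPLE_PLAN, ["aws_s3_bucket.tfstate"]))
```

A summary like this can be shown to the approver ahead of the Approval step, while the full plan stays in the Secrets Manager.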

Option: Inherit following configurations from Terraform Destroy Plan

Select this option to apply the previous Terraform Destroy step if that step has the Set as Terraform Destroy Plan and Export option enabled.

As noted above in Option: Set as Terraform Destroy Plan and Export, the Inherit following configurations from Terraform Destroy Plan option only appears if the Set as Terraform Destroy Plan and Export option was set in the preceding Terraform Destroy step.

Step 3: Input Values

Enter the input values to use when destroying the infrastructure.

The Terraform Infrastructure Provisioner you are using (the Terraform Infrastructure Provisioner you selected in the Provisioner setting earlier) identifies the Terraform script where the inputs are located.

See Enter Input Variables.

The Input Values section also includes the Use tfvar files option for using a variable definitions file.

The path to the variable definitions file is relative to the root of the Git repo specified in the Terraform Infrastructure Provisioner you selected in the Provisioner setting earlier.

Step 4: Backend Configuration

Use this option to access the Backend state file directly. Enter values for each backend config (remote state variable).

The Terraform Infrastructure Provisioner you are using (the Terraform Infrastructure Provisioner you selected in the Provisioner setting earlier) identifies the Terraform script where the remote state settings are located.

See Backend Configuration (Remote state).

Click Submit. The Terraform Destroy step is added to the Workflow.
