Create_before_destroy affects other resources without lifecycle

wojtekm · June 28, 2022, 5:22pm

Hi,

Perhaps this is expected behavior but I’m not sure and curious if someone can confirm.

In Terraform we can enforce object creation before destroying with create_before_destroy = true lifecycle attribute. When resource is created, the previous instance is marked as “deposed object” and eventually destroyed. Everywhere I can read that applies to resources with this lifecycle settings, but I can see the same happens to resources that the object with create_before_destroy depends on, even if that object is not part of the plan.

For example, if I’m attaching few policies to the aws_iam_role and I have aws_iam_instance_profile with create_before_destroy = true and depends_on = [ aws_iam_role_policy_attachment.workers_policies ], as follows:

data "aws_iam_policy_document" "workers_assume_role_policy" {
  statement {
    sid = "EKSWorkerAssumeRole"

    actions = [
      "sts:AssumeRole",
    ]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "workers" {
  name                  = "test"
  assume_role_policy    = data.aws_iam_policy_document.workers_assume_role_policy.json
  force_detach_policies = true
}

resource "aws_iam_instance_profile" "workers" {
  name_prefix = "test"
  role        = aws_iam_role.workers.name

  lifecycle {
    create_before_destroy = true
  }

  depends_on = [
    aws_iam_role_policy_attachment.workers_policies
  ]
}

locals {
  workers_policies = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess", "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
}

resource "aws_iam_role_policy_attachment" "workers_policies" {
  count      = length(local.workers_policies)
  role       = aws_iam_role.workers.name
  policy_arn = local.workers_policies[count.index]
}

The attachments are first created, marked as “deposed” and destroyed, so when I would change the name of any workers_policies I would get it removed after first apply, or both if I would change the order for example. It works fine if I would remove depends_on from instance_profile.

It’s a bit simplified example. I know it might be an issue just when count is used and can be easily workarounded with for_each, but I’m more curious about the whole mechanism of inheriting lifecycle behavior by other resources.

I would appreciate any confirmation or link to docs/threads if I missed something.

Thank you,
Wojtek

jbardin · June 28, 2022, 7:54pm

Hi @wojtekm,

Correct, it is not possible for Terraform to apply resources with create_before_destroy without also re-ordering all dependencies to match. I made some notes here for reference.

wojtekm · June 29, 2022, 8:15am

Thank you @jbardin for confirmation and additional notes

Topic		Replies	Views
Instance replacement creates new instance before destroying old one Terraform	2	915	June 11, 2020
Making a resource execute after destruction of another resource with create_before_destroy = true Terraform	3	1076	July 5, 2023
Terraform 0.12.16 Deposed resource destruction order versus dependencies Terraform	1	566	December 17, 2019
Create_before_destroy icw depends_on resource list Terraform	1	62	December 28, 2024
Create_before_destroy=false in aws_launch_config doesn't work Terraform	4	1679	August 23, 2019

Create_before_destroy affects other resources without lifecycle

Related topics