Remote state keeping data.* on destroy, why?

Hello all:

Besides using prevent_destroy, what would stop Terraform from removing information from a remote state (kept in Consul)?

terraform: 1.0.4
terragrunt: 0.31.3

I ran terragrunt refresh && terragrunt state list to jot down what the state looked like:

data.consul_service.vault
data.rancher2_cluster.local
data.rancher2_project.System
data.rancher2_role_template.member
data.rancher2_role_template.view_all_projects
data.rancher2_role_template.view_cluster_catalogs
data.rancher2_role_template.view_cluster_member
data.rancher2_role_template.view_nodes
data.vault_generic_secret.kubeconfig
data.vault_generic_secret.terraform_castellan
data.vault_generic_secret.terraform_openldap
data.vault_generic_secret.terraform_rancher_k8s
data.vault_generic_secret.terraform_velero
data.vault_generic_secret.terraform_vsphere
kubernetes_secret.encryption
kubernetes_secret.s3-backup
rancher2_app_v2.backup
rancher2_app_v2.logging-operator
rancher2_app_v2.logging-operator-logging
rancher2_catalog_v2.banzaicloud
rancher2_namespace.cattle-resources-system
rancher2_namespace.logging
rancher2_role_template.cluster_manager
random_password.encryption
vault_generic_secret.backup_encryption

terragrunt refresh && terragrunt state rm vault_generic_secret.backup_encryption which has prevent_destroy on it, followed by terragrunt refresh && terragrunt destroy -auto-approve.

When I re-ran terragrunt refresh && terragrunt state list it still showed

data.consul_service.vault
data.rancher2_cluster.local
data.rancher2_project.System
data.rancher2_role_template.member
data.rancher2_role_template.view_all_projects
data.rancher2_role_template.view_cluster_catalogs
data.rancher2_role_template.view_cluster_member
data.rancher2_role_template.view_nodes
data.vault_generic_secret.kubeconfig
data.vault_generic_secret.terraform_castellan
data.vault_generic_secret.terraform_openldap
data.vault_generic_secret.terraform_rancher_k8s
data.vault_generic_secret.terraform_velero
data.vault_generic_secret.terraform_vsphere

Which confused me. Another refresh and terragrunt plan -destroy says:

No changes. No objects need to be destroyed.

Either you have not created any objects yet or the existing objects were
already deleted outside of Terraform.

And I'm the only one accessing this particular remote state …

Thanks
– Birl

The problem stems from my misunderstanding of how terragrunt and terraform work. I manually did terragrunt state rm against the data values and received the output that those items were destroyed.

I re-ran terragrunt refresh && terragrunt state list, only to discover those items again. I've been told a terragrunt refresh will (re)populate the state with the data.

“The more you know” …

Hi @sbirl!

I’m not sure of the details of Terragrunt here, but I can confirm that terraform refresh (which I assume terragrunt refresh is wrapping) will fetch the data resource data and add it to the state. Updating data resources to match the latest data from upstream is one of the use-cases of terraform refresh, so this is intended behavior.

I think if you run terraform destroy (or probably terragrunt destroy, indeed) and then use terraform state list (not terragrunt state list) then you should see an empty state as a result of destroying everything.
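
Since a refresh puts data.* entries back into the state, one way to check that a destroy really removed everything is to filter the state list for managed resources only. The script below is an added example, not part of the thread; the function names and the module-nested sample addresses are hypothetical, and the samples are constructed.

```shell
#!/bin/sh
# Added example: classify `terraform state list` addresses after a destroy.

# ERE for a data source address: zero or more module.NAME or module.NAME[key]
# prefixes, followed by "data.". Anything else is a managed resource.
DATA_RE='^(module\.[^.[]+(\[[^]]*\])?\.)*data\.'

# Print the addresses from stdin that are managed resources (not data sources).
managed_resources() {
    grep -v '^[[:space:]]*$' | grep -Ev "$DATA_RE" || true
}

# Print the addresses from stdin that are data sources.
data_sources() {
    grep -E "$DATA_RE" || true
}

# Return 0 if only data sources remain; otherwise list the leftovers and return 1.
destroy_complete() {
    left=$(managed_resources)
    [ -z "$left" ] && return 0
    printf 'still managed:\n%s\n' "$left" >&2
    return 1
}

# Constructed sample: two addresses from the thread plus hypothetical
# module-nested data sources (one with a dotted index key).
sample_after_destroy() {
    cat <<'EOF'
data.consul_service.vault
data.vault_generic_secret.kubeconfig
module.backup.data.vault_generic_secret.s3
module.env["prod.eu"].data.rancher2_cluster.local
EOF
}

# Constructed sample: the same state with managed resources still present,
# including a resource whose *name* is "data" (must not count as a data source).
sample_before_destroy() {
    sample_after_destroy
    cat <<'EOF'
kubernetes_secret.encryption
module.backup.rancher2_app_v2.backup
rancher2_namespace.data
EOF
}

# Demo on the constructed sample; real use: terraform state list | destroy_complete
sample_after_destroy | destroy_complete && echo "only data sources remain"
```
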