
I am trying to destroy some terraform created resources on AWS.

Terraform comes up with this plan

Terraform will perform the following actions:

  - aws_lambda_function.myproject-mainprocess-restore-db-from-snapshot

  - module.myproject-mainprocess.aws_db_event_subscription.send_rds_event_to_sns

  - module.myproject-mainprocess.aws_lambda_permission.allow_sns_call_rds_lambda

  - module.myproject-mainprocess.aws_sns_topic_subscription.call_lambda_by_sns

  - module.myproject-mainprocess.module.lambda.aws_iam_policy.lambda_policy

  - module.myproject-mainprocess.module.lambda.aws_iam_policy.lambda_policy_logs

  - module.myproject-mainprocess.module.lambda.aws_iam_role.lambda_role

  - module.myproject-mainprocess.module.lambda.aws_iam_role_policy_attachment.policy_attachment

  - module.myproject-mainprocess.module.lambda.aws_iam_role_policy_attachment.policy_attachment_logs

  - module.myproject-mainprocess.module.lambda.aws_lambda_function.lambda

  - module.myproject-mainprocess.module.lambda.datadog_monitor.lambda_errors_alert

  - module.myproject-mainprocess.module.rds_event_sns.aws_sns_topic.topic_simple

However, because of my AWS profile's lack of some deletion permission, one of the steps has failed:

  - module.myproject-mainprocess.aws_db_event_subscription.send_rds_event_to_sns


Error: Error applying plan:

1 error(s) occurred:

* module.media-rotate-reports-db.aws_db_event_subscription.send_rds_event_to_sns (destroy): 1 error(s) occurred:

* aws_db_event_subscription.send_rds_event_to_sns: Error deleting RDS Event Subscription dev-media-rotate-reports-db-rds-snapshot-creation-event-subscription: AccessDenied: User: arn:aws:sts::141225792464:assumed-role/myteam/anthony_dev_credentials is not authorized to perform: rds:DeleteEventSubscription on resource: arn:aws:rds:us-east-1:141225792464:es:dev-myproject-mainprocess-rds-snapshot-creation-event-subscription
    status code: 403, request id: a20c2dbf-8526-4a8f-9d86-71f2df4507c5

I have removed the above aws_db_event_subscription manually by using an alternative AWS role. However, I am unable to get Terraform to resume and ignore this error.

Terraform still needs to execute the following:

Terraform will perform the following actions:

  - module.myproject-mainprocess.aws_db_event_subscription.send_rds_event_to_sns

  - module.myproject-mainprocess.module.rds_event_sns.aws_sns_topic.topic_simple 

How can I tell Terraform to resume and ignore module.myproject-mainprocess.aws_db_event_subscription.send_rds_event_to_sns that is already removed?

Anthony Kong

1 Answer


Back up your tfstate first and use the rm command to remove the resource from the tfstate. Use it like this:

terraform state rm module.myproject-mainprocess.aws_db_event_subscription.send_rds_event_to_sns
terraform state rm module.myproject-mainprocess.module.rds_event_sns.aws_sns_topic.topic_simple 

Edit: Just read

This command will output a backup copy of the state prior to saving any changes. The backup cannot be disabled. Due to the destructive nature of this command, backups are required.

I would still recommend making a manual backup as well, as recovering from a broken tfstate or reconstructing a tfstate is a time-consuming and risky operation I would want to avoid at any cost.

Henrik Pingel
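As an added example, not code from the answer above, here is a small shell wrapper for the same procedure: take an explicit backup with terraform state pull (which also covers remote backends, unlike copying terraform.tfstate), remove only addresses that state still tracks, then re-plan. The TF variable and the function names are assumptions. Because state rm only makes Terraform forget a resource and never deletes it, pass only addresses that are already gone from AWS; the SNS topic in the question still exists, so it should stay in state until Terraform destroys it.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: resume a partially failed
# destroy by dropping already-deleted resources from Terraform state.
# TF lets the caller point at a wrapper binary (assumption, defaults to terraform).
set -eu
TF="${TF:-terraform}"

# Take an explicit backup of the current state with "terraform state pull".
# Refuses to continue if the pull returned nothing. Prints the backup file name.
backup_state() {
  local backup
  backup="tfstate-backup-$(date +%Y%m%dT%H%M%S).json"
  "$TF" state pull > "$backup"
  [ -s "$backup" ] || { echo "state pull returned nothing, refusing to continue" >&2; return 1; }
  printf '%s\n' "$backup"
}

# Remove each given resource address from state, but only if state still
# tracks it, so a mistyped address is skipped instead of aborting mid-run.
# Prints every address actually removed, one per line.
state_rm_addresses() {
  local addr
  for addr in "$@"; do
    if "$TF" state list 2>/dev/null | grep -Fxq -- "$addr"; then
      "$TF" state rm "$addr" >/dev/null
      printf '%s\n' "$addr"
    fi
  done
}

# Back up first, then remove, then re-plan so the operator can confirm that
# Terraform no longer tries to touch the manually deleted resource.
resume_after_partial_destroy() {
  backup_state >/dev/null
  state_rm_addresses "$@"
  "$TF" plan -destroy
}

# Usage for the question's already-deleted event subscription (the SNS topic
# is left in state so the next destroy still removes it):
# resume_after_partial_destroy module.myproject-mainprocess.aws_db_event_subscription.send_rds_event_to_sns
```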