Terraform: Remove Resource from a Remote State in Azure Storage Account


Have you been in the situation where cleaning up your Infrastructure as Code (powered by HashiCorp Terraform) to delete deprecated resources resulted in the Terraform apply taking longer than expected? Maybe this is what you are seeing:

azurerm_backup_protected_vm.rs_name: Still destroying... [id=/subscriptions/***/***], 1h19m50s elapsed]

Once the deployment timed out, I found that the resource was already deleted via the Azure portal. The Terraform state file still believes it exists and it will continue to fail the deployment. How do I resolve the issue?

What you need

Based on a Windows client, you will need:

You will also need an Azure account that has permissions to access the Azure Storage Container which stores the Terraform state file.

Steps to resolve the problem

First, clone your repository so you can validate locally that the actions you take have worked (you can complete these steps without cloning, but you won't be able to follow the validation steps without running the pipeline again).

Create an override.tf in the location where you stored your Terraform configuration files. Within the file, set the resource group name, the storage account name, the container name and the key where the remote state file is stored.

terraform {
  # Remote state backend: the Azure Storage container that holds the state file
  backend "azurerm" {
    resource_group_name  = "resource_group_name"
    storage_account_name = "storage_account_name"
    container_name       = "container_name"
    key                  = "state_file_location/terraform.tfstate"
  }
}

Once you've done this and saved the file, run az login (in a terminal of your choice) to authenticate with an account that has access to the Storage Account Container you specified above.

๐Ÿš€โฏ az login

Now you need to set the subscription you are working with. This should be the subscription that your state file manages.

๐Ÿš€โฏ az account set --subscription "SUBSCRIPTION NAME"

The Azure CLI has now been used to complete authentication. Next, change your terminal's working directory to the location where you cloned your repository. On Windows, changing directory usually looks like this:

๐Ÿš€โฏ cd "C:\Users\CloudJames\***\***"

Once you are in the correct directory, run terraform init to initialise the configuration so it downloads providers, modules, etc.

๐Ÿš€โฏ terraform init

Once completed, you can run terraform state list to list the resources that are in your remote state file.

๐Ÿš€โฏ terraform state list

The results should appear like this:

๐Ÿฆ„โฏ terraform state list

Find the resource that no longer exists in the Azure environment and take note of the name in full (format is resourcetype.resourcename).

We are now ready to remove the resource from the state file. We will use terraform state rm to achieve this. Here is an example:

๐Ÿš€โฏ terraform state rm azurerm_backup_protected_vm.rs_name

When run, you should get output like the below:

๐Ÿฆ„โฏ terraform state rm azurerm_backup_protected_vm.rs_name
Removed azurerm_backup_protected_vm.rs_name
Successfully removed 1 resource instance(s).

To validate this has worked (if you cloned the repo as described at the beginning), you just need to run a terraform plan.

๐Ÿš€โฏ terraform plan

You should not see the resource listed for destruction at all. This means you can run your pipeline again and it will continue as normal.
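
The removal steps above can be wrapped in a few guards. The following PowerShell is an added example, not part of the original article: it checks the address, snapshots the remote state, previews the removal and then confirms it. The snapshot location under $env:TEMP is an assumption; the resource address is the one used in the article.

```powershell
# Added example, not from the original article: guarded `terraform state rm`.
# Run in the configuration directory after `az login` and `terraform init`.
$ErrorActionPreference = 'Stop'
$address = 'azurerm_backup_protected_vm.rs_name'   # address used in the article

# 1. Require an exact, case-sensitive match so a typo or partial name cannot pass.
$tracked = @(terraform state list)
if ($LASTEXITCODE -ne 0) { throw 'terraform state list failed' }
if ($tracked -cnotcontains $address) { throw "'$address' is not tracked in this state" }

# 2. Snapshot the remote state before changing it. State files can hold secrets
#    in plain text, so the copy is written outside the repository (assumed path).
[string[]]$snapshot = terraform state pull
if ($LASTEXITCODE -ne 0 -or -not $snapshot) { throw 'terraform state pull failed' }
$backup = Join-Path $env:TEMP ('tfstate-{0:yyyyMMdd-HHmmss}.json' -f (Get-Date))
[System.IO.File]::WriteAllLines($backup, $snapshot)   # UTF-8 without a BOM

# 3. Preview what would be removed, then remove it.
terraform state rm -dry-run $address
if ($LASTEXITCODE -ne 0) { throw 'dry run failed; state was not changed' }
terraform state rm $address
if ($LASTEXITCODE -ne 0) { throw "terraform state rm failed; snapshot is at $backup" }

# 4. Confirm the address is gone from the remote state.
if (@(terraform state list) -ccontains $address) { throw "'$address' is still tracked" }
Write-Host "Removed $address. Snapshot of the previous state: $backup"
```

The snapshot contains whatever secrets the state holds, so delete it once the pipeline run has succeeded.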
