What is the meaning of taint?
A trace of a bad or undesirable substance or quality.
What is tainted?
Spoiled; damaged in quality, taste, or value.
What is Terraform taint?
The terraform taint command manually marks a Terraform-managed resource as tainted, forcing it to be destroyed and recreated on the next apply.
Use case of Terraform taint?
- Re-create a resource, such as an EC2 instance, after someone logged in and made manual changes.
- Force rolling deploys of ASGs for web services when Terraform wouldn’t normally require it.
- Force a rebuild of certain resources without doing a full destroy, though usually only during the development phase. A full build might take 20-30 mins when we only want to test a single update.
Behaviours of terraform taint
- This command will not modify infrastructure, but does modify the state file in order to mark a resource as tainted.
- Once a resource is marked as tainted, the next plan will show that the resource will be destroyed and recreated and the next apply will implement this change.
- Forcing the recreation of a resource is useful when you want a certain side effect of recreation that is not visible in the attributes of a resource. For example, re-running provisioners will cause the node to be different, or rebooting the machine from a base image will cause new startup scripts to run.
Failed Provisioners and Tainted Resources
- If a resource successfully creates but fails during provisioning, Terraform will error and mark the resource as “tainted”. A resource that is tainted has been physically created, but can’t be considered safe to use since provisioning failed.
- When you generate your next execution plan, Terraform will not attempt to restart provisioning on the same resource because it isn’t guaranteed to be safe. Instead, Terraform will remove any tainted resources and create new resources, attempting to provision them again after creation.
- Terraform also does not automatically roll back and destroy the resource during the apply when the failure happens, because that would go against the execution plan: the execution plan would’ve said a resource will be created, but does not say it will ever be deleted. If you create an execution plan with a tainted resource, however, the plan will clearly state that the resource will be destroyed because it is tainted.
Manually Tainting Resources
In cases where you want to manually destroy and recreate a resource, Terraform has a built-in taint function in the CLI. This command will not modify infrastructure, but does modify the state file in order to mark a resource as tainted. Once a resource is marked as tainted, the next plan will show that the resource will be destroyed and recreated, and the next apply will implement this change.
To taint a resource, use the following command:
$ terraform taint resource.id
resource.id refers to the resource block name and resource ID to taint. Review the resource block we previously created:
resource "aws_instance" "example" {
  ami           = "ami-b374d5a5"
  instance_type = "t2.micro"
}
The correct command to taint this resource would be terraform taint aws_instance.example.
The terraform state list command is used to list resources within a Terraform state.
$ terraform state list
$ terraform plan
$ terraform untaint resource.id
$ terraform plan
Usage and example of terraform taint
Usage: terraform taint [options] address
The address argument is the address of the resource to mark as tainted. The address is in the resource address syntax, as shown in the output from other commands, such as:
aws_instance.foo
aws_instance.bar[1]
aws_instance.baz[\"key\"] (quotes in resource addresses must be escaped on the command line, so that they are not interpreted by your shell)
module.foo.module.bar.aws_instance.qux
Example: Tainting a Single Resource
$ terraform taint aws_security_group.allow_all
The resource aws_security_group.allow_all in the module root has been marked as tainted.
Example: Tainting a single resource created with for_each
It is necessary to wrap the resource in single quotes and escape the quotes. This example will taint a single resource created with for_each:
$ terraform taint 'module.route_tables.azurerm_route_table.rt[\"DefaultSubnet\"]'
The resource module.route_tables.azurerm_route_table.rt["DefaultSubnet"] in the module root has been marked as tainted.
Example: Tainting a Resource within a Module
This example will only taint a resource within a module:
$ terraform taint "module.couchbase.aws_instance.cb_node[9]"
Resource instance module.couchbase.aws_instance.cb_node[9] has been marked as tainted.
Example: Tainting a Resource within a Module (older -module flag syntax)
terraform taint -module=hosting null_resource.provision_last
Terraform untaint
Manually unmark a resource as tainted, restoring it as the primary instance in the state. This reverses either a manual 'terraform taint' or the result of provisioners failing on a resource.
This will not modify your infrastructure. This command changes your state to unmark a resource as tainted. This command can be undone by reverting the state backup file that is created, or by running 'terraform taint' on the resource.
---------------
# Download the Ghost image
resource "docker_image" "image_id" {
  name = "ghost:latest"
}
# Start the Container
resource "docker_container" "container_id" {
  name  = "ghost_blog"
  image = docker_image.image_id.latest
  ports {
    internal = "2368"
    external = "80"
  }
}
---------------
terraform init
terraform plan
terraform apply
terraform taint docker_container.container_id
terraform plan
terraform untaint docker_container.container_id
terraform plan
terraform taint docker_container.container_id
terraform apply
terraform destroy
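The sections above say that a taint lives only in the state file and surfaces in the next plan as a destroy-and-recreate. As an added example (not from the original post), the Python below reads the JSON form of a saved plan (terraform show -json tfplan) and reports which replacements are caused by a taint, plus any tainted resource the plan leaves alone. The sample document is constructed and trimmed to the fields used, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `terraform show -json tfplan` output,
# trimmed to the fields this check reads. Not real output.
SAMPLE_PLAN = json.loads("""
{
  "prior_state": {"values": {"root_module": {
    "resources": [
      {"address": "docker_image.image_id"},
      {"address": "docker_container.container_id", "tainted": true}
    ],
    "child_modules": [{
      "address": "module.couchbase",
      "resources": [
        {"address": "module.couchbase.aws_instance.cb_node[9]", "tainted": true}
      ]
    }]
  }}},
  "resource_changes": [
    {"address": "docker_image.image_id",
     "change": {"actions": ["no-op"]}},
    {"address": "docker_container.container_id",
     "change": {"actions": ["delete", "create"]},
     "action_reason": "replace_because_tainted"},
    {"address": "module.couchbase.aws_instance.cb_node[9]",
     "change": {"actions": ["delete", "create"]},
     "action_reason": "replace_because_tainted"}
  ]
}
""")

def tainted_in_state(module):
    """Recursively collect addresses flagged tainted in a state module."""
    found = [r["address"] for r in module.get("resources", []) if r.get("tainted")]
    for child in module.get("child_modules", []):
        found.extend(tainted_in_state(child))
    return found

def replaced_because_tainted(plan):
    """Addresses the plan will destroy and recreate because of a taint."""
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if rc.get("action_reason") == "replace_because_tainted"]

def unplanned_taints(plan):
    """Tainted resources in state that the plan does NOT replace."""
    root = plan.get("prior_state", {}).get("values", {}).get("root_module", {})
    return sorted(set(tainted_in_state(root)) - set(replaced_because_tainted(plan)))

if __name__ == "__main__":
    print("tainted, will be replaced:", replaced_because_tainted(SAMPLE_PLAN))
    print("tainted, not replaced:", unplanned_taints(SAMPLE_PLAN))
```

Run against a real plan, a non-empty first list is the set of resources to review before apply, since each one will be destroyed; a non-empty second list means a tainted resource (for example one left by a failed provisioner) is still in service and outside this plan.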









