[Bug]: terraform_data provisioner when=destroy not executed

[yakyouk]

Terraform Version

Terraform v1.11.4
on windows_386
+ provider registry.terraform.io/citrix/citrixadc v1.43.1
+ provider registry.terraform.io/hashicorp/null v3.2.4

Terraform Configuration Files

Note: this works fine in when=create

resource "terraform_data" "unbinds" {
  for_each = local.unbinds
  input = {
    vservername = each.value.vservername
    certkeyname = each.value.certkeyname
  }
  provisioner "local-exec" {
    when = destroy
    environment = {
      TF_VSERVERNAME = self.input.vservername
      TF_CERTKEYNAME = self.input.certkeyname
    }
    interpreter = ["powershell.exe","-Command"]
    command = "&'${abspath(path.module)}/bin/cleanup.ps1 -v ${self.input.vservername} -c ${self.input.certkeyname}"
  }
}

Debug Output

NA

Expected Behavior

the command should be executed upon destruction of the terraform_data instance.

Actual Behavior

The terraform_data resource gets destroyed but the command does not get executed. Note that the exact same block with when=create does work fine.

Steps to Reproduce

create a terraform_data resource with a provisioner "local-exec" { when = destroy } block
remove the resource and apply => resource gets destroyed without the script running

Additional Context

No response

References

No response

Generative AI / LLM assisted development?

No response

[jbardin]

Hi @yakyouk,

If you remove the resource from the configuration, then the provisioner is no longer there to be evaluated and executed. If you want to remove a resource while still retaining the provisioner, you can use a removed block

[yakyouk]

Hi @jbardin , the goal was to execute code when my terraform_data resource gets removed; the doc seems to confirm it should be the case. If the code doesn't run when the resource gets removed, I don't understand the purpose of a when=destroy provisioner, could you clarify?

[jbardin]

@yakyouk, The linked documentation states:

Destroy-time provisioners can only run if they remain in the configuration at the time a resource is destroyed. If a resource block with a destroy-time provisioner is removed entirely from the configuration, its provisioner configurations are removed along with it and thus the destroy provisioner won't run.

when=destroy works with resource replacement and resource instances removed via count or for_each. If you need it to work with a resource which was removed entirely, then you can use the removed block.

[yakyouk]

Oh I see, thanks for the clarification. My resource actually has for_each, but for testing I was commenting out the whole resource block and trying to apply a specific instance with -target. Good to know that they're not equivalent operations.