Cleaning Out a Compartment on Oracle Cloud using Terraform provider

The situation: a Compartment on OCI should be removed. Or at least all its resources should be purged. Or at least most of the resources should be removed.

The challenge: there is no “purge compartment” available that will delete the resources in the compartment. Removing each resource one by one is quite a lot of work; it takes a long time and is very, very dull.

The solution: use the Terraform OCI provider to discover resources – then use Terraform to destroy all resources using the generated plan files and the generated state file. You can delete or edit the plan files to fine-tune what gets destroyed. When working in OCI Cloud Shell, this is quite simple to pull off.

Demonstration

Create some cloud resources in a compartment – through whatever means (CLI, API, Console, Terraform/Resource Manager). In this case for example, I have created a few storage buckets, some policies and an application. I could have created many more and very different resources.

To get rid of these resources, I could delete them through the console, one by one. That is a lot of work.

What should work – but failed a few times for me – is:

  • go to Stacks in the Console
  • create a new Stack – for all services – creating a set of Terraform plan files for all resources in the compartment
  • run Destroy on the Stack

This action should succeed – but if there is only the slightest issue with the generated plan files in the stack, the destroy operation fails.

An alternative approach in that case is the following: open your OCI Cloud Shell – from the Console:

Create a directory bin under the user’s home directory.

Download the latest OCI Provider release for Linux 64-bit from the webpage https://releases.hashicorp.com/terraform-provider-oci/ into the bin folder, using wget <link address>. Then unzip the downloaded file.

Create a directory cleaning under the user home directory and change into that directory.

Run the resource discovery command for the compartment of interest – you need the compartment’s OCID for this. Specify the services for which you want to do resource discovery – or omit the services keyword to do discovery for all services. Note: a comma-separated list of resource identifiers (OCIDs) can also be provided to focus resource discovery and subsequent deletion on only a specific set. Special note: some resources, such as identity resources like policies, exist only at the tenancy level and cannot be discovered within a specific compartment; to discover such resources, use the following command without the compartment parameter.

~/bin/terraform-provider-oci_v4.53.0_x4 -command=export -compartment_id=<OCID> -output_path=. -services=object_storage,functions,identity -generate_state

or

~/bin/terraform-provider-oci_v4.53.0_x4 -command=export -compartment_id=<OCID> -output_path=. -services=object_storage,functions -generate_state

Running this command will inspect the resources, create Terraform Plan files (*.tf) with their definitions as Terraform resources and also import them into a Terraform state file.

Inspecting the *.tf files will reveal the definitions of the cloud resources that I want to get rid of:

The actual clean up of the compartment can now be started – using terraform destroy:

If I like what I see – three objects will be destroyed – I type yes and press enter. Anything else will exit terraform without removing any resources.

The resources I had created for this quick demo have been removed. Not so the policies.

(to remove the policies, I use the console for manual removal – which for policies and dynamic groups is fairly easy to do)
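
A check that can run before confirming the destroy step above, as an added example that is not part of the original post: save the destroy plan with terraform plan -destroy -out=destroy.tfplan, export it with terraform show -json destroy.tfplan > destroy.json, and let the script confirm that everything marked for deletion belongs to the target compartment. The file names, the function name and the OCIDs are assumptions, and the sample plan is constructed.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of `terraform show -json` output; OCIDs are placeholders.
TARGET = "ocid1.compartment.oc1..exampletarget"
SAMPLE_PLAN = {"resource_changes": [
    {"address": "oci_objectstorage_bucket.export_b1", "type": "oci_objectstorage_bucket",
     "change": {"actions": ["delete"], "before": {"compartment_id": TARGET}}},
    {"address": "oci_objectstorage_bucket.export_b2", "type": "oci_objectstorage_bucket",
     "change": {"actions": ["delete"], "before": {"compartment_id": TARGET}}},
    {"address": "oci_functions_application.export_app", "type": "oci_functions_application",
     "change": {"actions": ["delete"], "before": {"compartment_id": TARGET}}},
    {"address": "oci_identity_policy.export_pol", "type": "oci_identity_policy",
     "change": {"actions": ["delete"],
                "before": {"compartment_id": "ocid1.tenancy.oc1..exampletenancy"}}},
]}


def review_destroy_plan(plan, compartment_id):
    """Split planned changes into per-type delete counts and blockers needing review."""
    to_delete, blockers = Counter(), []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if actions == ["no-op"]:
            continue
        # For a delete, "before" holds the attributes recorded in the state file.
        owner = (change.get("before") or {}).get("compartment_id")
        if actions != ["delete"]:
            blockers.append((rc["address"], "unexpected action: " + "/".join(actions)))
        elif owner is None:
            blockers.append((rc["address"], "no compartment_id in state"))
        elif owner != compartment_id:
            blockers.append((rc["address"], "outside target: " + owner))
        else:
            to_delete[rc["type"]] += 1
    return to_delete, blockers


if __name__ == "__main__":
    # Usage: python3 review_destroy.py destroy.json <compartment OCID>
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            plan, target = json.load(fh), sys.argv[2]
    else:
        plan, target = SAMPLE_PLAN, TARGET  # fall back to the constructed sample
    counts, blockers = review_destroy_plan(plan, target)
    for rtype, n in sorted(counts.items()):
        print(f"delete {n} x {rtype}")
    for address, reason in blockers:
        print(f"BLOCKED {address}: {reason}")
    sys.exit(1 if blockers else 0)
```

If the script exits 0, terraform apply destroy.tfplan applies exactly the plan that was reviewed; a non-zero exit means a *.tf file or state entry should be edited out first.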

Conclusion

Resource discovery is a pretty powerful mechanism to get a hold on the resources in an OCI Compartment. The resulting Terraform plan files can be used to destroy the resources from the compartment – in the proper order and taking all underlying details and child elements into account. A real time and boredom saver.

Note that these plan files created through discovery can also be used to create these same resources, either in the same or in a different compartment. Copying resources between compartments can therefore easily be achieved.

The OCI Cloud Shell provides an easy access mechanism to get going with Terraform in general and with resource discovery in particular.

Resources

Terraform OCI Provider Docs – Resource Discovery – https://registry.terraform.io/providers/hashicorp/oci/latest/docs/guides/resource_discovery

OCI Docs – Resource Discovery – https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformresourcediscovery.htm

OCI Docs – intro to Cloud Shell – https://docs.oracle.com/en-us/iaas/Content/API/Concepts/devcloudshellintro.htm

OCI Docs – Resource Manager (on Stacks) – https://docs.oracle.com/en-us/iaas/Content/ResourceManager/home.htm
